Practice Test 3 Flashcards

1
Q

Which of the following networking technologies provides for local area network segregation using switches?

A) RADIUS
B) Virtualization
C) VPN
D) VLAN

A

D) VLAN

VLANs (virtual LANs) provide for local area network segmentation and separation and are implemented on switches. RADIUS is a remote access authentication technology. Virtualization refers to the creation and management of virtual hosts running in a virtualized environment. VPN is a secure remote access technology.

2
Q

All of the following are considered elements of a password policy EXCEPT:

A) Password aging
B) Password sharing
C) Password history
D) Password complexity

A

B) Password sharing

Password sharing typically will be in the acceptable use policy (AUP), as a directive to users about what they can and cannot do. Password history, aging, and complexity will all typically be found in a password policy, as technical elements that describe how passwords should be constructed, implemented, and managed by administrators.

3
Q

All of the following are considered secure application development practices EXCEPT:

A) Input validation
B) Back doors
C) Memory management
D) Error and exception handling

A

B) Back doors

Back doors are a security risk due to the possibility that an attacker could use them to gain unauthorized access to the program. The other three choices are all considered secure coding and application development practices.

4
Q

All of the following are types of penetration testing EXCEPT:

A) Black box
B) Gray box
C) White box
D) Blue box

A

D) Blue box

Blue box testing is not a type of penetration testing. Black box testing involves a penetration test where the test team has no knowledge of the network. In gray box testing, the tester may have some knowledge given to them, such as an infrastructure diagram or IP address list. In a white box test, the test team has full and detailed knowledge of the network, its design, functions, and applications.

5
Q

The network administrator for your office has configured the company web site for SSL by applying a certificate to the site. What port will you need to open on the firewall to allow communication to the site?

A) 80
B) 22
C) 443
D) 53

A

C) 443

TCP port 443 must be opened on the firewall to allow SSL traffic to pass. None of the other ports listed is used by SSL.

6
Q

Which of the following security controls is designed to prevent tailgating?

A) Separation of duties
B) Mantrap
C) Multifactor authentication
D) Least privilege

A

B) Mantrap

A mantrap, an area between two locked doors from which the second door cannot be opened until the first door is locked, is designed to allow only one person at a time to enter a facility, effectively preventing tailgating. Separation of duties and least privilege are two security principles designed to prevent collusion and elevated privileges, respectively. Multifactor authentication is designed to positively identify and authenticate an individual but does not prevent tailgating.

7
Q

Ashlyn, the senior security officer within your organization, has requested that you create a plan for an active security test that tries to bypass the security controls of an asset. What type of test would you plan?

A) Vulnerability scan
B) Risk assessment
C) Code review
D) Penetration test

A

D) Penetration test

A penetration test is considered an active test because you are actually interacting with the target system and trying to bypass the security controls. A vulnerability scan is considered a passive test because it only involves reviewing the configuration of a system to determine if there are any vulnerabilities. A risk assessment helps identify risks for each asset. A code review involves reviewing the code of an application to look for flaws.

8
Q

Which of the following attacks involves sending ICMP packets from a spoofed IP address to the network’s broadcast address?

A) Smurf attack
B) Watering hole attack
C) Botnet
D) RAT

A

A) Smurf attack

A smurf attack is a type of ICMP attack where large numbers of ping packets are sent from a spoofed IP address on the network to the network broadcast address, causing many replies back to the victim and possibly bringing about a denial of service. A smurf attack is an example of a DDoS attack. A remote access Trojan (RAT) is malicious software that the user typically installs without knowing it, such as by installing a game from the Internet or by running a malicious program that was e-mailed to them. The RAT program then opens a back door for the hacker to gain access to the system remotely at a later time. A botnet is a group of compromised systems that the hacker has control over and uses to attack a victim’s system. A watering hole attack is when the hacker determines sites you may want to visit and then compromises those sites by planting viruses or malicious code on them. When you visit the site (which you trust), you are then infected with the virus.

9
Q

Which of the following simple command-line tools would be used from the host to determine what open ports a host is listening on?

A) ping
B) netstat
C) ifconfig
D) nbtstat

A

B) netstat

netstat is a tool found on both Unix/Linux and Windows hosts that can give network statistics and connection information, including port usage. This would help determine if a host is listening on an unexpected or unwanted port. None of the other choices give information on open ports. nbtstat is a command found only on Windows hosts and gives NetBIOS usage information. Ping is found on both Unix/Linux and Windows hosts but only sends simple ICMP requests to a host. ifconfig is found only on Unix and Linux hosts and only gives network interface configuration information.

10
Q

A term used to identify an authentication scheme that involves both sides of the communication authenticating is:

A) Single sign on
B) Nonrepudiation
C) Mutual authentication
D) Hashing

A

C) Mutual authentication

Mutual authentication requires both sides of a communications session to authenticate to each other. Single sign-on (SSO) is a concept that provides for one authentication to be used for multiple resources. Nonrepudiation ensures that a party cannot deny that it took an action. Hashing involves a one-way function that produces a message digest from a piece of text.

11
Q

You are troubleshooting a communication problem with an application that sends data to a remote system. What tool can you use to view the traffic being sent on the network by the application?

A) Spectrum analyzer
B) Frequency analyzer
C) Protocol analyzer
D) Switch monitor

A

C) Protocol analyzer

In order to view network traffic, it must be sniffed or captured using a protocol analyzer (sometimes called a sniffer). The other devices listed cannot be used to capture and view network traffic.

12
Q

Which type of malware is difficult to detect and replaces key operating system files?

A) Worm
B) Rootkit
C) Logic bomb
D) Trojan

A

B) Rootkit

A rootkit is very difficult to detect and often replaces key operating system files with compromised versions, allowing an attacker to access administrative-level functions. A worm is a self-propagating piece of malware that can spread without user intervention. A Trojan is a piece of malware that disguises itself as useful software. A logic bomb is a malicious script that typically activates after a certain date or event.

13
Q

A user complains that he or she cannot access sites that use the HTTPS protocol. Which port should be opened on the firewall to allow this traffic?

A) 8080
B) 443
C) 80
D) 22

A

B) 443

TCP port 443 is used by the HTTPS protocol, which uses SSL as its secure session protocol. Both are associated with port 443. Port 80 is used by HTTP, port 22 by SSH, and port 8080 by some proxy server implementations.

14
Q

You are configuring IPSec on your network and need to allow for security association (SA) traffic to pass through the firewall. Which of the following ports does the Internet Key Exchange (IKE) protocol, which is the protocol responsible for the SA setup within IPSec, use?

A) 8080
B) 500
C) 22
D) 443

A

B) 500

IKE uses UDP port 500. Port 443 is used by SSL, 22 is used by SSH, and 8080 does not fall into the range of well-known ports (0-1023) but is frequently used by proxy servers and other security devices.

15
Q

Which of the following is a Type I error?

A) False negative
B) False rejection rate
C) False acceptance rate
D) Crossover error rate

A

B) False rejection rate

A false rejection rate (FRR) is a Type I error in biometrics. This also equates to a false positive. A false acceptance rate (FAR) is a Type II error and is sometimes referred to as a false negative. The crossover error rate (CER) is the point where the FRR and FAR are equal.

16
Q

Which of the following protocols is considered a secure replacement for Telnet?

A) SSL
B) SSH
C) TLS
D) RLOGIN

A

B) SSH

Secure Shell (SSH) is considered a secure replacement for Telnet. TLS and SSL are secure session protocols used in HTTPS traffic. RLOGIN is an older, nonsecure protocol.

17
Q

Which of the following choices concerns itself with ensuring that data is not modified or destroyed while in storage or transit?

A) Integrity
B) Confidentiality
C) Availability
D) Nonrepudiation

A

A) Integrity

Integrity is concerned with ensuring that data is not modified. Confidentiality protects information from unauthorized access. Availability provides for information and systems to be online and ready for users at any time. Nonrepudiation means that a user cannot deny that he or she took an action.

18
Q

Which type of intrusion detection system identifies suspicious activity by monitoring log files on the system?

A) NIDS
B) ACL
C) HIDS
D) NIPS

A

C) HIDS

A host-based intrusion detection system (HIDS) monitors local system activity and logs for indications of an attack. A NIDS is a network-based intrusion detection system and does not monitor host log files. A NIPS is a network-based intrusion prevention system and works on the network instead of the host. An ACL is an access control list and is used to allow or deny traffic through a router or grant/deny permissions to resources.

19
Q

You are the security administrator for a small company and would like to limit clients that can connect to the wireless network by hardware address. What would you do?

A) Implement NAC
B) Implement WEP
C) Enable SSID cloaking
D) Implement MAC filtering

A

D) Implement MAC filtering

MAC address filtering, although not an effective security measure by itself, can be used to limit which clients, by hardware address, can connect to the wireless network. WEP is a wireless security protocol. NAC prevents clients from connecting that do not meet specified security requirements, such as patch level or antivirus signature. SSID cloaking merely prevents potential wireless clients from seeing the wireless network name by stopping it from being broadcast.

20
Q

Which of the wireless encryption protocols uses the RC4 symmetric algorithm for encrypting wireless communication?

A) WPA2
B) WEP
C) TLS
D) EAP

A

B) WEP

WEP (Wired Equivalent Privacy) uses a faulty implementation of the RC4 algorithm, in addition to weak initialization vectors, making it an unsecure wireless protocol that should never be used. None of the other protocols listed use RC4.

21
Q

Which of the following identifies a security reason to perform a site survey to identify rogue access points?

A) Frequency overlap
B) Signal propagation
C) Bypass security controls
D) Interference

A

C) Bypass security controls

Rogue wireless routers could be used by unauthorized individuals to access the network and bypass security controls such as firewalls. The other issues listed may affect performance and can be important to security, but do not have a direct impact on securing the wireless network.

22
Q

Which of the following steps is the first to be accomplished during a penetration test?

A) Port scanning
B) Password cracking
C) Obtain permission for the test
D) Privilege escalation

A

C) Obtain permission for the test

Before beginning any type of penetration test or vulnerability assessment, you must first obtain permission from the responsible system owner to avoid legal or liability issues. Although these are all valid steps to take during a penetration test or vulnerability assessment, none of these should be started without obtaining permission from the responsible system owner.

23
Q

When performing an investigation on a mobile device, you would like to ensure that you shield the device from sending or receiving signals. What would you use?

A) Protocol analyzer
B) Spectrum analyzer
C) Faraday cage
D) Signal reducer

A

C) Faraday cage

A Faraday cage can be used to shield devices from sending or receiving electronic signals. A protocol analyzer is used to capture and view network traffic. A spectrum analyzer is used for site surveys when designing wireless networks. A signal reducer is not a device used in this context.

24
Q

All of the following accurately describe the differences between TACACS and RADIUS EXCEPT:

A) TACACS encrypts only passwords between the client and server
B) RADIUS encrypts only passwords between the client and the server
C) RADIUS uses UDP
D) TACACS uses TCP

A

A) TACACS encrypts only passwords between the client and server

TACACS encrypts all information between the client and server, whereas RADIUS only encrypts the passwords. The other choices are all accurate descriptions of differences between RADIUS and TACACS.

25
Q

When a user types his or her username into a logon screen, this is known as ___________?

A) Authorization
B) Authentication
C) Impersonation
D) Identification

A

D) Identification

Identification is the first step in the process and involves the user presenting his or her credentials to the server. Authentication occurs after identification and involves the user's credentials being authenticated by the server. Authorization refers to granting an authenticated user the correct access to an object. Impersonation is an invalid term in this context.

26
Q

The risk that remains after all reducing and mitigation actions have been taken is called:

A) Residual risk
B) Low risk
C) Mitigated risk
D) Accepted risk

A

A) Residual risk

Residual risk is what risk remains after all mitigation and reduction strategies have been implemented. Low risk is a level that may be accepted without mitigation or requires little mitigation. Accepted risk is what risk the management authority chooses to accept with or without mitigations in place. Mitigated risk is that risk that has been reduced to a lower level.

27
Q

When users connect to the wireless network, management wants them to receive a message asking them to agree to the terms of use before being granted wireless network access. What network service could be used to perform this goal?

A) NAC
B) Multifactor authentication
C) PKI
D) Kerberos

A

A) NAC

Network access control (NAC) can be used to enforce logon or connection banners that will require users to agree to terms of use before being allowed to connect to the network. None of the other technologies listed can be used to enforce logon warning banners requiring users to agree to terms of use before being allowed to access the network.

28
Q

Your company has a salesperson who travels a lot and will be connecting to hotel networks. What security recommendation would you make for her laptop?

A) Unencrypted drive
B) Host-based firewall
C) FDE
D) Null password

A

B) Host-based firewall

A host-based firewall should be used when connecting to untrusted networks, such as one in a hotel. Having an unencrypted drive and a null password are not security recommendations. Although full disk encryption (FDE) can help if the laptop is lost or stolen, it will not help you in situations when you are making connections to an unknown and potentially unsecure network. You could potentially be infected with a virus by connecting to an unknown network without having a firewall enabled, or be vulnerable to an attack.

29
Q

Your manager is interested in implementing a strong authentication scheme. Which of the following is considered the strongest authentication?

A) PIN
B) Fingerprint
C) Username/password
D) Iris scan

A

D) Iris scan

Out of the choices given, an iris scan is the strongest method of authentication, as these patterns are very unique to individuals. Of all of the biometric authentication methods, including voiceprint and fingerprints, iris scans are the most accurate. Username and password combinations are not considered strong methods of authentication, nor is a PIN by itself. These are all considered single-factor forms of authentication. Fingerprints are not considered as strong a method of biometric authentication as iris scans.

30
Q

In a PKI infrastructure, what is the name of the list that contains all the certificates that have been deemed invalid?

A) Certification invalidation list
B) Certificate revocation list
C) Certificate denial list
D) Certificate authority

A

B) Certificate revocation list

A certificate revocation list (CRL) contains a list of all invalid or revoked certificates. A certificate denial list and certificate invalidation list are false choices and do not exist. A certificate authority is responsible for issuing certificates.

31
Q

When working with asymmetric encryption, which of the following is used to encrypt a message sent from Bob to Sue?

A) Bob’s public key
B) Sue’s private key
C) Sue’s public key
D) Bob’s private key

A

C) Sue’s public key

Sue’s public key is used to encrypt a message from Bob to Sue, as only Sue’s private key can decrypt it. Sue’s private key can only decrypt the message, and Bob does not possess it. Neither of Bob’s keys can be used to encrypt a confidential message to Sue.

32
Q

Which of the following statements are correct with regard to the concepts of fail-secure and fail-safe? (Choose two.)

A) A fail-safe device responds by not doing anything to cause harm when the failure occurs
B) A fail-safe device responds by making sure the device is using a secure state when a failure occurs
C) A fail-secure device responds by not doing anything to cause harm when the failure occurs
D) A fail-secure device responds by making sure the device is using a secure state when a failure occurs

A

A) A fail-safe device responds by not doing anything to cause harm when the failure occurs
D) A fail-secure device responds by making sure the device is using a secure state when a failure occurs

A fail-safe device responds by not doing anything to cause harm when the failure occurs. A fail-secure device responds by making sure the device is using a secure state when a failure occurs. Choice A is the definition of fail-safe, and what choice B describes is the definition of fail-secure, not the other way around.

33
Q

Which of the following is typically conducted as a first step in the overall business continuity/disaster recovery strategy?

A) System backup plan
B) Disaster recovery plan
C) Business continuity plan
D) Business impact analysis

A

D) Business impact analysis

The business impact analysis (BIA) is a critical first step in developing the business continuity plan (BCP). It involves determining what risks are present and their effects on the business and its assets. The BCP is the overall and final product that the BIA contributes to. The BIA must be completed as one of the first steps, as it essentially is the risk assessment for the BCP. The disaster recovery plan (DRP) concerns itself with recovering the assets and operations of the business immediately following a disaster. A system backup plan is but one element of the DRP and may or may not be one of the first things accomplished for that plan.

34
Q

Which of the following protocols is a more secure version of the SSL protocol?

A) AES
B) RSA
C) TLS
D) SSH

A

C) TLS

Transport Layer Security (TLS) is considered a strong replacement for SSL. SSH is a secure replacement for Telnet and other nonsecure protocols. AES is a symmetric algorithm that replaces DES. RSA is an asymmetric algorithm used in public key cryptography.

35
Q

Which device, when implemented with VLANs, can help reduce both collision and the size of broadcast domains?

A) Switch
B) Bridge
C) Router
D) Hub

A

A) Switch

Switches natively help reduce collision domains and, when VLANs are implemented on them, help reduce broadcast domains. Routers can help reduce or eliminate broadcast domains, and bridges can help reduce collision domains, but neither of these devices uses VLANs. Hubs do not reduce collision or broadcast domains.

36
Q

Which of the following technologies is NOT typically used to design secure network architectures?

A) VLAN
B) VPN
C) DMZ
D) Clustering

A

D) Clustering

Although it is part of high availability design, clustering is not typically used in the design and implementation of a secure network architecture. DMZs are used as a security buffer zone to separate internal networks and resources from externally accessible ones. VLANs are used to segregate local networks, providing a secure internal infrastructure. VPNs provide for secure remote access solutions.

37
Q

Which of the following best describes a minimum password age setting?

A) Users must wait a certain amount of time before they are allowed to change passwords
B) Users must not change passwords until a certain date
C) Passwords cannot be reused until they have been expired a certain amount of time
D) Users must change passwords after a certain amount of time

A

A) Users must wait a certain amount of time before they are allowed to change passwords

A minimum password age requires that users must wait a certain amount of time before they are allowed to change passwords. A maximum password age setting requires that users must change passwords after a certain amount of time. Passwords are typically good only for a certain amount of time, not through a certain date. Passwords typically cannot be reused until a certain number of password changes have occurred, preventing the use of the last specified number of passwords.

38
Q

You are performing a site survey of a company location and notice that one of the wireless access points is on top of a bookshelf that is located by the outer wall of the building. What is the security concern?

A) Damage due to falling
B) Interference
C) Wireless network access by persons outside the building
D) Signal degradation

A

C) Wireless network access by persons outside the building

Because of the placement near the outer wall, the wireless access point's signals could be detected outside the building and could allow an unauthorized user to eavesdrop on or use the connection. Damage due to falling is a concern, but not the most immediate security concern. Interference could happen only if other wireless devices are nearby that transmit on frequencies close to the one that the access point uses. This is a performance concern, but not typically a security concern unless it is malicious in nature and seeks to cause a denial-of-service condition. Signal degradation for the rest of the facility would not be caused by the placement of the access point next to the outer wall.

39
Q

All of the following are potential application security issues requiring attention EXCEPT:

A) Malware
B) Cross-site scripting
C) SQL injection
D) Buffer overflows

A

A) Malware

Malware is a security issue, but not specific to any applications. The other choices are all potential application security issues that could affect both web-based and client-server applications.

40
Q

You have an Internet-facing web server that only serves static web pages to users. Recently you have discovered that someone has been using your server as a mail relay. Which service and port should you remove to stop this type of attack?

A) SMTP port 110
B) SMTP port 25
C) HTTP port 80
D) HTTP port 443

A

B) SMTP port 25

Simple Mail Transfer Protocol (SMTP) uses TCP port 25, is used to send e-mail, and should not be running on an Internet-facing server that only provides a web site. HTTP (port 80) must be allowed to run on the server to provide web content to users. SMTP uses port 25, not port 110. Port 110 is used by POP3 to receive e-mail messages. HTTPS uses port 443, not HTTP.

41
Q

Which of the following is used to identify certificates that are no longer valid for use?

A) CAL
B) CA
C) PKS
D) CRL

A

D) CRL

The certificate revocation list (CRL) is used to identify invalid certificates. A CAL is a client access license. PKS is a cryptographic file standard, and a CA is a certificate authority, which issues certificates.

42
Q

Which of the following wireless attacks specifically attempts to take control of or use Bluetooth-enabled cell phones to make unauthorized calls?

A) Bluebugging
B) Bluejacking
C) Bluesniffing
D) Bluesnarfing

A

A) Bluebugging

Bluebugging, the most serious of the various Bluetooth attacks, involves an attacker attempting to take control of or use a Bluetooth-enabled cell phone to place calls. Bluejacking is the act of sending unsolicited messages or files to a Bluetooth device. Bluesnarfing is a more serious attack than Bluejacking and involves unauthorized access to information on a Bluetooth-enabled device. Bluesniffing is a false, nonexistent term.

43
Q

Which of the following goals of information security deals with identifying modifications to data?

A) Confidentiality
B) Availability
C) Nonrepudiation
D) Integrity

A

D) Integrity

Integrity provides for detection of data modification. Confidentiality deals with protecting data from unauthorized access, not modification. Availability ensures data and systems are available to authorized users whenever needed. Nonrepudiation involves preventing a user from denying that he or she performed an action.

44
Q

Your manager has asked that you perform an assessment of user passwords on the servers but wants to ensure that when you test the passwords you do not lock the user accounts. Which type of password audit should you perform?

A) Account lockout audit
B) White-box penetration test
C) Online password audit
D) Offline password audit

A

D) Offline password audit

If the goal is to prevent user account lockout, then offline password auditing is the correct method. Online auditing would definitely lock out user accounts as soon as the account lockout threshold is reached. An account lockout audit is an invalid type of audit, and a white-box penetration test involves full system or network testing and is incorrect in this context.

45
Q

Which authentication protocol uses Microsoft Point-to-Point Encryption (MPPE) protocol to encrypt all traffic from the client to the server?

A) CHAP
B) MS-CHAP
C) Kerberos
D) EAP

A

B) MS-CHAP

Microsoft CHAP (MS-CHAP) uses Microsoft Point-to-Point Encryption (MPPE) protocol to encrypt all traffic from the client to the server. Neither EAP nor Kerberos uses MPPE. CHAP is the non-proprietary version and uses MD5 as its hashing algorithm.

46
Q

Which of the following terms is most accurately defined by the amount of time a business can survive without a particular function?

A) Recovery time objective (RTO)
B) Maximum tolerable downtime (MTD)
C) Recovery point objective (RPO)
D) Mean time between failures (MTBF)

A

B) Maximum tolerable downtime (MTD)

The maximum tolerable downtime (MTD) indicates how long an asset may be down or offline without seriously impacting the organization. The mean time between failures is an estimate of how long a piece of equipment will perform before failure. The recovery point objective and recovery time objective refer to how much data may be lost during a failure or disaster and the maximum amount of time it must take to recover the system or data, respectively, before the organization is seriously impacted.

47
Q

A printed e-mail would be considered which kind of evidence?

A) Direct evidence
B) Demonstrative evidence
C) Real evidence
D) Documentary evidence

A

D) Documentary evidence

Documentary evidence is usually a printed form of evidence, a recording, or a photograph. Real (or physical) evidence is a tangible object presented in court (such as a weapon). Direct evidence is testimony from someone who actually witnessed the event. Demonstrative evidence is presenting a physical object that displays the results of an event that occurred.

48
Q

Your manager has read a lot about server virtualization and is wondering if there are any security benefits to using server virtualization. How would you respond?

A) Decentralized server security
B) Larger hardware footprint
C) More work required to harden systems
D) Fewer systems to physically secure

A

D) Fewer systems to physically secure

Virtualization results in fewer physical systems (and less hardware) that must be secured. None of the other choices offer any benefits, security or otherwise, of virtualization.

49
Q

Susan has received an e-mail message from her brother stating that if she forwards the e-mail to 10 different people that she will receive good fortune over the next three years. Susan forwards the e-mail. What policy has Susan violated in this example?

A) Need-to-know policy
B) Least privilege policy
C) Acceptable usage policy
D) Social engineering policy

A

C) Acceptable usage policy

An acceptable use policy (AUP) defines what users may and may not do with regard to information systems, including e-mail. The other policies listed apply to a wide range of security issues but do not define what actions users may perform on information systems.

50
Q

Which of the following terms refers to the practice of stealing or obtaining a user's personal or account information, typically using voice over IP (VoIP) systems?

A) Vishing
B) Phishing
C) VoIP hijacking
D) Whaling

A

A) Vishing

Vishing (a combination of the terms voice and phishing) refers to social engineering attacks that make use of VoIP systems to spoof phone numbers, hide caller IDs, and so forth, to obtain personal or account information from unsuspecting users. Phishing involves the use of e-mail targeted to users with a malicious web site link embedded in the e-mail. Whaling involves specifically targeting senior-level executives of an organization for social engineering attacks. VoIP hijacking is a nonexistent term in this context.

51
Q

A common attack on databases through a web-based form is called:

A) SQL injection
B) Cross-site scripting
C) XML injection
D) Directory traversal

A

A) SQL injection

SQL injection is a common attack on databases through a web-based form, where the attacker injects SQL commands into the form input. Cross-site scripting allows client-side scripts to be run on a web site. XML injection is an attack that injects faulty or malicious XML code into an XML statement. Directory traversal is the ability to search a web server's directories and files.

52
Q

Which of the following application attacks allows attackers to inject client-side script into web pages viewed by other users?

A) XML injection
B) Buffer overflow
C) SQL injection
D) Cross-site scripting

A

D) Cross-site scripting

Cross-site scripting (XSS) enables attackers to inject client-side scripts into web pages viewed by others. XML injection occurs when malicious XML code is inserted into an XML statement. SQL injection involves inserting faulty SQL input commands into a site that connects to a database, producing unintended results or returning privileged information. A buffer overflow takes advantage of programming flaws that occur when data overwrites a program's allocated memory address and enables arbitrary code to be executed in that address.

53
Q

Which of the following describes the best security practice to use when granting users elevated or administrative privileges?

A) Users who require higher privileges should be placed in the Administrators group
B) Users should have a normal user account for routine tasks, and an administrative account for tasks that require higher privilege
C) Users who perform administrative-level tasks should be given the Domain Administrator user account name and password
D) Administrative privileges should be granted directly to those user accounts that perform administrative-level tasks

A

B) Users should have a normal user account for routine tasks, and an administrative account for tasks that require higher privilege

Users should have a normal user account for routine tasks, and an administrative account for tasks that require higher privileges. None of the other choices are considered to be good security practices. User accounts should not be directly granted administrative privileges, and ordinary user-level accounts should not be placed in the Administrators group. Additionally, no one should be given the Domain Administrator's username and password to use on a routine basis.

54
Q

Which of the following devices is intentionally left nonsecure, with the hopes of luring a hacker away from the network and observing them?

A) IPS
B) IDS
C) Honeypot
D) Bastion hosts

A

C) Honeypot

A honeypot is a host that has been left with some vulnerabilities open to lure a hacker away from attacking the network and to observe his or her attack methods. A bastion host is a secure host outside the network. An intrusion detection system (IDS) is used to detect network attacks. An intrusion prevention system (IPS) is used to detect attacks and attempt to prevent them by rerouting traffic, blocking ports, etc.

55
Q

Which of the following is the best way to prevent cross-site scripting attacks?

A) Block ports 443 and 80 on the firewall
B) Require certificate-based authentication for website access
C) Validate the input into a website for illegal characters in a particular field
D) Restrict CGI script execution

A

C) Validate the input into a website for illegal characters in a particular field

Validating the input into a web site form for illegal characters in a field is the best choice for preventing cross-site scripting (XSS) attacks. Blocking ports 443 and 80 will make the site unusable, as these are the typical ports used to access web sites. Requiring certificate-based authentication will not prevent cross-site scripting attacks and is an unnecessary measure. CGI is not a method used for cross-site scripting attacks.

56
Q

Which of the following statements bests describes a Trusted Platform Module?

A) A code module that performs authentication
B) A secure logon module
C) A software module that prevents application attacks
D) A hardware module that performs cryptographic functions

A

D) A hardware module that performs cryptographic functions

A Trusted Platform Module (TPM) is a hardware device, usually in the form of an embedded chip, that performs cryptographic functions, such as encrypting an entire hard drive. None of the other choices correctly describes a Trusted Platform Module.

57
Q

Which authentication technology makes use of a key distribution center composed of an authentication server and a ticket-granting service?

A) Sesame
B) Kerberos
C) Single sign on
D) RADIUS

A

B) Kerberos

Kerberos uses a key distribution center (KDC), which consists of an authentication server and a ticket-granting service. None of the other choices is associated with these terms.

58
Q

A ‘deny any-any’ rule in a firewall ruleset is normally placed:

A) Nowhere in the ruleset if it has a default allow policy
B) Below the last allow rule, but above the first deny rule in the ruleset
C) At the top of the ruleset
D) At the bottom of the ruleset

A

D) At the bottom of the ruleset

A ‘deny any-any’ rule denies all traffic from all sources, so it should be the last rule in the ruleset. Placement of the ‘deny any-any’ rule anywhere else in the ruleset would prevent any other rules that follow it from processing.

59
Q

The hacker has managed to modify the cache on the system that stores the IP address and corresponding MAC address with inappropriate entries. What type of attack has occurred?

A) DHCP poisoning
B) DNS poisoning
C) VLAN poisoning
D) ARP poisoning

A

D) ARP poisoning

ARP poisoning involves introducing false entries into the host's ARP cache, essentially spoofing MAC addresses. DNS poisoning involves introducing false entries into a DNS server's cache or its zone files. DHCP and VLAN poisoning are invalid answers.

60
Q

Which of the following attacks is NOT typically attempted by a rogue access point on a wireless network?

A) Brute force
B) Evil twin
C) Interference
D) Spoofing

A

A) Brute force

A brute-force attack is typically a password attack. It may be used separately to break wireless passwords but is not unique to wireless attacks. The other choices are all attack methods that a rogue access point could attempt to engage in, resulting in a denial-of-service condition on the wireless network (as in the case of intentional interference), or spoofing valid access points to entice an unsuspecting client to connect to it.

61
Q

Which of the following are considered symmetric encryption algorithms? (Choose two.)

A) MD5
B) AES
C) 3DES
D) SHA
E) RSA

A

B) AES
C) 3DES

AES and 3DES are considered encryption standards and use symmetric algorithms. SHA and MD5 are hashing algorithms, and RSA is an asymmetric algorithm.

62
Q

Which of the following files might the hacker modify in order to redirect a user to the wrong web site?

A) hosts
B) ARP cache
C) lmhosts
D) services

A

A) hosts

The hosts file on a local machine provides for fully qualified domain name (FQDN) resolution in the absence of DNS and can be used to redirect users to the wrong web site. The lmhosts file is a Windows-specific file that maps computer names to IP addresses. The services file lists well-known services, such as HTTP and FTP. The ARP cache contains recently resolved local network IP addresses to MAC addresses.

63
Q

Bob logs on to the network and receives a message indicating that patches are not up to date and that he cannot be granted access to the network until patches are updated. What network feature is responsible for the message?

A) NAT
B) TPM
C) NAC
D) VPN

A

C) NAC

Network access control (NAC) can be used to prevent hosts from connecting to the network unless they meet certain security requirements, such as patch level, up-to-date antivirus signatures, and so forth. None of the other technologies listed are concerned with enforcing host security requirements prior to connecting to the network.

64
Q

Which of the following protocols uses IPSec to ensure confidentiality?

A) L2TP
B) SSL
C) PPTP
D) PPP

A

A) L2TP

IPSec provides encryption services for L2TP when used in a VPN implementation. None of the other protocols listed use IPSec for encryption services.

65
Q

You are troubleshooting a communication issue on the network. Which of the following protocols is responsible for converting the IP address to a MAC address?

A) ARP
B) DHCP
C) RARP
D) DNS

A

A) ARP

Address Resolution Protocol (ARP) resolves IP addresses to MAC addresses. RARP, the Reverse Address Resolution Protocol, resolves MAC addresses to IP addresses, the exact opposite of ARP. DNS, the Domain Name System, resolves fully qualified domain names (FQDN) to IP addresses. DHCP, the Dynamic Host Configuration Protocol, dynamically issues IP addressing information to hosts.

66
Q

All of the following are security measures used to harden a host EXCEPT:

A) Opening unused ports
B) Updating antivirus signatures
C) Uninstalling unnecessary applications
D) Installing security patches

A

A) Opening unused ports

Opening unused ports would increase the attack surface on a host. Closing unused ports is considered a good hardening practice. All of the other choices are considered good security measures to use when hardening a host.

67
Q

Jeff is a user on the network and needs to be able to change the system time. Instead of adding Jeff to the Administrators group, you give Jeff the ‘Change the system time’ right. What security principle are you following in this example?

A) Least privilege
B) Separation of duties
C) Role-based access control
D) Discretionary access control

A

A) Least privilege

The principle of least privilege allows users to have only the privileges necessary to perform their duties and no more. Separation of duties requires critical roles to be split among personnel so no one user has the privileges to commit fraud or to abuse his or her role. Role-based access control and discretionary access control are access control models.

68
Q

All of the following are valid 5.0 Risk Management strategies EXCEPT:

A) Risk transference
B) Risk mitigation
C) Risk elimination
D) Risk acceptance

A

C) Risk elimination

Risk can never be completely eliminated, only dealt with. The other choices are all valid 5.0 Risk Management strategies.

69
Q

Which of the following keys is used for nonrepudiation?

A) Hash
B) Public key
C) Symmetric key
D) Private key

A

D) Private key

The private key, when used for nonrepudiation, is used to encrypt text that anyone who possesses the public key can decrypt. This assures that only the person owning the private key could have encrypted it, ensuring that he or she is the one who performed the action. Used in this scenario, this does not guarantee confidentiality, but it does provide for nonrepudiation. Symmetric keys and hashes do not provide for nonrepudiation, because they cannot be used to guarantee who sent a message or performed an action. Public keys can be in the possession of anyone and are used in this case to verify that the private key was used to encrypt the text for nonrepudiation.

70
Q

Which of the following disaster recovery technologies is used to help protect you from failures related to a hard disk?

A) Clustering
B) Network load balancing
C) Striping without parity
D) RAID

A

D) RAID

Redundant Array of Independent Disks (RAID) is used to provide for fault tolerance and recovery against disk failures. Striping is used to improve performance but offers no fault tolerance unless used with parity bits. Clustering is used to provide server fault tolerance. Network load balancing is used to enhance network performance through balancing network traffic among servers.

71
Q

You wish to send an encrypted message to Bob. Which of the following is used to encrypt a message sent to Bob in a PKI environment?

A) Hash value
B) Public key
C) Symmetric key
D) Private key

A

B) Public key

Bob's public key is used to encrypt a message for him. Bob would then decrypt the message with his private key. Symmetric keys and hashes are not used to encrypt a message to an individual in a PKI environment. The private key would be used to decrypt, not encrypt, the message in this scenario.

72
Q

All of the following are advantages to using NAT, EXCEPT:

A) Firewalls and other security devices are not required
B) Internal network addresses are hidden from the public
C) Specific network traffic can be sent to a particular internal address and port
D) Public IP addresses can be more effectively used by the organization

A

A) Firewalls and other security devices are not required

Even when using NAT, firewalls and security devices are required on a network boundary. The other choices are all advantages to using NAT.

73
Q

What is the security term for disabling unnecessary services on a system and uninstalling unnecessary software?

A) System reduction
B) Application restriction
C) System hardening
D) Network hardening

A

C) System hardening

System hardening involves disabling unnecessary services and protocols on a host, as well as uninstalling software that is not needed. System reduction, network hardening and application restriction are incorrect. These are nonexistent terms used as distractors.

74
Q

Which of the following terms is defined as something that can cause harm to an asset?

A) Risk
B) Vulnerability
C) Loss
D) Threat

A

D) Threat

A threat is defined as an entity or event that has the potential to cause harm or damage to an asset. A threat could cause the organization to suffer a financial loss. Risk is the possibility that a threat could harm an asset. A vulnerability is a weakness in the system. A loss is what damage occurs when a vulnerability is exploited by a threat.

75
Q

Which of the following is used to verify the integrity of the message?

A) Symmetric key
B) Digital signature
C) Digital certificate
D) Message digest

A

D) Message digest

A message digest, or hash, can be used to verify the integrity of a message by comparing the original hash to one generated after receipt of the message. If the two match, then integrity is assured. If they do not match, then the message was altered between transmission and receipt. Digital certificates contain public keys that are distributed to users. Digital signatures provide for authentication. Symmetric keys are not used to provide for integrity, but confidentiality.

76
Q

Which of the following algorithms is the stronger hashing algorithm?

A) MD5
B) 3DES
C) AES-256
D) SHA-1

A

D) SHA-1

SHA-1 (secure hashing algorithm) generates a 160-bit hash. MD5 is a hashing algorithm that generates a 128-bit hash, which is weaker than SHA-1. 3DES and AES-256 are symmetric encryption algorithms, not hashing algorithms.

77
Q

An example of the risk mitigation strategy that involves transferring risk to another entity would be:

A) Alternate site
B) Service-level agreement
C) Insurance
D) Separation of duties

A

C) Insurance

Insurance is a method of risk transference where the organization pays a premium for the insurance company to assume the risk. If a disaster or event occurs, the organization is paid for its losses. Separation of duties transfers key duties to another individual but does not transfer the risk away from the organization. A service-level agreement between two parties specifies levels of service and support, but the organization still maintains risk. An alternate site is used to transfer operations from a primary site in the event of a disaster, but the risk is still borne by the organization.

78
Q

Which of the following is the most volatile source of evidence and should be collected first during a computer forensics investigation?

A) CD/DVDs
B) Hard disks
C) RAM
D) Swap files

A

C) RAM

RAM is the most volatile source of information and is easily lost. It must be collected first during a computer forensics investigation. The order of volatility, and order of evidence collection, is RAM, swap file, hard disk, and CD/DVDs.

79
Q

What is the term used when two different pieces of data generate the same hash value?

A) Interference
B) Disruption
C) Crossover error
D) Collision

A

D) Collision

A collision occurs when two pieces of plaintext are hashed and produce identical hashes. A crossover error is a reference to biometric authentication factors. Interference refers to wireless networks, and disruption is an invalid term in this context.

80
Q

All of the following are considered secure password creation practices EXCEPT:

A) Passwords must use a mixture of uppercase, lowercase, numbers, and special characters
B) Passwords must not use common dictionary-based words
C) Passwords must be of sufficient length
D) Passwords must include the userid

A

D) Passwords must include the userid

Passwords should not be created that include the user's userid. The other practices listed all contribute to a secure password.

81
Q

Which of the following statements best describes the concept of ‘implicit deny’?

A) Anything that is not specifically allowed is denied by default
B) Anything that is not specifically denied is allowed by default
C) Anything that is not specifically denied is specifically allowed
D) Anything that is not specifically allowed is specifically denied

A

A) Anything that is not specifically allowed is denied by default

Anything that is not specified as allowed is typically denied, with no deny rules necessary. It is implicitly denied, versus explicitly denied. The other statements describe an implicit allow (B), an explicit allow (C), and an explicit deny (D).

82
Q

Which of the following techniques involves sending unexpected or invalid data to an application to determine vulnerabilities?

A) Scanning
B) Fuzzing
C) Cracking
D) Spoofing

A

B) Fuzzing

Fuzzing is an application vulnerability testing technique that sends invalid or unexpected data to the application, with the intent to see if any security vulnerabilities exist. Cracking typically involves passwords, not applications. Scanning usually means network port or service scanning. Spoofing means to masquerade as another entity, usually by spoofing an IP address, MAC address, or user.

83
Q

Which of the following network devices provides centralized authentication services for secure remote access connections?

A) Router
B) VPN concentrator
C) Firewall
D) Proxy server

A

B) VPN concentrator

A VPN concentrator serves as a centralized authentication point for virtual private network connections. None of the other devices listed are used to provide centralized authentication services for secure remote access connections.

84
Q

Which of the following describes an alternate processing site that is instantly available in the event of a disaster?

A) Reciprocal site
B) Warm site
C) Cold site
D) Hot site

A

D) Hot site

A hot site is an alternate processing site that can function almost immediately after a disaster and has equipment and data prepositioned, as well as full utilities. Cold sites have only space and utilities available and take longer to activate. Warm sites have space, utilities, and possibly some equipment and furniture, but still need equipment, personnel, and data transferred, so they cannot be activated instantly. Reciprocal sites are alternate locations provided by and in agreement with another organization and are typically co-located with that organization.

85
Q

Which of the following attacks seeks to introduce erroneous or malicious entries into a server's hostname-to-IP address cache or zone file?

A) DNS poisoning
B) DHCP poisoning
C) ARP poisoning
D) Session hijacking

A

A) DNS poisoning

DNS poisoning involves introducing false entries into a DNS server’s zone file, or a server’s hostname-to-IP address cache, both with the intent of misdirecting a DNS resolution request to a different server or site. ARP poisoning involves introducing false entries into a host’s ARP cache, which maps MAC addresses to IP addresses. DHCP poisoning is a false term, although there are several known DHCP network attacks. Session hijacking involves intercepting and taking over an in-progress communications session between two hosts.

86
Q

Which of the following security measures helps ensure data protection in the event a mobile device is lost or stolen?

A) Remote access
B) Remote destruction
C) Remote wiping
D) Remote encryption

A

C) Remote wiping

Remote drive or disk wiping is used to ensure data protection and confidentiality on a mobile device in the event it is lost or stolen. Remote destruction and remote encryption are invalid terms in this context. Remote access enables a remote user to authenticate to and access an organization's private network.

87
Q

Administrators who grant access to resources by placing users in groups are using which type of access control model?

A) Role-based access control
B) Rule-based access control
C) Mandatory access control
D) Discretionary access control

A

A) Role-based access control

Role-based access control grants access to groups performing specific functions, or roles, but not to individuals. Discretionary access control allows data owners/creators to grant access to individuals or groups. Mandatory access control permits only administrators to grant access, based upon security labels. Rule-based access control grants access to resources based upon specific rules associated with the resource.

88
Q

Which of the following identifies an example of two-factor authentication?

A) Username and password
B) Password and PIN
C) Smartcard and PIN
D) Fingerprint and retina

A

C) Smartcard and PIN

Use of a smartcard and PIN involves the use of two factors: something you have and something you know. All of the other answers involve the use of only one factor type: something you are or something you know, but not used together.

89
Q

Which of the following types of malware is designed to activate after a predetermined amount of time or upon a specific event or date?

A) Rootkit
B) Trojan
C) Adware
D) Logic bomb

A

D) Logic bomb

A logic bomb is a type of malware, usually very difficult to detect, that is designed to activate only after a specific time has passed or a specific date or event has occurred.These other types of malware are not tied to specific dates or events.