Practice Test SYO - 701 General Security Concepts Flashcards

1
Q

Felicia wants to deploy an encryption solution that will protect files in motion as they are copied between file shares as well as at rest, and also needs it to support granular, per‐user security. What type of solution should she select?
Partition encryption

File encryption

Full‐disk encryption

Record‐level encryption

A

B. File encryption meets all of the needs described. Full‐disk encryption is easier to deploy and manage but does not protect individual files in motion and does not effectively support multiuser scenarios. Partition‐level encryption has the same challenges, albeit at a partition rather than full‐disk level. Record‐level encryption is typically used in databases to protect individual records or entries.

2
Q

Valerie wants to use a certificate to handle multiple subdomains for her website, including the sales.example.com and support.example.com subdomains. What type of certificate should she use?

A self‐signed certificate

A root of trust certificate

A CRL certificate

A wildcard certificate

A

D. A wildcard certificate (for example, *.example.com) covers every first‐level subdomain with a single certificate, so sales.example.com and support.example.com are both handled; if only specific hostnames should be covered, a certificate listing each name in its subject alternative name (SAN) extension is the alternative. A self‐signed certificate will not be trusted by browsers and other services, creating confusion for customers. "Root of trust certificate" and "CRL certificate" are not certificate types: a root CA certificate anchors a trust chain, and a certificate revocation list (CRL) is a signed list of revoked certificates, not a certificate that can be installed on a website.

3
Q

What information is analyzed during a gap analysis?

Control objectives and controls intended to meet the objectives

Physically separate networks and their potential connection points

Compensating controls and the controls they are replacing

Security procedures and the policies they are designed to support

A

A. Gap analysis considers control objectives and the controls that are intended to meet the objectives.

4
Q

Susan’s team has recommended an application restart for a production, customer‐facing application as part of an urgent patch due to a security update. What technical implication is the most common concern when conducting an application restart?

Application configuration changes caused by the restart

Whether the patch will properly apply

Lack of security controls during the restart

The downtime during the restart

A

D. In most production environments downtime is the primary concern when considering an application restart. Many application architectures are designed to allow restarts of individual systems or services without creating an outage or downtime. Configuration changes should not be created by a restart, patches generally apply properly, and security controls should be in place throughout the process.

5
Q

Using a tool like git is most frequently associated with what critical change management process?

Having a backout plan

Stakeholder analysis

Version control

Standard operating procedures (SOPs)

A

C. Organizations frequently use tools like git to build repositories that support their need for version control. Backout plans might note that you need to return to the prior version but will need to include how to do so. Stakeholder analysis and SOPs are not specifically supported by or improved by using git.

6
Q

Jacob is concerned that the password used for one of his organization’s services is weak, and he wants to make it harder to crack by making it harder to test possible keys during a brute‐force attack. What is this technique called?

Master keying

Key stretching

Key rotation

Passphrase armoring

A

B. Key stretching makes potentially weak keys more resistant to brute‐forcing and often involves using a hash or block cipher repeatedly to make the original value harder to crack. Key rotation is the process of changing keys on a periodic basis to limit the impact of potential exposure. Master keying and passphrase armoring are not commonly used concepts for information security, although master keys are used for physical locks.

7
Q

Log monitoring is an example of what control category?

Technical

Managerial

Operational

Physical

A

C. Operational controls like log monitoring, change management processes, and vulnerability management are all put in place to support managing and using technology in a secure manner.

8
Q

Rick wants to make offline brute‐force attacks against his password file very difficult for attackers. Which of the following is not a common technique to make passwords harder to crack?

Use of a salt

Use of a pepper

Use of a purpose‐built password hashing algorithm

Encrypting password plain text using symmetric encryption

A

D. Retaining the actual password is not a best practice, and thus encrypting password plain text is not a common technique to make passwords harder to crack. Since the application would need the cryptographic key to read the passwords, anybody who had access to that key could decrypt the passwords. Using a salt, a pepper, and a cryptographic hashing algorithm designed for passwords are all common best practices to prevent offline brute‐force attacks.

9
Q

Diffie–Hellman and RSA are both examples of what important encryption‐related solution?

Rekeying

Certificate revocation protocols

Key exchange algorithms

Key generation algorithms

A

C. Both Diffie–Hellman and RSA are used for key exchange: Diffie–Hellman is a key agreement protocol in which both parties contribute to a shared secret that is never sent over the wire, while RSA is used for key transport, where one party encrypts a session key under the other party's public key. In both cases the goal is to establish a shared symmetric key between users or systems that have not previously communicated. On its own, neither authenticates the parties, which is why protocols such as TLS combine the exchange with certificate‐based signatures to stop a man‐in‐the‐middle from substituting their own values.
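The Diffie–Hellman exchange described above, as an added example that is not part of the original question set. Both sides keep a private exponent, publish only g^a mod p and g^b mod p, and arrive at the same key; an eavesdropper who captures the wire values has only the discrete‐log problem to work with. The group parameters below (p = 2^127 − 1, g = 5) are constructed for the demo and are far too small for real use; the public‐value check and the final hashing step are the two things a practitioner most often forgets.

```python
import hashlib
import secrets

# Demo-only group (constructed for this example): p = 2**127 - 1 is a Mersenne
# prime, g = 5. Real deployments use a standardized group (RFC 7919 ffdhe2048
# or larger) or an elliptic-curve variant such as X25519, never a home-made one.
P = 2**127 - 1
G = 5


def keypair() -> tuple[int, int]:
    """Private exponent a in [1, p-2] and the public value g^a mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(my_priv: int, peer_pub: int) -> bytes:
    """Derive the session key from the peer's public value and our private one."""
    # Reject degenerate public values (0, 1, p-1): a peer who sends one of these
    # forces the shared secret into a tiny, guessable set.
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    s = pow(peer_pub, my_priv, P)
    # Never use the raw group element as a key; run it through a KDF first.
    return hashlib.sha256(s.to_bytes(16, "big")).digest()


def rejects_degenerate(peer_pub: int) -> bool:
    """True if the public-value check refuses this peer value."""
    try:
        shared_key(1, peer_pub)
    except ValueError:
        return True
    return False


def exchange() -> tuple[bytes, bytes, dict]:
    """Run the protocol; returns both sides' keys and what the wire carried."""
    alice_priv, alice_pub = keypair()
    bob_priv, bob_pub = keypair()
    wire = {"alice->bob": alice_pub, "bob->alice": bob_pub}  # all an eavesdropper sees
    k_alice = shared_key(alice_priv, bob_pub)   # Alice: (g^b)^a mod p
    k_bob = shared_key(bob_priv, alice_pub)     # Bob:   (g^a)^b mod p
    return k_alice, k_bob, wire


if __name__ == "__main__":
    ka, kb, wire = exchange()
    print("keys match:", ka == kb, "| wire carried:", wire)
```

Nothing in the exchange proves who sent the public values, so an active attacker can run two exchanges, one with each side, and relay between them; that is the gap TLS closes by signing the exchange with the server's certificate.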

10
Q

Sally wants to ensure that her change management process includes a procedure for what to do if the change fails. What should she create to handle this possibility?

An impact analysis

A backout plan

A regression test

A maintenance window

A

B. Backout plans document what to do to return to a state prior to the change being made and are designed to be implemented if the change fails. They may involve undoing changes, restoring from backups, or taking other steps and they must contain an appropriate level of detail to ensure that the change can be undone. An impact analysis looks at the potential impact of a change, regression testing ensures that old issues are not introduced in new updates, and maintenance windows are scheduled to allow for downtime or other maintenance activities with appropriate communications, staffing, and other needed elements.

11
Q

Carol wants to obfuscate data that is contained in her database. She wants to be able to refer to the data elements without having the actual data exposed. What type of obfuscation option should she select?

Tokenization

Encryption

Data masking

Data randomization

A

A. Tokens replace data with a value that is linked specifically to the data, allowing it to be referenced and used without the field being exposed. Encryption is not used for this purpose, data masking hides elements of a data field like digits from a credit card number, and data randomization is not an obfuscation method.
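The difference between tokenization and masking, as an added example (not part of the original question set): a token vault hands back a random surrogate that the application can store and join on, and only the vault can reverse it, while a mask irreversibly hides digits for display. The in‐memory vault, the sample card number (4111 1111 1111 1111, a well‐known test number) and the order record are all constructed for the demo.

```python
import secrets


class TokenVault:
    """Maps surrogate tokens to real values. In practice this runs as a separate,
    tightly access-controlled service; here it is an in-memory stand-in."""

    def __init__(self) -> None:
        self._value_by_token: dict[str, str] = {}
        self._token_by_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Deterministic: the same value always gets the same token, so the
        # application can still join, group and search on the token column.
        if value in self._token_by_value:
            return self._token_by_value[value]
        while True:
            token = "tok_" + secrets.token_hex(8)  # random, derived from nothing
            if token not in self._value_by_token:
                break
        self._value_by_token[token] = value
        self._token_by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers authorized to reach the vault can reverse a token."""
        return self._value_by_token[token]


def mask_pan(pan: str) -> str:
    """Data masking by contrast: irreversible, keeps only the last four digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def store_order(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the application database actually holds: no card number at all."""
    return {"card_token": vault.tokenize(pan),
            "card_display": mask_pan(pan),
            "amount": amount}


if __name__ == "__main__":
    vault = TokenVault()
    print(store_order(vault, "4111 1111 1111 1111", 42.00))
```

Deterministic tokens keep referential integrity but let an observer count how often the same card appears; if that matters, issue a fresh token per use and keep the mapping one‐to‐many in the vault.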

11
Q

Charles wants to reduce the threat scope of compromised credentials. What type of the following security controls is best suited to meeting this need?

Single sign‐on

Federation

Zero trust

Multifactor authentication (MFA)

A

C. Zero trust designs implement continuous verification, which is an effective control used to limit the threat scope of compromised credentials. While multifactor authentication can be a useful control in this circumstance, a fully implemented zero‐trust design will provide greater control than just MFA alone. Single sign‐on and federation are both likely to increase threat scope in a compromised credential scenario.

12
Q

What key is used to decrypt information sent by another individual between two people using public key encryption?

The recipient’s private key

The recipient’s public key

The sender’s private key

The sender’s public key

A

A. The sender uses the receiver’s public key to encrypt the message, then the receiver uses their private key to decrypt the message. This ensures that the receiver is the only person who can decrypt a message sent using public key encryption.

13
Q

Greg wants to implement a version control system to ensure that changes are made in ways that will not cause problems for his organization’s critical software. Which of the following is not a common feature of version control systems designed for software source code?

Atomic operations

File locking

Regression testing

Tagging and labeling

A

C. Version control systems track versions but don’t do testing themselves. Atomic operations ensure that actions like commits don’t overwrite other commits in progress. File locking allows a developer to check out a file while it is being worked on, and tagging and labeling helps developers track files and versions.

14
Q

What hardware component is used to generate, store, and manage cryptographic keys?

A CPU

A NSA

A TPM

A CCA

A

C. A TPM, or trusted platform module, is a hardware‐based cryptographic processor that is used to generate, store, and manage cryptographic keys. It is also used to help ensure platform integrity by recording measurements of each boot stage so that the boot process can be validated and attested. A CPU is the main processor for a system, NSA is the National Security Agency, and a CCA is a chosen ciphertext attack, a type of attack against cryptographic systems in which the attacker can obtain the decryption of ciphertexts of their choosing and uses the results to recover keys or other plaintexts (an attacker who can instead obtain encryptions of chosen text is mounting a chosen plaintext attack).

15
Q

Chris wants to check to see if a certificate has been revoked. What protocol can he use to validate the current status of a certificate?

TLS

OCRS

SSL

OCSP

A

D. The Online Certificate Status Protocol (OCSP) is used to validate certificate status, including checking to see if the certificate is on a certificate revocation list (CRL). TLS is Transport Layer Security, a protocol used to encrypt data in transit between systems that relies on cryptographic certificates, but it is not used to validate the status of certificates on a CRL. Despite SSL itself being outmoded, the term SSL is commonly used to refer to TLS—but here, neither TLS nor SSL is the right option. OCRS was made up for this question.

16
Q

Brian’s organization uses a process where a secure module boots systems, then monitors them as each boot stage proceeds. It validates each signed boot stage and reports on whether the boot process was correct or not when complete. What is the secure module used to verify these stages called?

A

B. A root of trust–based secure boot process validates each signed component as it starts and ensures that the trusted components are all loaded as part of the boot process. Changes to the components are reported as exceptions, meaning that the boot process cannot be properly verified or trusted. Secure initiation manager, boot hash, cryptographic boot manager were made up for this question.
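How a root of trust turns a sequence of boot stages into something that can be verified, as an added example (not part of the original question set): each stage is hashed and "extended" into a register the way a TPM platform configuration register (PCR) works, so the final value depends on every stage and on their order, and a verifier compares it with a known‐good value. The stage images and the golden value are constructed for the demo; a real verifier also checks that the report is signed by the TPM's attestation key.

```python
import hashlib

PCR_SIZE = 32  # a SHA-256 PCR bank


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || measurement).
    One-way and order-sensitive, so a value can be appended but never rewound."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(stages: list[bytes]) -> bytes:
    """Each stage measures the next before handing control to it, starting
    from the hardware root of trust; the PCR is all zeros after reset."""
    pcr = bytes(PCR_SIZE)
    for image in stages:
        pcr = extend(pcr, hashlib.sha256(image).digest())
    return pcr


# Constructed stand-ins for the firmware, bootloader and kernel images.
KNOWN_GOOD_STAGES = [b"firmware 1.0", b"bootloader 2.3", b"kernel 6.1.0"]
GOLDEN_PCR = measure_boot(KNOWN_GOOD_STAGES)


def boot_was_trusted(reported_pcr: bytes) -> bool:
    """What the attestation verifier does: compare the reported PCR with the
    expected value. Any changed, missing or reordered stage yields a different
    digest, and the one-way extend means it cannot be patched back afterwards."""
    return reported_pcr == GOLDEN_PCR


def verify_boot_report(stages: list[bytes]) -> dict:
    """Measure a boot and report the result the way an attestation service would."""
    pcr = measure_boot(stages)
    return {"pcr": pcr.hex(), "trusted": boot_was_trusted(pcr)}


if __name__ == "__main__":
    print(verify_boot_report(KNOWN_GOOD_STAGES))
    print(verify_boot_report([b"firmware 1.0", b"bootloader 2.3", b"kernel 6.1.0-modified"]))
```

Secure boot and measured boot are complementary: secure boot refuses to run a stage whose signature does not verify, while measurement records what actually ran so that a remote party can decide whether to trust the machine afterwards.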

17
Q

A vulnerability scan shows that an embedded device that Alice is responsible for has a vulnerability. She knows the vendor is no longer in business and that there is no updated firmware or software update for the device. To resolve the issue, Alice places a firewall between the device and the rest of the network and creates rules that prevent the vulnerable service from being available to other devices. What type of control has Alice deployed?

A

Alice has deployed a compensating control since she cannot apply controls like patching, configuration, or updates. Directive controls provide formal directions to staff, detective controls detect issues rather than preventing them directly, and procedural controls are not a type of control type used on the Security+ exam.

18
Q

Jason knows that his Apple system uses a separate portion of its SoC (system on chip) to store keys and biometric information. What is this specialized component called?

A TPM

A HSM

A secure enclave

A screened subnet

A

C. Apple devices use a specialized, separate coprocessor that uses encrypted memory and storage as well as dedicated cryptographic functions called a secure enclave. This is distinct from a TPM or HSM, and a screened subnet is a networking concept for a space that will be exposed to the less secure zones while needing to remain secure.

19
Q

Jack knows that there are three common types of database encryption. Which of the following is not a common type of database encryption?

Sensitivity‐based encryption

Transparent data encryption

Field‐level encryption

Column‐level encryption

A

A. Transparent data encryption, field‐level, and column‐level encryption are all common types of database encryption. Sensitivity‐based encryption is not and was made up for this question.

20
Q

Renee wants to ensure that her logs support nonrepudiation. What should she do to ensure this?

Encrypt, then hash the logs.

Hash the logs and then digitally sign them.

Digitally sign the log file, then encrypt it.

Hash, then encrypt the logs.

A

B. Hashing the log file produces a digest that can be compared against other copies to confirm that they match, and digitally signing that digest with the logging system's private key lets anyone holding the matching public key verify who produced the log and that it has not been altered since, which is what nonrepudiation requires. Encryption alone provides confidentiality, not proof of origin, and a bare hash can simply be recomputed by anyone who alters the log, so without a digital signature a hash does not meet Renee's requirement.

21
Q

What are considerations like database and network connectivity, authentication system access, and network time availability considered in the context of change management processes?

Allowed services

Standard operating procedures

Denied services

Dependencies

A

D. Database and network connectivity, authentication system access, and network time availability are all common dependencies that must be considered when making changes. Applications and services may fail to start properly if these dependencies are not available when they attempt to start.

22
Q

What role does the policy engine play in a zero‐trust environment?

It creates new administrative policies based on user behavior.

It grants access based on policies created by administrators and based on security systems data.

It enforces policies by monitoring connections between clients and servers.

It suggests new administrative policies based on usage patterns for adoption by the organization.

A

B. Policy engines decide whether to grant access to resources based on policies created by administrators and based on data provided by tools like endpoint detection and response tools, threat intelligence feeds, and security information and event management tools. It does not create or suggest administrative policies, and it does not directly enforce policies—that occurs at a policy enforcement point, typically through a zero‐trust agent on the client and at the resource or service side.

23
Q

Damian issues the following command on his Linux server:

openssl req -new -newkey rsa:2048 -nodes -keyout exampleserver.key -out exampleserver.csr

What has he done?

A

Damian has generated a new 2048‐bit RSA private key and a certificate signing request (CSR) for it in one step. The -newkey rsa:2048 option creates the key, -keyout exampleserver.key writes it out, and -nodes ("no DES") leaves that key file unencrypted, so it must be protected by file permissions rather than a passphrase; -new together with -out exampleserver.csr produces the request, which contains the public key and the subject details he is prompted for and is signed with the new private key. He can now submit exampleserver.csr to a certificate authority (CA); the private key itself never leaves his server.

24
Q

Nick’s organization sets aside Saturday nights from 2 a.m. to 4 a.m. for scheduled maintenance. What is this type of reserved time typically called?

A

Preplanned times when maintenance is done and outages may occur is known as a maintenance window.

25
Q

Megan wants to assess the impact of a change as part of her change management process. Which of the following is most likely to help her assess impact?

A backout plan

An estimate of the downtime expected

A list of stakeholders

A list of dependencies for impacted systems

A

B. An estimate of the downtime expected as part of the change will help Megan to assess the impact of the change on her organization’s business operations. A backout plan is useful if something goes wrong and can help estimate impact if that happens, but it does not identify impact under normal circumstances. A list of stakeholders can help when communicating with stakeholders to notify them of what will occur, but without the estimate of downtime, Megan will not be able to ask them what the impact would be. Finally, a list of dependencies is helpful to ensure that the change does not have unexpected issues and can help with the impact assessment to determine if other systems may be impacted, but the downtime expected remains the most important item.

26
Q

Michelle believes that an image she has discovered in an attacker’s directory of files contains additional information that has been hidden in it. What is this type of obfuscation called?

Steganography

Image hashing

PNG warping

Image blocking

A

A. Steganography is the art of hiding additional data in images. Michelle can use steganography detection tools to attempt to find the data, but attackers may use custom tools that could avoid detection as well. The other options were made up for this question.

27
Q

Yasmine submits the Windows BitLocker key to a central repository after she encrypts the machine. The central repository allows files to be uploaded, but not read, and is protected with access requiring special permissions. What type of solution is Yasmine’s company using?

A hardware security module

Perfect forward secrecy

Key escrow

Private keys

A

C. Yasmine’s company has implemented a key escrow process where encryption keys are retained by the organization in case the files on the drive need to be accessed by someone with proper authority. A hardware security module (HSM) is a hardware device used to create and store encryption keys, among other encryption‐related functions. Perfect forward secrecy (PFS) is a property of key exchange in which each session uses a fresh, ephemeral key, so that compromise of a long‐term key does not expose previously recorded sessions; it has nothing to do with storing recovery keys. Private keys are part of asymmetric encryption schemes and do not reflect the full solution Yasmine’s organization is using.

28
Q

Valerie wants to authenticate her systems using her AAA system. Which of the following options is best suited to system authentication?

Asymmetric authentication

Certificate‐based authentication

Symmetric authentication

PIN‐based authentication

A

B. Certificates are commonly used for system authentication in AAA systems. While asymmetric and symmetric are forms of encryption, they are not authentication schemes, and PIN‐based authentication is not commonly used for system authentication.

29
Q

Valentine wants to detect if an intruder has accessed a secured file server. Which of the following techniques will work best with a data loss prevention tool to identify data exfiltration?

A honeypot

A honeynet

A honeyfile

A honeytoken

A

C. Honeyfiles are files that are intentionally made to look attractive while being configured for detection by data loss prevention and intrusion prevention/detection systems. A honeypot is an intentionally vulnerable system that is used to monitor attacker behavior and techniques for analysis. Honeynets are networks that are configured to be intentionally vulnerable and that operate much like honeypots at a network level. Honeytokens are pieces of fake data, such as credentials or database records, that serve no legitimate purpose and are monitored so that any use of them signals that an attacker has captured them.

30
Q

Frankie wants to validate the integrity of a file by comparing it against an original copy. Which of the following solutions both fulfills this requirement and avoids known security issues?

Hash the original file and the current file using MD5 and compare the hashes.

Hash the original file and the current file using SHA‐1 and compare the hashes.

Hash the original file and the current file using SHA‐256 and compare the hashes.

Hash the original file and the current file using AES and compare the hashes.

A

C. SHA‐256 is the current, widely supported secure hashing standard. Practical collision attacks exist against MD5, and chosen‐prefix collisions have been demonstrated against SHA‐1, so neither should be relied on where an attacker could substitute a crafted file with a matching hash; SHA‐256 is the preferred option whenever it is available. The comparison only proves integrity if the reference hash itself came from a trusted source, since an attacker who can replace the file can usually replace a hash published next to it. The Advanced Encryption Standard (AES) is used for encryption, not hashing.

31
Q

Joanna’s organization has a policy that requires a user’s password to be immediately reset to lock accounts if the account is determined to have been successfully phished. What type of control is this?

A detective control

A directive control

A compensating control

A preventive control

A

B. Policies are examples of directive controls. This could also be considered a corrective control, but that is not one of the options listed. Detective controls identify security events that have already occurred, and this does not detect the compromised account; it directs what must happen afterward. A compensating control mitigates risks due to exceptions in the security policy, such as a violation of policy due to an inability to implement a specific technical control like patching. A preventive control attempts to stop a security issue before it occurs. Here, the issue has already occurred. The policy, a directive control, tells staff what to do, and the action of locking the account is a corrective control.

32
Q

Jackie wants to implement an AAA system for her network. What AAA protocol is commonly used for network devices?

OpenID

SAML

RADIUS

TANGENT

A

C. RADIUS is commonly used for AAA for network devices. OpenID and SAML are more commonly associated with federated services, and TANGENT is not an AAA protocol or server.

33
Q

Valerie’s organization has deployed a zero‐trust solution, and Valerie receives an authentication prompt when she is attempting to access a file server. What component of the zero‐trust architecture is she interacting with?

A policy enforcement point

A policy administrator

The policy engine

The trust manager

A

A. Valerie is interacting with a policy enforcement point, the agent and resource‐side elements that validate trust by requiring authentication and authorization before allowing access to a resource. The policy enforcement point will validate her access through the policy engine, which will be configured by the policy administrator. Trust managers are not a typical component of the zero‐trust model.

34
Q

Quentin wants to deploy a single sign‐on system to allow his users to log in to cloud services. Which of the following technologies is he most likely to deploy?

OpenID

Kerberos

LDAP

TACACS+

A

A. OpenID is an open standard for decentralized authentication that is used by many cloud service providers. Kerberos, LDAP, and TACACS+ are all most commonly associated with on‐site usage.

35
Q

Theresa wants to use a cloud‐hosted security solution that will allow her to safely store and manage secrets. What type of solution should she select?

A TPM

A CA

A KMS

A CSR

A

C. A KMS, or key management system, is a solution that allows you to safely store and manage secrets like keys and certificates. Centralizing a KMS allows organizations to effectively manage their secrets, including tracking their life cycle and rotation. A TPM is used for hardware security on physical systems, a CA is a certificate authority used to create and sign certificates, and a CSR is a certificate signing request.

36
Q

What role does a subordinate CA have in a CA hierarchy?

Subordinate CAs issue certificates based on subdomains.

Subordinate CAs provide control over certificate issuance while avoiding the cost of being a root CA.

Subordinate CAs validate root CA activities to ensure auditability.

Subordinate CAs review certificate signing requests before forwarding them to the root CA.

A

B. Subordinate CAs avoid the cost of maintaining a root CA while providing control over certificates that are issued and allowing specialized support for different types of certificates like TLS (SSL) server certificates and S/MIME certificates. Keeping the root CA offline and issuing only through subordinates also limits the damage if an issuing CA is compromised. Subordinate CAs can issue certificates for any allowed domain or subdomain, are not required to ensure auditability, and can sign certificates themselves.

37
Q

What purpose do third‐party certificates serve for customers of cloud services?

They reduce costs by using bring‐your‐own certificates.

They allow certificates for domains other than the service provider’s domain.

They provide control over cryptographic security for the customer.

They allow more flexibility in TLS version selection.

A

C. Third‐party certificates allow customers to have full control over the certificate, including the private key and certificate signing request. By bringing your own certificate, encrypted traffic cannot be decrypted by the cloud provider, provided the customer keeps the private key (for example, by terminating TLS on its own systems); if the private key is uploaded to the provider’s load balancer, the provider can still decrypt traffic, although the customer retains control over issuance, rotation, and revocation. Using provider‐provided or ‐created certificates leads to a potential risk if the provider is malicious or compromised and private keys managed by the provider are compromised. Bringing your own certificate does not necessarily reduce costs. Providers typically allow certificate signing requests for customer domains and subdomains as needed and supported by the service.

38
Q

Skip wants to implement a deterrent control to prevent physical security issues for his organization. Which of the following controls should he select?

A fence

A generator

Access badges

A camera system

A

A. Fencing is considered a deterrent because it will discourage potential intruders from accessing facilities. Generators are used to ensure availability and are a preventive control. Access badges are a technical and preventive control in most cases. A camera system is a detective, technical control.

39
Q

What holds the position of the root of trust in a certificate chain?

A hardened hardware device

A TPM

A root certificate

A wildcard certificate

A

C. The root certificate, or top certificate for a certificate chain, is the root of trust of the chain, and it must be kept secure so the entire certificate and CA hierarchy can be trusted. Hardened hardware devices may be used to store it, but they are not the actual root itself. A TPM is used to store system‐specific security data, and wildcard certificates cover more than one subdomain for an organization.

40
Q

Annie notices that her browser shows that the certificate for the site she is visiting is not valid. After performing some checks, she sees that the certificate is on the CA’s certificate revocation list. Which of the following is not a reason for a certificate to be on a CRL?

The CA is compromised.

The certificate’s private key was compromised.

The certificate was signed with a stolen key.

The certificate expired.

A

D. Certificates expire, but expiration does not place them on a CRL. That avoids extremely long CRLs in most cases, and the expired certificate contains sufficient information to know that the certificate is expired without being on a CRL. Reasons to add a certificate to a CRL include the CA being compromised, the certificate’s private key being compromised, a mis‐issued certificate, certificate detail changes that require a reissued certificate, or certificates that were fraudulently signed, typically by a subordinate CA that was exploited or had poor practices.

41
Q

Mikayla’s zero‐trust system has received a request for access with an identity, and the basic criteria for access have been met. What should the system do next before providing access to the resource requested?

Check the remote system’s security status.

Require reauthentication using MFA.

Check the user’s rights to ensure they can access the resource.

Determine its level of confidence in the request.

A

D. A zero‐trust system should validate its level of confidence in a request that it receives once the basic criteria have been met. This may involve checking the access against known patterns of access by the user, validating current threat feed information, or checking other details that will help ensure the security and authenticity of the request.

42
Q

Charles sets up an RDP server on an isolated network segment and places a file on it called passwords.xlsx. He then configures his IPS and DLP systems to monitor for that file exiting the network segment. What type of tool has Charles deployed?

A honeyfile

A SQL trap

A red flag

A trigger file

A

A. While many honeyfiles use canary tokens, simply monitoring for known files exiting systems that should not be accessed under normal circumstances is also a valid means to construct a honeypot and honeyfile‐based detection system. Charles can use the file and the isolated system to detect attackers who attempt to exfiltrate the file. The other answers were made up for this question.

43
Q

Lucca is using precomputed rainbow tables to attempt to crack hashed passwords from a data breach. He knows that two users have the same password, but the hashes do not match. What password hash security technique has Lucca most likely encountered?

Password encryption

Salting

Hash rotation

Password mismatching

A

B. Salting adds a unique, randomly generated value to each password before it is hashed, and the salt is stored alongside the hash. Matching passwords therefore produce different hashes, and a rainbow table precomputed for unsalted hashes is useless against them: an attacker would have to build a separate table for every salt, which removes the precomputation advantage entirely. Salting does not by itself slow down a targeted brute force of a single hash; that is the job of key stretching.

44
Q

Isaac is concerned that the passwords that his users are creating are too short and can be easily brute‐forced if their hashes were compromised. Rather than make his users remember longer passwords, he would like to implement a technical solution to help make the hashes more resistant to cracking. What solution can he use to help with this?

Implement pass‐the‐hash algorithms.

Use a collision‐resistant hashing algorithm.

Implement key stretching techniques.

Encrypt passwords rather than hashing them.

A

C. Implementing key stretching techniques can help short—and thus weak—passwords resist brute‐force hash cracking techniques. They won’t help against brute‐force password guessing attacks, so Isaac will need to implement other controls against that type of attack. Pass‐the‐hash attacks reuse hashes, and thus aren’t a technique used to prevent brute‐force attacks against hashed passwords. Collision resistance is a requirement for an effective hashing algorithm and should be part of any password hash storage implementation. Encrypting passwords is not a recommended practice because it leaves passwords in the hands of the organization rather than hashes and requires the organization to decrypt passwords to check them when they are used, creating frequent opportunities for exposure.
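Salting, peppering and key stretching together, as an added example (not part of the original question set) covering the earlier password questions as well as this one: a per‐password salt means two users with the same password get different hashes, a server‐side pepper means leaked hashes cannot even be attacked without a second secret, and the PBKDF2 iteration count makes every attacker guess proportionally more expensive. The pepper value, the iteration count and the sample passwords are constructed for the demo; the ratio function measures the stretching cost on whatever machine runs it.

```python
import hashlib
import hmac
import os
import time

# Constructed demo pepper. A real pepper is a server-side secret kept in a
# secrets manager or HSM, never in the database alongside the hashes.
PEPPER = b"demo-pepper-not-for-production"
# Work factor for PBKDF2-HMAC-SHA256. OWASP currently recommends 600,000
# iterations; lowered here so the demo runs quickly.
ITERATIONS = 100_000


def _pepper(password: str) -> bytes:
    """Keyed pre-hash: without the pepper an attacker cannot even start guessing."""
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, iterations: int = ITERATIONS) -> dict:
    """Salt (per password, stored) + pepper (server secret) + stretching."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _pepper(password), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", _pepper(password),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_different_hashes(password: str) -> bool:
    """Why a rainbow table fails: identical passwords, different salts, both still verify."""
    a, b = hash_password(password), hash_password(password)
    return (a["hash"] != b["hash"]
            and verify_password(password, a)
            and verify_password(password, b))


def guess_cost_ratio(password: str, low: int = 1_000, high: int = 100_000) -> float:
    """Key stretching: how much more each attacker guess costs at the higher
    work factor. Absolute timings are machine-dependent; the ratio tracks high/low."""
    record_low = hash_password(password, low)
    record_high = hash_password(password, high)

    def cost(record: dict) -> float:
        best = float("inf")
        for _ in range(3):  # take the best of three to damp scheduler noise
            t0 = time.perf_counter()
            verify_password("wrong guess", record)
            best = min(best, time.perf_counter() - t0)
        return best

    return cost(record_high) / cost(record_low)


if __name__ == "__main__":
    print("same password, different hashes:", same_password_different_hashes("hunter2"))
    print("cost per guess at 100k vs 1k iterations: %.0fx" % guess_cost_ratio("hunter2"))
```

The iteration count is stored with each record so it can be raised later and old hashes upgraded at next login; a purpose‐built algorithm such as Argon2id or bcrypt is preferred over PBKDF2 where available because it also resists GPU and ASIC cracking.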

45
Q

Christina wants to implement access badges printed with picture IDs for her organization, but she wants to use a wireless reader. What access badge technology is commonly implemented in scenarios like this?

Wi‐Fi‐enabled access badges

RFID access badges

Bluetooth‐enabled access badges

NFC access badges

A

B. RFID badges are the most commonly implemented wireless identification badges. Wi‐Fi and Bluetooth both require additional power for devices and thus are not a good fit for a badge, and NFC‐enabled badges have not come into common use at this time, although they are increasingly available for mobile device–enabled badges.

46
Q

Which of the following is not a common factor in adaptive authentication for zero trust?

Where the user is logging in from

Whether the user has logged in recently from another device

What device the user is logging in from

If the device is configured correctly

A

B. Adaptive authentication looks at the context of a login, including where the user is logging in from (both geographically and from a network trust perspective), what device they are logging in from, and whether the device is configured correctly. In modern, multidevice usage, whether the user has logged in recently from another device isn’t as likely to be considered, but if the devices were in different countries it would likely raise a flag!

47
Q

Juan’s organization is designing their zero‐trust model. Which of the following statements is true for network security zones?

All communication is secured, regardless of the network security zone it occurs in.

Communication receives additional security in low‐trust zones.

Communication receives less security in high‐trust zones.

All zero‐trust networks are considered secured zones.

A

A. One of the basic tenets of zero‐trust architecture is that all communication is secured, regardless of the security zone or trust zone that it occurs in. Additional security should not be required, nor should communications receive less security in higher trust zones. All zero‐trust networks are considered potential risk areas—thus the zero in zero trust!

48
Q

What advantage do microwave sensors have over infrared sensors?

They can detect heat signatures.

They are cheaper than infrared sensors.

They can penetrate some types of walls.

They do not interfere with sensitive equipment.

A

C. Microwave sensors work in temperature ranges that infrared sensors do not, and they can penetrate walls and some small spaces, allowing more complete coverage. Microwave sensors cannot detect heat signatures, are not cheaper than infrared sensors, and can interfere with some types of sensitive equipment.

49
Q

Michelle wants to store secrets for her organization in a cloud service. She wants to ensure the greatest level of security for her organization, and she is willing to spend more money to provide that security. What solution should she look for?

A shared cloud TPM

A shared cloud HSM

A dedicated hardware cloud TPM

A dedicated hardware cloud HSM

A

D. A dedicated, hardware‐based, cloud‐hosted hardware security module (HSM) is an appropriate solution for Michelle’s needs. Cloud providers often provide shared HSMs as a service, which can increase perceived risk due to the shared underlying hardware. Dedicated hardware is typically available at a higher cost. Trusted platform modules (TPMs) are used to provide secure boot and related services, not to store secrets for an organization.

50
Q

Rick checks the certificate for the site he is viewing and sees that it reads *.example.com. What type of certificate is this, and why is it in use?

It is a self‐signed certificate, and it is used for testing purposes.

It is a wildcard certificate and is used for testing purposes.

It is a wildcard certificate and is used for multiple subdomains.

It is a self‐signed certificate and is used for multiple subdomains.

A

C. Wildcard certificates have a * in them, denoting that they can be used for any subdomain. For example, in this question, the wildcard would match any *.example.com subdomain like test.example.com and sales.example.com. Self‐signed certificates will not link to a root or intermediate CA, and thus cannot be verified with CAs.

51
Q

John wants to write a procedure that addresses what to do if an employee inadvertently discloses their password due to a phishing attempt. What type of control is John considering?

A directive control

A proactive control

A deterrent control

A preventive control

A

A. Policies and procedures are examples of directive controls. Deterrent controls attempt to dissuade attackers from taking action. Preventive controls attempt to stop security issues from occurring. Proactive controls are not a control category used on the Security+ exam.

52
Q

Jim wants to implement an authentication framework for his wireless network. Which of the following is most commonly used for wireless network authentication?

EAP

MS‐CHAP

Kerberos

LDAP

A

A. EAP is commonly used for authentication to wireless networks. MS‐CHAP is used with PPTP‐based VPNs, Kerberos is used for organizationwide authentication, and LDAP is used as part of authentication in Microsoft Active Directory domains, among other uses.

53
Q

Anna has been told that her organization has deployed microwave sensors in the organization’s warehouses. What are microwave sensors most frequently used to detect?

A

Microwave sensors are commonly used to detect motion. They have advantages over infrared sensors because they work across a greater temperature range and can travel through some obstacles that infrared cannot penetrate.

54
Q

When is data on a drive that uses full‐disk encryption at the greatest risk?

During the system boot process

When the system is off

When the system is logged in and in use

When the system is being shut down

A

C. In order for a drive to be used, it must be accessible to the operating system, meaning that when the system is logged in and in use, its data can be accessed. When a full‐disk‐encrypted system is booting but not yet logged in, or when it is being shut down, it is typically not in a greater risk state, and it is most secure when shut down.

55
Q

What data obfuscation technique relies on a lookup table that allows you to match the data you want to secure to a randomly generated value to ensure that the actual value is not easily accessible?

A

B. Tokenization commonly uses randomly generated values that are assigned to replace existing known values. The token is stored in a lookup table, allowing the token to be checked against the table if needed. Hashing relies on a hash function, which is not mentioned here; randomization is not a data obfuscation technique; and masking replaces some or all of a sensitive field with a replacement character to ensure the data is unreadable when displayed.

56
Q

Which of the following is not a step taken when a transaction is entered in a blockchain?

The value of the block is determined.

The transaction is sent to a peer‐to‐peer network of computers.

The transaction is validated using equations.

A transaction history is maintained as part of the blockchain.

A

A. While cryptocurrency is a common use of blockchain technology, it isn’t the only use. Values of blocks are not determined as part of transactions—in fact, even in cryptocurrency uses, values are determined by prices set on exchanges as sellers and buyers exchange cryptocurrencies.

57
Q

Yariv discovers that he has exposed his private key to other users in his organization by sending it via email instead of his public key. What should he do?

Ask the other users to delete any copies of his private key that they may have.

Immediately add his key to a CRL and reissue the key.

Create a new keypair and notify others that he has replaced his keypair.

Continue to operate as normal as long as the private key was not used maliciously.

A

C. Once a private key has been exposed, it should not be considered secure, even in an organization of trusted users. Since Yariv exposed his private key via email, he cannot ensure that it is not available in another user’s email archives, and he must immediately create a new keypair and advise individuals that he works with of his new public key.

58
Q

Julia wants to detect if an intruder enters a space using a sensor system. Which of the following is not typically used to detect intruders?

Infrared sensors

Pressure sensors

Microwave sensors

Ultrasonic sensors

A

C. Microwave sensors are not commonly used to detect intruders. Infrared and ultrasonic sensors are commonly used, and pressure sensors may be used in special circumstances.

59
Q

What can a root SSL (TLS) certificate do?

Remove a certificate from a CRL

Generate a signing key and use it to sign a new certificate

Authorize new CA users

Allow key stretching

A

B. Root certificates are at the root of trust in a CA hierarchy and allow signing keys to be created and used to sign certificates. They are not used to authorize new CA users or to remove certificates from a CRL. Key stretching is used to make weak keys stronger, not as part of cryptographic certificates.

60
Q

Christina wants to authenticate individuals as part of her AAA implementation. What will she need to do to authenticate users?

Match users to roles and ensure that rights are assigned.

Conduct biometric enrollments for every user.

Use identity proofing for each user she creates.

Ensure that users provide an identity and one or more authentication factors.

A

D. Authentication requires that users provide (claim) an identity and then provide one or more authentication factors like a password, biometric factor, or multifactor code. Authorization relies on matching users and roles to allow users to perform tasks once they are authenticated. Biometric enrollments and identity proofing may be desirable but are not necessarily required for any given authentication system.