Practice Test SYO-701 Security Architecture Flashcards

1
Q

Enrique is concerned about backup data being infected by malware. The company backs up key servers to digital storage on a backup server. Which of the following would be most effective in preventing the backup data being infected by malware?

Place the backup server on a separate VLAN.

Air gap the backup server.

Place the backup server on a different network segment.

Use a honeynet.

A

B. Air gapping refers to the server not being on a network. This means literally that there is “air” between the server and the network. This prevents malware from infecting the backup server. A separate virtual local area network (VLAN) or physical network segment can enhance security but is not as effective as air gapping. A honeynet is used to detect attacks against a network, but it doesn’t provide effective defense against malware in this scenario.

2
Q

Which of the following is not an advantage of a serverless architecture?

It does not require a system administrator.

It can scale as function call frequency increases.

It can scale as function call frequency decreases.

It is ideal for complex applications.

A

D. Serverless architectures do not require a system administrator because the provider manages the underlying function‐as‐a‐service (FaaS) capability. It can also scale up or scale down as needed, allowing it to be very flexible. Serverless architectures are typically not ideal for complex applications and instead tend to work better for microservices.

3
Q

Derek has been asked to implement his organization’s service‐oriented architecture as a set of microservices. What does he need to implement?

A set of loosely coupled services with specific purposes

A set of services that run on very small systems

A set of tightly coupled services with custom‐designed protocols to ensure continuous operation

A set of services using third‐party applications in a connected network enabled with industry standard protocols

A

A. A microservice architecture builds applications as a set of loosely coupled services that provide specific functions using lightweight protocols. It doesn’t specifically define the size of the systems, but it is not a tightly coupled environment. Protocol choice is often open standards–based, but the emphasis is on lightweight protocols. There is not a requirement that services be in‐house or third party exclusively.

4
Q

Ben has been asked to explain the security implications for an embedded system that his organization is considering building and selling. Which of the following is not a typical concern for embedded systems?

Limited processor power

An inability to patch

Lack of authentication capabilities

Lack of bulk storage

A

D. Embedded systems can bring a broad range of security implications, many of which are driven by the limited capabilities of the processors and hardware they are frequently built with. Low‐power consumption designs may lack computational power and thus have challenges implementing strong cryptography, network connectivity, and other similar problems. Patching embedded systems can be challenging both because of where they are deployed and because of a lack of connectivity for them—in fact, in many environments, you may not want the devices to be connected to your network. Since many don’t have a screen, keyboard, or a network connection, authentication is also a problem. Few embedded devices, however, need bulk storage, making the lack of bulk storage a problem that typically isn’t a major concern.

5
Q

Madhuri has configured a backup that will back up all of the changes to a system since the last time that a full backup occurred. What type of backup has she set up?

A snapshot

A full backup

An incremental backup

A differential

A

D. Differential backups back up all of the changes since the last full backup. An incremental backup backs up all changes since the last incremental backup. A snapshot captures machine state and the full drive at a bitwise level, and full backups are a complete copy of a system but typically do not include the memory state.
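The difference between the backup types, as an added example that is not part of the original flashcard set: a small simulation of one backup cycle. The file names, modification days and schedule below are constructed for the example; the point is that a differential set grows every night and restores from two pieces, while incremental sets stay small but must all be replayed in order.

```python
# Constructed sample: file -> day on which it was last modified. A full backup was
# taken at the end of day 0; a nightly backup runs at the end of days 2, 4 and 6.
FILES = {"payroll.db": 1, "ledger.db": 3, "notes.txt": 5, "config.yml": 6}
FULL_DAY = 0
NIGHTS = [2, 4, 6]


def differential_sets(files, full_day, nights):
    """Differential: each night copies everything changed since the LAST FULL backup.
    The set grows every night until the next full backup is taken."""
    return {n: {f for f, day in files.items() if full_day < day <= n} for n in nights}


def incremental_sets(files, full_day, nights):
    """Incremental: each night copies only what changed since the PREVIOUS backup
    of any kind, so each set is small but restoration needs the whole chain."""
    sets, previous = {}, full_day
    for n in nights:
        sets[n] = {f for f, day in files.items() if previous < day <= n}
        previous = n
    return sets


def restore_plan(kind, nights):
    """Backup sets that must be applied, in order, to recover to the last night.
    A missing or corrupt set anywhere in an incremental chain breaks everything after it."""
    if kind == "differential":
        return ["full", f"differential@{nights[-1]}"]
    if kind == "incremental":
        return ["full"] + [f"incremental@{n}" for n in nights]
    raise ValueError(f"unknown backup kind: {kind}")


def files_copied(sets):
    """Total file copies written over the cycle: a proxy for backup window and media use."""
    return sum(len(s) for s in sets.values())


if __name__ == "__main__":
    for kind, fn in (("differential", differential_sets), ("incremental", incremental_sets)):
        sets = fn(FILES, FULL_DAY, NIGHTS)
        print(kind, {n: sorted(s) for n, s in sets.items()},
              "copies:", files_copied(sets), "restore:", restore_plan(kind, NIGHTS))
```

With this data the differential strategy writes 7 file copies over the week but restores from just the full set plus the latest differential; the incremental strategy writes 4 copies but must replay the full set and all three incrementals.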

6
Q

Nathaniel wants to improve the fault tolerance of a server in his datacenter. If he wants to ensure that a power outage does not cause the server to lose power, what is the first control he should deploy from the following list?

A UPS

A generator

Dual power supplies

Managed power units (PDUs)

A

A. An uninterruptible power supply (UPS) should be Nathaniel’s first priority. Ensuring that power is not disrupted during an outage and can be maintained for a short period until alternate power like a generator can come online is critical, and a UPS can provide that capability. A generator alone takes time to start and stabilize, resulting in an outage. Dual power supplies can help to build resilience by allowing multiple power sources and avoiding issues if a power supply does fail, but that is not the focus of the question. A managed power distribution unit (PDU) provides remote management and power monitoring but will not prevent power loss in an outage.

7
Q

Mia is a network administrator for a bank. She is responsible for secure communications with her company’s customer website. Which of the following would be the best for her to implement?

SSL

PPTP

IPSec

TLS

A

D. Transport Layer Security (TLS) provides a reliable method of encrypting web traffic. It supports mutual authentication and is considered secure. Secure Sockets Layer (SSL) can also encrypt web traffic, but TLS was created in 1999 as its successor, and SSL 3.0 has since been formally deprecated (RFC 7568) because of known weaknesses. Although many network administrators still use the term SSL, in most cases today what you are using is actually TLS, not the outdated SSL. Point‐to‐Point Tunneling Protocol (PPTP) and Internet Protocol Security (IPSec) are protocols for establishing a VPN, not for encrypting web traffic.

8
Q

Elaine wants to adopt appropriate response and recovery controls for natural disasters. What type of control should she use to prepare for a multi‐hour power outage caused by a tornado?

A hot site

A generator

A PDU

A UPS

A

B. A generator is the most appropriate answer to a multi‐hour outage. Although a hot site would allow her organization to stay online, the cost of a hot site is much higher than that of a generator. A PDU, or power distribution unit, is used to manage and distribute power, not to handle power outages. Finally, UPS systems are not typically designed to handle long outages. Instead, they condition power and ensure that systems remain online long enough for a generator to take over providing power.

9
Q

Mark is responsible for managing his company’s load balancer and wants to use a load‐balancing scheduling technique that will take into account the current server load and active sessions. Which of the following techniques should he choose?

Round‐robin

Weighted response time

Least connection

Source IP hashing

A

C. Least connection–based load balancing takes load into consideration and sends the next request to the server with the fewest active sessions. Round‐robin simply distributes requests to each server in order, whereas weighted response time uses health checks to determine which server responds the most quickly on an ongoing basis and then sends the traffic to that server. Finally, source IP hashing uses the source and destination IP addresses to generate a hash key and then uses that key to track sessions, allowing interrupted sessions to be reallocated to the same server, and thus allowing the sessions to continue.

10
Q

Ramon is building a new web service and is considering which parts of the service should use Transport Layer Security (TLS). Components of the application include:

Authentication

A payment form

User data, including address and shopping cart

A user comments and reviews section

Where should he implement TLS?

At points 1 and 2, and 4

At points 2 and 3, and 4

At points 1, 2, and 3

At all points in the infrastructure

A

D. The safest and most secure answer is that Ramon should simply implement TLS for the entire site. Although TLS does introduce some overhead, modern systems can handle large numbers of simultaneous TLS connections, making a secure website an easy answer in almost all cases.

11
Q

Charles wants to use IPSec and needs to be able to determine the IPSec policy for traffic based on the port it is being sent to on the remote system. Which IPSec mode should he use?

IPSec tunnel mode

IPSec PSK mode

IPSec IKE mode

IPSec transport mode

A

D. IPSec transport mode protects only the payload and keeps the original IP header, so the policy selectors (source and destination address, protocol, and port) refer directly to the two communicating hosts, and a different policy can be applied per port. In tunnel mode the whole original packet, including its transport header and ports, is encapsulated inside a new outer IP header, and the tunnel endpoints and everything between them see only that outer header. IPSec has no PSK mode; pre‐shared keys are one of the peer authentication methods available to IKE (WPA2, by contrast, does have a PSK mode). IKE is used to set up security associations in IPSec but does not select the mode in this sense.

12
Q

What two connection methods are used for most geofencing applications?

Cellular and GPS

USB and Bluetooth

GPS and Wi‐Fi

Cellular and Bluetooth

A

C. Global Positioning System (GPS) data and data about nearby Wi‐Fi networks are the two most commonly used signals that help geofencing applications determine where they are. When a known Wi‐Fi signal is gained or lost, the geofencing application knows it is within range of that network. GPS data is even more useful because it can work in most locations and provide accurate location data. Although Bluetooth is sometimes used for geofencing, its limited range means that it is a third choice. Cellular information would require accurate tower‐based triangulation, which means it is not typically used for geofencing applications, and of course USB is a wired protocol.

13
Q

Binary data is an example of what type of data?

Non‐human‐readable

Encrypted

Human‐readable

Masked

A

A. Binary data is a form of non‐human‐readable data. Encrypted data may be in binary format, but not all binary data is encrypted. Binary data is not human‐readable, nor is it masked, which hides elements of data to allow for it to be used without exposing the underlying data.

14
Q

Tom is responsible for VPN connections in his company. His company uses IPSec for VPNs. What is the primary purpose of AH in IPSec?

Encrypt the entire packet.

Encrypt just the header.

Authenticate the entire packet.

Authenticate just the header.

A

C. The Authentication Header (AH) provides integrity and origin authentication for the entire packet: the payload and the IP header, with mutable header fields such as the TTL and checksum treated as zero when the integrity check value is computed. AH provides no encryption at all, and it authenticates the entire packet, not just the header. Because the source and destination addresses are covered by the integrity check, AH cannot pass through NAT, which is one reason ESP (which can also provide authentication) is far more widely deployed.
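What AH’s integrity check covers, shown as an added example that is not part of the original flashcard set. This is a deliberately simplified model of an IP packet with an AH header (only the fields needed to make the point), a constructed key, and HMAC‐SHA‐256 truncated to 128 bits as the integrity algorithm. It shows why a router decrementing the TTL does not break the check, why NAT rewriting the source address does, and that the payload stays readable.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Simplified IP+AH packet: only the fields needed to show what AH covers."""
    src: str        # source address: immutable, covered by the ICV
    dst: str        # destination address: immutable, covered
    ttl: int        # mutable in transit (routers decrement it): zeroed before hashing
    spi: int        # AH Security Parameters Index: selects the SA and therefore the key
    seq: int        # AH sequence number: covered, gives replay protection
    payload: bytes  # everything after the AH header: authenticated, NOT encrypted


# Constructed demo key and packet; a real SA key comes from IKE.
KEY = b"constructed-demo-key-not-for-real-use"
ORIGINAL = Packet("10.0.0.5", "203.0.113.9", ttl=64, spi=0x1001, seq=1,
                  payload=b"GET /index.html HTTP/1.1\r\n")


def _addr(a):
    return bytes(int(o) for o in a.split("."))


def _authenticated_bytes(pkt):
    """Serialise exactly what the ICV is computed over. Mutable header fields are
    replaced with zero rather than omitted (RFC 4302 does this for TTL, flags, checksum)."""
    return (_addr(pkt.src) + _addr(pkt.dst)
            + struct.pack("!B", 0)                  # TTL zeroed
            + struct.pack("!II", pkt.spi, pkt.seq)  # AH header fields
            + pkt.payload)


def compute_icv(key, pkt):
    """HMAC-SHA-256-128: HMAC-SHA256 truncated to 128 bits (RFC 4868)."""
    return hmac.new(key, _authenticated_bytes(pkt), hashlib.sha256).digest()[:16]


def verify_icv(key, pkt, icv):
    return hmac.compare_digest(compute_icv(key, pkt), icv)


def scenarios(key=KEY, pkt=ORIGINAL):
    """Verify the original ICV against several in-flight modifications."""
    icv = compute_icv(key, pkt)
    return {
        "unchanged": verify_icv(key, pkt, icv),
        "after_router_hop": verify_icv(key, replace(pkt, ttl=pkt.ttl - 1), icv),
        "after_nat": verify_icv(key, replace(pkt, src="198.51.100.7"), icv),
        "payload_tampered": verify_icv(key, replace(pkt, payload=b"GET /admin HTTP/1.1\r\n"), icv),
        "payload_readable": b"index.html" in pkt.payload,   # AH gives no confidentiality
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:18s} {ok}")
```

The router hop still verifies because the TTL is zeroed before hashing; the NAT case fails because the source address is part of the authenticated data, which is exactly why AH and NAT do not mix.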

15
Q

Abigail is responsible for setting up a network‐based intrusion prevention system (NIPS) on her network. The NIPS is located in one particular network segment. She is looking for a passive method to get a copy of all traffic to the NIPS network segment so that it can analyze the traffic. Which of the following would be her best choice?

Using a network tap

Using port mirroring

Setting the NIPS on a VLAN that is connected to all other segments

Setting up a NIPS on each segment

A

A. Network taps copy all traffic to another destination, allowing traffic visibility without a device inline. They are completely passive and keep forwarding even if the monitoring device fails. Port mirroring would get all the traffic to the network‐based intrusion prevention system (NIPS), but it is not completely passive: the switch must spend its own resources copying frames, and when the mirrored ports carry more traffic than the destination port can handle, the switch silently drops the excess. Incorrect switch configurations can also cause looping; configuring loop detection can prevent looped ports. Placing the NIPS on a VLAN connected to every segment does not deliver other VLANs’ traffic to it, and setting up a NIPS on each segment can be very expensive, require extensive configuration work, and dramatically increase administrative effort. Note that a NIPS fed from a tap or mirror port is out of band: it can detect, alert, or send resets, but it cannot drop packets the way an inline deployment can.

16
Q

Janice is explaining how IPSec works to a new network administrator. She is trying to explain the role of IKE. Which of the following most closely matches the role of IKE in IPSec?

It encrypts the packet.

It establishes the SAs.

It authenticates the packet.

It establishes the tunnel.

A

B. Internet Key Exchange (IKE) is used to set up security associations (SAs) on each end of the tunnel. The security associations hold all the settings (i.e., cryptographic algorithms, hashes, keys, and lifetimes) for the tunnel. IKE authenticates the peers while negotiating, but it does not encrypt or authenticate the data packets themselves: that is done by ESP and AH using the SAs it established. IKE itself does not establish the tunnel; it establishes the SAs.

17
Q

Emily manages the IDS/IPS for her network. She has a network‐based intrusion prevention system (NIPS) installed and properly configured. It is not detecting obvious attacks on one specific network segment. She has verified that the NIPS is properly configured and working properly. What would be the most efficient way for her to address this?

Implement port mirror/monitor mode for that segment.

Install a NIPS on that segment.

Upgrade to a more effective NIPS.

Isolate that segment on its own VLAN.

A

A. The NIPS is not seeing the traffic on that network segment. By implementing port mirroring, the traffic from that segment can be copied to the segment where the NIPS is installed. Installing a network IPS on the segment would require additional resources. This would work but is not the most efficient approach. Nothing in this scenario suggests that the NIPS is inadequate. It just is not seeing all the traffic. Finally, isolating the segment to its own VLAN would isolate that network segment but would still not allow the NIPS to analyze the traffic from that segment.

18
Q

Claire has been notified of a zero‐day flaw in a web application. She has the exploit code, including a SQL injection attack that is being actively exploited. How can she quickly react to prevent this issue from impacting her environment if she needs the application to continue to function?

Deploy a detection rule to her IDS.

Manually update the application code after reverse‐engineering it.

Deploy a fix via her WAF.

Install the vendor‐provided patch.

A

C. Claire’s best option is to deploy a detection and fix via her web application firewall (WAF) that will detect the SQL injection (SQLi) attempt and prevent it. An intrusion detection system (IDS) only detects attacks and cannot stop them. Manually updating the application code after reverse‐engineering it will take time, and she may not even have the source code or the ability to modify it. Finally, vendor patches for zero days typically take some time to come out even in the best of circumstances, meaning that Claire could be waiting on a patch for quite a while if that is the option she chooses.

19
Q

Next‐generation firewalls include many cutting‐edge features. Which of the following is not a common next‐generation firewall capability?

Geolocation

IPS and/or IDS

Sandboxing

SQL injection

A

D. Although next‐generation firewalls (NGFWs) provide many defensive capabilities, SQL injection (SQLi) is an attack instead of a defense. In addition to geolocation, intrusion detection system (IDS) and intrusion prevention system (IPS), and sandboxing capabilities, many next‐generation firewalls include web application firewalls, load balancing, IP reputation and URL filtering, and antimalware and antivirus features.

20
Q

Jason is considering deploying a network intrusion prevention system (IPS) and wants to be able to detect advanced persistent threats (APTs). What type of IPS detection method is most likely to detect the behaviors of an APT after it has gathered baseline information about normal operations?

Signature‐based IPS detections

Heuristic‐based IPS detections

Malicious tool hash IPS detections

Anomaly‐based IPS detections

A

D. Anomaly‐based detection systems build a behavioral baseline for networks and then assess differences from those baselines. They may use heuristic capabilities on top of those, but the question specifically asks about baselined operations pointing to an anomaly‐based system. Heuristic‐based detections look for behaviors that are typically malicious, and signature‐based or hash‐based detections look for known malicious tools or files.
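Baselining and anomaly scoring, as an added example that is not part of the original flashcard set. The per‐host outbound byte counts below are constructed training data for a one‐week baselining period; the scoring is a plain z‐score against each host’s own mean and standard deviation. The example shows the property the question is after: the same absolute volume is normal for one host and a clear deviation for another, which a signature could never express.

```python
import statistics

# Constructed training data: outbound bytes per hour observed for each host during
# a baselining period (7 samples each, kept small for the example).
BASELINE_SAMPLES = {
    "srv-a": [1000, 1100, 950, 1050, 1000, 980, 1020],             # quiet internal server
    "srv-b": [20000, 21000, 19500, 20500, 20000, 19800, 20200],    # busy file server
}
Z_THRESHOLD = 3.0


def build_baseline(samples):
    """Per-host mean and standard deviation. The std is floored at 5% of the mean so
    a very stable host does not turn every tiny wobble into an alert."""
    model = {}
    for host, values in samples.items():
        mean = statistics.fmean(values)
        std = max(statistics.stdev(values), 0.05 * mean)
        model[host] = (mean, std)
    return model


def score(model, host, observed, threshold=Z_THRESHOLD):
    """Return (z_score, is_anomaly). A host that never appeared during baselining is
    anomalous by definition: an unknown talker is itself a finding."""
    if host not in model:
        return (float("inf"), True)
    mean, std = model[host]
    z = (observed - mean) / std
    return (z, z > threshold)


def scan(model, observations):
    """Score a batch of (host, bytes_out) observations; return only the anomalies."""
    return [(host, value, round(score(model, host, value)[0], 1))
            for host, value in observations
            if score(model, host, value)[1]]


if __name__ == "__main__":
    model = build_baseline(BASELINE_SAMPLES)
    # Constructed observations: srv-a suddenly pushes out what is routine for srv-b.
    print(scan(model, [("srv-a", 1050), ("srv-a", 21000), ("srv-b", 21000), ("new-host", 10)]))
```

Two caveats a practitioner should keep in mind: an attacker who is already present during the baselining window gets their activity learned as normal, and an adversary who keeps exfiltration under the per‐host threshold (low and slow) is not caught by this kind of volume score alone.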

21
Q

Jerome needs to explain the key difference between high availability and fault tolerance to his management. What is the major difference between the two?

High availability is designed to avoid service interruptions almost entirely, whereas fault‐tolerant environments have minimal service disruptions.

High availability provides services, whereas fault tolerance handles issues.

High availability focuses on data, whereas fault tolerance focuses on infrastructure.

High availability has minimal service interruptions, whereas fault‐tolerant environments are designed to avoid service interruptions almost entirely.

A

D. High‐availability designs are less expensive because they attempt to minimize service interruptions, whereas fault‐tolerant designs seek to avoid service interruptions almost entirely, and thus cost significantly more. Both focus on service availability and typically use both hardware and software tools to meet their goals.

22
Q

Mateo wants to conduct a fail over test for his datacenter. What will he need to do to accomplish this?

Turn off all systems in his datacenter.

Simulate what would occur during a datacenter outage.

Force a fail over using his network or other systems.

Cause an outage of a critical system.

A

C. Datacenters should have a fail over process that can be manually executed in case of emergency. Mateo should use that process to fail over to his organization’s fail over site. Turning off every system in a datacenter is not recommended as this may lead to other unexpected failures. Simulation is not a fail over test, and creating an outage of a critical system typically will not cause an entire datacenter to fail over.

23
Q

Brandon deploys a server in a VLAN used for IoT devices. He then creates firewall rules that allow users in a system administration network to SSH to that server so that they can manage systems in the protected network segment. What type of solution has Brandon deployed?

A UTM

A jump server

An ICS server

A VPN

A

B. Jump servers are used to access secured zones and are typically carefully controlled and monitored because they are the single point of entry from untrusted environments. A Unified Threat Management (UTM) is a security device that combines firewall features with a variety of other security functions. ICS stands for Industrial Control System. This is not an ICS, although the IoT devices it allows connections to may be a form of ICS. VPNs, or virtual private networks, encapsulate and protect network traffic as it moves through untrusted networks.

24
Q

What key network technology is the core of an SASE implementation?

TLS

VLANs

IPSec

SD‐WAN

A

D. Software‐defined wide area networks (SD‐WANs) are the core network component of secure access service edge (SASE). Additional tools like zero trust network access, cloud access security brokers, secure web gateways, and firewalls are combined with it to build a complete SASE implementation.

25
Q

Nick’s organization houses tape‐based backups for their critical data in their primary datacenter. What resilience issue could result in the event of a major disaster?

The tapes may not have been validated and might not be able to be restored.

A single disaster could destroy both the facility and the tapes.

The tapes may not last for the expected lifetime of the backups.

Tapes are relatively slow and may not allow for timely restoration.

A

B. The biggest issue for resilience is that placing backups in the same facility as the devices or systems they are backing up means that a single disaster could destroy both. Nick should consider off‐site backup storage. Tape recovery can be slow, but this is a restoration timeframe issue, not a resilience issue. Tape lifetime is typically quite long, and backups are usually rolled over in time periods shorter than a year for most organizations. Finally, validation of backups can be a concern, but there is no description in the question that would lead to conclusions about testing.

26
Q

Which of the following is not a common security concern with real‐time operating systems?

Inability to install security tools

Lack of updates or patches

Likelihood of malware infection

Vulnerability concerns

A

C. While vulnerabilities in real‐time operating systems (RTOSs), the inability to install security tools on them, and a lack of patches for RTOS‐based devices are all common security concerns, RTOS‐based devices are not as frequently targeted by malware infections.

27
Q

Chris wants to create a token to substitute for data in a database. Which of the following is not a common attribute for tokens?

They don’t have exploitable meaning themselves.

They are easily reversible to identify the original data, even without the tokenization scheme.

They frequently rely on one‐way hash functions.

Tokens must be mapped to matching original data.

A

B. Tokens should not be easily reversible. Instead, they should require access to the original tokenization function or a mapping to the original data. Tokens should not have intrinsic meaning or value, and frequently rely on hash functions as part of their generation process to ensure this.
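A token vault with the properties the answer lists, as an added example that is not part of the original flashcard set. The key and the card number are constructed; the token is derived with a keyed hash (HMAC‐SHA256) and is format‐preserving (16 digits, real last four kept), and reversal is only possible through the vault’s mapping. The keyed hash matters: an unkeyed SHA‐256 of a card number can be brute‐forced offline because the input space is small and structured.

```python
import hashlib
import hmac

# Constructed key; a real deployment keeps this in an HSM or KMS and encrypts the vault.
TOKEN_KEY = b"constructed-tokenization-key"


class TokenVault:
    """Maps tokens back to original values. Reversal requires access to this object;
    the token itself carries no recoverable information about the original."""

    def __init__(self, key):
        self._key = key
        self._store = {}   # token -> original digits

    def tokenize(self, pan):
        digits = "".join(c for c in pan if c.isdigit())
        # Keyed hash: without TOKEN_KEY an attacker cannot recompute tokens for guessed
        # PANs, so the token has no exploitable meaning on its own. An unkeyed hash would
        # be brute-forced because the 16-digit, Luhn-structured PAN space is tiny.
        mac = hmac.new(self._key, digits.encode(), hashlib.sha256).digest()
        # Format-preserving: 12 pseudo-digits derived from the MAC plus the real last 4,
        # so downstream systems that expect "16 digits" keep working.
        body = "".join(str(b % 10) for b in mac[:12])
        token = body + digits[-4:]
        self._store[token] = digits   # the mapping is the only way back
        return token

    def detokenize(self, token):
        return self._store[token]     # KeyError for tokens this vault never issued

    def __len__(self):
        return len(self._store)


if __name__ == "__main__":
    vault = TokenVault(TOKEN_KEY)
    t = vault.tokenize("4111 1111 1111 1111")   # constructed test card number
    print(t, vault.detokenize(t))
```

Deriving the token deterministically (same input, same token) lets analytics and joins work on tokenized data; a deployment that does not need that property should use random tokens instead, which removes even the keyed‐hash dependency.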

28
Q

Pete’s organization has had a system fail and Pete wants to recover from backup. Which of the following backup methods will typically result in the fastest restoration timeframe?

Snapshots

Replication

Journaling

Tape backup

A

B. Replication is typically the fastest means to recovery since the replica system is running and ready to take over. Snapshot recovery is normally the next fastest, followed by restoration from other storage. Journaling can introduce additional slowdowns depending on how long it has been since the last backup, as the journal is replayed from the time that occurred to the time of failure.

29
Q

Henry accesses a database server from his workstation. What data state best describes the data while it is on the network?

Data at rest

Data in use

Data on the wire

Data in transit

A

D. The Security+ exam outline recognizes three data states: data at rest, data in transit, and data in use. When Henry accesses the data and it is transferred via the network, it is data in transit. When he is working with the data, including modifying or otherwise using it, it is data in use. When it resides on the drives the database is stored in, it is data at rest. Data on the wire is not a common term for this—data in motion and data in transit are both common in industry usage, and the Security+ exam outline uses data in transit.

30
Q

Yasmine wants to ensure that her organization has appropriate connectivity as part of their infrastructure design for their primary site. Which of the following concerns should she review to ensure that physical disasters do not disable her company’s operations?

Service provider path diversity

Ensuring both fiber and copper connectivity are used

Implementing SD‐WAN

Geographic dispersion

A

A. Path diversity ensures that the connectivity to the facility does not take the same path. This helps to prevent the moment network managers dread when a single accident—or construction equipment in the wrong place—tears up multiple fiber or copper paths, taking organizations offline. Diversity of the cabling type is not a requirement or need, SD‐WAN does not directly address physical disasters, and geographic dispersion is not possible at a single site.

31
Q

Carlos uses a remote desktop tool to connect to a server through a firewall that protects his organization’s database servers. He then uses software on the server to manage the database servers. What type of solution is Carlos using?

A network tap

SASE

SD‐WAN

A jump server

A

D. Carlos is using a jump server that is used to connect from an untrusted or lower trust zone from outside of a firewall. A network tap is used to provide copies of network traffic for analysis. SASE combines SD‐WAN and other security technologies to provide network security services regardless of where systems are for enterprises. SD‐WAN (software‐defined wide area networking) is used to manage network connectivity through commodity Internet providers and other services.

32
Q

Yuri wants to use an off‐site backup location. What challenge can off‐site backup locations create for organizations?

It is difficult to validate the integrity of the backups.

Retrieving the backups may slow down recovery.

The backups cannot be easily updated.

Off‐site backups may be impacted by the same disaster.

A

B. Off‐site backup locations are typically chosen so that they will not be impacted by the same disaster. That means that recovery may be slow if the backups either need to be physically retrieved or must be downloaded via an Internet connection. Backup integrity is typically verified as part of the backup process, and this can be checked easily. Off‐site backups are typically updated as part of the backup process, and this should not be an issue.

33
Q

What term best describes a set of loosely coupled, fine‐grained services that communicate via lightweight protocols, allowing organizations to easily build new services without additional dependencies or infrastructure?

Containerization

IoT

Software‐defined infrastructure

Microservices

A

D. Microservices are loosely coupled and fine‐grained, and they are intended to be easy to deploy without significant overhead or dependencies. They rely on lightweight protocols like HTTP to make them easier to deploy in common infrastructures. Containers are used to allow applications to be easily deployed without moving a complete operating system but with the required libraries and components to function. The Internet of Things (IoT) describes Internet‐enabled devices of all sorts, including embedded systems. Software‐defined infrastructure is commonly used for cloud services.

34
Q

Malia wants to protect data in use. Which technique is not a good solution to ensuring that data in use is protected?

Encryption

Control access to the data

Hashing data

Limiting where data is processed

A

C. Use of encryption through secure enclaves and restricted processing environments, controlling access to the data, and limiting where data is processed are all useful controls. Hashing the data does not leave it in a usable form since hashes transform the data, and thus is not a useful solution.

35
Q

Jaime wants to manage connectivity, including both MPLS and broadband Internet services, for her organization. What technology should she select to enable her to manage multiple connection types using a software‐based control system?

SASE

SDN

SD‐WAN

VSAN

A

C. SD‐WAN, or software‐defined wide area network, is a virtual wide area network architecture that relies on a software‐based controller to manage multiple connections and connection types. MPLS, LTE, and broadband are commonly managed using SD‐WAN technology. SASE, or Secure Access Service Edge, is used to provide end‐to‐end security in modern environments with systems and users spread throughout many locations and networks. SDN, or software‐defined networking, is a code‐based network management scheme. However, SD‐WAN is the correct answer for wide area networks that rely on things like MPLS and broadband rather than on‐premises networks. VSAN, or virtual SAN, is a virtual storage area network.

36
Q

Sade works for a large organization that wants to ensure that their connectivity is properly secured. What type of security device should she select if throughput and advanced security capabilities are both important factors in selection?

A UTM device

An NGFW device

A WAF

A proxy server

A

B. NGFW devices are typically deployed where throughput and advanced security features are both needed. UTM devices are more common in small to mid‐sized organizations where they can be set up and will often require less management and configuration. A WAF is appropriate for web services, but does not provide enough protection for an entire organization’s Internet connectivity. A proxy server is useful for filtering traffic but has the same issues with limited functionality.

37
Q

Ed is building a continuity of operations plan (COOP) for his organization. What three scenarios does a COOP address?

Loss of personnel, loss of systems, loss of availability

Natural disasters, human‐made disasters, mistakes or errors

Loss of access to a facility, damage to a facility, natural disasters

Loss of access to a facility, loss of personnel, and loss of services

A

D. COOP plans address loss of access to some or all of a facility, personnel, or services. Other items may cause those losses, but the focus is on continued operations addressing the key components of an organization’s business or purpose—facilities, staff, and services.

38
Q

Which of the following properly describes a SPAN port configured on a switch or router for monitoring?

Active and inline

Passive and inline

Active and a monitor

Passive and a monitor

A

C. Switch Port Analyzer (SPAN) ports, also known as mirrored ports, configured on a network switch or router are active because the switch itself has to generate the copies, using its own resources and dropping frames if the destination port is oversubscribed, and they are a monitor because they only receive copies of the traffic rather than sitting inline in the path.

39
Q

Renee wants to choose a control that will protect her organization against SQL injection attacks. Which of the following is likely to be the most effective control for attacks that are announced without prior notice and that require a very quick response?

Web application penetration testing

A WAF

Static code review

SASE

A

B. A major advantage of WAFs is the ability to use threat and rule feeds from vendors that respond quickly to new threats and attacks. At the same time, Renee can also build WAF rules (a virtual patch) faster than it would take to deploy code fixes in many cases. Penetration testing and static code review are both slow processes and are not suited to the rapid response described. SASE is used to protect diverse endpoints in many locations, not to counter SQL injection (SQLi) against a web service.
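How a WAF virtual patch and a signature rule differ in practice, as an added example that is not part of the original flashcard set and that serves both this card and Claire’s zero‐day scenario above. The vulnerable endpoint (/product?id=…), the request lines and the rule logic are all constructed for the example, and a real WAF would of course also inspect POST bodies, headers and cookies. The virtual patch is a tight allowlist scoped to one path and one parameter, so it closes the hole without touching the rest of the application; the broad signature is the kind of rule a vendor feed ships.

```python
import re
from urllib.parse import parse_qs, urlsplit


# Virtual patch for a hypothetical flaw: /product?id=<int> is injectable.
# Positive (allowlist) rule scoped to that path and parameter only, so it cannot
# break other functionality while the real code fix is being prepared.
def rule_product_id(req):
    if req["path"] == "/product":
        for value in req["params"].get("id", []):
            if not re.fullmatch(r"\d{1,10}", value):
                return "virtual-patch: /product id must be numeric"
    return None


# Broad negative signature, similar in spirit to a vendor feed rule. Applies to every
# parameter, so it is kept deliberately specific to limit false positives.
SQLI_SIG = re.compile(
    r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table|--\s*$)"
)


def rule_sqli_signature(req):
    for values in req["params"].values():
        for v in values:
            if SQLI_SIG.search(v):
                return "sqli-signature"
    return None


RULES = [rule_product_id, rule_sqli_signature]


def parse_request(line):
    """Parse a request line such as 'GET /path?a=1 HTTP/1.1' into path and decoded params."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    return {"method": method, "path": parts.path,
            "params": parse_qs(parts.query, keep_blank_values=True)}


def inspect(line):
    """Return ('BLOCK', reason) on the first matching rule, else ('ALLOW', None)."""
    req = parse_request(line)
    for rule in RULES:
        verdict = rule(req)
        if verdict:
            return ("BLOCK", verdict)
    return ("ALLOW", None)


# Constructed request lines: two legitimate, two injection attempts.
SAMPLE_REQUESTS = [
    "GET /product?id=42 HTTP/1.1",
    "GET /product?id=42%20OR%201%3D1 HTTP/1.1",
    "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1",
    "GET /reviews?q=select+the+best+drill HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(inspect(line), line)
```

The review search for “select the best drill” is allowed even though it contains a SQL keyword, because the allowlist rule is scoped to /product and the signature needs the full UNION SELECT pattern; that scoping is what lets Claire keep the application running while the patch is blocked.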

40
Q

Kendra is designing a web application infrastructure and wants to use a load balanced cluster. Which of the following considerations is not directly addressed by using a load balancer?

Availability

Responsiveness

Scalability

Risk transference

A

D. Load balancers can help with availability by automatically removing failed nodes from a load balanced group. They can help with responsiveness by distributing load to the least loaded systems in a load balanced pool, and they can help with scalability by allowing systems to transparently be added or removed from the pool. They don’t directly help with risk transference since risk transference usually requires a contract or insurance.

41
Q

Chuck has deployed a cloud‐based security environment that combines SD‐WAN, zero trust, cloud access security broker (CASB), and firewall services to replace traditional VPNs. What sort of service has Chuck deployed?

SaaS

SASE

SONET

SCM

A

B. Secure access service edge (SASE) deployments combine SD‐WAN with a variety of cloud‐hosted security services, including zero trust and CASB tools to replace VPNs. This provides an edge device–oriented security architecture with end‐to‐end security. SaaS is involved but is not a specific enough answer. SONET is a communication protocol used for fiber networks. Supply chain management (SCM) is not a term used in this context.

42
Q

Kaito has deployed a system that accepts traffic from web browsers and distributes it to systems based on the number of connections that each server has. He has assigned each server a rating based on how powerful it is. Each time a new request comes in, requests are sent to the system with the lowest number of connections after taking into account the relative rating of each server. What type of load balancing is Kaito using?

Source IP hashing

Resource‐based

Weighted least connection

Round‐robin

A

C. Kaito is using a weighted least connection load balancing approach, which distributes traffic based on both a server weight and connection number count. Source IP hashing uses a hash of the source and destination IP addresses to determine which server receives the connection. This also allows for interrupted sessions to go to the same server. Resource‐based load balancing takes into account the availability of resources like CPU, memory, and network bandwidth for a server. Round‐robin load balancing simply distributes connections as they come in by moving through a list of servers.

43
Q

Geoff is considering whether to deploy on‐premises infrastructure or cloud‐hosted infrastructure. His most important requirements in order are:

Ease of scalability

Management overhead

Cost

If Geoff wants to run a containerized service that can handle very large loads, what model should he select?

SaaS

PaaS

IaaS

On‐premises

A

C. An infrastructure‐as‐a‐service (IaaS) cloud‐hosted model where a third‐party provider focuses on scalability and administration of a containerization service will meet Geoff’s needs. When scaling from low to very large load is a common event, the ability to grow or shrink in a cloud environment can also provide significant cost savings over paying for an on‐premises option that can handle the full scaling event. Software as a service (SaaS) and platform as a service (PaaS) provide full applications or platforms, not containerization environments.

44
Q

Alaina’s organization is required to comply with the PCI DSS standard. What type of data is she most likely dealing with?

Intellectual property

Trade secrets

Financial information

Regulated information

A

C. PCI DSS is a credit card data security standard, meaning that Alaina is most likely dealing with financial information. PCI DSS does not directly address intellectual property or trade secrets, and it’s not a regulation.

45
Q

Marco is preparing to brief his organization’s leadership about challenges that may result from adopting a hybrid cloud design. Which of the following is the primary concern that he should highlight?

Jurisdictional challenges

Increased complexity

Increased cost

Regulatory challenges

A

B. Increased complexity can include jurisdictional challenges, increased cost, and regulatory challenges as well as visibility challenges, management overhead increases, and a wide range of additional challenges from operating in multiple locations and models.

46
Q

Jacob is concerned about attacks against his virtual machines that would target the hypervisor. What term describes this type of attack?

VM escape

Hypervisor escalation

VM shell attacks

Container breaches

A

A. Virtual machine (VM) escape attacks attempt to access or gain control of the underlying hypervisor through virtual machines. While uncommon, if this occurred it could result in serious issues due to the number of systems run on a single hypervisor host particularly in cloud or shared environments. The other options were made up for the question.

47
Q

Jill knows that IPSec uses a number of common protocols. Which of the following is not a key IPSec protocol?

AH

ISA

ESP

IKE

A

B. AH (Authentication Header), ESP (Encapsulating Security Payload), and IKE (Internet Key Exchange) are all important IPSec (Internet Protocol Security) protocols. ISA is not an IPSec protocol.

48
Q

Why can’t hashing be used to securely store data that needs to be accessed in its original form?

Hashing takes too long to reverse.

Hashing uses symmetric encryption.

Hashing uses a one‐way function.

Hashing uses asymmetric encryption.

A

C. Hashing uses a one‐way function and should not be reversible. This means that you can use hashing to securely store a password: you hash the password, then compare hashes without needing to know the password itself. If you hash a database field, however, there’s no way to recover the original data from the hash. Hashing does not use symmetric or asymmetric encryption.

49
Q

The ability to obtain third‐party support for a device or system is an example of which consideration?

Availability

Risk transference

Compute

Responsiveness

A

B. Third‐party support availability is an example of risk transference where the support contract moves the risk to the contractor. Availability and responsiveness may be considerations for the contractor, but the ability to obtain support doesn’t imply either of these. Compute is most commonly a concern where embedded devices or hardware solutions may not have sufficient computational power to meet new needs.

50
Q

What security advantage does a serverless model provide?

Cost savings

No need to patch infrastructure

No vulnerable functions

No need to log events

A

B. Serverless deployments remove the need to patch underlying infrastructure. They may still have vulnerable functions and should be logged. Cost savings is not a direct security advantage.

51
Q

Erin uses a journaling backup scheme for her database. After a system outage she needs to restore from her backups. If her organization uses a daily backup scheme that runs at midnight, and the issue occurred at 2 a.m., how much data is Erin likely to lose?

Two hours of data

One day and two hours of data

One week of data

Little or no data

A

D. Journaling tracks transactions as they occur. Unless the journal itself was lost, Melissa should be able to restore the backup, then replay the journal to ensure the organization loses very little data.

52
Q

Maria’s organization uses a cloud backup provider and performs encrypted backups for their IaaS infrastructure and data. If the data needs to be restored, what will Maria need to do?

Ask the vendor for the recovery key.

Provide the recovery key.

Restore the recovery key from backup and use it.

Generate a new recovery key and restore from backup.

A

B. Encrypted backups require the encryption key, so Maria’s organization will need to preserve and protect the recovery key in a secure manner that does not rely on the backups. This is often done via multiple physical copies of the key stored in secured locations with geographic diversity or using both physical and cloud secure storage like a key management system (KMS).

53
Q

Erin’s organization uses a backup schedule that creates a full backup once a week, then creates differential backups once a day on all other days. If the full backup was done four days ago, and Erin needs to restore from it, how many backups will she have to restore in total?

One

Two

Three

Four

A

D. Erin will need to restore the full backup, then apply the differential backups from each of the remaining three days for a total of four backups.

54
Q

What advantage does an IPSec VPN have over a TLS VPN when protecting traffic?

It operates at the network layer rather than the transport layer.

It supports stronger encryption types.

It does not rely on tunneling.

It does not provide advantages over TLS, and TLS should be used instead when possible.

A

A. IPSec VPNs operate at the network layer instead of the transport layer. That means less information is visible to potential attackers. Both support strong encryption, IPSec VPNs do support tunneling, and not relying on tunneling is not an advantage in most use cases.

55
Q

Vera wants to manage multiple commercial Internet services for her organization to ensure connectivity. What technology should she select to manage and maintain this?

SASE

SDN

IPSec

SD‐WAN

A

D. Vera can use an SD‐WAN, or software‐defined wide area network, to manage multiple connections dynamically, ensuring connectivity and performance for her organization. SASE is used to secure networks and device connectivity in modern organizations with complex and mobile boundaries. SDN is software‐defined networking and manages networks as code. IPSec is a suite of protocols used to secure network traffic.

56
Q

Kathleen wants to monitor her datacenter’s environmental status. What solution should she invest in to meet this need?

An HVAC system

UPS systems

Environmental sensor appliances

A load balancer

A

C. Environmental sensor appliances are frequently deployed to datacenters and network closets to monitor for potential issues like high temperatures. Heating, ventilation, and air‐conditioning (HVAC) systems monitor and control temperatures, but datacenters commonly add additional monitoring tools in case the HVAC system fails or other issues arise. UPS systems are not used for environmental monitoring, and load balancers are used to distribute load to servers and services.

57
Q

Valerie wants to connect one of her company’s remote locations back to the organization’s main network. What type of solution can she use for a persistent connection between the networks that will securely tunnel data across a commodity Internet connection?

A TLS VPN

A web proxy

An IPSec VPN

An 802.1X tunnel

A

C. An IPSec VPN is a common option for organizations that need to create a secure VPN tunnel between two locations. A VPN connection is established by network devices at both locations and traffic is able to travel securely over commodity Internet connections. TLS VPNs are more commonly used for individuals to connect to an organization’s network. Web proxies are used to filter and control web traffic, not for this purpose. 802.1X is used to authenticate to networks and protect them from unauthorized connections, not to create secure, multisite tunnels.

58
Q

Mark wants to protect data in use. Which of the following options should he select to protect data in use?

Hashing

A secure enclave

Containerization

Tunneling data

A

B. A secure enclave is one way of protecting data in use. It relies on secured hardware that stores the data while it is in use and allows only processes running inside the enclave to access that data. Hashing, containerization, and tunneling do not provide security for data in use.

59
Q

Lucca has deployed an SD‐WAN controller. Which of the following types of connectivity will not typically be managed with an SD‐WAN solution?

Wi‐Fi

MPLS

Broadband

LTE

A

A. Wi‐Fi and other on‐premises network solutions are not typically part of an SD‐WAN implementation. SD‐WAN focuses on wide area networks, which lie outside the on‐premises network borders of organizations, and thus technologies like MPLS, broadband, and LTE are what SD‐WAN controllers manage.

60
Q

Monica wants to prevent users from sharing data and cares more about control than flexibility. What type of access control model is best suited to ensuring central control over file access?

Role BAC

DAC

MAC

Rule BAC

A

C. Mandatory access control (MAC) is used in scenarios where users should not have the ability to grant access to files. Role‐based access control and rule‐based access control both provide more flexibility, and they are more commonly used than mandatory access control in cases where that is desired. Discretionary access control (DAC) allows users to grant access to other users and does not fit the requirements either.

61
Q

Marco wants to build a set of services for financial transactions for his company. The services need to be capable of scaling quickly to very large numbers of transactions, and need to be able to operate without major dependencies on other components of the architecture. What architecture should he select to best meet these needs?

Containerization

Virtualization

Microservices

SCADA

A

C. A microservices design allows each component or service to be separate and lightweight, so services can be developed independently and fixed more easily without complex dependencies. Containerization would allow for easy deployment of applications to different service environments, but its focus is on portability, not on the design requirements listed. Virtualization requires even more resources because entire operating systems are virtualized, and it likewise offers no direct means of addressing the needs described in the question. SCADA stands for supervisory control and data acquisition and is used to manage complex industrial or control environments, not service environments like the one the question describes.

62
Q

The company that Jayne works for has moved their web application infrastructure to a serverless model. Jayne’s security team has informed her that they believe the application is undergoing a large‐scale resource exhaustion‐based distributed denial‐of‐service attack. If the application is running in Microsoft’s serverless Azure environment, what is the most critical concern Jayne should have about the attack?

Loss of data

Cost of the resource usage

Inability to review logs

Vulnerabilities in the application

A

B. A large‐scale denial‐of‐service attack that is using resources can be costly. Microsoft’s cloud will be able to scale to meet the demand, but Jayne’s organization may spend large amounts of money without benefiting any legitimate customers. Loss of data is unlikely because the application is being heavily used without any underlying issue for the application’s data. Log files will still be created, but the size and scale of the logs may drive cost. There is nothing in the scenario that demonstrates a vulnerability, and resource exhaustion attacks do not require a vulnerability to be successful.