Prof Messer Practice Test B Flashcards

1
Q

A security administrator has performed an audit of the organization’s
production web servers, and the results have identified banner
information leakage, web services running from a privileged account, and
inconsistencies with SSL certificates. Which of the following would be the
BEST way to resolve these issues?
❍ A. Server hardening
❍ B. Multi-factor authentication
❍ C. Enable HTTPS
❍ D. Run operating system updates

A

Server hardening

Many applications and services include secure configuration guides that
can assist in hardening the system. These hardening steps will make the
system as secure as possible while simultaneously allowing the application
to run efficiently.

2
Q

A shipping company stores information in small regional warehouses
around the country. The company keeps an IPS online at each warehouse
to watch for suspicious traffic patterns. Which of the following would
BEST describe the security control used at the warehouse?
❍ A. Managerial
❍ B. Compensating
❍ C. Physical
❍ D. Detective

A

D. Detective
An IPS can detect and record any intrusion attempt.

3
Q

The Vice President of Sales has asked the IT team to create daily backups
of the sales data. The Vice President is an example of a:
❍ A. Data owner
❍ B. Data protection officer
❍ C. Data steward
❍ D. Data processor

A

Data owner

The data owner is accountable for specific data, and is often a senior officer
of the organization.

4
Q

A security engineer is preparing to conduct a penetration test. Part of the
preparation involves reading through social media posts for information
about a third-party website. Which of the following describes this
practice?
❍ A. Partially known environment
❍ B. OSINT
❍ C. Exfiltration
❍ D. Active footprinting

A

OSINT
OSINT (Open Source Intelligence) describes the process of obtaining
information from open sources, such as social media sites, corporate
websites, online forums, and other publicly available locations.

5
Q

A company would like to automate their response when a virus is
detected on company devices. Which of the following would be the
BEST way to implement this function?
❍ A. Active footprinting
❍ B. IaaS
❍ C. Vulnerability scan
❍ D. SOAR

A

SOAR
SOAR (Security Orchestration, Automation, and Response) provides
security teams with integration and automation of processes and
procedures.

6
Q

A user in the accounting department has received an email from the
CEO requesting payment for a recently purchased tablet. However, there
doesn’t appear to be a purchase order associated with this request. Which
of the following would be the MOST likely attack associated with
this email?
❍ A. Spear phishing
❍ B. Watering hole attack
❍ C. Invoice scam
❍ D. Credential harvesting

A

Invoice scam
Invoice scams attempt to take advantage of the miscommunication
between different parts of the organization. Fake invoices are submitted by
the attacker, and these invoices can sometimes be incorrectly paid without
going through the expected verification process.

7
Q

A company has been informed of a hypervisor vulnerability that could
allow users on one virtual machine to access resources on another
virtual machine. Which of the following would BEST describe this
vulnerability?
❍ A. Containerization
❍ B. Service integration
❍ C. SDN
❍ D. VM escape

A

VM escape

A VM (Virtual Machine) escape is a vulnerability that allows
communication between separate VMs.

8
Q

While working from home, users are attending a project meeting over
a web conference. When typing in the meeting link, the browser is
unexpectedly directed to a different website than the web conference.
Users in the office do not have any issues accessing the conference site.
Which of the following would be the MOST likely reason for this issue?
❍ A. Bluejacking
❍ B. Wireless disassociation
❍ C. DDoS
❍ D. DNS poisoning

A

DNS poisoning
An attacker that gains access to a DNS (Domain Name System) server
can modify the configuration files and redirect users to a different website.
Anyone using a different DNS server may not see any problems with
connectivity to the original site.

9
Q

A company is launching a new internal application that will not start
until a username and password are entered and a smart card is plugged into
the computer. Which of the following BEST describes this process?
❍ A. Federation
❍ B. Accounting
❍ C. Authentication
❍ D. Authorization

A

Authentication

The process of proving who you say you are is authentication. In this
example, the password and smart card are two factors of authentication,
and both reasonably prove that the person logging in is authentic.

10
Q

An online retailer is planning a penetration test as part of their PCI
DSS validation. A third-party organization will be performing the test,
and the online retailer has provided the Internet-facing IP addresses for
their public web servers but no other details. What penetration testing
methodology is the online retailer using?
❍ A. Known environment
❍ B. Passive footprinting
❍ C. Partially known environment
❍ D. Ping scan

A

Partially known environment

A partially known environment test is performed when the attacker knows
some information about the victim, but not all information is available.

11
Q

A manufacturing company makes radar used by commercial and military
organizations. A recently proposed policy change would allow the use of
mobile devices inside the facility. Which of the following would be the
MOST significant security issue associated with this change in policy?
❍ A. Unauthorized software on rooted devices
❍ B. Remote access clients on the mobile devices
❍ C. Out of date mobile operating systems
❍ D. Photo and video use

A

Photo and video use
The exfiltration of company confidential information is relatively simple
with an easily transportable camera or video recorder. Organizations
associated with sensitive products or services must always be aware of the
potential for information leaks using photos or video.

12
Q

A company is designing an application that will have a high demand and
will require significant computing resources during the summer. During
the winter, there will be little to no application use and resource use
should be minimal. Which of these characteristics BEST describes this
application requirement?
❍ A. Availability
❍ B. Orchestration
❍ C. Imaging
❍ D. Elasticity

A

Elasticity

Elasticity is the process of providing resources when demand increases and
scaling down when the demand is low.

13
Q

Vala, a security analyst, has received an alert from her IPS regarding active
exploit attempts from the Internet. Which of the following would provide
detailed information about these exploit attempts?
❍ A. Netstat
❍ B. Nmap
❍ C. Nessus
❍ D. Wireshark

A

Wireshark

Wireshark is a protocol analyzer, and it can provide information about
every frame that traverses the network. From a security perspective, the
protocol decode can show the exploitation process and details about the
payloads used during the attempt.

14
Q

A user in the accounting department would like to send a spreadsheet
with sensitive information to a list of third-party vendors. Which of the
following could be used to transfer this spreadsheet to the vendors?
❍ A. SNMPv3
❍ B. SRTP
❍ C. DNSSEC
❍ D. FTPS

A

FTPS

FTPS (File Transfer Protocol Secure) provides mechanisms for
transferring files using encrypted communication.

15
Q

A system administrator would like to segment the network to give the
marketing, accounting, and manufacturing departments their own private
network. The network communication between departments would
be restricted for additional security. Which of the following should be
configured on this network?
❍ A. VPN
❍ B. RBAC
❍ C. VLAN
❍ D. NAT

A

VLAN
A VLAN (Virtual Local Area Network) is a common method of logically
segmenting a network. The devices in each segmented VLAN can only
communicate with other devices in the same VLAN. A router is used to
connect VLANs, and this router can often be used to control traffic flows
between VLANs.

16
Q

A technician at an MSP has been asked to manage devices on a third-party
private network. The technician needs command line access to internal
routers, switches, and firewalls. Which of the following would provide the
necessary access?
❍ A. HSM
❍ B. Jump server
❍ C. NAC
❍ D. Air gap

A

Jump server

A jump server is a highly secured device commonly used to access secure
areas of another network. The technician would first connect to the jump
server using SSH or a VPN tunnel, and then “jump” from the jump server
to other devices on the inside of the protected network. This would allow
technicians at an MSP (Managed Service Provider) to securely access
devices on their customer’s network.

17
Q

Sam, a security administrator, is configuring the authentication process
used by technicians when logging into a router. Instead of using accounts
that are local to the router, Sam would like to pass all login requests to a
centralized database. Which of the following would be the BEST way to
implement this requirement?
❍ A. PAP
❍ B. RADIUS
❍ C. IPsec
❍ D. MS-CHAP

A

RADIUS

The RADIUS (Remote Authentication Dial-In User Service) protocol
is a common method of centralizing authentication for users. Instead of
having separate local accounts on different devices, users can authenticate
with account information that is maintained in a centralized database.

18
Q

A company has connected their wireless access points and has enabled
WPS. Which of the following security issues would be associated with
this configuration?
❍ A. Brute force
❍ B. Client hijacking
❍ C. Cryptographic vulnerability
❍ D. Spoofing

A

Brute force

A WPS personal identification number (PIN) was designed to have only
11,000 possible iterations, making a brute force attack possible if the
access point doesn’t provide any protection against multiple guesses.

19
Q

An IPS report shows a series of exploit attempts were made against
externally facing web servers. The system administrator of the web servers
has identified a number of unusual log entries on each system. Which of
the following would be the NEXT step in the incident response process?
❍ A. Check the IPS logs for any other potential attacks
❍ B. Create a plan for removing malware from the web servers
❍ C. Disable any breached user accounts
❍ D. Disconnect the web servers from the network

A

Disconnect the web servers from the network
The unusual log entries on the web server indicate that the system may
have been exploited. In that situation, the servers should be isolated to
prevent access to or from those systems.

20
Q

In the past, an organization has relied on the curated Apple App Store to
avoid issues associated with malware and insecure applications. However,
the IT department has discovered an iPhone in the shipping department
that includes applications that are not available on the Apple App Store.
How did the shipping department user install these apps on their
mobile device?
❍ A. Sideloading
❍ B. MMS install
❍ C. OTA updates
❍ D. Tethering

A

Sideloading

If Apple’s iOS has been circumvented using jailbreaking, then apps can be
installed without using the Apple App Store. This installation process that
circumvents the App Store is called sideloading.

21
Q

A security administrator is designing a storage array that would maintain
an exact replica of all data without striping. The array needs to operate
normally if a single drive were to fail. Which of the following would be the
BEST choice for this storage system?
❍ A. RAID 1
❍ B. RAID 5
❍ C. RAID 0
❍ D. RAID 10

A

RAID 1
RAID (Redundant Array of Independent Disks) type 1 maintains a mirror
(or exact duplicate) of data across multiple drives. If a single drive were to
fail, the mirror would continue to operate with the redundant data.

22
Q

A transportation company has moved their reservation system to a
cloud-based infrastructure. The security manager would like to monitor
data transfers, identify potential threats, and ensure that all data transfers
are encrypted. Which of the following would be the BEST choice for
these requirements?
❍ A. VPN
❍ B. CASB
❍ C. NGFW
❍ D. DLP

A

CASB
A CASB (Cloud Access Security Broker) is used to implement and
manage security policies when working in a cloud-based environment.

23
Q

A security administrator attends an annual industry convention with
other security professionals from around the world. Which of the
following attacks would be MOST likely in this situation?
❍ A. Smishing
❍ B. Supply chain
❍ C. Impersonation
❍ D. Watering hole

A

Watering hole

A watering hole attack infects a third-party site visited by the intended
victims. An industry convention would be a perfect location to attack
security professionals.

24
Q

An organization has developed an in-house mobile device app for order
processing. The developers would like the app to identify revoked server
certificates without sending any traffic over the corporate Internet
connection. Which of the following MUST be configured to allow this
functionality?
❍ A. CSR
❍ B. OCSP stapling
❍ C. Key escrow
❍ D. Hierarchical CA

A

OCSP stapling
The use of OCSP (Online Certificate Status Protocol) requires
communication between the client and the CA that issued a certificate.
If the CA is an external organization, then validation checks will
communicate across the Internet. The certificate holder can verify
their own status and avoid client Internet traffic by storing the status
information on an internal server and “stapling” the OCSP status into the
SSL/TLS handshake.

25
Q

Sam, a security administrator, is configuring an IPsec tunnel to a remote
site. Which protocol should she enable to protect all of the data traversing
the VPN tunnel?
❍ A. AH
❍ B. Diffie-Hellman
❍ C. ESP
❍ D. SHA-2

A

ESP

The ESP (Encapsulating Security Payload) protocol encrypts the data that
traverses the VPN.
26
Q

A security administrator has identified a DoS attack against the company’s
web server from an IPv4 address on the Internet. Which of the following
security tools would provide additional details about the attacker’s
location? (Select TWO)
❍ A. tracert
❍ B. arp
❍ C. ping
❍ D. ipconfig
❍ E. dig
❍ F. netcat

A

A. tracert and E. dig

Tracert (traceroute) provides a summary of hops between two devices. In this
example, tracert can be used to determine the local ISP’s IP addresses and
more information about the physical location of the attacker. The dig
(Domain Information Groper) command can be used to perform a reverse-lookup
of the IPv4 address and determine the IP address block owner that may be
responsible for this traffic.
27
Q

A hacker is planning an attack on a large corporation. Which of the following
would provide the attacker with details about the company’s domain names
and IP addresses?
❍ A. Information sharing center
❍ B. Vulnerability databases
❍ C. Automated indicator sharing
❍ D. Open-source intelligence

A

Open-source intelligence

Open-source intelligence, or OSINT, describes reconnaissance gathering from
publicly available sources. In this example, information about domain names
and IP addresses would be easily retrieved from a query to a public DNS
(Domain Name System) server.
28
Q

A security administrator would like to test a server to see if a specific
vulnerability exists. Which of the following would be the BEST choice for
this task?
❍ A. FTK Imager
❍ B. Autopsy
❍ C. Metasploit
❍ D. Netcat

A

C. Metasploit

Metasploit is an exploitation framework that can use known vulnerabilities
to gain access to remote systems. Metasploit performs penetration tests and
can verify the existence of a vulnerability.
29
Q

A company has signed an SLA with an Internet service provider. Which of the
following would BEST describe the content of this SLA?
❍ A. The customer will connect to partner locations over an IPsec tunnel
❍ B. The service provider will provide 99.999% uptime
❍ C. The customer applications use HTTPS over tcp/443
❍ D. Customer application use will be busiest on the 15th of each month

A

The service provider will provide 99.999% uptime

An SLA (Service Level Agreement) is a contract that specifies the minimum
terms for provided services. It’s common to include uptime, response times,
and other service metrics in an SLA.
30
Q

Which of the following would be the BEST way to protect credit card account
information when performing real-time purchase authorizations?
❍ A. Masking
❍ B. DLP
❍ C. Tokenization
❍ D. NGFW

A

Tokenization

Tokenization is a technique that replaces user data with a non-sensitive
placeholder, or token. Tokenization is commonly used on mobile devices to
purchase using a credit card without transmitting the credit card number.
31
Q

A government transport service has installed access points that support
WPA3. Which of the following technologies would provide enhanced security
for PSK while using WPA3?
❍ A. 802.1X
❍ B. SAE
❍ C. WEP
❍ D. WPS

A

SAE

WPA3 (Wi-Fi Protected Access 3) enhances the PSK (Pre-Shared Key)
authentication process by privately deriving session keys instead of sending
the key hashes across the network.
32
Q

A user in the marketing department is unable to connect to the wireless
network. After authenticating with a username and password, the user
receives this message:

-- -- --
The connection attempt could not be completed.
The Credentials provided by the server could not be validated.
Radius Server: radius.example.com
Root CA: Example.com Internal CA Root Certificate
-- -- --

The AP is configured with WPA3 encryption and 802.1X authentication. Which
of the following is the MOST likely reason for this login issue?
❍ A. The user’s computer is in the incorrect VLAN
❍ B. The RADIUS server is not responding
❍ C. The user’s computer does not support WPA3 encryption
❍ D. The user is in a location with an insufficient wireless signal
❍ E. The client computer does not have the proper certificate installed

A

The client computer does not have the proper certificate installed

The error message states that the server credentials could not be validated.
This indicates that the certificate authority that signed the server’s
certificate is either different than the CA certificate installed on the
client’s workstation, or the client workstation does not have an installed
copy of the CA’s certificate. This validation process ensures that the
client is communicating to a trusted server and there are no
man-in-the-middle attacks occurring.
33
Q

Jack, a security administrator, has been tasked with hardening all of the
internal web servers to prevent on-path attacks and to protect the
application traffic from protocol analysis. These requirements should be
implemented without changing the configuration on the client systems. Which
of the following should Jack include in his project plan? (Select TWO)
❍ A. Add DNSSEC records on the internal DNS servers
❍ B. Use HTTPS over port 443 for all server communication
❍ C. Use IPsec for client connections
❍ D. Create a web server certificate and sign it with the internal CA
❍ E. Require FTPS for all file transfers

A

B. Use HTTPS over port 443 for all server communication, and
D. Create a web server certificate and sign it with the internal CA

Using the secure HTTPS (Hypertext Transfer Protocol Secure) protocol will
ensure that all network communication is protected between the web server
and the client devices. If someone manages to capture the network traffic,
they would be viewing encrypted data. A signed certificate from a trusted
internal CA (Certificate Authority) allows web browsers to trust that the
web server is the legitimate server endpoint. If someone attempts an on-path
attack, the certificate presented will not validate and a warning message
will appear in the browser.
34
Q

To process the company payroll, a manager logs into a third-party
browser-based application and enters the hours worked for each employee.
The financial transfers and physical check mailings are all provided by the
third-party company. The manager does not maintain any servers or virtual
machines within his company. Which of the following would BEST describe
this application model?
❍ A. PaaS
❍ B. Private
❍ C. SaaS
❍ D. IaaS

A

C. SaaS

The SaaS (Software as a Service) model generally has no local application
installation, no ongoing maintenance tasks, and no local infrastructure
requirements. A third-party provides the application and the support, and
the user simply logs in, uses the service, and logs out.
35
Q

Which of the following BEST describes the modification of application
source code that removes white space, shortens variable names, and
rearranges the text into a compact format?
❍ A. Confusion
❍ B. Obfuscation
❍ C. Encryption
❍ D. Diffusion

A

Obfuscation

Obfuscation is the process of taking something that is normally
understandable and making it very difficult to understand. Many developers
will obfuscate their source code to prevent others from following the logic
used in the application.
36
Q

A third-party vulnerability scan reports that a company's web server
software version is susceptible to a memory leak vulnerability. Which of
the following would be the expected result if this vulnerability was
exploited?
❍ A. DDoS
❍ B. Data theft
❍ C. Unauthorized system access
❍ D. Rootkit installation

A

A. DDoS

A DDoS (Distributed Denial of Service) can easily exploit a memory leak.
Unused memory is not properly released, and eventually the leak uses all
available memory. The system eventually crashes due to lack of resources.
37
Q

Which of the following applies scientific principles to provide a post-event
analysis of an intrusion?
❍ A. MITRE ATT&CK framework
❍ B. ISO 27701
❍ C. Diamond model
❍ D. NIST RMF

A

Diamond model

The diamond model was created by the United States intelligence community
as a way to standardize attack reporting and the analysis of intrusions.
38
Q

Which of the following would be the MOST likely result of plaintext
application communication?
❍ A. Buffer overflow
❍ B. Replay attack
❍ C. Resource exhaustion
❍ D. Directory traversal

A

Replay attack

To perform a replay attack, the attacker needs to capture the original
non-encrypted content. If an application is not using encrypted
communication, the data capture process is a simple process for the
attacker.
39
Q

Daniel, a system administrator, believes that certain configuration files
on a Linux server have been modified from their original state. Daniel has
reverted the configurations to their original state, but he would like to
be notified if they are changed again. Which of the following would be the
BEST way to provide this functionality?
❍ A. HIPS
❍ B. File integrity check
❍ C. Application allow list
❍ D. WAF

A

File integrity check

A file integrity check (e.g., Tripwire, System File Checker, etc.) can be
used to monitor and alert if there are any changes to a file.
40
Q

A security administrator is updating the network infrastructure to support
802.1X authentication. Which of the following would be the BEST choice for
this configuration?
❍ A. LDAP
❍ B. HTTPS
❍ C. SNMPv3
❍ D. MS-CHAP

A

LDAP

LDAP (Lightweight Directory Access Protocol) is a common protocol to use for
centralized authentication. Other protocols such as RADIUS, TACACS+, or
Kerberos would also be valid options for 802.1X authentication.
41
Q

Your company owns a purpose-built appliance that doesn’t provide any access
to the operating system and doesn't provide a method to upgrade the
firmware. Which of the following describes this appliance?
❍ A. End-of-life
❍ B. Weak configuration
❍ C. Improper input handling
❍ D. Embedded system

A

Embedded system

An embedded system usually does not provide access to the OS and may not
even provide a method of upgrading the system firmware.
42
Q

Last month, a finance company disposed of seven-year-old printed customer
account summaries that were no longer required for auditing purposes. A
recent online search has now found that images of these documents are
available as downloadable torrents. Which of the following would MOST
likely have prevented this information breach?
❍ A. Pulping
❍ B. Degaussing
❍ C. NDA
❍ D. Fenced garbage disposal areas

A

Pulping

Pulping places the papers into a large washing tank to remove the ink, and
the paper is broken down into pulp and recycled. The information on the
paper is not recoverable after pulping.
43
Q

A security manager believes that an employee is using their laptop to
circumvent the corporate Internet security controls through the use of a
cellular hotspot. Which of the following could be used to validate this
belief? (Select TWO)
❍ A. HIPS
❍ B. UTM appliance logs
❍ C. Web application firewall events
❍ D. Host-based firewall logs
❍ E. Next-generation firewall logs

A

A. HIPS and D. Host-based firewall logs

If the laptop is not communicating across the corporate network, then the
only evidence of the traffic would be contained on the laptop itself. A
HIPS (Host-based Intrusion Prevention System) and host-based firewall logs
may contain information about recent traffic flows to systems outside of
the corporate network.
44
Q

A security administrator is researching an issue with conference room users
at a remote site. When connected to the wireless network, users receive an
IP address that is not part of the corporate addressing scheme.
Communication over this network also appears to have slower performance
than the wireless connections elsewhere in the building. Which of the
following would be the MOST likely reason for these issues?
❍ A. Rogue access point
❍ B. Domain hijack
❍ C. DDoS
❍ D. MAC flooding

A

Rogue access point

A rogue access point is an unauthorized access point added by a user or
attacker. This access point may not necessarily be malicious, but it does
create significant security concerns and unauthorized access to the
corporate network.
45
Q

A company has identified a compromised server, and the security team would
like to know if an attacker has used this device to move between systems.
Which of the following would be the BEST way to provide this information?
❍ A. DNS server logs
❍ B. Penetration test
❍ C. NetFlow logs
❍ D. Email header

A

NetFlow logs

NetFlow information can provide a summary of network traffic, application
usage, and details of network conversations. The NetFlow logs will show all
conversations from this device to any others in the network.
46
Q

A new malware variant takes advantage of a vulnerability in a popular email
client. Once installed, the malware forwards all email attachments
containing credit card information to an external email address. Which of
the following would limit the scope of this attack?
❍ A. Enable MFA on the email client
❍ B. Scan outgoing traffic with DLP
❍ C. Require users to enable the VPN when using email
❍ D. Update the list of malicious URLs in the firewall

A

Scan outgoing traffic with DLP

DLP (Data Loss Prevention) systems are designed to identify sensitive data
transfers. If the DLP finds a data transfer with financial details, personal
information, or other private information, the DLP can block the data
transfer.
47
Q

An organization has identified a security breach and has removed the
affected servers from the network. Which of the following is the NEXT step
in the IR process?
❍ A. Eradication
❍ B. Preparation
❍ C. Recovery
❍ D. Identification
❍ E. Containment

A

Eradication

The IR (Incident Response) process is preparation, identification,
containment, eradication, recovery, and lessons learned. Once a system has
been contained, any malware or breached user accounts should be removed
from the system.
48
Q

Which of the following would be the MAIN reasons why a system administrator
would use a TPM when configuring full disk encryption? (Select TWO)
❍ A. Allows the encryption of multiple volumes
❍ B. Uses burned-in cryptographic keys
❍ C. Stores certificates in a hardware security module
❍ D. Protects against EMI leakage
❍ E. Includes built-in protections against brute-force attacks

A

B. Uses burned-in cryptographic keys and
E. Includes built-in protections against brute-force attacks

A TPM (Trusted Platform Module) is hardware that is part of a computer’s
motherboard, and it’s specifically designed to assist with and protect
cryptographic functions. Full disk encryption (FDE) can use the burned-in
TPM keys to verify that the local device hasn’t changed, and there are
security features in the TPM that will prevent brute-force or dictionary
attacks against the full disk encryption login credentials.
49
Q

A security administrator would like to create an access control where each
file or folder is assigned a security clearance level, such as
“confidential” or “secret.” The security administrator would then assign a
maximum security level to each user. What type of access control would be
used in this network?
❍ A. Mandatory
❍ B. Rule-based
❍ C. Discretionary
❍ D. Role-based

A

A. Mandatory

Mandatory access control uses a series of security levels (e.g., public,
private, secret) and assigns those levels to each object in the operating
system. Users are assigned a security level, and they would only have access
to objects that meet or are below that assigned security level.
50
Q

Cameron, a security administrator, is reviewing a report that shows a number
of devices on internal networks attempting to connect with servers in the
data center network. Which of the following security controls should
Cameron add to prevent internal systems from accessing data center devices?
❍ A. VPN
❍ B. IPS
❍ C. NAT
❍ D. ACL

A

D. ACL

An ACL (Access Control List) is a security control commonly implemented on
routers to allow or restrict traffic flows through the network.
51
Q

A virus scanner has identified a macro virus in a word processing file
attached to an email. Which of the following information could be obtained
from the metadata of this file?
❍ A. IPS signature name and number
❍ B. Operating system version
❍ C. Date and time when the file was created
❍ D. Alert disposition

A

C. Date and time when the file was created

The date and time the file was created is commonly found in the metadata of
a file.
52
Q

Which of the following would be the best way to describe the estimated
number of laptops that might be stolen in a fiscal year?
❍ A. ALE
❍ B. SLE
❍ C. ARO
❍ D. MTTR

A

ARO

The ARO (Annualized Rate of Occurrence) describes the number of instances
that an event would occur in a year. For example, if the organization
expects to lose seven laptops to theft in a year, the ARO for laptop theft
is seven.