Prof Messer Practice Test B Flashcards

1
Q

A security administrator has performed an audit of the organization’s
production web servers, and the results have identified banner
information leakage, web services running from a privileged account, and
inconsistencies with SSL certificates. Which of the following would be the
BEST way to resolve these issues?
❍ A. Server hardening
❍ B. Multi-factor authentication
❍ C. Enable HTTPS
❍ D. Run operating system updates

A

Server hardening

Many applications and services include secure configuration guides that
can assist in hardening the system. These hardening steps will make the
system as secure as possible while simultaneously allowing the application
to run efficiently.

2
Q

A shipping company stores information in small regional warehouses
around the country. The company keeps an IPS online at each warehouse
to watch for suspicious traffic patterns. Which of the following would
BEST describe the security control used at the warehouse?
❍ A. Managerial
❍ B. Compensating
❍ C. Physical
❍ D. Detective

A

D. Detective
An IPS can detect and record any intrusion attempt.

3
Q

The Vice President of Sales has asked the IT team to create daily backups
of the sales data. The Vice President is an example of a:
❍ A. Data owner
❍ B. Data protection officer
❍ C. Data steward
❍ D. Data processor

A

Data owner

The data owner is accountable for specific data, and is often a senior officer
of the organization.

4
Q

A security engineer is preparing to conduct a penetration test. Part of the
preparation involves reading through social media posts for information
about a third-party website. Which of the following describes this
practice?
❍ A. Partially known environment
❍ B. OSINT
❍ C. Exfiltration
❍ D. Active footprinting

A

OSINT
OSINT (Open Source Intelligence) describes the process of obtaining
information from open sources, such as social media sites, corporate
websites, online forums, and other publicly available locations.

5
Q

A company would like to automate their response when a virus is
detected on company devices. Which of the following would be the
BEST way to implement this function?
❍ A. Active footprinting
❍ B. IaaS
❍ C. Vulnerability scan
❍ D. SOAR

A

SOAR
SOAR (Security Orchestration, Automation, and Response) provides
security teams with integration and automation of processes and
procedures.

6
Q

A user in the accounting department has received an email from the
CEO requesting payment for a recently purchased tablet. However, there
doesn’t appear to be a purchase order associated with this request. Which
of the following would be the MOST likely attack associated with
this email?
❍ A. Spear phishing
❍ B. Watering hole attack
❍ C. Invoice scam
❍ D. Credential harvesting

A

Invoice scam
Invoice scams attempt to take advantage of the miscommunication
between different parts of the organization. Fake invoices are submitted by
the attacker, and these invoices can sometimes be incorrectly paid without
going through the expected verification process.

7
Q

A company has been informed of a hypervisor vulnerability that could
allow users on one virtual machine to access resources on another
virtual machine. Which of the following would BEST describe this
vulnerability?
❍ A. Containerization
❍ B. Service integration
❍ C. SDN
❍ D. VM escape

A

VM escape

A VM (Virtual Machine) escape is a vulnerability that allows
communication between separate VMs.

8
Q

While working from home, users are attending a project meeting over
a web conference. When typing in the meeting link, the browser is
unexpectedly directed to a different website than the web conference.
Users in the office do not have any issues accessing the conference site.
Which of the following would be the MOST likely reason for this issue?
❍ A. Bluejacking
❍ B. Wireless disassociation
❍ C. DDoS
❍ D. DNS poisoning

A

DNS poisoning
An attacker that gains access to a DNS (Domain Name System) server
can modify the configuration files and redirect users to a different website.
Anyone using a different DNS server may not see any problems with
connectivity to the original site.

9
Q

A company is launching a new internal application that will not start
until a username and password is entered and a smart card is plugged into
the computer. Which of the following BEST describes this process?
❍ A. Federation
❍ B. Accounting
❍ C. Authentication
❍ D. Authorization

A

Authentication

The process of proving who you say you are is authentication. In this
example, the password and smart card are two factors of authentication,
and both reasonably prove that the person logging in is authentic.

10
Q

An online retailer is planning a penetration test as part of their PCI
DSS validation. A third-party organization will be performing the test,
and the online retailer has provided the Internet-facing IP addresses for
their public web servers but no other details. What penetration testing
methodology is the online retailer using?
❍ A. Known environment
❍ B. Passive footprinting
❍ C. Partially known environment
❍ D. Ping scan

A

Partially known environment

A partially known environment test is performed when the attacker knows
some information about the victim, but not all information is available.

11
Q

A manufacturing company makes radar used by commercial and military
organizations. A recently proposed policy change would allow the use of
mobile devices inside the facility. Which of the following would be the
MOST significant security issue associated with this change in policy?
❍ A. Unauthorized software on rooted devices
❍ B. Remote access clients on the mobile devices
❍ C. Out of date mobile operating systems
❍ D. Photo and video use

A

Photo and video use
The exfiltration of company confidential information is relatively simple
with an easily transportable camera or video recorder. Organizations
associated with sensitive products or services must always be aware of the
potential for information leaks using photos or video.

12
Q

A company is designing an application that will have a high demand and
will require significant computing resources during the summer. During
the winter, there will be little to no application use and resource use
should be minimal. Which of these characteristics BEST describe this
application requirement?
❍ A. Availability
❍ B. Orchestration
❍ C. Imaging
❍ D. Elasticity

A

Elasticity

Elasticity is the process of providing resources when demand increases and
scaling down when the demand is low.

13
Q

Vala, a security analyst, has received an alert from her IPS regarding active
exploit attempts from the Internet. Which of the following would provide
detailed information about these exploit attempts?
❍ A. Netstat
❍ B. Nmap
❍ C. Nessus
❍ D. Wireshark

A

Wireshark

Wireshark is a protocol analyzer, and it can provide information about
every frame that traverses the network. From a security perspective, the
protocol decode can show the exploitation process and details about the
payloads used during the attempt.

14
Q

A user in the accounting department would like to send a spreadsheet
with sensitive information to a list of third-party vendors. Which of the
following could be used to transfer this spreadsheet to the vendors?
❍ A. SNMPv3
❍ B. SRTP
❍ C. DNSSEC
❍ D. FTPS

A

FTPS

FTPS (File Transfer Protocol Secure) provides mechanisms for
transferring files using encrypted communication.

15
Q

A system administrator would like to segment the network to give the
marketing, accounting, and manufacturing departments their own private
network. The network communication between departments would
be restricted for additional security. Which of the following should be
configured on this network?
❍ A. VPN
❍ B. RBAC
❍ C. VLAN
❍ D. NAT

A

VLAN
A VLAN (Virtual Local Area Network) is a common method of logically
segmenting a network. The devices in each segmented VLAN can only
communicate with other devices in the same VLAN. A router is used to
connect VLANs, and this router can often be used to control traffic flows
between VLANs.

16
Q

A technician at an MSP has been asked to manage devices on a third-party
private network. The technician needs command line access to internal
routers, switches, and firewalls. Which of the following would provide the
necessary access?
❍ A. HSM
❍ B. Jump server
❍ C. NAC
❍ D. Air gap

A

Jump server

A jump server is a highly secured device commonly used to access secure
areas of another network. The technician would first connect to the jump
server using SSH or a VPN tunnel, and then “jump” from the jump server
to other devices on the inside of the protected network. This would allow
technicians at an MSP (Managed Service Provider) to securely access
devices on their customer’s network.

17
Q

Sam, a security administrator, is configuring the authentication process
used by technicians when logging into a router. Instead of using accounts
that are local to the router, Sam would like to pass all login requests to a
centralized database. Which of the following would be the BEST way to
implement this requirement?
❍ A. PAP
❍ B. RADIUS
❍ C. IPsec
❍ D. MS-CHAP

A

RADIUS

The RADIUS (Remote Authentication Dial-In User Service) protocol
is a common method of centralizing authentication for users. Instead of
having separate local accounts on different devices, users can authenticate
with account information that is maintained in a centralized database.

18
Q

A company has connected their wireless access points and has enabled
WPS. Which of the following security issues would be associated with
this configuration?
❍ A. Brute force
❍ B. Client hijacking
❍ C. Cryptographic vulnerability
❍ D. Spoofing

A

Brute force

A WPS personal identification number (PIN) was designed to have only
11,000 possible iterations, making a brute force attack possible if the
access point doesn’t provide any protection against multiple guesses.

19
Q

An IPS report shows a series of exploit attempts were made against
externally facing web servers. The system administrator of the web servers
has identified a number of unusual log entries on each system. Which of
the following would be the NEXT step in the incident response process?
❍ A. Check the IPS logs for any other potential attacks
❍ B. Create a plan for removing malware from the web servers
❍ C. Disable any breached user accounts
❍ D. Disconnect the web servers from the network

A

Disconnect the web servers from the network
The unusual log entries on the web server indicate that the system may
have been exploited. In that situation, the servers should be isolated to
prevent access to or from those systems.

20
Q

In the past, an organization has relied on the curated Apple App Store to
avoid issues associated with malware and insecure applications. However,
the IT department has discovered an iPhone in the shipping department
that includes applications that are not available on the Apple App Store.
How did the shipping department user install these apps on their
mobile device?
❍ A. Sideloading
❍ B. MMS install
❍ C. OTA updates
❍ D. Tethering

A

Sideloading

If Apple’s iOS has been circumvented using jailbreaking, then apps can be
installed without using the Apple App Store. This installation process that
circumvents the App Store is called sideloading.

21
Q

A security administrator is designing a storage array that would maintain
an exact replica of all data without striping. The array needs to operate
normally if a single drive was to fail. Which of the following would be the
BEST choice for this storage system?
❍ A. RAID 1
❍ B. RAID 5
❍ C. RAID 0
❍ D. RAID 10

A

RAID 1
RAID (Redundant Array of Independent Disks) type 1 maintains a mirror
(or exact duplicate) of data across multiple drives. If a single drive was to
fail, the mirror would continue to operate with the redundant data.

22
Q

A transportation company has moved their reservation system to a
cloud-based infrastructure. The security manager would like to monitor
data transfers, identify potential threats, and ensure that all data transfers
are encrypted. Which of the following would be the BEST choice for
these requirements?
❍ A. VPN
❍ B. CASB
❍ C. NGFW
❍ D. DLP

A

CASB
A CASB (Cloud Access Security Broker) is used to implement and
manage security policies when working in a cloud-based environment.

23
Q

A security administrator attends an annual industry convention with
other security professionals from around the world. Which of the
following attacks would be MOST likely in this situation?
❍ A. Smishing
❍ B. Supply chain
❍ C. Impersonation
❍ D. Watering hole

A

Watering hole

A watering hole attack infects a third-party location visited by the
intended victims. An industry convention would be a perfect location to
attack security professionals.

24
Q

An organization has developed an in-house mobile device app for order
processing. The developers would like the app to identify revoked server
certificates without sending any traffic over the corporate Internet
connection. Which of the following MUST be configured to allow this
functionality?
❍ A. CSR
❍ B. OCSP stapling
❍ C. Key escrow
❍ D. Hierarchical CA

A

OCSP stapling
The use of OCSP (Online Certificate Status Protocol) requires
communication between the client and the CA that issued a certificate.
If the CA is an external organization, then validation checks will
communicate across the Internet. The certificate holder can verify
their own status and avoid client Internet traffic by storing the status
information on an internal server and “stapling” the OCSP status into the
SSL/TLS handshake.

25
Q

Sam, a security administrator, is configuring an IPsec tunnel to a remote
site. Which protocol should she enable to protect all of the data traversing
the VPN tunnel?
❍ A. AH
❍ B. Diffie-Hellman
❍ C. ESP
❍ D. SHA-2

A

ESP
The ESP (Encapsulation Security Payload) protocol encrypts the data that
traverses the VPN.

26
Q

A security administrator has identified a DoS attack against the
company’s web server from an IPv4 address on the Internet. Which of
the following security tools would provide additional details about the
attacker’s location? (Select TWO)
❍ A. tracert
❍ B. arp
❍ C. ping
❍ D. ipconfig
❍ E. dig
❍ F. netcat

A

A. tracert and E. dig

Tracert (traceroute) provides a summary of hops between two devices. In
this example, tracert can be used to determine the local ISP’s IP addresses
and more information about the physical location of the attacker.

The dig (Domain Information Groper) command can be used to perform a
reverse-lookup of the IPv4 address and determine the IP address block
owner that may be responsible for this traffic.

27
Q

A hacker is planning an attack on a large corporation. Which of the
following would provide the attacker with details about the company’s
domain names and IP addresses?
❍ A. Information sharing center
❍ B. Vulnerability databases
❍ C. Automated indicator sharing
❍ D. Open-source intelligence

A

Open-source intelligence

Open-source intelligence, or OSINT, describes reconnaissance gathering
from publicly available sources. In this example, information about domain
names and IP addresses would be easily retrieved from a query to a public
DNS (Domain Name System) server.

28
Q

A security administrator would like to test a server to see if a specific
vulnerability exists. Which of the following would be the BEST choice
for this task?
❍ A. FTK Imager
❍ B. Autopsy
❍ C. Metasploit
❍ D. Netcat

A

C. Metasploit

Metasploit is an exploitation framework that can use known vulnerabilities
to gain access to remote systems. Metasploit performs penetration tests
and can verify the existence of a vulnerability.

29
Q

A company has signed an SLA with an Internet service provider. Which
of the following would BEST describe the content of this SLA?
❍ A. The customer will connect to partner locations over an IPsec tunnel
❍ B. The service provider will provide 99.999% uptime
❍ C. The customer applications use HTTPS over tcp/443
❍ D. Customer application use will be busiest on the 15th of each month

A

The service provider will provide 99.999% uptime

An SLA (Service Level Agreement) is a contract that specifies the
minimum terms for provided services. It’s common to include uptime,
response times, and other service metrics in an SLA.

30
Q

Which of the following would be the BEST way to protect credit card
account information when performing real-time purchase authorizations?
❍ A. Masking
❍ B. DLP
❍ C. Tokenization
❍ D. NGFW

A

Tokenization

Tokenization is a technique that replaces user data with a non-sensitive
placeholder, or token. Tokenization is commonly used on mobile devices to
purchase using a credit card without transmitting the credit card number.

31
Q

A government transport service has installed access points that support
WPA3. Which of the following technologies would provide enhanced
security for PSK while using WPA3?
❍ A. 802.1X
❍ B. SAE
❍ C. WEP
❍ D. WPS

A

SAE

WPA3 (Wi-Fi Protected Access 3) enhances the PSK (Pre-Shared Key)
authentication process by privately deriving session keys instead of sending
the key hashes across the network.

32
Q

A user in the marketing department is unable to connect to the wireless
network. After authenticating with a username and password, the user
receives this message:
– – –
The connection attempt could not be completed.
The Credentials provided by the server could not be validated.
Radius Server: radius.example.com
Root CA: Example.com Internal CA Root Certificate
– – –
The AP is configured with WPA3 encryption and 802.1X authentication.
Which of the following is the MOST likely reason for this login issue?
❍ A. The user’s computer is in the incorrect VLAN
❍ B. The RADIUS server is not responding
❍ C. The user’s computer does not support WPA3 encryption
❍ D. The user is in a location with an insufficient wireless signal
❍ E. The client computer does not have the proper certificate installed

A

The client computer does not have the proper certificate installed
The error message states that the server credentials could not be validated.
This indicates that the certificate authority that signed the server’s
certificate is either different than the CA certificate installed on the
client’s workstation, or the client workstation does not have an installed
copy of the CA’s certificate. This validation process ensures that the client
is communicating to a trusted server and there are no man-in-the-middle
attacks occurring.

33
Q

Jack, a security administrator, has been tasked with hardening all of
the internal web servers to prevent on-path attacks and to protect the
application traffic from protocol analysis. These requirements should be
implemented without changing the configuration on the client systems.
Which of the following should Jack include in his project plan?
(Select TWO)
❍ A. Add DNSSEC records on the internal DNS servers
❍ B. Use HTTPS over port 443 for all server communication
❍ C. Use IPsec for client connections
❍ D. Create a web server certificate and sign it with the internal CA
❍ E. Require FTPS for all file transfers

A

B. Use HTTPS over port 443 for all server communication,
and
D. Create a web server certificate and sign it with the internal CA
Using the secure HTTPS (Hypertext Transfer Protocol Secure) protocol
will ensure that all network communication is protected between the web
server and the client devices. If someone manages to capture the network
traffic, they would be viewing encrypted data. A signed certificate from a
trusted internal CA (Certificate Authority) allows web browsers to trust
that the web server is the legitimate server endpoint. If someone attempts
an on-path attack, the certificate presented will not validate and a warning
message will appear in the browser.

34
Q

To process the company payroll, a manager logs into a third-party
browser-based application and enters the hours worked for each
employee. The financial transfers and physical check mailings are all
provided by the third-party company. The manager does not maintain any
servers or virtual machines within his company. Which of the following
would BEST describe this application model?
❍ A. PaaS
❍ B. Private
❍ C. SaaS
❍ D. IaaS

A

C. SaaS

The SaaS (Software as a Service) model generally has no local application
installation, no ongoing maintenance tasks, and no local infrastructure
requirements. A third-party provides the application and the support, and
the user simply logs in, uses the service, and logs out.

35
Q

Which of the following BEST describes the modification of application
source code that removes white space, shortens variable names, and
rearranges the text into a compact format?
❍ A. Confusion
❍ B. Obfuscation
❍ C. Encryption
❍ D. Diffusion

A

Obfuscation

Obfuscation is the process of taking something that is normally
understandable and making it very difficult to understand. Many
developers will obfuscate their source code to prevent others from
following the logic used in the application.

36
Q

A third-party vulnerability scan reports that a company’s web server
software version is susceptible to a memory leak vulnerability. Which
of the following would be the expected result if this vulnerability was
exploited?
❍ A. DDoS
❍ B. Data theft
❍ C. Unauthorized system access
❍ D. Rootkit installation

A

A. DDoS

A DDoS (Distributed Denial of Service) can easily exploit a memory leak.
Unused memory is not properly released, and eventually the leak uses all
available memory. The system eventually crashes due to lack of resources.

37
Q

Which of the following applies scientific principles to provide a
post-event analysis of an intrusion?
❍ A. MITRE ATT&CK framework
❍ B. ISO 27701
❍ C. Diamond model
❍ D. NIST RMF

A

Diamond model

The diamond model was created by the United States intelligence
community as a way to standardize attack reporting and the analysis of
intrusions.

38
Q

Which of the following would be the MOST likely result of plaintext
application communication?
❍ A. Buffer overflow
❍ B. Replay attack
❍ C. Resource exhaustion
❍ D. Directory traversal

A

Replay attack

To perform a replay attack, the attacker needs to capture the original
non-encrypted content. If an application is not using encrypted
communication, the data capture process is a simple process for
the attacker.

39
Q

Daniel, a system administrator, believes that certain configuration files on
a Linux server have been modified from their original state. Daniel has
reverted the configurations to their original state, but he would like to be
notified if they are changed again. Which of the following would be the
BEST way to provide this functionality?
❍ A. HIPS
❍ B. File integrity check
❍ C. Application allow list
❍ D. WAF

A

File integrity check

A file integrity check (e.g., Tripwire, System File Checker, etc.) can be used
to monitor and alert if there are any changes to a file.

40
Q

A security administrator is updating the network infrastructure to support
802.1X authentication. Which of the following would be the BEST
choice for this configuration?
❍ A. LDAP
❍ B. HTTPS
❍ C. SNMPv3
❍ D. MS-CHAP

A

LDAP

LDAP (Lightweight Directory Access Protocol) is a common protocol
to use for centralized authentication. Other protocols such as RADIUS,
TACACS+, or Kerberos would also be valid options for 802.1X
authentication.

41
Q

Your company owns a purpose-built appliance that doesn’t provide any
access to the operating system and doesn’t provide a method to upgrade
the firmware. Which of the following describes this appliance?
❍ A. End-of-life
❍ B. Weak configuration
❍ C. Improper input handling
❍ D. Embedded system

A

Embedded system

An embedded system usually does not provide access to the OS and may
not even provide a method of upgrading the system firmware.

42
Q

Last month, a finance company disposed of seven-year-old printed
customer account summaries that were no longer required for auditing
purposes. A recent online search has now found that images of these
documents are available as downloadable torrents. Which of the following
would MOST likely have prevented this information breach?
❍ A. Pulping
❍ B. Degaussing
❍ C. NDA
❍ D. Fenced garbage disposal areas

A

Pulping

Pulping places the papers into a large washing tank to remove the ink, and
the paper is broken down into pulp and recycled. The information on the
paper is not recoverable after pulping.

43
Q

A security manager believes that an employee is using their laptop to
circumvent the corporate Internet security controls through the use of
a cellular hotspot. Which of the following could be used to validate this
belief? (Select TWO)
❍ A. HIPS
❍ B. UTM appliance logs
❍ C. Web application firewall events
❍ D. Host-based firewall logs
❍ E. Next-generation firewall logs

A

A. HIPS and D. Host-based firewall logs
If the laptop is not communicating across the corporate network, then
the only evidence of the traffic would be contained on the laptop itself. A
HIPS (Host-based Intrusion Prevention System) and host-based firewall
logs may contain information about recent traffic flows to systems outside
of the corporate network.

44
Q

A security administrator is researching an issue with conference room
users at a remote site. When connected to the wireless network, users
receive an IP address that is not part of the corporate addressing
scheme. Communication over this network also appears to have slower
performance than the wireless connections elsewhere in the building.
Which of the following would be the MOST likely reason for
these issues?
❍ A. Rogue access point
❍ B. Domain hijack
❍ C. DDoS
❍ D. MAC flooding

A

Rogue access point

A rogue access point is an unauthorized access point added by a user
or attacker. This access point may not necessarily be malicious, but it
does create significant security concerns and unauthorized access to the
corporate network.

45
Q

A company has identified a compromised server, and the security team
would like to know if an attacker has used this device to move between
systems. Which of the following would be the BEST way to provide this
information?
❍ A. DNS server logs
❍ B. Penetration test
❍ C. NetFlow logs
❍ D. Email header

A

NetFlow logs

NetFlow information can provide a summary of network traffic,
application usage, and details of network conversations. The NetFlow logs
will show all conversations from this device to any others in the network.

46
Q

A new malware variant takes advantage of a vulnerability in a popular
email client. Once installed, the malware forwards all email attachments
containing credit card information to an external email address. Which of
the following would limit the scope of this attack?
❍ A. Enable MFA on the email client
❍ B. Scan outgoing traffic with DLP
❍ C. Require users to enable the VPN when using email
❍ D. Update the list of malicious URLs in the firewall

A

Scan outgoing traffic with DLP

DLP (Data Loss Prevention) systems are designed to identify sensitive
data transfers. If the DLP finds a data transfer with financial details,
personal information, or other private information, the DLP can block the
data transfer.

47
Q

An organization has identified a security breach and has removed the
affected servers from the network. Which of the following is the NEXT
step in the IR process?
❍ A. Eradication
❍ B. Preparation
❍ C. Recovery
❍ D. Identification
❍ E. Containment

A

Eradication

The IR (Incident Response) process is preparation, identification,
containment, eradication, recovery, and lessons learned. Once a system has
been contained, any malware or breached user accounts should be removed
from the system.

48
Q

Which of the following would be the MAIN reasons why a system
administrator would use a TPM when configuring full disk encryption?
(Select TWO)
❍ A. Allows the encryption of multiple volumes
❍ B. Uses burned-in cryptographic keys
❍ C. Stores certificates in a hardware security module
❍ D. Protects against EMI leakage
❍ E. Includes built-in protections against brute-force attacks

A

B. Uses burned-in cryptographic keys and
E. Includes built-in protections against brute-force attacks.

A TPM (Trusted Platform Module) is hardware that is part of a
computer’s motherboard, and it’s specifically designed to assist and protect
with cryptographic functions. Full disk encryption (FDE) can use the
burned-in TPM keys to verify that the local device hasn’t changed, and
there are security features in the TPM that will prevent brute-force or
dictionary attacks against the full disk encryption login credentials.

49
Q

A security administrator would like to create an access control where each
file or folder is assigned a security clearance level, such as “confidential”
or “secret.” The security administrator would then assign a maximum
security level to each user. What type of access control would be used in
this network?
❍ A. Mandatory
❍ B. Rule-based
❍ C. Discretionary
❍ D. Role-based

A

A. Mandatory

Mandatory access control uses a series of security levels (e.g., public,
private, secret) and assigns those levels to each object in the operating
system. Users are assigned a security level, and they would only have access
to objects that meet or are below that assigned security level.

50
Q

Cameron, a security administrator, is reviewing a report that shows a
number of devices on internal networks attempting to connect with
servers in the data center network. Which of the following security
controls should Cameron add to prevent internal systems from accessing
data center devices?
❍ A. VPN
❍ B. IPS
❍ C. NAT
❍ D. ACL

A

D. ACL

An ACL (Access Control List) is a security control commonly
implemented on routers to allow or restrict traffic flows through the
network.

51
Q

A virus scanner has identified a macro virus in a word processing file
attached to an email. Which of the following information could be
obtained from the metadata of this file?
❍ A. IPS signature name and number
❍ B. Operating system version
❍ C. Date and time when the file was created
❍ D. Alert disposition

A

C. Date and time when the file was created

The date and time the file was created is commonly found in the metadata
of a file.

52
Q

Which of the following would be the best way to describe the estimated
number of laptops that might be stolen in a fiscal year?
❍ A. ALE
❍ B. SLE
❍ C. ARO
❍ D. MTTR

A

ARO
The ARO (Annualized Rate of Occurrence) describes the number
of instances that an event would occur in a year. For example, if the
organization expects to lose seven laptops to theft in a year, the ARO for
laptop theft is seven.