Professor Messer Practice questions Flashcards
You’ve hired a third-party to gather information about your company’s
servers and data. The third-party will not have direct access to your
internal network but can gather information from any other source.
Which of the following would BEST describe this approach?
❍ A. Backdoor testing
❍ B. Passive footprinting
❍ C. OS fingerprinting
❍ D. Partially known environment
The Answer: B. Passive footprinting
Passive footprinting focuses on learning as much information from
open sources such as social media, corporate websites, and business
organizations.
The incorrect answers:
A. Backdoor testing
Some active reconnaissance tests will directly query systems to see if a
backdoor has been installed.
C. OS fingerprinting
To fingerprint an operating system, you must actively query and receive
responses across the network.
D. Partially known environment
A partially known environment penetration test is a focused approach
that usually provides detailed information about specific systems or
applications.
Which of these protocols use TLS to provide secure communication?
(Select TWO)
❍ A. HTTPS
❍ B. SSH
❍ C. FTPS
❍ D. SNMPv2
❍ E. DNSSEC
❍ F. SRTP
The Answer: A. HTTPS and C. FTPS
TLS (Transport Layer Security) is a cryptographic protocol used to
encrypt network communication. HTTPS is the Hypertext Transfer
Protocol over TLS, and FTPS is the File Transfer Protocol over TLS.
The incorrect answers:
B. SSH
SSH (Secure Shell) can use symmetric or asymmetric encryption, but
those ciphers are not associated with TLS.
D. SNMPv2
SNMPv2 (Simple Network Management Protocol version 2) does not
implement TLS, or any encryption, within the network communication.
E. DNSSEC
DNSSEC (DNS security extensions) do not provide any confidentiality
of data.
F. SRTP
SRTP (Secure Real-time Transport Protocol) is a VoIP (Voice over IP)
protocol used for encrypting conversations. SRTP protocol commonly uses
AES (Advanced Encryption Standard) for confidentiality.
Which of these threat actors would be MOST likely to attack systems for
direct financial gain?
❍ A. Organized crime
❍ B. Hacktivist
❍ C. Nation state
❍ D. Competitor
The Answer: A. Organized crime
An organized crime actor is motivated by money, and their hacking
objectives are usually centered on targets that can be easily exchanged
for financial capital.
The incorrect answers:
B. Hacktivist
A hacktivist is focused on a political agenda and not commonly on a
financial gain.
C. Nation state
Nation states are already well funded, and their primary objective is not
usually based on revenue or income.
D. Competitor
A competitor doesn’t have any direct financial gain by disrupting a
website or stealing customer lists, and often their objective is to disable
a competitor’s business or to harm their reputation. If there is a financial
gain, it would often be an indirect result of an attack.
A security incident has occurred on a file server. Which of the following
data sources should be gathered to address file storage volatility?
(Select TWO)
❍ A. Partition data
❍ B. Kernel statistics
❍ C. ROM data
❍ D. Temporary file systems
❍ E. Process table
The Answer: A. Partition data and D. Temporary file systems
Both temporary file system data and partition data are part of the file
storage subsystem.
The incorrect answers:
B. Kernel statistics
Kernel statistics are stored in memory.
C. ROM data
ROM data is a type of memory storage.
E. Process table
The process table keeps track of system processes, and it stores this
information in RAM.
An IPS at your company has found a sharp increase in traffic from
all-in-one printers. After researching, your security team has found a
vulnerability associated with these devices that allows the device to be
remotely controlled by a third-party. Which category would BEST
describe these devices?
❍ A. IoT
❍ B. RTOS
❍ C. MFD
❍ D. SoC
The Answer: C. MFD
An all-in-one printer that can print, scan, and fax is often categorized as
an MFD (Multifunction Device).
The incorrect answers:
A. IoT
Wearable technology and home automation devices are commonly called
IoT (Internet of Things) devices.
B. RTOS
RTOS (Real-time Operating Systems) are commonly used in
manufacturing and automobiles.
D. SoC
Multiple components that run on a single chip are categorized as an SoC
(System on a Chip).
Which of the following standards provides information on privacy and
managing PII?
❍ A. ISO 31000
❍ B. ISO 27002
❍ C. ISO 27701
❍ D. ISO 27001
The Answer: C. ISO 27701
The ISO (International Organization for Standardization) 27701
standard extends the ISO 27001 and 27002 standards to include detailed
management of PII (Personally Identifiable Information) and data privacy.
The incorrect answers:
A. ISO 31000
The ISO 31000 standard sets international standards for risk management
practices.
B. ISO 27002
Information security controls are the focus of the ISO 27002 standard.
D. ISO 27001
The ISO 27001 standard is the foundational standard for Information
Security Management Systems (ISMS).
Elizabeth, a security administrator, is concerned about the potential for
data exfiltration using external storage drives. Which of the following
would be the BEST way to prevent this method of data exfiltration?
❍ A. Create an operating system security policy to prevent
the use of removable media
❍ B. Monitor removable media usage in host-based firewall logs
❍ C. Only allow applications that do not use removable media
❍ D. Define a removable media block rule in the UTM
The Answer: A. Create an operating system security policy to prevent
the use of removable media
Removable media uses hot-pluggable interfaces such as USB to connect
storage drives. A security policy in the operating system can prevent any
files from being written to a removable drive.
The incorrect answers:
B. Monitor removable media usage in host-based firewall logs
A host-based firewall monitors traffic flows and does not commonly log
hardware or USB drive access.
C. Only allow applications that do not use removable media
File storage access options are not associated with applications, so it’s not
possible to allow based on external storage drive usage.
D. Define a removable media block rule in the UTM
A UTM (Unified Threat Manager) watches traffic flows across the
network and does not commonly manage the storage options on individual
computers.
A CISO (Chief Information Security Officer) would like to decrease
the response time when addressing security incidents. Unfortunately, the
company does not have the budget to hire additional security engineers.
Which of the following would assist the CISO with this requirement?
❍ A. ISO 27701
❍ B. PKI
❍ C. IaaS
❍ D. SOAR
The Answer: D. SOAR
SOAR (Security Orchestration, Automation, and Response) is designed
to make security teams more effective by automating processes and
integrating third-party security tools.
The incorrect answers:
A. ISO 27701
The ISO (International Organization for Standardization) 27701 standard
focuses on privacy and securing PII.
B. PKI
A PKI (Public Key Infrastructure) describes the processes and procedures
associated with maintaining digital certificates.
C. IaaS
IaaS (Infrastructure as a Service) describes a cloud service that provides
the hardware required for deploying application instances and other
cloud-based applications.
An insurance company has created a set of policies to handle data
breaches. The security team has been given this set of requirements based
on these policies:
• Access records from all devices must be saved and archived
• Any data access outside of normal working hours
must be immediately reported
• Data access must only occur inside of the country
• Access logs and audit reports must be created from a single database
Which of the following should be implemented by the security team to
meet these requirements? (Select THREE)
❍ A. Restrict login access by IP address and GPS location
❍ B. Require government-issued identification
during the onboarding process
❍ C. Add additional password complexity for accounts that access data
❍ D. Conduct monthly permission auditing
❍ E. Consolidate all logs on a SIEM
❍ F. Archive the encryption keys of all disabled accounts
❍ G. Enable time-of-day restrictions on the authentication server
The Answer: A. Restrict login access by IP address and GPS location,
E. Consolidate all logs on a SIEM, and
G. Enable time-of-day restrictions on
the authentication server
Adding location-based policies will prevent direct data access from outside
of the country. Saving log information from all devices and creating audit
reports from a single database can be implemented through the use of a
SIEM (Security Information and Event Manager). Adding a check for the
time-of-day will report any access that occurs during non-working hours.
The incorrect answers:
B. Require government-issued identification during the
onboarding process
Requiring proper identification is always a good idea, but it’s not one of
the listed requirements.
C. Add additional password complexity for accounts that access data
Additional password complexity is another good best practice, but it’s not
part of the provided requirements.
D. Conduct monthly permission auditing
No requirements for ongoing auditing were included in the requirements,
but ongoing auditing is always an important consideration.
F. Archive the encryption keys of all disabled accounts
If an account is disabled, there may still be encrypted data that needs to be
recovered later. Archiving the encryption keys will allow access to that data
after the account is no longer in use.
Rodney, a security engineer, is viewing this record from the firewall logs:
UTC 04/05/2018 03:09:15809 AV Gateway Alert
136.127.92.171 80 -> 10.16.10.14 60818
Gateway Anti-Virus Alert:
XPACK.A_7854 (Trojan) blocked.
Which of the following can be observed from this log information?
❍ A. The victim’s IP address is 136.127.92.171
❍ B. A download was blocked from a web server
❍ C. A botnet DDoS attack was blocked
❍ D. The Trojan was blocked, but the file was not
The Answer: B. A download was blocked from a web server
A traffic flow from a web server port number (80) to a device port (60818)
indicates that this traffic flow originated on port 80 of the web server. A
file download is one of the most common ways to deliver a Trojan, and
this log entry shows that the file containing the XPACK.A_7854 Trojan
was blocked.
The incorrect answers:
A. The victim’s IP address is 136.127.92.171
The format for this log entry uses an arrow to differentiate between the
attacker and the victim. The attacker IP address is 136.127.92.171, and the
victim’s IP address is 10.16.10.14.
C. A botnet DDoS attack was blocked
A botnet attack would not commonly include a Trojan horse as part of a
distributed denial of service (DDoS) attack.
D. The Trojan was blocked, but the file was not
A Trojan horse attack involves malware that is disguised as legitimate
software. The Trojan malware and the file are the same entity, so there isn’t
a way to decouple the malware from the file.
A user connects to a third-party website and receives this message:
Your connection is not private.
NET::ERR_CERT_INVALID
Which of the following attacks would be the MOST likely reason for this
message?
❍ A. Brute force
❍ B. DoS
❍ C. On-path
❍ D. Disassociation
The Answer: C. On-path
An on-path attack is often associated with a third-party who is actively
intercepting network traffic. This entity in the middle would not be able
to provide a valid SSL certificate for a third-party website, and this error
would appear in the browser as a warning.
The incorrect answers:
A. Brute force
A brute force attack is commonly associated with password hacks. Brute
force attacks would not cause the certificate on a website to be invalid.
B. DoS
A DoS (Denial of Service) attack would prevent communication to a
server and most likely provide a timeout error. This error is not related to a
service availability issue.
D. Disassociation
Disassociation attacks are commonly associated with wireless networks,
and they usually cause disconnects and lack of connectivity. The error
message in this example does not appear to be associated with a network
outage or disconnection.
Which of the following would be the BEST way to provide a website
login using existing credentials from a third-party site?
❍ A. Federation
❍ B. 802.1X
❍ C. PEAP
❍ D. EAP-FAST
The Answer: A. Federation
Federation would allow members of one organization to authenticate
using the credentials of another organization.
The incorrect answers:
B. 802.1X
802.1X is a useful authentication protocol, but it needs additional
functionality to authenticate across multiple user databases.
C. PEAP
PEAP (Protected Extensible Authentication Protocol) provides a method
of authentication over a protected TLS (Transport Layer Security) tunnel,
but it doesn’t provide the federation needed for these requirements.
D. EAP-FAST
EAP-FAST (Extensible Authentication Protocol - Flexible
Authentication via Secure Tunneling) is an updated version of LEAP
(Lightweight EAP) that was commonly used after WEP (Wired
Equivalent Privacy) was replaced with WPA (Wi-Fi Protected Access).
A system administrator, Daniel, is working on a contract that will specify
a minimum required uptime for a set of Internet-facing firewalls. Daniel
needs to know how often the firewall hardware is expected to fail between
repairs. Which of the following would BEST describe this information?
❍ A. MTBF
❍ B. RTO
❍ C. MTTR
❍ D. MTTF
The Answer: A. MTBF
The MTBF (Mean Time Between Failures) is a prediction of how often a
repairable system will fail.
The incorrect answers:
B. RTO
RTO (Recovery Time Objectives) define a set of objectives needed to
restore a particular service level.
C. MTTR
MTTR (Mean Time to Restore) is the amount of time it takes to repair a
component.
D. MTTF
MTTF (Mean Time to Failure) is the expected lifetime of a nonrepairable product or system.
An attacker calls into a company’s help desk and pretends to be the
director of the company’s manufacturing department. The attacker
states that they have forgotten their password and they need to have the
password reset quickly for an important meeting. What kind of attack
would BEST describe this phone call?
❍ A. Social engineering
❍ B. Tailgating
❍ C. Vishing
❍ D. On-path
The Answer: A. Social engineering
A social engineering attack takes advantage of authority and urgency
principles in an effort to convince someone else to circumvent normal
security controls.
The incorrect answers:
B. Tailgating
A tailgating attack follows someone else with proper credentials through a
door. This allows the attacker to gain access to an area that’s normally locked.
C. Vishing
Vishing (voice phishing) attacks use the phone to obtain private
information from others. In this example, the attacker was not asking for
confidential information.
D. On-path
An on-path attack commonly occurs without any knowledge to the parties
involved, and there’s usually no additional notification that an attack is
underway. In this question, the attacker contacted the help desk engineer
directly.
A security administrator has been using EAP-FAST wireless
authentication since the migration from WEP to WPA2. The company’s
network team now needs to support additional authentication protocols
inside of an encrypted tunnel. Which of the following would meet the
network team’s requirements?
❍ A. EAP-TLS
❍ B. PEAP
❍ C. EAP-TTLS
❍ D. EAP-MSCHAPv2
The Answer: C. EAP-TTLS
EAP-TTLS (Extensible Authentication Protocol - Tunneled Transport
Layer Security) allows the use of multiple authentication protocols
transported inside of an encrypted TLS (Transport Layer Security) tunnel.
This allows the use of any authentication while maintaining confidentiality
with TLS.
The incorrect answers:
A. EAP-TLS
EAP-TLS does not provide a mechanism for using multiple
authentication types within a TLS tunnel.
B. PEAP
PEAP (Protected Extensible Authentication Protocol) encapsulates EAP
within a TLS tunnel, but does not provide a method of encapsulating
other authentication methods.
D. EAP-MSCHAPv2
EAP-MSCHAPv2 (EAP - Microsoft Challenge Handshake
Authentication Protocol v2) is a common implementation of PEAP.
Which of the following would be commonly provided
by a CASB? (Select TWO)
❍ A. List of all internal Windows devices that have not installed the
latest security patches
❍ B. List of applications in use
❍ C. Centralized log storage facility
❍ D. List of network outages for the previous month
❍ E. Verification of encrypted data transfers
❍ F. VPN connectivity for remote users
The Answer: B. A list of applications in use
E. Verification of encrypted data transfers
A CASB (Cloud Access Security Broker) can be used to apply security
policies to cloud-based implementations. Two common functions of a
CASB are visibility into application use and data security policy use. Other
common CASB functions are the verification of compliance with formal
standards and the monitoring and identification of threats.
The incorrect answers:
A. List of all internal Windows devices that have not installed the latest
security patches
A CASB focuses on policies associated with cloud-based services and not
internal devices.
C. Centralized log storage facility
Using Syslog to centralize log storage is most commonly associated with a
SIEM (Security Information and Event Manager).
D. List of network outages for the previous month
A network availability report would be outside the scope of a CASB.
F. VPN connectivity for remote users
VPN concentrators are commonly used to provide security connectivity
for remote users.
The embedded OS in a company’s time clock appliance is configured to
reset the file system and reboot when a file system error occurs. On one
of the time clocks, this file system error occurs during the startup process
and causes the system to constantly reboot. Which of the following
BEST describes this issue?
❍ A. DLL injection
❍ B. Resource exhaustion
❍ C. Race condition
❍ D. Weak configuration
The Answer: C. Race condition
A race condition occurs when two processes occur at similar times, usually
with unexpected results. The file system problem is usually fixed before
a reboot, but a reboot is occurring before the fix can be applied. This has
created a race condition that results in constant reboots.
The incorrect answers:
A. DLL injection
One method of exploiting an application is to take advantage of the
libraries referenced by the application rather than the application itself.
DLL (Dynamic Link Library) injection manipulates the library as the
attack vector.
B. Resource exhaustion
If the time clock was running out of storage space or memory, it would
most likely be unusable. In this example, the issue isn’t based on a lack of
resources.
D. Weak configuration
If the system is poorly configured, there may be unintended access to a
service or data. This time clock issue wasn’t related to any misconfiguration
or weak configuration on the time clock appliance.
A recent audit has found that existing password policies do not include
any restrictions on password attempts, and users are not required to
periodically change their passwords. Which of the following would
correct these policy issues? (Select TWO)
❍ A. Password complexity
❍ B. Password expiration
❍ C. Password history
❍ D. Password lockout
❍ E. Password recovery
The Answer: B. Password expiration and D. Password lockout
Password expiration would require a new password after the expiration
date. Password lockout would disable an account after a predefined
number of unsuccessful login attempts.
The incorrect answers:
A. Password complexity
A complex password would make it more difficult to brute force, but it
would not solve the issues listed in this question.
C. Password history
Having a password history would prevent the reuse of any previous
passwords.
E. Password recovery
The password recovery process provides a method for users to recover an
account that has been locked out or has a forgotten password.
What kind of security control is associated with a login banner?
❍ A. Preventive
❍ B. Deterrent
❍ C. Corrective
❍ D. Detective
❍ E. Compensating
❍ F. Physical
The Answer: B. Deterrent
A deterrent control does not directly stop an attack, but it may discourage
an action.
The incorrect answers:
A. Preventive
A preventive control physically limits access to a device or area.
C. Corrective
A corrective control can actively work to mitigate any damage.
D. Detective
A detective control may not prevent access, but it can identify and record
any intrusion attempts.
E. Compensating
A compensating security control doesn’t prevent an attack, but it does
restore from an attack using other means.
F. Physical
A physical control is real-world security, such as a fence or door lock.
A security team has been provided with a non-credentialed vulnerability
scan report created by a third-party. Which of the following would they
expect to see on this report?
❍ A. A summary of all files with invalid group assignments
❍ B. A list of all unpatched operating system files
❍ C. The version of web server software in use
❍ D. A list of local user accounts
The Answer: C. The version of web server software in use
A scanner like Nmap can query services and determine version numbers
without any special rights or permissions, which makes it well suited for
non-credentialed scans.
The incorrect answers:
A. A summary of all files with invalid group assignments
Viewing file permissions and rights requires authentication to the
operating system, so you would not expect to see this information if the
scan did not have credentials.
B. A list of all unpatched operating system files
Viewing detailed information about the operating system files requires
authentication to the OS, and an uncredentialed scan does not have those
permissions.
D. A list of local user accounts
Local user accounts are usually protected by the operating system, so you
would need to have credentials to view this information.
A business manager is documenting a set of steps for processing orders
if the primary Internet connection fails. Which of these would BEST
describe these steps?
❍ A. Communication plan
❍ B. Continuity of operations
❍ C. Stakeholder management
❍ D. Tabletop exercise
The Answer: B. Continuity of operations
It’s always useful to have an alternative set of processes to handle any type
of outage or issue. Continuity of operations planning ensures that the
business will continue to operate when these issues occur.
The incorrect answers:
A. Communication plan
A communication plan is a predefined list of contacts and processes used
to inform key members of the organization.
C. Stakeholder management
Stakeholder management describes the ongoing relationship between the
IT team and the business customer.
D. Tabletop exercise
A tabletop exercise usually consists of a meeting where members of a
recovery team or disaster recovery talk through a disaster scenario.
A security administrator is concerned about data exfiltration resulting
from the use of malicious phone charging stations. Which of the
following would be the BEST way to protect against this threat?
❍ A. USB data blocker
❍ B. Personal firewall
❍ C. MFA
❍ D. FDE
The Answer: A. USB data blocker
USB data blockers are physical USB cables that allow power connections
but prevent data connections. With a USB data blocker attached, any
power source can be used without a security concern.
The incorrect answers:
B. Personal firewall
Personal firewall software is useful for blocking inbound network traffic,
but it won’t provide much security for physical USB connections.
C. MFA
MFA (Multi-Factor Authentication) is used during the authentication
process. Incorporating multiple authentication factors won’t prohibit the
transfer of data over a USB connection.
D. FDE
FDE (Full Disk Encryption) is a security method for encrypting all
data stored on a device. In this example, the encryption applied to the
storage would not prevent the transfer of data through a malicious USB
connection.
A company would like to protect the data stored on laptops used in
the field. Which of the following would be the BEST choice for this
requirement?
❍ A. MAC
❍ B. SED
❍ C. CASB
❍ D. SOAR
The Answer: B. SED
A SED (Self-Encrypting Drive) provides data protection of a storage
device using full-disk encryption in the drive hardware.
The incorrect answers:
A. MAC
MAC (Mandatory Access Control) is an access control system that assigns
labels to objects in an operating system. MAC would not prevent external
access to data on a laptop’s storage drive.
C. CASB
CASB (Cloud Access Security Broker) is a solution for administering
and managing security policies in the cloud. CASB will not provide any
security for data stored on laptops and other mobile devices.
D. SOAR
SOAR (Security Orchestration, Automation, and Response) describes
a process for automating security activities. SOAR would not provide a
mechanism for protecting data on a laptop’s storage drive.
A file server has a full backup performed each Monday at 1 AM.
Incremental backups are performed at 1 AM on Tuesday, Wednesday,
Thursday, and Friday. The system administrator needs to perform a full
recovery of the file server on Thursday afternoon. How many backup sets
would be required to complete the recovery?
❍ A. 2
❍ B. 3
❍ C. 4
❍ D. 1
The Answer: C. 4
Each incremental backup will archive all of the files that have changed
since the last full or incremental backup. To complete this full restore, the
administrator will need the full backup from Monday and the incremental
backups from Tuesday, Wednesday, and Thursday.
The incorrect answers:
A. 2
If the daily backup was differential, the administrator would only need the
full backup and the differential backup from Thursday.
B. 3
Since the incremental backup only archives files that have changed, he will
need all three daily incremental backups as well as Monday’s full backup.
D. 1
To recover incremental backups, you’ll need the full backup and all
incremental backups since the full backup.
A company is creating a security policy that will protect all corporate
mobile devices:
• All mobile devices must be automatically locked after a predefined
time period.
• Some mobile devices will be used by the remote sales teams, so the
location of each device needs to be traceable.
• All of the user’s information should be completely separated from
company data.
Which of the following would be the BEST way to establish these
security policy rules?
❍ A. Containerization
❍ B. Biometrics
❍ C. COPE
❍ D. VDI
❍ E. Geofencing
❍ F. MDM
The Answer: F. MDM
An MDM (Mobile Device Manager) provides a centralized management
system for all mobile devices. From this central console, security
administrators can set policies for many different types of mobile devices.
The incorrect answers:
A. Containerization
Mobile device containerization allows an organization to securely
separate user data from company data on a mobile device. Implementing
this strategy usually requires a mobile device manager (MDM), and
containerization alone won’t address all of the required security policies.
B. Biometrics
Biometrics can be used as another layer of device security, but you need
more than biometrics to implement the required security policies in this
question.
C. COPE
A device that is COPE (Corporately Owned and Personally Enabled) is
commonly purchased by the corporation and allows the use of the mobile
device for both business and personal use. The use of a COPE device does
not address all of the required security policies.
D. VDI
A VDI (Virtual Desktop Infrastructure) separates the applications from
the mobile device. This is useful for securing data, but it doesn’t implement
all of the requirements in this question.
E. Geofencing
Geofencing could be used to prevent mobile device use from other
countries, but you would still need an MDM to implement the other
requirements.
A security engineer runs a monthly vulnerability scan. The scan doesn’t
list any vulnerabilities for Windows servers, but a significant vulnerability
was announced last week and none of the servers are patched yet. Which
of the following best describes this result?
❍ A. Exploit
❍ B. Credentialed
❍ C. Zero-day attack
❍ D. False negative
The Answer: D. False negative
A false negative is a result that fails to detect an issue when one
actually exists.
The incorrect answers:
A. Exploit
An exploit is an attack against a vulnerability. Vulnerability scans do not
commonly attempt to exploit the vulnerabilities that they identify.
B. Credentialed
A credentialed scan would authenticate to the operating system and have
access to files that would normally only be available to authorized users.
C. Zero-day attack
A zero-day attack focuses on previously unknown vulnerabilities. In this
example, the vulnerability scan isn’t an attack, and the vulnerabilities are
already known and patches are available.
A security administrator is adding additional authentication controls to
the existing infrastructure. Which of the following should be added by the
security administrator? (Select TWO)
❍ A. TOTP
❍ B. Least privilege
❍ C. Role-based awareness training
❍ D. Separation of duties
❍ E. Job rotation
❍ F. Smart Card
The Answer: A. TOTP and F. Smart Card
TOTP (Time-based One-Time Passwords) and smart cards are
useful authentication controls when used in conjunction with other
authentication factors.
The incorrect answers:
B. Least privilege
Least privilege is a security principle that limits access to resources based
on a person’s job role. Least privilege is managed through security policy
and is not an authentication control.
C. Role-based awareness training
Role-based awareness training is specialized training that is based on a
person’s control of data within an organization. This training is not part of
the authentication process.
D. Separation of duties
A security policy that separates duties across different individuals is
separation of duties. This separation is not part of the authentication
process.
E. Job rotation
Job rotation is a security policy that moves individuals into different job
roles on a regular basis. This rotation is not part of the authentication
process.
A network administrator would like each user to authenticate with
their personal username and password when connecting to the
company’s wireless network. Which of the following should the network
administrator configure on the wireless access points?
❍ A. WPA2-PSK
❍ B. 802.1X
❍ C. WPS
❍ D. WPA2-AES
The Answer: B. 802.1X
802.1X uses a centralized authentication server, and all users can use their
normal credentials to authenticate to an 802.1X network.
The incorrect answers:
A. WPA2-PSK
The PSK (Pre-shared Key) is the shared password that this network
administration would like to avoid using in the future.
C. WPS
WPS (Wi-Fi Protected Setup) connects users to a wireless network using
a shared PIN (Personal Identification Number).
D. WPA2-AES
WPA2 (Wi-Fi Protected Access 2) encryption with AES (Advanced
Encryption Standard) is a common encryption method for wireless
networks, but it does not provide any centralized authentication
functionality.
A security administrator needs to identify all references to a Javascript
file in the HTML of a web page. Which of the following tools should be
used to view the source of the web page and search through the file for a
specific filename? (Select TWO)
❍ A. tail
❍ B. openssl
❍ C. scanless
❍ D. grep
❍ E. Nmap
❍ F. curl
❍ G. head
The Answer: D. grep and F. curl
The curl (Client URL) command will retrieve a web page and display it
as HTML at the command line. The grep command can then be used to
search through the file for a specific string of text.
The incorrect answers:
A. tail
The tail command will display the information at the end of a file.
B. openssl
OpenSSL is a cryptography library that is commonly used to support
SSL/TLS encryption on web servers.
C. scanless
Scanless is a utility that can perform a port scan using a proxy service.
E. Nmap
The Nmap utility is a popular port scanning and reconnaissance utility.
G. head
The head command will display the information at the start of a file.
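As an added example (not part of the original practice question), the curl and grep pipeline described above, written as shell functions and run over a constructed HTML sample so it works offline. The URL and the filename app.js are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): locating every reference to a
# JavaScript file in a page's HTML with curl and grep. The HTML below is
# constructed so the functions run offline; in practice the input comes from
#   curl -s https://www.example.com/ | find_script_refs app.js
SAMPLE_HTML='<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib/jquery.min.js"></script>
</head><body>
<SCRIPT type="module" src="/static/app.js?v=2"></SCRIPT>
<p>app.js is mentioned in text here, but not loaded</p>
</body></html>'

# Print, with line numbers, every <script> tag that references filename $1.
# Two greps: the first keeps only script tags (case-insensitive, since HTML
# tags are), the second does a fixed-string match so "." in the filename is
# not treated as a regex wildcard. HTML arrives on stdin.
find_script_refs() {
    grep -n -i '<script' | grep -F -- "$1"
}

# Extract just the src= values of every <script> tag on stdin, one per line.
QUOTES="'\""   # both quote characters, for the bracket expressions below
list_script_srcs() {
    grep -i -o "<script[^>]*src=[$QUOTES][^$QUOTES]*" | sed -E "s/.*src=[$QUOTES]//"
}

# Helpers that run the pipelines over the constructed sample.
count_script_refs() {
    printf '%s\n' "$SAMPLE_HTML" | find_script_refs "$1" | wc -l | tr -d ' '
}
first_script_src() {
    printf '%s\n' "$SAMPLE_HTML" | list_script_srcs | head -n 1
}

count_script_refs app.js          # 2: the <p> mention is not a script tag
printf '%s\n' "$SAMPLE_HTML" | list_script_srcs
```

Both greps work line by line, so a script tag whose attributes are split across several lines would be missed; for anything beyond a quick check, an HTML parser is the better tool. The fixed-string match is deliberate: `grep app.js` without `-F` would also match `appxjs`.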
A user has assigned individual rights and permissions to a file on their
network drive. The user adds three additional individuals to have read-only
access to the file. Which of the following would describe this access
control model?
❍ A. DAC
❍ B. MAC
❍ C. ABAC
❍ D. RBAC
The Answer: A. DAC
DAC (Discretionary Access Control) is used in many operating systems,
and this model allows the owner of the resource to control who has access.
The incorrect answers:
B. MAC
MAC (Mandatory Access Control) allows access based on the security
level assigned to an object. Only users with the object’s assigned security
level or higher may access the resource.
C. ABAC
ABAC (Attribute-based Access Control) combines many different
parameters to determine if a user has access to a resource.
D. RBAC
RBAC (Role-based Access Control) assigns rights and permissions based
on the role of a user. These roles are usually assigned by group.
A remote user has received a text message requesting login details to the
corporate VPN server. Which of the following would BEST describe this
message?
❍ A. Brute force
❍ B. Prepending
❍ C. Typosquatting
❍ D. Smishing
The Answer: D. Smishing
Smishing, or SMS phishing, is a social engineering attack that asks for
personal information using SMS or text messages.
The incorrect answers:
A. Brute force
A brute force attack is an attack that tries multiple password combinations
in an effort to identify the correct authentication details.
B. Prepending
Prepending adds information before a domain name in an attempt to fool
the victim into visiting a website managed by the attacker.
C. Typosquatting
Typosquatting is a technique that uses a misspelling of a domain name to
convince victims they are visiting a legitimate website.
A department store policy requires that a floor manager approves each
transaction when a gift certificate is used for payment. The security team
has found that some of these transactions have been processed without
the approval of a manager. Which of the following would provide a
separation of duties to enforce this store policy?
❍ A. Use a WAF to monitor all gift certificate transactions
❍ B. Disable all gift certificate transactions for cashiers
❍ C. Implement a discretionary access control policy
❍ D. Require an approval PIN for the cashier and a separate
approval PIN for the manager
The Answer: D. Require an approval PIN for the cashier and a separate
approval PIN for the manager
This separation of duties would be categorized as dual control, where two
people must be present to perform the business function. In this example,
the dual control is managed by using two separate PINs (Personal
Identification Numbers) that would not be shared among individuals.
The incorrect answers:
A. Use a WAF to monitor all gift certificate transactions
A WAF (Web Application Firewall) is commonly used to monitor
the input to web-based applications. WAFs do not commonly ensure
separation of duties.
B. Disable all gift certificate transactions for cashiers
A separation of duties would give each person half of the information
needed to complete the transaction, or it would require both persons to
be present. Limiting the transaction to one person would not provide any
separation between duties.
C. Implement a discretionary access control policy
A discretionary access control policy (DAC) is commonly used in operating
systems to allow the data owner to decide who has access to data. DAC does
not provide a way to manage separation of duties.
Which of the following is true of a rainbow table? (Select TWO)
❍ A. The rainbow table is built in real-time during the attack
❍ B. Rainbow tables are the most effective online attack type
❍ C. Rainbow tables require significant CPU cycles at attack time
❍ D. Different tables are required for different hashing methods
❍ E. A rainbow table won’t be useful if the passwords are salted
The Answers: D. Different tables are required for different hashing
methods, and E. A rainbow table won’t be useful if the passwords
are salted
A rainbow table is built prior to an attack to match a specific password
hashing technique. If a different hashing technique is used, a completely
different rainbow table must be built.
The use of a salt will modify the expected results of a hash. Since a salted
hash will not be predictable, the rainbow table can’t be built for these
hashes.
The incorrect answers:
A. The rainbow table is built in real-time during the attack
One of the benefits of a rainbow table is that the table is built before an
attack begins. This provides a significant speed increase at attack time.
B. Rainbow tables are the most effective online attack type
Rainbow tables are almost exclusively used as an offline attack type. The
most common use of a rainbow table is for the attacker to obtain a list
of password hashes from a system and then use the rainbow tables while
offline.
C. Rainbow tables require significant CPU cycles at attack time
Rainbow tables are built prior to an attack, so most of the CPU (Central
Processing Unit) calculations and time is spent building the tables before
an attack begins.
A server administrator at a bank has noticed a decrease in the number
of visitors to the bank’s website. Additional research shows that users are
being directed to a different IP address than the bank’s web server. Which
of the following would MOST likely describe this attack?
❍ A. Disassociation
❍ B. DDoS
❍ C. Buffer overflow
❍ D. DNS poisoning
The Answer: D. DNS poisoning
DNS poisoning alters the records held by a DNS server or resolver cache so
that a different IP address is returned during name resolution. If an
attacker modifies the DNS information, they can direct client computers to
any destination IP address.
The incorrect answers:
A. Disassociation
Disassociation attacks are commonly associated with wireless networks.
The disassociation attack is used to remove devices from the wireless
network, and it does not commonly redirect clients to a different website.
B. DDoS
A DDoS (Distributed Denial of Service) is used by attackers to
cause services to be unavailable. In this example, the bank’s website is
operational but clients are not resolving the correct IP address.
C. Buffer overflow
Buffer overflows are associated with application attacks and can cause
applications to crash or act in unexpected ways. A buffer overflow would
not commonly redirect clients to a different website IP address.
Which of these cloud deployment models would share resources between
a private virtualized data center and externally available cloud services?
❍ A. SaaS
❍ B. Community
❍ C. Hybrid
❍ D. Containerization
The Answer: C. Hybrid
A hybrid cloud model combines both private and public cloud
infrastructures.
The incorrect answers:
A. SaaS
Software as a Service (SaaS) is a cloud service model rather than a
deployment model; it provides on-demand software without saying anything
about where that software is hosted.
B. Community
A community cloud model allows multiple organizations to share the
same cloud resources, regardless of the resource’s location.
D. Containerization
Containerization can be used with mobile devices to partition user data
and corporate data.
A company hires a large number of seasonal employees, and their
system access should normally be disabled when the employee leaves
the company. The security administrator would like to verify that their
systems cannot be accessed by any of the former employees. Which of the
following would be the BEST way to provide this verification?
❍ A. Confirm that no unauthorized accounts have administrator access
❍ B. Validate the account lockout policy
❍ C. Validate the processes and procedures for all outgoing employees
❍ D. Create a report that shows all authentications for a 24-hour period
The Answer: C. Validate the processes and procedures for all
outgoing employees
The disabling of an employee account is commonly part of the offboarding
process. One way to validate an offboarding policy is to perform an audit
of all accounts and compare active accounts with active employees.
The incorrect answers:
A. Confirm that no unauthorized accounts have administrator access
It’s always a good idea to periodically audit administrator accounts, but
this audit won’t provide any validation that all former employee accounts
have been disabled.
B. Validate the account lockout policy
Account lockouts occur when a number of invalid authentication attempts
have been made to a valid account. Disabled accounts would not be locked
out because they are not currently valid accounts.
D. Create a report that shows all authentications for a 24-hour period
A list of all authentications would be quite large, and it would not be
obvious to see which authentications were made with valid accounts and
which authentications were made with former employee accounts.
A network administrator has installed a new access point, but only a
portion of the wireless devices are able to connect to the network. Other
devices can see the access point, but they are not able to connect even
when using the correct wireless settings. Which of the following security
features was MOST likely enabled?
❍ A. MAC filtering
❍ B. SSID broadcast suppression
❍ C. 802.1X authentication
❍ D. Anti-spoofing
The Answer: A. MAC filtering
Filtering by MAC (Media Access Control) address limits which devices can
connect to the wireless network. A device whose address is not on the allow
list can still see the access point, but it will not be able to connect.
Note that MAC filtering is a weak control: an attacker can observe an
allowed address over the air and spoof it.
The incorrect answers:
B. SSID broadcast suppression
A suppressed SSID (Service Set Identifier) broadcast will hide the name
from the list of available wireless networks. Properly configured client
devices can still connect to the wireless network, even with the SSID
suppression.
C. 802.1X authentication
With 802.1X authentication, users will be prompted for a username and
password to gain access to the wireless network. Enabling 802.1X would
not restrict properly configured devices.
D. Anti-spoofing
Anti-spoofing features are commonly used with routers to prevent
communication from spoofed IP addresses. This issue in this question
doesn’t appear to involve any spoofed addresses.
A security administrator has gathered this information:
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp6 416 0 2601:4c3:4080:82.63976 yv-in-x5e.1e100..https CLOSE_WAIT
tcp6 0 0 2601:4c3:4080:82.63908 atl14s80-in-x0a..https ESTABLISHED
tcp6 0 0 fe80::4de1:1d4:8.36253 fe80::38b0:a2b1:.1025 ESTABLISHED
tcp6 0 0 fe80::4de1:1d4:8.1024 fe80::38b0:a2b1:.1024 ESTABLISHED
Which of the following is being used to create this information?
❍ A. tracert
❍ B. netstat
❍ C. dig
❍ D. netcat
The Answer: B. netstat
The netstat command lists network statistics; with no arguments it shows
the active connections between the local device and other devices on the
network, along with the state of each connection.
The incorrect answers:
A. tracert
Traceroute lists the route between devices and shows the IP address
information of the routers at each hop.
C. dig
The dig (Domain Information Groper) command queries DNS servers
for the fully-qualified domain name and IP address information of other
devices.
D. netcat
The netcat command is used for reading or writing data to the network.
The netcat command itself doesn’t provide any statistical information
about the network connection.
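As an added example (not part of the original practice question), the netstat listing from the question embedded as a constructed sample and triaged with awk, the way an administrator would look for leaked or unexpected connections. The field numbers assume the BSD/macOS column layout shown in the question.

```shell
#!/bin/sh
# Added example (not from the original page): triaging netstat output with
# awk. NETSTAT_OUT is the listing from the question, embedded here as a
# constructed sample so the functions run without a live network.
NETSTAT_OUT='Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp6 416 0 2601:4c3:4080:82.63976 yv-in-x5e.1e100..https CLOSE_WAIT
tcp6 0 0 2601:4c3:4080:82.63908 atl14s80-in-x0a..https ESTABLISHED
tcp6 0 0 fe80::4de1:1d4:8.36253 fe80::38b0:a2b1:.1025 ESTABLISHED
tcp6 0 0 fe80::4de1:1d4:8.1024 fe80::38b0:a2b1:.1024 ESTABLISHED'

# Data rows have six whitespace-separated fields:
#   1 proto  2 Recv-Q  3 Send-Q  4 local addr.port  5 foreign addr.port  6 state
# The header is skipped (NR > 1) because "Local Address" splits into two fields.

# Number of sockets in state $1 (ESTABLISHED, CLOSE_WAIT, LISTEN, ...).
count_state() {
    printf '%s\n' "$NETSTAT_OUT" | awk -v s="$1" 'NR > 1 && $6 == s { n++ } END { print n + 0 }'
}

# Foreign endpoints with bytes sitting unread in the receive queue. A
# CLOSE_WAIT socket with a non-zero Recv-Q means the peer has closed but the
# local application never read or closed its side: a leak or a hung process.
unread_recvq() {
    printf '%s\n' "$NETSTAT_OUT" | awk 'NR > 1 && $2 > 0 { print $5 }'
}

echo "established: $(count_state ESTABLISHED)"   # 3
echo "close_wait:  $(count_state CLOSE_WAIT)"    # 1
echo "unread data from: $(unread_recvq)"

# Live use: netstat -an | awk ...   On modern Linux, ss -tan prints
# State Recv-Q Send-Q Local Foreign, so the field numbers differ.
```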
An attacker has discovered a way to disable a server by sending specially
crafted packets from many remote devices to the operating system. When
the packet is received, the system crashes and must be rebooted to restore
normal operations. Which of the following would BEST describe this
attack?
❍ A. Privilege escalation
❍ B. Spoofing
❍ C. Replay attack
❍ D. DDoS
The Answer: D. DDoS
A DDoS (Distributed Denial of Service) is an attack that overwhelms or
disables a service to prevent the service from operating normally. Packets
from multiple devices that disable a server would be an example of a
DDoS attack.
The incorrect answers:
A. Privilege escalation
A privilege escalation attack allows a user to exceed their normal rights
and permissions. In this example, user permission escalations were not
required to perform this attack.
B. Spoofing
Spoofing is when a device or user pretends to be a different device or
user. Nothing in this scenario indicates that the attacker impersonated a
different user or address.
C. Replay attack
A replay attack captures information and then replays that information
as the method of attack. In this question, no mention was made of a prior
data capture.
A data breach has occurred in a large insurance company. A security
administrator is building new servers and security systems to get all of
the financial systems back online. Which part of the incident response
process would BEST describe these actions?
❍ A. Lessons learned
❍ B. Isolation and containment
❍ C. Reconstitution
❍ D. Precursors
The Answer: C. Reconstitution
The recovery after a breach can be a phased approach that may take
months to complete.
The incorrect answers:
A. Lessons learned
Once the event is over, it’s useful to revisit the process to learn and
improve for next time.
B. Isolation and containment
During an incident, it’s useful to separate infected systems from the rest of
the network.
D. Precursors
Log files and alerts can often warn you of potential problems.
A manufacturing company has moved an inventory application from their
internal systems to a PaaS service. Which of the following would be the
BEST way to manage security policies on this new service?
❍ A. DLP
❍ B. SIEM
❍ C. IPS
❍ D. CASB
The Answer: D. CASB
A CASB (Cloud Access Security Broker) is used to manage compliance
with security policies when using cloud-based applications.
The incorrect answers:
A. DLP
DLP (Data Loss Prevention) can identify and block PII (Personally
Identifiable Information) and other private details from being transferred
across the network.
B. SIEM
A SIEM (Security Information and Event Manager) is a management
system for log consolidation and reporting. A SIEM cannot manage
cloud-based security policies.
C. IPS
An IPS (Intrusion Prevention System) can identify and block known
vulnerabilities on the network, but it does not provide policy management
for cloud-based systems.
An organization has identified a significant vulnerability in a firewall
used for Internet connectivity. The firewall company has stated there are
no plans to create a patch for this vulnerability. Which of the following
would BEST describe this issue?
❍ A. Lack of vendor support
❍ B. Improper input handling
❍ C. Improper key management
❍ D. End-of-life
The Answer: A. Lack of vendor support
Security issues can be identified in a system or application at any time, so
it’s important to have a vendor that can support their software and correct
issues as they are discovered. If a vendor won’t provide security patches,
then you may be susceptible to security vulnerabilities.
The incorrect answers:
B. Improper input handling
A best practice for application security is to provide the proper handling
of invalid or unnecessary input. Adding a patch to firewall software for a
vulnerability would probably not be related to input handling.
C. Improper key management
Cryptographic keys can be used for many security purposes, but managing
those keys isn’t part of the patching process from a vendor.
D. End-of-life
In this case, the firewall is a relatively new product. If the product was no
longer officially sold or supported by the company, this would be an
end-of-life issue.
A company has decided to perform a disaster recovery exercise during an
annual meeting with the IT directors and senior directors. A simulated
disaster will be presented, and the participants will discuss the logistics
and processes required to resolve the disaster. Which of the following
would BEST describe this exercise?
❍ A. After-action report
❍ B. Business impact analysis
❍ C. Alternate business practice
❍ D. Tabletop exercise
The Answer: D. Tabletop exercise
A tabletop exercise allows a disaster recovery team to evaluate and plan
disaster recovery processes without performing a full-scale drill.
The incorrect answers:
A. After-action report
An after-action report is commonly created after a disaster recovery drill
to document which aspects of the plan worked or did not work.
B. Business impact analysis
A business impact analysis is usually created during the disaster recovery
planning process. Once the disaster has occurred, it becomes much more
difficult to complete an accurate impact analysis.
C. Alternate business practice
An alternate business practice may be one of the steps in completing a
disaster recovery exercise, but it does not describe the exercise itself.
A security administrator needs to identify all computers on the company
network infected with a specific malware variant. Which of the following
would be the BEST way to identify these systems?
❍ A. Honeynet
❍ B. Data masking
❍ C. DNS sinkhole
❍ D. DLP
The Answer: C. DNS sinkhole
A DNS (Domain Name System) sinkhole can be used to redirect and identify
devices that attempt to communicate with an external command and control
(C2) server. The sinkhole resolves the malicious domain to an internal IP
address instead of the attacker's, and logs every device that attempts to
access it, giving a list of likely-infected systems.
The incorrect answers:
A. Honeynet
A honeynet is a non-production network that has been specifically created
to attract attackers. A honeynet is not commonly used to identify infected
devices.
B. Data masking
Data masking provides a way to hide data by substitution, shuffling,
encryption, and other methods. Data masking does not provide a method
of identifying infected devices.
D. DLP
DLP (Data Loss Prevention) systems can identify and block private
information from transferring between systems. DLP does not provide any
direct method of identifying devices infected with malware.
A system administrator has been called to a system that is suspected to
have a malware infection. The administrator has removed the device from
the network and has disconnected all USB flash drives. Which of these
incident response steps is the administrator following?
❍ A. Lessons learned
❍ B. Containment
❍ C. Detection
❍ D. Reconstitution
The Answer: B. Containment
The containment phase isolates the system from any other devices to
prevent the spread of any malicious software.
The incorrect answers:
A. Lessons learned
A post-incident meeting can help the incident response participants
discuss the phases of the incident that went well and which processes can
be improved for future events.
C. Detection
The detection phase occurred prior to the system administrator arriving
and identified the potential infection.
D. Reconstitution
The reconstitution phase will recover the system and data back to the state
prior to the malware infection.
How can a company ensure that all data on a mobile device is
unrecoverable if the device is lost or stolen?
❍ A. Containerization
❍ B. Geofencing
❍ C. Screen locks
❍ D. Remote wipe
The Answer: D. Remote wipe
Most organizations will use a mobile device manager (MDM) to manage
mobile phones and tablets. Using the MDM, specific security policies can
be created for each mobile device, including the ability to send a remote
wipe command that will erase all data on a mobile device.
The incorrect answers:
A. Containerization
Containerization on a mobile device will separate the user’s data from the
company information. This allows the company to control their corporate
data without modifying or accessing the end user’s data.
B. Geofencing
Geofencing would allow the company to limit functionality or access
based on the location of the mobile device. Geofencing does not securely
wipe data from a device.
C. Screen locks
Screen locks are important, but won’t help when you need to permanently
remove data from a device.
A security administrator is collecting information associated with a
ransomware infection on the company’s web servers. Which of the
following log files would provide information regarding the memory
contents of these servers?
❍ A. Web
❍ B. Packet
❍ C. Dump
❍ D. DNS
The Answer: C. Dump
A dump file contains the contents of system memory. In Windows, this
file can be created from the Task Manager.
The incorrect answers:
A. Web
Web server logs will document web pages that were accessed, but it doesn’t
show what information may be contained in the system RAM.
B. Packet
A packet trace would provide information regarding network
communication, but it would not include any details regarding the
contents of memory.
D. DNS
DNS (Domain Name System) server logs can show which domain names
were accessed by internal systems, and this information can help identify
systems that may be infected. However, the DNS log doesn’t include any
information about the memory contents of a server.
Which part of the PC startup process verifies the digital signature of the
OS kernel?
❍ A. Measured Boot
❍ B. Trusted Boot
❍ C. Secure Boot
❍ D. POST
The Answer: B. Trusted Boot
The Trusted Boot portion of the startup process verifies the operating
system kernel signature and starts the ELAM (Early Launch
Anti-Malware) process.
The incorrect answers:
A. Measured Boot
Measured Boot records a hash of each component loaded during startup in the
TPM (Trusted Platform Module) so that an attestation service can verify
that nothing in the boot chain has been changed by malicious software or
other processes.
C. Secure Boot
Secure Boot is a UEFI firmware feature that checks the digital signature
of the bootloader before it runs. The Trusted Boot process occurs after
Secure Boot has completed.
D. POST
POST (Power-On Self-Test) is a hardware check performed prior to
booting an operating system.
Which of these best describes two-factor authentication?
❍ A. A printer uses a password and a PIN
❍ B. The door to a building requires a fingerprint scan
❍ C. An application requires a TOTP code
❍ D. A Windows Domain requires a username, password,
and smart card
The Answer: D. A Windows Domain requires a username,
password, and smart card
The multiple factors of authentication used to login to this Windows
Domain are a password (something you know), and a smart card
(something you have).
The incorrect answers:
A. A printer uses a password and a PIN
A password and a PIN (Personal Identification Number) are both
something you know, so only one authentication factor is used.
B. The door to a building requires a fingerprint scan
A biometric scan (something you are) is a single factor of authentication.
C. An application requires a TOTP code
TOTP (Time-based One-Time Password) is usually provided using a
hardware dongle or mobile app. This single factor of authentication is
something you have.
A company is deploying a new mobile application to all of its employees
in the field. Some of the problems associated with this rollout include:
• The company does not have a way to manage the mobile devices
in the field
• Company data on mobile devices in the field introduces additional risk
• Team members have many different kinds of mobile devices
Which of the following deployment models would address
these concerns?
❍ A. Corporate-owned
❍ B. COPE
❍ C. VDI
❍ D. BYOD
The Answer: C. VDI
A VDI (Virtual Desktop Infrastructure) lets the field teams reach their
applications from many different types of devices without requiring mobile
device management, and the corporate data stays in the data center rather
than on the devices.
The incorrect answers:
A. Corporate-owned
A corporate-owned device would solve the issue of device standardization,
but the corporate data would be stored on the mobile devices in the field.
B. COPE
COPE (Corporate Owned and Personally Enabled) devices are purchased
by the company but are used as both a corporate device and a personal
device. This would standardize the devices, but the corporate data would
still be at-risk in the field.
D. BYOD
BYOD (Bring Your Own Device) means that the employee would choose
the mobile platform. This would not address the issue of mobile device
management, data security in the field, or standardization of mobile
devices and apps.
An organization is installing a UPS for their new data center. Which of
the following would BEST describe this type of control?
❍ A. Compensating
❍ B. Preventive
❍ C. Administrative
❍ D. Detective
The Answer: A. Compensating
A compensating security control doesn’t prevent an attack, but it does
restore from an attack using other means. In this example, the UPS does
not stop a power outage, but it does provide alternative power if an outage
occurs.
The incorrect answers:
B. Preventive
A preventive control stops an event before it happens, for example by
limiting access to a device or area.
C. Administrative
An administrative control sets a policy that is designed to control how
people act.
D. Detective
A detective control may not prevent access, but it can identify and record
any intrusion attempts.
A manufacturing company would like to track the progress of parts as
they are used on an assembly line. Which of the following technologies
would be the BEST choice for this task?
❍ A. Quantum computing
❍ B. Blockchain
❍ C. Hashing
❍ D. Asymmetric encryption
The Answer: B. Blockchain
The ledger functionality of a blockchain can be used to track or verify
components, digital media, votes, and other physical or digital objects.
The incorrect answers:
A. Quantum computing
Quantum computing uses quantum theory to perform high-speed
calculations. Quantum computing doesn’t inherently provide any tracking
mechanisms.
C. Hashing
Cryptographic hashes are commonly used to provide integrity
verifications, but they don’t necessarily include any method of tracking
components on an assembly line.
D. Asymmetric encryption
Asymmetric encryption uses different keys for encryption and decryption.
Asymmetric encryption does not provide any method for tracking objects
on an assembly line.
A security administrator has been asked to respond to a potential security
breach of the company’s databases, and they need to gather the most
volatile data before powering down the database servers. In which order
should they collect this information?
❍ A. CPU registers, temporary files, memory, remote monitoring data
❍ B. Memory, CPU registers, remote monitoring data, temporary files
❍ C. Memory, CPU registers, temporary files, remote monitoring data
❍ D. CPU registers, memory, temporary files, remote monitoring data
The Answer: D. CPU registers, memory, temporary files,
remote monitoring data
The most volatile data disappears first. CPU registers and cache change in
nanoseconds and the contents of RAM are lost the moment the server is
powered down, so these are captured first. Temporary files on disk survive
a reboot but may be overwritten during normal operation, and remote
monitoring data (logs and metrics held on other systems) persists the
longest, so it is collected last.
The incorrect answers:
A. CPU registers, temporary files, memory, remote monitoring data
Memory is more volatile than temporary files.
B. Memory, CPU registers, remote monitoring data, temporary files
CPU registers are more volatile than memory, and temporary files are
more volatile than remote monitoring data.
C. Memory, CPU registers, temporary files, remote monitoring data
CPU registers are more volatile than information in memory.
A Linux administrator is downloading an updated version of her Linux
distribution. The download site shows a link to the ISO and a SHA256
hash value. Which of these would describe the use of this hash value?
❍ A. Verifies that the file was not corrupted during the file transfer
❍ B. Provides a key for decrypting the ISO after download
❍ C. Authenticates the site as an official ISO distribution site
❍ D. Confirms that the file does not contain any malware
The Answer: A. Verifies that the file was not corrupted during
the file transfer
Once the file is downloaded, the administrator can calculate the file’s
SHA256 hash and confirm that it matches the value on the website.
The incorrect answers:
B. Provides a key for decrypting the ISO after download
ISO files containing public information are usually distributed without
any encryption, and a hash value would not commonly be used as a
decryption key.
C. Authenticates the site as an official ISO distribution site
Although it’s important to download files from known good sites,
providing a hash value on a site would not provide any information about
the site’s authentication.
D. Confirms that the file does not contain any malware
A hash value doesn’t inherently provide any protection against malware.
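As an added example (not part of the original practice question), the verification step described above written as a shell function. The "download" is a constructed file containing the string abc, whose SHA-256 is a well-known test vector; sha256sum from coreutils is assumed (macOS users would substitute shasum -a 256).

```shell
#!/bin/sh
# Added example (not from the original page): checking a downloaded file
# against a published SHA256 value.
sha256_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_sha256 FILE EXPECTED_HEX: exit status 0 on match, 1 on mismatch.
# Compared case-insensitively, since sites publish hashes in either case.
verify_sha256() {
    actual=$(sha256_file "$1" | tr 'A-Z' 'a-z')
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$actual" = "$expected" ]
}

# Constructed stand-in for the ISO and the hash printed on the download page.
PUBLISHED=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
ISO=$(mktemp)
printf 'abc' > "$ISO"

if verify_sha256 "$ISO" "$PUBLISHED"; then echo "OK: hash matches"; fi

# A single changed byte, whether transfer corruption or tampering, changes
# the whole digest.
printf 'abd' > "$ISO"
if ! verify_sha256 "$ISO" "$PUBLISHED"; then echo "MISMATCH: do not use this file"; fi

# Equivalent check using sha256sum's own verify mode (two spaces between
# the hash and the filename, as in a SHA256SUMS file):
#   printf '%s  %s\n' "$PUBLISHED" "$ISO" | sha256sum -c -
rm -f "$ISO"
```

A matching hash proves only that the bytes you received are the bytes the site intended to publish. An attacker who can replace the ISO on a mirror can usually edit the hash shown next to it as well, which is why distributions also publish a detached signature (for example a GPG signature over the SHA256SUMS file): verify the signature with a key obtained out of band, then verify the hash.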
A company’s security policy requires that login access should only
be available if a person is physically within the same building as the
server. Which of the following would be the BEST way to provide this
requirement?
❍ A. TOTP
❍ B. Biometric scanner
❍ C. PIN
❍ D. SMS
The Answer: B. Biometric scanner
A biometric scanner would require a person to be physically present to
verify authentication.
The incorrect answers:
A. TOTP
A TOTP (Time-based One-Time Password) generator may be associated
with a single person, but the TOTP code does not guarantee that a person
is physically present.
C. PIN
Although a PIN (Personal Identification Number) can be used as an
authentication factor, the use of the PIN does not guarantee that a person
is physically present.
D. SMS
SMS messages are commonly used as authentication factors. However, the
use of a mobile device to receive the SMS message does not guarantee that
the owner of the mobile device is physically present.
Your development team has installed a new application and database to
a cloud service. After running a vulnerability scanner on the application
instance, you find that the database is available for anyone to query
without providing any authentication. Which of these vulnerabilities is
MOST associated with this issue?
❍ A. Improper error handling
❍ B. Open permissions
❍ C. Race condition
❍ D. Memory leak
The Answer: B. Open permissions
Just like your local systems, proper permissions and security controls are
also required when information is added to a cloud-based system. If any of
your systems leave an open door, your data may be accessible by anyone on
the Internet.
The incorrect answers:
A. Improper error handling
This issue wasn’t associated with any error messages, so this wouldn’t be
categorized as a problem with error handling.
C. Race condition
A race condition occurs when the outcome depends on the timing of two
processes or threads that use a shared resource without proper
synchronization. In this example, a single vulnerability scan identified
the issue and no timing-dependent behavior is involved.
D. Memory leak
An application with a memory leak will gradually use more and more
memory until the system or application crashes. The issue in this question
was related to permissions and not available resources.
Employees of an organization have received an email offering a cash
bonus for completing an internal training course. The link in the email
requires users to login with their Windows Domain credentials, but the
link appears to be located on an external server. Which of the following
would BEST describe this email?
❍ A. Whaling
❍ B. Vishing
❍ C. Smishing
❍ D. Phishing
The Answer: D. Phishing
Phishing is the process of manipulating a victim to disclose personal or
private information. An email asking for login details from a server not
under the control of the company would describe a phishing attempt.
The incorrect answers:
A. Whaling
Whaling is phishing targeted towards individuals at a higher level of an
organization. These persons are usually in upper management or have
access to the financial operations of the company.
B. Vishing
Vishing, or voice phishing, is using voice communication for the phishing
process. This phishing attempt used an email message, so it would not be
categorized as vishing.
C. Smishing
Smishing, or SMS phishing, is an attacker using SMS or text messaging
when phishing. Smishing text messages often include a link to a server
where personal information or login credentials may be requested by the
attacker.
Which of the following risk management strategies would include the
purchase and installation of an NGFW?
❍ A. Transference
❍ B. Mitigation
❍ C. Acceptance
❍ D. Risk-avoidance
The Answer: B. Mitigation
Mitigation is a strategy that decreases the threat level. This is commonly
done through the use of additional security systems and monitoring, such
as an NGFW (Next-Generation Firewall).
The incorrect answers:
A. Transference
Transference would move the risk from one entity to another. Adding an
NGFW would not transfer any risk to another party.
C. Acceptance
The acceptance of risk is a position where the owner understands the risk
and has decided to accept the potential results.
D. Risk-avoidance
With risk-avoidance, the owner of the risk decides to stop participating in
a high-risk activity. This effectively avoids the risky activity and prevents
any future issues.
Which of the following would be the BEST way to confirm the secure
baseline of a deployed application instance?
❍ A. Compare the production application to the sandbox
❍ B. Perform an integrity measurement
❍ C. Compare the production application to the previous version
❍ D. Perform QA testing on the application instance
The Answer: B. Perform an integrity measurement
An integrity measurement is designed to check for the secure baseline
of firewall settings, patch levels, operating system versions, and any other
security components associated with the application. These secure baselines
may vary between different application versions.
The incorrect answers:
A. Compare the production application to the sandbox
A sandbox is commonly used as a development environment. Security
baselines in a production environment can be quite different when
compared to the code in a sandbox.
C. Compare the production application to the previous version
The newer version of an application may have very different security
requirements than previous versions.
D. Perform QA testing on the application instance
QA (Quality Assurance) testing is commonly used for finding bugs and
verifying application functionality. The primary task of QA is not generally
associated with verifying security baselines.
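An integrity measurement in code, as an added example that is not part of the original flashcards: hash every file of a deployed instance, compare the result with the recorded secure baseline, and report whatever drifted. The file paths, contents and "golden" instance below are constructed for the example.

```python
"""Integrity measurement against a recorded secure baseline (added example).
File contents and the baseline are constructed, not taken from a real system."""
import hashlib

def measure(files):
    """files: {path: bytes}. Return {path: sha256 hex digest} for the instance."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}

def compare(baseline, current):
    """Compare two measurements. Returns the paths whose hash changed, the
    baseline paths that are gone, and the paths that were not in the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }

def matches_baseline(baseline, files):
    """True only when the measurement is identical to the baseline."""
    return not any(compare(baseline, measure(files)).values())

# Constructed 'golden' instance used to record the secure baseline.
GOLDEN = {
    "/etc/app/firewall.rules": b"default deny\nallow tcp 443 from any\n",
    "/etc/app/version": b"app 2.4.1 patchlevel 7\n",
    "/opt/app/bin/app": b"\x7fELF...release-build-bytes...",
}
BASELINE = measure(GOLDEN)

# Constructed deployed instance: the firewall rules were loosened and a
# debug binary appeared; the version file is unchanged.
DEPLOYED = dict(GOLDEN)
DEPLOYED["/etc/app/firewall.rules"] = b"default allow\n"
DEPLOYED["/opt/app/bin/debug-shell"] = b"#!/bin/sh\n"

if __name__ == "__main__":
    report = compare(BASELINE, measure(DEPLOYED))
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind}: {path}")
```

The baseline has to be kept somewhere the measured instance cannot rewrite (a signed manifest, or a TPM-backed measurement log); a baseline stored on the same host proves nothing once the host is compromised.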
A member of the accounting team was out of the office for two weeks,
and an important financial transfer was delayed until they returned.
Which of the following would have prevented this delay?
❍ A. Split knowledge
❍ B. Least privilege
❍ C. Job rotation
❍ D. Dual control
The Answer: C. Job rotation
Job rotation moves employees through different job roles as part of their
normal work environment. This policy limits the potential for fraud and
allows others to cover responsibilities if someone is out of the office.
The incorrect answers:
A. Split knowledge
The use of split knowledge limits the information that any one person
would know. In this example, having knowledge of part of the process
would not have helped with processing the financial transfer.
B. Least privilege
Least privilege is a security policy that limits the rights and permissions
of a user to only those tasks required for their job role. In this example,
having properly configured privileges would not have provided any
contingency for this delayed transaction.
D. Dual control
With dual control, two persons must be present to perform a business
function. In this example, one of the employees is out of the office and
dual control would not be possible.
A security analyst has identified a number of sessions from a single IP
address with a TTL equal to zero. One of the sessions has a destination of
the Internet firewall, and a session immediately after has a destination of
your DMZ server. Which of the following BEST describes this
log information?
❍ A. Someone is performing a vulnerability scan against the
firewall and DMZ server
❍ B. Users are performing DNS lookups
❍ C. A remote user is grabbing banners of the firewall and DMZ server
❍ D. Someone is performing a traceroute to the DMZ server
The Answer: D. Someone is performing a traceroute to the DMZ server
A traceroute maps each hop by sending probes with a TTL (Time to Live)
of 1, then 2, then 3, and so on. Each router decrements the TTL; the router
at which it reaches zero drops the packet and sends an ICMP (Internet
Control Message Protocol) Time Exceeded message back to the original
station, which is how that router's address is learned.
The incorrect answers:
A. Someone is performing a vulnerability scan against the
firewall and DMZ server
Vulnerability scans are usually very specific requests, and they won’t get
to their destination if the TTL is zero. The question did not provide any
information that would indicate an active vulnerability scan.
B. Users are performing DNS lookups
Properly working DNS (Domain Name System) responses would not have
a TTL of zero, and nothing in the question indicated information that
would commonly be included in a DNS query.
C. A remote user is grabbing banners of the firewall and DMZ server
Banners can provide useful reconnaissance information about a service, but
the TTL of zero and the lack of connection to a specific service would not
indicate a banner grabbing session.
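The mechanism described above, as an added example that is not part of the original flashcards: a small simulation of probes walking a two-hop path (firewall, then DMZ server), the firewall-style records that walk leaves behind, and a check that flags the hop-by-hop pattern. All addresses, the path and the extra log record are constructed.

```python
"""How traceroute walks a path hop by hop, and what that leaves in logs (added example).
Addresses, path and log records are constructed."""
from collections import defaultdict

PROBER = "192.0.2.55"                       # host running traceroute (constructed)
PATH = ["198.51.100.1", "203.0.113.20"]    # hop 1: Internet firewall, hop 2: DMZ server (destination)

def send_probe(ttl, path):
    """Forward one probe along path.

    Each router decrements the TTL before forwarding; if it reaches zero the
    router drops the probe and answers with ICMP Time Exceeded (type 11).
    The last entry is the destination host, which delivers the datagram;
    classic UDP traceroute then gets ICMP Port Unreachable (type 3, code 3).
    Returns (responder, ttl_at_responder, reply).
    """
    for index, node in enumerate(path):
        if index == len(path) - 1:
            return node, ttl, "ICMP type 3 code 3 (port unreachable)"
        ttl -= 1
        if ttl == 0:
            return node, ttl, "ICMP type 11 code 0 (time exceeded)"
    raise ValueError("path must contain at least the destination")

def traceroute(path, max_ttl=30):
    """Probe with TTL 1, 2, 3, ... until the destination itself answers.
    Returns [(sent_ttl, responder, ttl_at_responder, reply), ...]."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        responder, ttl_seen, reply = send_probe(ttl, path)
        hops.append((ttl, responder, ttl_seen, reply))
        if responder == path[-1]:
            break
    return hops

def probe_log(src, hops):
    """Firewall-style records (src, dst, ttl, reply), one per probe. A router
    that expired a probe logs TTL 0, the value the question's analyst saw."""
    return [(src, responder, ttl_seen, reply) for _, responder, ttl_seen, reply in hops]

def traceroute_sources(records, min_hops=2):
    """Group ICMP-eliciting records by source. A source whose probes expired
    (TTL 0) and drew replies from min_hops or more distinct hosts, in order,
    shows the hop-by-hop signature of a traceroute rather than of a scan.
    Returns {src: [hop, ...]}."""
    by_src = defaultdict(list)
    for src, dst, ttl, reply in records:
        if reply.startswith("ICMP"):
            by_src[src].append((dst, ttl))
    found = {}
    for src, events in by_src.items():
        hops = list(dict.fromkeys(dst for dst, _ in events))   # distinct responders, in order
        if any(ttl == 0 for _, ttl in events) and len(hops) >= min_hops:
            found[src] = hops
    return found

# Constructed ordinary HTTPS session from another host, to show it is not flagged.
NOISE = [("198.51.100.77", "203.0.113.20", 63, "TCP 443 established")]

if __name__ == "__main__":
    hops = traceroute(PATH)
    for sent_ttl, responder, ttl_seen, reply in hops:
        print(f"TTL {sent_ttl}: {responder} (TTL now {ttl_seen}) -> {reply}")
    print("traceroute sources:", traceroute_sources(probe_log(PROBER, hops) + NOISE))
```

Real traceroute implementations send several probes per TTL and may use ICMP Echo or TCP instead of UDP, but the signature an analyst looks for is the same: one source, successive TTL expiries, each answered by the next device along the path.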
An attacker has sent more information than expected in a single API
call, and this has allowed the execution of arbitrary code. Which of the
following would BEST describe this attack?
❍ A. Buffer overflow
❍ B. Replay attack
❍ C. Session hijacking
❍ D. DDoS
The Answer: A. Buffer overflow
A buffer overflow writes more data into a buffer than it was sized to hold,
overwriting adjacent memory. The result is often an unpredictable crash, but
when the overwrite is repeatable and controlled the attacker can redirect
execution and run arbitrary code on the remote device.
The incorrect answers:
B. Replay attack
A replay attack does not require the sending of more information than
expected, and often a replay attack consists of normal traffic and expected
application input.
C. Session hijacking
Session hijacking doesn’t require any data overflows, and commonly the
hijack occurs without any unusual input.
D. DDoS
A DDoS (Distributed Denial of Service) renders a service unavailable,
and it involves the input of many devices to operate. A DDoS would not
require sending more information than expected, and it rarely results in
the execution of arbitrary code.
A company encourages users to encrypt all of their confidential materials
on a central server. The organization would like to enable key escrow as a
backup. Which of these keys should the organization place into escrow?
❍ A. Private
❍ B. CA
❍ C. Session
❍ D. Public
The Answer: A. Private
With asymmetric encryption, the private key is used to decrypt
information that has been encrypted with the public key. To ensure
continued access to the encrypted data, the company must have a copy of
each private key.
The incorrect answers:
B. CA
A CA (Certificate Authority) key pair is used to sign certificates and to
validate those signatures. It is not used for encrypting user data.
C. Session
Session keys are commonly used temporarily to provide confidentiality
during a single session. Once the session is complete, the keys are
discarded. Session keys are not used to provide long-term data encryption.
D. Public
In asymmetric encryption, a public key is already available to everyone. It
would not be necessary to escrow a public key.
A security administrator is designing an authentication process for a
new remote site deployment. They would like the users to provide their
credentials when they authenticate in the morning, and they do not want
any additional authentication requests to appear during the rest of the
day. Which of the following should be used to meet this requirement?
❍ A. TACACS+
❍ B. LDAPS
❍ C. Kerberos
❍ D. 802.1X
The Answer: C. Kerberos
Kerberos uses a ticket-based system to provide SSO (Single Sign-On)
functionality. You only need to authenticate once with Kerberos to gain
access to multiple resources.
The incorrect answers:
A. TACACS+
TACACS+ (Terminal Access Controller Access-Control System Plus) is a
common AAA protocol for authenticating administrators to network devices,
but it does not provide any single sign-on functionality.
B. LDAPS
LDAPS (Lightweight Directory Access Protocol Secure) is a standard for
accessing a network directory. This can provide an authentication method,
but it does not provide any single sign-on functionality.
D. 802.1X
802.1X is a standard for port-based network access control (PNAC), but it
does not inherently provide any single sign-on functionality.
A manufacturing company would like to use an existing router to
separate a corporate network and a manufacturing floor that use the same
physical switch. The company does not want to install any additional
hardware. Which of the following would be the BEST choice for this
segmentation?
❍ A. Connect the corporate network and the manufacturing floor
with a VPN
❍ B. Build an air gapped manufacturing floor network
❍ C. Use personal firewalls on each device
❍ D. Create separate VLANs for the corporate network and the
manufacturing floor
The Answer: D. Create separate VLANs for the corporate network and
the manufacturing floor
Creating VLANs (Virtual Local Area Networks) will segment a network
without requiring additional switches.
The incorrect answers:
A. Connect the corporate network and the manufacturing floor
with a VPN
A VPN (Virtual Private Network) would encrypt all information between
the two networks, but it would not provide any segmentation. This process
would also commonly require additional hardware to provide VPN
connectivity.
B. Build an air gapped manufacturing floor network
An air gapped network would require separate physical switches on each
side of the gap, and this would require the purchase of an additional
switch.
C. Use personal firewalls on each device
While personal firewalls provide protection for individual devices, they
do not segment networks. It’s also uncommon for personal firewalls to be
installed on manufacturing equipment.
When a home user connects to the corporate VPN, they are no longer
able to print to their local network printer. Once the user disconnects
from the VPN, the printer works normally. Which of the following would
be the MOST likely reason for this issue?
❍ A. The VPN uses IPSec instead of SSL
❍ B. Printer traffic is filtered by the VPN client
❍ C. The VPN is stateful
❍ D. The VPN tunnel is configured for full tunnel
The Answer: D. The VPN tunnel is configured for full tunnel
A split tunnel is a VPN (Virtual Private Network) configuration that
only sends a portion of the traffic through the encrypted tunnel. A split
tunnel would allow work-related traffic to securely traverse the VPN, and
all other traffic would use the non-tunneled option. In this example, the
printer traffic is being redirected through the VPN instead of the local
home network because of the non-split/full tunnel.
The incorrect answers:
A. The VPN uses IPSec instead of SSL
There are many protocols that can be used to send traffic through
an encrypted tunnel. IPsec is commonly used for site-to-site VPN
connections, and SSL/TLS (Secure Sockets Layer / Transport Layer Security)
is commonly used for end-user VPN connections. However, either protocol
can technically be used for any VPN tunnel, and the choice of protocol
would make no difference to the operation of the local printer.
B. Printer traffic is filtered by the VPN client
VPN clients are usually tasked with sending traffic unfiltered through the
encrypted tunnel. Although data could be filtered at some point along the
communication path, it’s not commonly filtered by the VPN client.
C. The VPN is stateful
A stateful communication is commonly associated with firewalls, and it
refers to the firewall’s ability to track traffic flows. Stateful communication
would not be a technology commonly associated with a VPN, and it would
not be part of the user’s printing issue.
A data center manager has built a Faraday cage in the data center, and a
set of application servers have been placed into racks inside the Faraday
cage. Which of the following would be the MOST likely reason for the
data center manager to install this configuration of equipment?
❍ A. Protect the servers against any unwanted electromagnetic fields
❍ B. Prevent physical access to the servers without the proper credentials
❍ C. Provide additional cooling to all devices in the cage
❍ D. Adds additional fire protection for the application servers
The Answer: A. Protect the servers against any unwanted
electromagnetic fields
A Faraday cage is an enclosure of conductive material, often a mesh, that
blocks external electromagnetic fields from reaching the equipment inside
and contains the emissions coming from it.
The incorrect answers:
B. Prevent physical access to the servers without the proper credentials
A Faraday cage does not provide any protection against system logins.
C. Provide additional cooling to all devices in the cage
A Faraday cage does not provide any additional cooling features.
D. Adds additional fire protection for the application servers
A Faraday cage does not provide any additional fire protection features.
A recent report shows the return of a vulnerability that was previously
patched four months ago. After researching this issue, the security team
has found that a recent patch has reintroduced this vulnerability on
the servers. Which of the following should the security administrator
implement to prevent this issue from occurring in the future?
❍ A. Templates
❍ B. Elasticity
❍ C. Master image
❍ D. Continuous monitoring
The Answer: D. Continuous monitoring
It’s common for organizations to continually monitor services for any
changes or issues. A nightly vulnerability scan across important servers
would identify issues like this one.
The incorrect answers:
A. Templates
Templates can be used to easily build the basic structure of an application
instance. These templates are not used to identify or prevent the
introduction of vulnerabilities.
B. Elasticity
Elasticity is important when scaling resources as the demand increases or
decreases. Unfortunately, elasticity will not help with the identification of
vulnerabilities.
C. Master image
A master image is used to quickly copy a server for easy deployment.
This image will need to be updated and maintained to prevent the issues
associated with unexpected vulnerabilities.
A security manager would like to ensure that unique hashes are used with
an application login process. Which of the following would be the BEST
way to add random data when generating a set of stored password hashes?
❍ A. Salting
❍ B. Obfuscation
❍ C. Key stretching
❍ D. Digital signature
The Answer: A. Salting
Adding random data, or salt, to a password when performing the hashing
process will create a unique hash, even if other users have chosen the same
password.
The incorrect answers:
B. Obfuscation
Obfuscation is the process of making something difficult for humans to
read or understand. The obfuscation process isn’t commonly associated
with adding random information to hashes.
C. Key stretching
Key stretching runs a password through the hashing or key-derivation
function many times so that each guess costs more, adding protection
against brute force attacks. Key stretching by itself does not add random
data to the hashing process.
D. Digital signature
Digital signatures use a hash and asymmetric encryption to provide
integrity of data. Digital signatures aren’t commonly used for storing
passwords.
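Salting and key stretching together, as an added example that is not part of the original flashcards: the same password hashed for two users produces two different records because each gets its own random salt, and the stored record carries the salt and iteration count needed to verify a login. The passwords, record format and iteration count are choices made for this example.

```python
"""Salted, stretched password hashing with PBKDF2 (added example). Passwords are constructed."""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    A fresh 16-byte random salt is drawn unless one is supplied (tests only)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, record):
    """Recompute the hash with the salt and iteration count stored in the record
    and compare in constant time, so timing does not leak how many bytes matched."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))

def unsalted(password):
    """What the question warns against: identical passwords give identical hashes,
    so one cracked hash (or one rainbow table) exposes every user who chose it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    alice = hash_password("Winter2024!")
    bob = hash_password("Winter2024!")
    print("unsalted equal:", unsalted("Winter2024!") == unsalted("Winter2024!"))
    print("salted equal:  ", alice == bob)
    print("alice verifies:", verify_password("Winter2024!", alice))
```

The salt is not secret and is stored beside the hash; its job is uniqueness. The iteration count is the key stretching the next question's incorrect answer describes, and storing it in the record lets you raise it later without invalidating existing logins.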
Which cryptographic method is used to add trust to a digital certificate?
❍ A. X.509
❍ B. Hash
❍ C. Symmetric encryption
❍ D. Digital signature
The Answer: D. Digital signature
A certificate authority will digitally sign a certificate to add trust. If you
trust the certificate authority, you can then trust the certificate.
The incorrect answers:
A. X.509
The X.509 standard defines the structure of a certificate. This standard
format makes it easy for everyone to view the contents of a certificate, but
it doesn’t provide any additional trust.
B. Hash
A hash can help verify that the certificate has not been altered, but it does
not provide additional third-party trust.
C. Symmetric encryption
Encrypting a certificate does not establish who issued it, and the
information in a certificate commonly needs to be viewable by others.
An MSP is designing a new server room for a large company. Which of the
following should be included in the design to provide redundancy?
(Select TWO)
❍ A. SIEM
❍ B. Temperature monitors
❍ C. RAID arrays
❍ D. Dual power supplies
❍ E. Hot and cold aisles
❍ F. Biometric locks
The Answer: C. RAID arrays and D. Dual power supplies
RAID (Redundant Array of Independent Disks) and dual power supplies
can both provide uptime and availability if a drive or component fails.
Many RAID configurations can continue to operate if a drive fails, and
a system with two power supplies can continue to operate if one of those
was to fail.
The incorrect answers:
A. SIEM
A SIEM (Security Information and Event Management) system is a useful
part of any network configuration, but it does not provide for uptime and
availability during a failure.
B. Temperature monitors
Temperature monitors can provide an early-warning notification of an
HVAC (Heating, Ventilation, and Air Conditioning) issue, but they don’t
provide any redundancy if the cooling system fails.
E. Hot and cold aisles
Hot and cold aisles will provide the most efficient cooling, but they don’t
provide any redundant features.
F. Biometric locks
Biometric locks are commonly found on server room and data center
entrances, but they don’t provide any redundancy for the systems inside.
An organization maintains a large database of customer information for
sales tracking and customer support. Which person in the organization
would be responsible for managing the access rights to this data?
❍ A. Data processor
❍ B. Data owner
❍ C. Privacy officer
❍ D. Data custodian
The Answer: D. Data custodian
The data custodian manages access rights and sets security controls
to the data.
The incorrect answers:
A. Data processor
The data processor manages the operational use of the data, but not the
rights and permissions to the information.
B. Data owner
The data owner is usually a higher-level executive who makes business
decisions regarding the data.
C. Privacy officer
A privacy officer sets privacy policies and implements privacy processes
and procedures.
An organization’s content management system (CMS) currently labels
files and documents as “Unclassified” and “Restricted.” In a recent
update to the CMS, a new classification type of “PII” was added. Which
of the following would be the MOST likely reason for this addition?
❍ A. Healthcare system integration
❍ B. Simplified categorization
❍ C. Expanded privacy compliance
❍ D. Decreased search time
The Answer: C. Expanded privacy compliance
The labeling of PII (Personally Identifiable Information) is often
associated with privacy and compliance concerns.
The incorrect answers:
A. Healthcare system integration
Healthcare data would most likely be labeled as PHI (Protected Health
Information). Personal information isn’t necessarily health-related.
B. Simplified categorization
Adding additional categories would not commonly be considered a
simplification.
D. Decreased search time
Adding additional classifications would not necessarily provide any
decreased search times.
A corporate security team would like to consolidate and protect the
private keys across all of their web servers. Which of these would be the
BEST way to securely store these keys?
❍ A. Use an HSM
❍ B. Implement full disk encryption on the web servers
❍ C. Use a TPM
❍ D. Upgrade the web servers to use a UEFI BIOS
The Answer: A. Use an HSM
An HSM (Hardware Security Module) is a high-end cryptographic
hardware appliance that can securely store keys and certificates for all
devices.
The incorrect answers:
B. Implement full disk encryption on the web servers
Full-disk encryption would only protect the keys if someone does not have
the proper credentials, and it won’t help consolidate all of the web server
keys to a central point.
C. Use a TPM
A TPM (Trusted Platform Module) is used on individual devices to
provide cryptographic functions and securely store encryption keys.
Individual TPMs would not provide any consolidation of web server
private keys.
D. Upgrade the web servers to use a UEFI BIOS
A UEFI (Unified Extensible Firmware Interface) BIOS (Basic Input/
Output System) does not provide any additional security or consolidation
features for web server private keys.
Jennifer is reviewing this security log from her IPS:
ALERT 2018-06-01 13:07:29 [163bcf65118-179b547b]
Cross-Site Scripting in JSON Data
222.43.112.74:3332 -> 64.235.145.35:80
URL /index.html - Method POST - Query String "-"
User Agent: curl/7.21.3 (i386-redhat-linux-gnu) libcurl/7.21.3
NSS/3.13.1.0 zlib/1.2.5 libidn/1.19 libssh2/1.2.7
Detail: token="" key="key7" value="alert(2)"
Which of the following can be determined from this log information?
(Select TWO)
❍ A. The alert was generated from a malformed User Agent header
❍ B. The alert was generated from an embedded script
❍ C. The attacker’s IP address is 222.43.112.74
❍ D. The attacker’s IP address is 64.235.145.35
❍ E. The alert was generated due to an invalid client port number
The Answer: B. The alert was generated from an embedded script and
C. The attacker’s IP address is 222.43.112.74
The details of the IPS (Intrusion Prevention System) alert show a script
value embedded into JSON ( JavaScript Object Notation) data. The IPS
log also shows the flow of the attack with an arrow in the middle. The
attacker was IP address 222.43.112.74 with port 3332, and the victim was
64.235.145.35 over port 80.
The incorrect answers:
A. The alert was generated from a malformed User Agent header
The user agent information is provided as additional supporting data
associated with the alert. The agent itself is not the cause of this alert.
D. The attacker’s IP address is 64.235.145.35
In the flow line the source address is listed before the arrow and the
destination after it, so 64.235.145.35 is the victim, not the attacker.
E. The alert was generated due to an invalid client port number
The port number associated with the client, 3332, is a valid port number
and not associated with the cause of the alert.
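Reading the alert programmatically, as an added example that is not part of the original flashcards: a parser for the record shown above that pulls out the flow (source before the arrow, destination after it), the request details and the offending value, then a triage step that names attacker and victim and explains the alert from the detail fields. The field names and the short list of script indicators are choices made for this example; the alert text is the one from the question.

```python
"""Parse the IPS alert from the question and triage it (added example).
The alert text is the one shown above; the field names chosen here are my own."""
import re

ALERT = """ALERT 2018-06-01 13:07:29 [163bcf65118-179b547b]
Cross-Site Scripting in JSON Data
222.43.112.74:3332 -> 64.235.145.35:80
URL /index.html - Method POST - Query String "-"
User Agent: curl/7.21.3 (i386-redhat-linux-gnu) libcurl/7.21.3
NSS/3.13.1.0 zlib/1.2.5 libidn/1.19 libssh2/1.2.7
Detail: token="" key="key7" value="alert(2)"
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HEADER_RE = re.compile(r"^ALERT (?P<timestamp>\S+ \S+) \[(?P<alert_id>[^\]]+)\]$")
FLOW_RE = re.compile(rf"^(?P<src_ip>{IPV4}):(?P<src_port>\d+)\s*->\s*(?P<dst_ip>{IPV4}):(?P<dst_port>\d+)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Substrings that mark script content in a submitted value (a short, constructed list).
SCRIPT_INDICATORS = ("<script", "javascript:", "alert(", "onerror=", "onload=")

def parse_alert(text):
    """Return a dict of the alert's fields. The flow line is read left to right:
    the address before the arrow sent the traffic, the one after it received it."""
    lines = [line.strip() for line in text.strip().splitlines()]
    header = HEADER_RE.match(lines[0])
    if not header:
        raise ValueError("not an ALERT record")
    alert = {**header.groupdict(), "signature": lines[1]}
    last = None   # field that a wrapped line continues
    for line in lines[2:]:
        flow = FLOW_RE.match(line)
        if flow:
            alert.update({k: int(v) if k.endswith("_port") else v for k, v in flow.groupdict().items()})
            last = None
        elif line.startswith("URL "):
            url, method, query = [part.strip() for part in line.split(" - ")]
            alert["url"] = url.split(None, 1)[1]
            alert["method"] = method.split()[1]
            alert["query_string"] = query.split(None, 2)[2].strip('"')
            last = None
        elif line.startswith("User Agent:"):
            alert["user_agent"] = line.split(":", 1)[1].strip()
            last = "user_agent"
        elif line.startswith("Detail:"):
            alert["detail"] = dict(KV_RE.findall(line))
            last = None
        elif last:
            alert[last] += " " + line   # continuation of a wrapped field
    return alert

def triage(alert):
    """Return (attacker_ip, victim_ip, suspicious_values): the flow direction
    gives the roles; detail values containing script content explain the alert."""
    suspicious = {key: value for key, value in alert["detail"].items()
                  if any(marker in value.lower() for marker in SCRIPT_INDICATORS)}
    return alert["src_ip"], alert["dst_ip"], suspicious

if __name__ == "__main__":
    parsed = parse_alert(ALERT)
    attacker, victim, why = triage(parsed)
    print(f"{parsed['signature']}: attacker {attacker}, victim {victim}, payload {why}")
```

Note what the triage does not use: the User Agent and the client port are carried along as context, exactly as the explanation above treats them, and neither contributes to the verdict.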
Which of the following describes a monetary loss if one event occurs?
❍ A. ALE
❍ B. SLE
❍ C. RTO
❍ D. ARO
The Answer: B. SLE
SLE (Single Loss Expectancy) describes the financial impact of
a single event.
The incorrect answers:
A. ALE
ALE (Annual Loss Expectancy) is the financial loss over an entire
12-month period.
C. RTO
RTO (Recovery Time Objective) is the maximum time allowed to restore a
service to a defined level after a disruption. It is a time value, not a
monetary loss.
D. ARO
The ARO (Annualized Rate of Occurrence) is the number of times an
event is expected to occur in a 12-month period.
A user with restricted access has typed this text in a search field of an
internal web-based application:
USER77' OR '1'='1
After submitting this search request, all of the database records are
displayed on the screen. Which of the following would BEST describe
this search?
❍ A. CSRF
❍ B. Buffer overflow
❍ C. SQL injection
❍ D. SSL stripping
The Answer: C. SQL injection
SQL (Structured Query Language) injection takes advantage of poor input
validation to change the query the application sends to the database. Here
the quote in the input closes the string literal and OR '1'='1 makes the
WHERE condition true for every row, so every record is returned.
The incorrect answers:
A. CSRF
CSRF (Cross-Site Request Forgery) tricks a victim's browser into sending a
request to a web application where the victim is already authenticated,
riding on that user's session. The attack demonstrated in this question does
not use another user's credentials or access rights to obtain information.
B. Buffer overflow
A buffer overflow uses an application vulnerability to submit more
information than an application can properly manage. The attack syntax
in this question is specific to SQL injections, and it does not appear to be
manipulating a buffer overflow vulnerability.
D. SSL stripping
SSL stripping is an on-path attack that downgrades a client's HTTPS
connection to plain HTTP so the traffic can be read in the clear. The attack
in this question does not include a third party or on-path entity.
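The search from the question run against a vulnerable query and a parameterised one, as an added example that is not part of the original flashcards. SQLite stands in for the application's database; the table, its rows and column names are constructed, and the input is exactly the text the user typed.

```python
"""The search from the question against a vulnerable and a parameterised query (added example).
The table, rows and column names are constructed; sqlite3 stands in for the application's database."""
import sqlite3

PAYLOAD = "USER77' OR '1'='1"   # the text typed into the search field

def build_db():
    """In-memory table with a few constructed customer records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (username, email) VALUES (?, ?)",
        [("USER12", "user12@example.com"), ("USER77", "user77@example.com"), ("ADMIN", "admin@example.com")],
    )
    return conn

def search_vulnerable(conn, term):
    """Builds the statement by string concatenation, so the quote in the input
    closes the literal and the rest is parsed as SQL:
    ... WHERE username = 'USER77' OR '1'='1'   -> true for every row."""
    sql = "SELECT username FROM customers WHERE username = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, term):
    """Parameterised query: the driver binds the whole input as one string
    value, so it can only ever be compared against username, never parsed."""
    sql = "SELECT username FROM customers WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (term,))]

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", search_vulnerable(conn, PAYLOAD))   # every record
    print("safe:      ", search_safe(conn, PAYLOAD))         # no record has that literal name
    print("safe, normal input:", search_safe(conn, "USER77"))
```

Input validation (rejecting quotes) is a weaker fix than the bound parameter: the parameter removes the parsing step the injection depends on, whatever characters the input contains.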
A user has opened a helpdesk ticket complaining of poor system
performance, excessive pop up messages, and the cursor moving
without anyone touching the mouse. This issue began after they opened
a spreadsheet from a vendor containing part numbers and pricing
information. Which of the following is MOST likely the cause of this
user’s issues?
❍ A. On-path
❍ B. Worm
❍ C. RAT
❍ D. Logic bomb
The Answer: C. RAT
A RAT (Remote Access Trojan) is malware that can control a computer
using desktop sharing and other administrative functions. Because the
installation program is often disguised as something else, the victim often
doesn’t realize they’re installing malware. Once the RAT is installed, the
attacker can control the desktop, capture screenshots, reboot the computer,
and many other administrative functions.
The incorrect answers:
A. On-path
An on-path (man-in-the-middle) attack commonly occurs without any knowledge
of the parties involved, and there's usually no additional notification that
an attack is underway.
B. Worm
A worm is malware that replicates itself between systems without any
user intervention, so a spreadsheet that a user had to open and click
through warning messages to run would not be categorized as a worm.
D. Logic bomb
A logic bomb is malware that installs and operates silently until a certain
event occurs. Once the logic bomb has been triggered, the results usually
involve loss of data or a disabled operating system.
A web-based manufacturing company processes monthly charges to credit
card information saved in the customer’s profile. Which of the following
standards would be required to maintain this payment information?
❍ A. GDPR
❍ B. ISO 27001
❍ C. PCI DSS
❍ D. CSA CCM
The Answer: C. PCI DSS
The PCI DSS (Payment Card Industry Data Security Standard) specifies
the minimum security requirements for storing and protecting credit card
information.
The incorrect answers:
A. GDPR
GDPR (General Data Protection Regulation) is a European Union
regulation that governs data protection and privacy for individuals
in the EU.
B. ISO 27001
The ISO (International Organization for Standardization) 27001 standard
focuses on the requirements for an Information Security Management
System (ISMS).
D. CSA CCM
The CSA CCM (Cloud Security Alliance Cloud Controls Matrix)
provides documents for implementing and managing cloud-specific
security controls.
A security manager has created a report showing intermittent network
communication from external IP addresses to certain workstations on the
internal network. These traffic patterns occur at random times during the
day. Which of the following would be the MOST likely reason for these
traffic patterns?
❍ A. ARP poisoning
❍ B. Backdoor
❍ C. Polymorphic virus
❍ D. Trojan horse
The Answer: B. Backdoor
A backdoor would allow an attacker to access a system at any time without
any user intervention. If there are inbound traffic flows that cannot be
identified, it may be necessary to isolate that computer and examine it for
signs of a compromised system.
The incorrect answers:
A. ARP poisoning
ARP (Address Resolution Protocol) poisoning is a local exploit that is
often associated with an on-path (man-in-the-middle) attack. The attacker
must be on the same local IP subnet as the victim, so this is not often
associated with an external attack.
C. Polymorphic virus
Polymorphic viruses change their own code each time they replicate so
that signature-based detection misses them. Although a virus could
potentially install a backdoor, a virus still needs to be executed by a
user and does not by itself explain recurring inbound connections.
D. Trojan horse
A Trojan horse is malware that is hidden inside of a seemingly harmless
application. Once the Trojan horse is executed, the malware will be
installed onto the victim’s computer. Trojan horse malware could possibly
install backdoor malware, but the Trojan horse itself would not be the
reason for these traffic patterns.
The security policies in a manufacturing company prohibit the
transmission of customer information. However, a security administrator
has received an alert that credit card numbers were transmitted as an
email attachment. Which of the following was the MOST likely source
of this alert message?
❍ A. IPS
❍ B. DLP
❍ C. SMTP
❍ D. IPsec
The Answer: B. DLP
DLP (Data Loss Prevention) technologies can identify and block the
transmission of sensitive data across the network.
The incorrect answers:
A. IPS
IPS (Intrusion Prevention System) signatures are useful for identifying
known vulnerabilities, but they don’t commonly provide a way to identify
and block PII (Personally Identifiable Information) or sensitive data.
C. SMTP
SMTP (Simple Mail Transfer Protocol) is a protocol used to transfer
email messages between servers. SMTP does not identify the transmission
of sensitive data.
D. IPsec
IPsec (Internet Protocol Security) is a protocol suite for authenticating
and encrypting network communication. IPsec does not include any
features for identifying and alerting on sensitive information.
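Detection logic of the kind a DLP engine applies to outbound mail, as an added example that is not part of the original flashcards: find digit runs that look like card numbers, keep only those that pass the Luhn check so part numbers and order ids do not trigger the policy, and decide whether to block or redact. The attachment text is constructed; 4111 1111 1111 1111 and 5500 0000 0000 0004 are widely published test numbers, not real cards.

```python
"""Card-number detection of the kind a DLP engine applies to outbound mail (added example).
The attachment text is constructed; the card numbers are published test numbers."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn check: double every second digit from the right, subtract 9 from
    results over 9, and require the sum to be a multiple of 10."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        digit = int(char)
        if index % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0

def find_card_numbers(text):
    """Return the normalised (digits only) card numbers in text. A digit run that
    fails Luhn (part numbers, order ids, phone numbers) is discarded, which is
    what keeps the false-positive rate workable."""
    found = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found

def redact(text):
    """Mask every detected card number except its last four digits."""
    def mask(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        return "X" * (len(digits) - 4) + digits[-4:] if luhn_ok(digits) else match.group(0)
    return CANDIDATE_RE.sub(mask, text)

def should_block(text):
    """Policy decision for the mail gateway: block if any card number is present."""
    return bool(find_card_numbers(text))

# Constructed attachment: one card-format number and a 16-digit part number.
ATTACHMENT = """Customer: J. Doe
Order: 2024-000198
Card: 4111 1111 1111 1111 exp 09/27
Part number 1234-5678-9012-3456 qty 2
Support line: 555-0100
"""

if __name__ == "__main__":
    print("block:", should_block(ATTACHMENT), find_card_numbers(ATTACHMENT))
    print(redact(ATTACHMENT))
```

A production DLP engine adds context (a nearby "card", "exp" or "CVV", the issuer prefix ranges) and handles encodings and archives inside attachments, but the Luhn filter is the single step that separates a usable rule from one that fires on every long number in a parts catalogue.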
A security administrator has configured a virtual machine in a screened
subnet with a guest login account and no password. Which of the
following would be the MOST likely reason for this configuration?
❍ A. The server is a honeypot for attracting potential attackers
❍ B. The server is a cloud storage service for remote users
❍ C. The server will be used as a VPN concentrator
❍ D. The server is a development sandbox for third-party
programming projects
The Answer: A. The server is a honeypot for attracting potential attackers
A screened subnet is a good location to configure services that can be
accessed from the Internet, and building a system that can be easily
compromised is a common tactic for honeypot systems.
The incorrect answers:
B. The server is a cloud storage service for remote users
Although cloud storage is a useful service, configuring storage on a server
with an open guest account is not a best practice.
C. The server will be used as a VPN concentrator
VPN (Virtual Private Networking) concentrators should be installed
on secure devices, and configuring an open guest account would not be
considered a secure configuration.
D. The server is a development sandbox for third-party
programming projects
It would not be secure to configure a development sandbox on a system
with an open guest account.
A company’s outgoing email server currently uses SMTP with no
encryption. The security administrator would like to implement
encryption between email clients without changing the existing
server-to-server communication. Which of the following would be the
BEST way to implement this requirement?
❍ A. Implement Secure IMAP
❍ B. Require the use of S/MIME
❍ C. Install an SSL certificate on the email server
❍ D. Use a VPN tunnel between email clients
The Answer: B. Require the use of S/MIME
S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a way
to integrate public key encryption and digital signatures into most modern
email clients. This would encrypt all email information from client to
client, regardless of the communication used between email servers.
The incorrect answers:
A. Implement Secure IMAP
Secure IMAP (Internet Message Access Protocol over TLS) encrypts the
connection a client uses to retrieve mail from its own server, but it would
not protect an outgoing message once it leaves that client-to-server hop.
C. Install an SSL certificate on the email server
An SSL certificate on an email server could potentially be used to encrypt
server-to-server communication, but the security administrator is looking
for an encryption method between email clients.
D. Use a VPN tunnel between email clients
Email communication does not occur directly between email clients, so
configuring a VPN between all possible email recipients would not be a
valid implementation.
A company would like to securely deploy applications without the
overhead of installing a virtual machine for each system. Which of the
following would be the BEST way to deploy these applications?
❍ A. Containerization
❍ B. IaaS
❍ C. Proxies
❍ D. CASB
The Answer: A. Containerization
Application containerization uses a single virtual machine as the
foundation for separate application “containers.” These containers are
implemented as isolated instances, and an application in one container is
not inherently accessible from other containers on the system.
The incorrect answers:
B. IaaS
IaaS (Infrastructure as a Service) is a cloud-based service that provides
the basic infrastructure for installing operating systems and applications.
By itself, IaaS does not provide any method of application deployments or
virtual machines.
C. Proxies
Proxies can be used as security devices, but they aren’t used for deploying
application instances without virtual machines.
D. CASB
A CASB (Cloud Access Security Broker) is a cloud security solution to
manage visibility, compliance, threat prevention, and other security features
for cloud-based applications.
A company has just purchased a new application server, and the security
director wants to determine if the system is secure. The system is currently
installed in a test environment and will not be available to users until the
rollout to production next week. Which of the following would be the
BEST way to determine if any part of the system can be exploited?
❍ A. Tabletop exercise
❍ B. Vulnerability scanner
❍ C. Password cracker
❍ D. Penetration test
The Answer: D. Penetration test
A penetration test can be used to actively exploit potential vulnerabilities
in a system or application. This could cause a denial of service or loss of
data, so the best practice is to perform the penetration test during
non-production hours or in a test environment.
The incorrect answers:
A. Tabletop exercise
A tabletop exercise is used to talk through a security event with an
incident response team around a conference room table. This is commonly
performed as a training device instead of performing a full-scale disaster
drill.
B. Vulnerability scanner
Vulnerability scanners may identify a vulnerability, but they do not actively
attempt to exploit the vulnerability.
C. Password cracker
A password cracker is usually an offline brute force tool used against a
list of password hashes. A password cracker may be able to identify weak
passwords, but it would not identify any other types of vulnerabilities.
A security administrator has performed an audit of the organization’s
production web servers, and the results have identified banner
information leakage, web services running from a privileged account, and
inconsistencies with SSL certificates. Which of the following would be the
BEST way to resolve these issues?
❍ A. Server hardening
❍ B. Multi-factor authentication
❍ C. Enable HTTPS
❍ D. Run operating system updates
The Answer: A. Server hardening
Many applications and services include secure configuration guides that
can assist in hardening the system. These hardening steps will make the
system as secure as possible while simultaneously allowing the application
to run efficiently.
The incorrect answers:
B. Multi-factor authentication
Although multi-factor authentication is always a good best practice,
simply enabling multiple authentication methods would not resolve the
issues identified during the audit.
C. Enable HTTPS
Most web servers will use HTTPS to ensure that network communication
is encrypted. However, the encrypted network traffic would not correct
the issues identified during the audit.
D. Run operating system updates
Keeping the system up to date is another good best practice, but the
issues identified during the audit were not bugs related to the operating
systems. All of the issues identified in the audit appear to be related to the
configuration of the web server, so any resolution will focus on correcting
these configuration issues.
A shipping company stores information in small regional warehouses
around the country. The company keeps an IPS online at each warehouse
to watch for suspicious traffic patterns. Which of the following would
BEST describe the security control used at the warehouse?
❍ A. Administrative
❍ B. Compensating
❍ C. Physical
❍ D. Detective
The Answer: D. Detective
An IPS can detect and record any intrusion attempt.
The incorrect answers:
A. Administrative
Administrative controls would control how people act, such as security
policies and standard operating procedures.
B. Compensating
A compensating control can’t prevent an attack, but it can compensate
when an attack occurs. For example, a compensating control would be the
re-imaging process or a server restored from backup if an attack had been
identified.
C. Physical
A physical control would block access. For example, a door lock or security
guard would be a physical control.
The Vice President of Sales has asked the IT team to create daily backups
of the sales data. The Vice President is an example of a:
❍ A. Data owner
❍ B. Data protection officer
❍ C. Data steward
❍ D. Data processor
The Answer: A. Data owner
The data owner is accountable for specific data, and is often a senior officer
of the organization.
The incorrect answers:
B. Data protection officer
The data protection officer (DPO) is responsible for the organization’s
data privacy. The DPO commonly sets processes and procedures for
maintaining the privacy of data.
C. Data steward
The data steward manages access rights to the data. In this example, the IT
team would be the data steward.
D. Data processor
The data processor is often a third-party that processes data on behalf of
the data controller.
A security engineer is preparing to conduct a penetration test. Part of the
preparation involves reading through social media posts for information
about a third-party website. Which of the following describes this
practice?
❍ A. Partially known environment
❍ B. OSINT
❍ C. Exfiltration
❍ D. Active footprinting
The Answer: B. OSINT
OSINT (Open Source Intelligence) describes the process of obtaining
information from open sources, such as social media sites, corporate
websites, online forums, and other publicly available locations.
The incorrect answers:
A. Partially known environment
A partially known environment test describes how much information
the attacker knows about the test. The attacker may have access to some
information about the test, but not all information is disclosed.
C. Exfiltration
Exfiltration describes the theft of data by an attacker.
D. Active footprinting
Active footprinting would show some evidence of data gathering. For
example, performing a ping scan or DNS query wouldn’t exploit a
vulnerability, but it would show that someone was gathering information.
A company would like to automate their response when a virus is
detected on company devices. Which of the following would be the
BEST way to implement this function?
❍ A. Active footprinting
❍ B. IaaS
❍ C. Vulnerability scan
❍ D. SOAR
The Answer: D. SOAR
SOAR (Security Orchestration, Automation, and Response) provides
security teams with integration and automation of processes and
procedures.
The incorrect answers:
A. Active footprinting
Active footprinting will gather information about a system, but it does not
provide any ongoing monitoring or response features.
B. IaaS
IaaS (Infrastructure as a Service) is a type of cloud service that provides
the basic hardware required to install an OS and application. IaaS does not
provide ongoing monitoring for security events or automation features.
C. Vulnerability scan
A vulnerability scan will identify any known vulnerabilities that may be
associated with a system. However, a vulnerability scan will not identify
real-time infections or automate the response.
A user in the accounting department has received an email from the
CEO requesting payment for a recently purchased tablet. However, there
doesn’t appear to be a purchase order associated with this request. Which
of the following would be the MOST likely attack associated with
this email?
❍ A. Spear phishing
❍ B. Watering hole attack
❍ C. Invoice scam
❍ D. Credential harvesting
The Answer: C. Invoice scam
Invoice scams attempt to take advantage of the miscommunication
between different parts of the organization. Fake invoices are submitted by
the attacker, and these invoices can sometimes be incorrectly paid without
going through the expected verification process.
The incorrect answers:
A. Spear phishing
Spear phishing is a directed attack that attempts to obtain private or
personal information. In this example, the result was to obtain payment
and not to gather private information.
B. Watering hole attack
A watering hole attack requires users to visit a central website or location.
This example did not require the user to visit any third-party websites.
D. Credential harvesting
Credential harvesting attempts to transfer password files and
authentication information from other computers.
A company has been informed of a hypervisor vulnerability that could
allow users on one virtual machine to access resources on another
virtual machine. Which of the following would BEST describe this
vulnerability?
❍ A. Containerization
❍ B. Service integration
❍ C. SDN
❍ D. VM escape
The Answer: D. VM escape
A VM (Virtual Machine) escape is a vulnerability that allows
communication between separate VMs.
The incorrect answers:
A. Containerization
Containerization is an application deployment architecture that uses a
self-contained group of application code and dependencies. Many separate
containers can run on a single system.
B. Service integration
Service Integration and Management (SIAM) allows the integration of
many different service providers into a single management system. This
simplifies the application management and deployment process when
using separate cloud providers.
C. SDN
SDN (Software-Defined Networking) separates the control plane of
networking devices from the data plane. This allows for more automation
and dynamic changes to the infrastructure.
While working from home, users are attending a project meeting over
a web conference. When typing in the meeting link, the browser is
unexpectedly directed to a different website than the web conference.
Users in the office do not have any issues accessing the conference site.
Which of the following would be the MOST likely reason for this issue?
❍ A. Bluejacking
❍ B. Wireless disassociation
❍ C. DDoS
❍ D. DNS poisoning
The Answer: D. DNS poisoning
An attacker that gains access to a DNS (Domain Name System) server
can modify the configuration files and redirect users to a different website.
Anyone using a different DNS server may not see any problems with
connectivity to the original site.
The incorrect answers:
A. Bluejacking
Bluejacking allows a third-party to send unsolicited messages to another
device using Bluetooth. The attack in this example did not use Bluetooth
as an attack vector.
B. Wireless disassociation
Wireless disassociation would cause users on a wireless network to
constantly disconnect. Wireless disassociation would not cause a
redirection of a website URL (Uniform Resource Locator).
C. DDoS
DDoS (Distributed Denial of Service) would attack a service from many
different devices and cause the service to be unavailable. In this example,
the service did not have any availability problems to valid users.
A company is launching a new internal application that will not start
until a username and password is entered and a smart card is plugged into
the computer. Which of the following BEST describes this process?
❍ A. Federation
❍ B. Accounting
❍ C. Authentication
❍ D. Authorization
The Answer: C. Authentication
The process of proving who you say you are is authentication. In this
example, the password and smart card are two factors of authentication,
and both reasonably prove that the person logging in is authentic.
The incorrect answers:
A. Federation
Federation provides a way to authenticate and authorize between two
different organizations. In this example, the authentication process uses
internal information without any type of connection or trust to a
third-party.
B. Accounting
Accounting will document information regarding a user’s session, such as
login time, data sent and received, files transferred, and logout time.
D. Authorization
The authorization process assigns users to resources. This process
commonly occurs after the authentication process is complete.
An online retailer is planning a penetration test as part of their PCI
DSS validation. A third-party organization will be performing the test,
and the online retailer has provided the Internet-facing IP addresses for
their public web servers but no other details. What penetration testing
methodology is the online retailer using?
❍ A. Known environment
❍ B. Passive footprinting
❍ C. Partially known environment
❍ D. Ping scan
The Answer: C. Partially known environment
A partially known environment test is performed when the attacker knows
some information about the victim, but not all information is available.
The incorrect answers:
A. Known environment
A known environment test is performed when the attacker has complete
details about the victim’s systems and infrastructure.
B. Passive footprinting
Passive footprinting is the process of gathering information from publicly
available sites, such as social media or corporate websites.
D. Ping scan
A ping scan is a type of network scan that can identify devices connected
to the network. A ping scan is not a type of penetration test.
A manufacturing company makes radar used by commercial and military
organizations. A recently proposed policy change would allow the use of
mobile devices inside the facility. Which of the following would be the
MOST significant security issue associated with this change in policy?
❍ A. Unauthorized software on rooted devices
❍ B. Remote access clients on the mobile devices
❍ C. Out of date mobile operating systems
❍ D. Photo and video use
The Answer: D. Photo and video use
The exfiltration of company confidential information is relatively simple
with an easily transportable camera or video recorder. Organizations
associated with sensitive products or services must always be aware of the
potential for information leaks using photos or video.
The incorrect answers:
A. Unauthorized software on rooted devices
Although unauthorized software use can be a security issue, it isn’t as
significant as the exfiltration of company confidential information.
B. Remote access clients on the mobile devices
It’s sometimes convenient to have a remote access client available, and this
type of access can certainly be a concern if the proper security is not in
place. However, the much more significant security issue in this list would
be associated with the ease of photos and videography when working with
confidential information.
C. Out of date mobile operating systems
Having an outdated operating system can potentially include security
vulnerabilities, but these vulnerabilities do not have the significance of an
active data exfiltration method.
A company is designing an application that will have a high demand and
will require significant computing resources during the summer. During
the winter, there will be little to no application use and resource use
should be minimal. Which of these characteristics BEST describe this
application requirement?
❍ A. Availability
❍ B. Orchestration
❍ C. Imaging
❍ D. Elasticity
The Answer: D. Elasticity
Elasticity is the process of providing resources when demand increases and
scaling down when the demand is low.
The incorrect answers:
A. Availability
Availability describes the ability to use a service, but it doesn’t directly
describe the ability of the service resources to grow or shrink based on
demand.
B. Orchestration
The process of automating the configuration, maintenance, and operation
of an application instance is called orchestration. The description of the
application requirement didn’t mention the use of automation when
scaling resources.
C. Imaging
Imaging is a technique that allows a system administrator to build a
specific operating system and application configuration. This configuration
can then be saved as an “image” and easily deployed to other systems.
Vala, a security analyst, has received an alert from her IPS regarding active
exploit attempts from the Internet. Which of the following would provide
detailed information about these exploit attempts?
❍ A. Netstat
❍ B. Nmap
❍ C. Nessus
❍ D. Wireshark
The Answer: D. Wireshark
Wireshark is a protocol analyzer, and it can provide information about
every frame that traverses the network. From a security perspective, the
protocol decode can show the exploitation process and details about the
payloads used during the attempt.
The incorrect answers:
A. Netstat
The netstat command can display connectivity information about a device,
but it won’t provide any additional details about an exploit attempt.
B. Nmap
An Nmap scan is a useful tool for understanding the potential exploit
vectors of a device, but it won’t show information about an active
exploitation attempt.
C. Nessus
Nessus is a vulnerability scanner that can help identify potential exploit
vectors, but it’s not useful for showing active exploitation attempts by a
third-party.
A user in the accounting department would like to send a spreadsheet
with sensitive information to a list of third-party vendors. Which of the
following could be used to transfer this spreadsheet to the vendors?
❍ A. SNMPv3
❍ B. SRTP
❍ C. DNSSEC
❍ D. FTPS
The Answer: D. FTPS
FTPS (File Transfer Protocol Secure) provides mechanisms for
transferring files using encrypted communication.
The incorrect answers:
A. SNMPv3
SNMPv3 (Simple Network Management Protocol version 3) uses
encrypted communication to manage devices, but it is not used for secure
file transfers between devices.
B. SRTP
SRTP (Secure Real-Time Transport Protocol) is used for secure voice
over IP and media communication across the network.
C. DNSSEC
DNSSEC (Domain Name System Secure Extensions) are used on DNS
servers to validate DNS responses using public key cryptography.
A system administrator would like to segment the network to give the
marketing, accounting, and manufacturing departments their own private
network. The network communication between departments would
be restricted for additional security. Which of the following should be
configured on this network?
❍ A. VPN
❍ B. RBAC
❍ C. VLAN
❍ D. NAT
The Answer: C. VLAN
A VLAN (Virtual Local Area Network) is a common method of logically
segmenting a network. The devices in each segmented VLAN can only
communicate with other devices in the same VLAN. A router is used to
connect VLANs, and this router can often be used to control traffic flows
between VLANs.
The incorrect answers:
A. VPN
A VPN (Virtual Private Network) is an encryption technology that can
be used to secure network connections between sites or remote end-user
communication. VPNs are not commonly used to segment internal
network communication.
B. RBAC
RBAC (Role-Based Access Control) describes a control mechanism for
managing rights and permissions in an operating system. RBAC is not
used for network segmentation.
D. NAT
NAT (Network Address Translation) is used to modify the source or
destination IP address or port number of a network traffic flow. NAT
would not be used when segmenting internal networks.
A technician at an MSP has been asked to manage devices on a third-party
private network. The technician needs command line access to internal
routers, switches, and firewalls. Which of the following would provide the
necessary access?
❍ A. HSM
❍ B. Jump server
❍ C. NAC
❍ D. Air gap
The Answer: B. Jump server
A jump server is a highly secured device commonly used to access secure
areas of another network. The technician would first connect to the jump
server using SSH or a VPN tunnel, and then “jump” from the jump server
to other devices on the inside of the protected network. This would allow
technicians at an MSP (Managed Service Provider) to securely access
devices on their customer’s network.
The incorrect answers:
A. HSM
An HSM (Hardware Security Module) is a secure method of
cryptographic key backup and hardware-based cryptographic offloading.
C. NAC
NAC (Network Access Control) is a broad term describing access control
based on a health check or posture assessment. NAC will deny access to
devices that don’t meet the minimum security requirements.
D. Air gap
An air gap is a segmentation strategy that separates devices or networks by
physically disconnecting them from each other.
A transportation company is installing new wireless access points in their
corporate offices. The manufacturer estimates that the access points will
operate an average of 100,000 hours before a hardware-related outage.
Which of the following describes this estimate?
❍ A. MTTR
❍ B. RPO
❍ C. RTO
❍ D. MTBF
The Answer: D. MTBF
The MTBF (Mean Time Between Failures) is the average time expected
between outages. This is usually an estimation based on the internal device
components and their expected operational lifetime.
The incorrect answers:
A. MTTR
MTTR (Mean Time to Repair) is the time required to repair a product or
system after a failure.
B. RPO
RPO (Recovery Point Objectives) define how much data loss would be
acceptable during a recovery.
C. RTO
RTO (Recovery Time Objectives) define the minimum objectives required
to get up and running to a particular service level.