Professor Messer Questions Flashcards
Attacker obtains bank account number and birth date by calling the victim
Vishing
Attacker modifies a legitimate DNS server to resolve the IP address of a malicious site
Spoofing
Attacker intercepts all communication between a client and a web server
On-path
Multiple attackers overwhelm a web server
DDoS
A virus alert appears in your browser from Microsoft with a phone number to call for support
Hoax
What protocol accepts customer purchases from your primary website?
HTTPS
What protocol synchronizes the time across all of your devices?
NTPsec (Network Time Protocol secure)
What protocol is used to access your switch through a CLI terminal screen?
SSH (Secure Shell)
What protocol do you use to talk with customers on scheduled conference calls?
SRTP (Secure Real-time Transport Protocol)
What protocol gathers metrics from routers at remote sites?
SNMPv3 (Simple Network Management Protocol version 3)
You’ve hired a third-party to gather information about your company’s servers and data. The third-party will not have direct access to your internal network but can gather information from any other source.
Which of the following would BEST describe this approach?
❍ A. Backdoor testing
❍ B. Passive footprinting
❍ C. OS fingerprinting
❍ D. Partially known environment
Passive footprinting
Passive footprinting focuses on learning as much information as possible from open sources such as social media, corporate websites, and business organizations.
Which of these protocols use TLS to provide secure communication?
(Select TWO)
❍ A. HTTPS
❍ B. SSH
❍ C. FTPS
❍ D. SNMPv2
❍ E. DNSSEC
❍ F. SRTP
The Answer: A. HTTPS and C. FTPS
TLS (Transport Layer Security) is a cryptographic protocol used to encrypt network communication. HTTPS is the Hypertext Transfer Protocol over TLS, and FTPS is the File Transfer Protocol over TLS.
Which of these threat actors would be MOST likely to attack systems for direct financial gain?
❍ A. Organized crime
❍ B. Hacktivist
❍ C. Nation state
❍ D. Competitor
The Answer: A. Organized crime
An organized crime actor is motivated by money, and their hacking activities usually target assets that can be easily exchanged for financial capital.
A security incident has occurred on a file server. Which of the following data sources should be gathered to address file storage volatility?
(Select TWO)
❍ A. Partition data
❍ B. Kernel statistics
❍ C. ROM data
❍ D. Temporary file systems
The Answer: A. Partition data and D. Temporary file systems
Both temporary file system data and partition data are part of the file storage subsystem.
An IPS at your company has found a sharp increase in traffic from all-in-one printers. After researching, your security team has found a vulnerability associated with these devices that allows the device to be remotely controlled by a third-party.
Which category would BEST describe these devices?
❍ A. IoT
❍ B. RTOS
❍ C. MFD
❍ D. SoC
The Answer: C. MFD
An all-in-one printer that can print, scan, and fax is often categorized as an MFD (Multifunction Device).
Which of the following standards provides information on privacy and managing PII?
❍ A. ISO 31000
❍ B. ISO 27002
❍ C. ISO 27701
❍ D. ISO 27001
The Answer: C. ISO 27701
The ISO (International Organization for Standardization) 27701 standard extends the ISO 27001 and 27002 standards to include detailed management of PII (Personally Identifiable Information) and data privacy.
Elizabeth, a security administrator, is concerned about the potential for data exfiltration using external storage drives. Which of the following would be the BEST way to prevent this method of data exfiltration?
❍ A. Create an operating system security policy to prevent the use of removable media
❍ B. Monitor removable media usage in host-based firewall logs
❍ C. Only allow applications that do not use removable media
❍ D. Define a removable media block rule in the UTM
The Answer: A. Create an operating system security policy to prevent the use of removable media
Removable media uses hot-pluggable interfaces such as USB to connect storage drives. A security policy in the operating system can prevent any files from being written to a removable drive.
A CISO (Chief Information Security Officer) would like to decrease the response time when addressing security incidents. Unfortunately, the company does not have the budget to hire additional security engineers.
Which of the following would assist the CISO with this requirement?
❍ A. ISO 27701
❍ B. PKI
❍ C. IaaS
❍ D. SOAR
The Answer: D. SOAR
SOAR (Security Orchestration, Automation, and Response) is designed to make security teams more effective by automating processes and integrating third-party security tools.
An insurance company has created a set of policies to handle data breaches. The security team has been given this set of requirements based on these policies:
* Access records from all devices must be saved and archived
* Any data access outside of normal working hours must be immediately reported
* Data access must only occur inside of the country
* Access logs and audit reports must be created from a single database
Which of the following should be implemented by the security team to meet these requirements? (Select THREE)
❍ A. Restrict login access by IP address and GPS location
❍ B. Require government-issued identification during the onboarding process
❍ C. Add additional password complexity for accounts that access data
❍ D. Conduct monthly permission auditing
❍ E. Consolidate all logs on a SIEM
❍ F. Archive the encryption keys of all disabled accounts
❍ G. Enable time-of-day restrictions on the authentication server
The Answer:
A. Restrict login access by IP address and GPS location,
E. Consolidate all logs on a SIEM, and
G. Enable time-of-day restrictions
Rodney, a security engineer, is viewing this record from the firewall logs:
UTC 04/05/2018 03:09:15809 AV Gateway Alert
136.127.92.171 80 -> 10.16.10.14 60818
Gateway Anti-Virus Alert:
XPACK.A_7854 (Trojan) blocked.
Which of the following can be observed from this log information?
❍ A. The victim’s IP address is 136.127.92.171
❍ B. A download was blocked from a web server
❍ C. A botnet DDoS attack was blocked
❍ D. The Trojan was blocked, but the file was not
The Answer: B. A download was blocked from a web server
A traffic flow from a web server port number (80) to a device port (60818) indicates that this traffic flow originated on port 80 of the web server. A file download is one of the most common ways to deliver a Trojan, and this log entry shows that the file containing the XPACK.A_7854 Trojan was blocked.
A user connects to a third-party website and receives this message:
Your connection is not private.
NET::ERR_CERT_INVALID
Which of the following attacks would be the MOST likely reason for this message?
❍ A. Brute force
❍ B. DoS
❍ C. On-path
❍ D. Disassociation
The Answer: C. On-path
An on-path attack is often associated with a third-party who is actively intercepting network traffic. This entity in the middle would not be able to provide a valid SSL certificate for a third-party website, and this error would appear in the browser as a warning.
Which of the following would be the BEST way to provide a website login using existing credentials from a third-party site?
❍ A. Federation
❍ B. 802.1X
❍ C. PEAP
❍ D. EAP-FAST
The Answer: A. Federation
Federation would allow members of one organization to authenticate using the credentials of another organization.
A system administrator, Daniel, is working on a contract that will specify a minimum required uptime for a set of Internet-facing firewalls. Daniel needs to know how often the firewall hardware is expected to fail between repairs. Which of the following would BEST describe this information?
❍ A. MTBF
❍ B. RTO
❍ C. MTTR
❍ D. MTTF
The Answer: A. MTBF
The MTBF (Mean Time Between Failures) is a prediction of how often a repairable system will fail.
An attacker calls into a company’s help desk and pretends to be the director of the company’s manufacturing department. The attacker states that they have forgotten their password and they need to have the password reset quickly for an important meeting. What kind of attack would BEST describe this phone call?
❍ A. Social engineering
❍ B. Tailgating
❍ C. Watering hole
❍ D. On-path
The Answer: A. Social engineering
A social engineering attack takes advantage of authority and urgency principles in an effort to convince someone else to circumvent normal security controls.
A security administrator has been using EAP-FAST wireless authentication since the migration from WEP to WPA2. The company’s network team now needs to support additional authentication protocols inside of an encrypted tunnel. Which of the following would meet the network team’s requirements?
❍ A. EAP-TLS
❍ B. PEAP
❍ C. EAP-TTLS
❍ D. EAP-MSCHAPv2
The Answer: C. EAP-TTLS
EAP-TTLS (Extensible Authentication Protocol - Tunneled Transport Layer Security) allows the use of multiple authentication protocols transported inside of an encrypted TLS (Transport Layer Security) tunnel. This allows the use of any authentication while maintaining confidentiality with TLS.
Which of the following would be commonly provided by a CASB? (Select TWO)
❍ A. List of all internal Windows devices that have not installed the latest security patches
❍ B. List of applications in use
❍ C. Centralized log storage facility
❍ D. List of network outages for the previous month
❍ E. Verification of encrypted data transfers
❍ F. VPN connectivity for remote users
The Answer: B. List of applications in use and E. Verification of encrypted data transfers
A CASB (Cloud Access Security Broker) can be used to apply security policies to cloud-based implementations. Two common functions of a CASB are visibility into application use and data security policy use. Other common CASB functions are the verification of compliance with formal standards and the monitoring and identification of threats.
The embedded OS in a company’s time clock appliance is configured to reset the file system and reboot when a file system error occurs. On one of the time clocks, this file system error occurs during the startup process and causes the system to constantly reboot. Which of the following BEST describes this issue?
❍ A. DLL injection
❍ B. Resource exhaustion
❍ C. Race condition
❍ D. Weak configuration
The Answer: C. Race condition
A race condition occurs when two processes occur at similar times, usually with unexpected results. The file system problem is usually fixed before a reboot, but a reboot is occurring before the fix can be applied. This has created a race condition that results in constant reboots.
A recent audit has found that existing password policies do not include any restrictions on password attempts, and users are not required to periodically change their passwords. Which of the following would correct these policy issues? (Select TWO)
❍ A. Password complexity
❍ B. Password expiration
❍ C. Password history
❍ D. Password lockout
❍ E. Password recovery
The Answer: B. Password expiration and D. Password lockout
Password expiration would require a new password after the expiration date. Password lockout would disable an account after a predefined number of unsuccessful login attempts.
What kind of security control is associated with a login banner?
❍ A. Preventive
❍ B. Deterrent
❍ C. Corrective
❍ D. Detective
❍ E. Compensating
❍ F. Physical
The Answer: B. Deterrent
A deterrent control does not directly stop an attack, but it may discourage an action.
A security team has been provided with a non-credentialed vulnerability scan report created by a third-party. Which of the following would they expect to see on this report?
❍ A. A summary of all files with invalid group assignments
❍ B. A list of all unpatched operating system files
❍ C. The version of web server software in use
❍ D. A list of local user accounts
The Answer: C. The version of web server software in use
A scanner like Nmap can query services and determine version numbers without any special rights or permissions, which makes it well suited for non-credentialed scans.
A business manager is documenting a set of steps for processing orders if the primary Internet connection fails. Which of these would BEST describe these steps?
❍ A. Communication plan
❍ B. Continuity of operations
❍ C. Stakeholder management
❍ D. Tabletop exercise
The Answer: B. Continuity of operations
It’s always useful to have an alternative set of processes to handle any type of outage or issue. Continuity of operations planning ensures that the business will continue to operate when these issues occur.
A security administrator is concerned about data exfiltration resulting from the use of malicious phone charging stations. Which of the following would be the BEST way to protect against this threat?
❍ A. USB data blocker
❍ B. Personal firewall
❍ C. MFA
❍ D. FDE
The Answer: A. USB data blocker
USB data blockers are physical USB cables that allow power connections but prevent data connections. With a USB data blocker attached, any power source can be used without a security concern.
A company would like to protect the data stored on laptops used in the field. Which of the following would be the BEST choice for this requirement?
❍ A. MAC
❍ B. SED
❍ C. CASB
❍ D. SOAR
The Answer: B. SED
A SED (Self-Encrypting Drive) provides data protection of a storage device using full-disk encryption in the drive hardware.
A file server has a full backup performed each Monday at 1 AM. Incremental backups are performed at 1 AM on Tuesday, Wednesday, Thursday, and Friday. The system administrator needs to perform a full recovery of the file server on Thursday afternoon. How many backup sets would be required to complete the recovery?
❍ A. 2
❍ B. 3
❍ C. 4
❍ D. 1
The Answer: C. 4
Each incremental backup will archive all of the files that have changed since the last full or incremental backup. To complete this full restore, the administrator will need the full backup from Monday and the incremental backups from Tuesday, Wednesday, and Thursday.
A company is creating a security policy that will protect all corporate mobile devices:
* All mobile devices must be automatically locked after a predefined time period.
* Some mobile devices will be used by the remote sales teams, so the location of each device needs to be traceable.
* All of the user’s information should be completely separated from company data.
Which of the following would be the BEST way to establish these security policy rules?
❍ A. Containerization
❍ B. Biometrics
❍ C. COPE
❍ D. VDI
❍ E. Geofencing
❍ F. MDM
The Answer: F. MDM
An MDM (Mobile Device Manager) provides a centralized management system for all mobile devices. From this central console, security administrators can set policies for many different types of mobile devices.
A security engineer runs a monthly vulnerability scan. The scan doesn’t list any vulnerabilities for Windows servers, but a significant vulnerability was announced last week and none of the servers are patched yet. Which of the following best describes this result?
❍ A. Exploit
❍ B. Credentialed
❍ C. Zero-day attack
❍ D. False negative
The Answer: D. False negative
A false negative
A security administrator is adding additional authentication controls to the existing infrastructure. Which of the following should be added by the security administrator? (Select TWO)
❍ A. TOTP
❍ B. Least privilege
❍ C. Role-based awareness training
❍ D. Separation of duties
❍ E. Job rotation
❍ F. Smart Card
The Answer: A. TOTP and F. Smart Card
TOTP (Time-based One-Time Passwords) and smart cards are useful authentication controls when used in conjunction with other authentication factors.
A network administrator would like each user to authenticate with their personal username and password when connecting to the company’s wireless network. Which of the following should the network administrator configure on the wireless access points?
❍ A. WPA2-PSK
❍ B. 802.1X
❍ C. WPS
❍ D. WPA2-AES
The Answer: B. 802.1X
802.1X uses a centralized authentication server, and all users can use their normal credentials to authenticate to an 802.1X network.