Professor Messer Questions

Question 1

Attacker obtains bank account number
and birth date by calling the victim

Answer 1

Vishing

Question 2

Attacker modifies a legitimate DNS server to resolve the IP address of a malicious site

Answer 2

Spoofing

Question 3

Attacker intercepts all communication between a client and a web server

Answer 3

On-path

Question 4

Multiple attackers overwhelm a web server

Answer 4

DDoS

Question 5

A virus alert appears in your browser from Microsoft with a phone number to call for support

Answer 5

Hoax

Question 6

What protocol accepts customer purchases from your primary website

Answer 6

HTTPS

Question 7

What protocol synchronize the time across all of your devices

Answer 7

NTPsec Network Time Protocol (NTP) secure

Question 8

What protocol access your switch using a CLI terminal screen

Answer 8

SSH Secure Shell

Question 9

What protocol do you use to talk with customers on scheduled conference calls

Answer 9

SRTP Secure Real-time Transport Protocol

Question 10

What protocol gathers metrics from routers at remote sites

Answer 10

SNMPv3 Simple Network Management Protocol version 3

Question 11

You’ve hired a third-party to gather information about your company’s servers and data. The third-party will not have direct access to your internal network but can gather information from any other source.
Which of the following would BEST describe this approach?
❍ A. Backdoor testing
❍ B. Passive footprinting
❍ C. OS fingerprinting
❍ D. Partially known environment

Answer 11

Passive footprinting
Passive footprinting focuses on learning as much information from open sources such as social media, corporate websites, and business organizations.

Question 12

Which of these protocols use TLS to provide secure communication?
(Select TWO)
❍ A. HTTPS
❍ B. SSH
❍ C. FTPS
❍ D. SNMPv2
❍ E. DNSSEC
❍ F. SRTP

Answer 12

The Answer: A. HTTPS and C. FTPS
TLS (Transport Layer Security) is a cryptographic protocol used to
encrypt network communication. HTTPS is the Hypertext Transfer
Protocol over TLS, and FTPS is the File Transfer Protocol over TLS.

Question 13

Which of these threat actors would be MOST likely to attack systems for direct financial gain?
❍ A. Organized crime
❍ B. Hacktivist
❍ C. Nation state
❍ D. Competitor

Answer 13

The Answer: A. Organized crime
An organized crime actor is motivated by money, and their hacking objectives are usually based around objectives that can be easily exchanged for financial capital.

Question 14

A security incident has occurred on a file server. Which of the following data sources should be gathered to address file storage volatility?
(Select TWO)
❍ A. Partition data
❍ B. Kernel statistics
❍ C. ROM data
❍ D. Temporary file

Answer 14

The Answer: A. Partition data and D. Temporary file systems
Both temporary file system data and partition data are part of the file storage subsystem.

Question 15

An IPS at your company has found a sharp increase in traffic from all-in-one printers. After researching, your security team has found a vulnerability associated with these devices that allows the device to be remotely controlled by a third-party.
Which category would BEST describe these devices?
❍ A. IoT
❍ B. RTOS
❍ C. MFD
❍ D. SoC

Answer 15

The Answer: C. MFD
An all-in-one printer that can print, scan, and fax is often categorized as
an MFD (Multifunction Device).

Question 16

Which of the following standards provides information on privacy and managing PII?
❍ A. ISO 31000
❍ B. ISO 27002
❍ C. ISO 27701
❍ D. ISO 27001

Answer 16

The Answer: C. ISO 27701
The ISO (International Organization for Standardization) 27701 standard extends the ISO 27001 and 27002 standards to include detailed management of PII (Personally Identifiable Information) and data privacy.

Question 17

Elizabeth, a security administrator, is concerned about the potential for data exfiltration using external storage drives. Which of the following would be the BEST way to prevent this method of data exfiltration?
❍ A. Create an operating system security policy to prevent
the use of removable media
❍ B. Monitor removable media usage in host-based firewall logs
❍ C. Only allow applications that do not use removable media
❍ D. Define a removable media block rule in the UTM

Question 18

Elizabeth, a security administrator, is concerned about the potential for data exfiltration using external storage drives. Which of the following would be the BEST way to prevent this method of data exfiltration?
❍ A. Create an operating system security policy to prevent
the use of removable media
❍ B. Monitor removable media usage in host-based firewall logs
❍ C. Only allow applications that do not use removable media

Answer 18

The Answer: A. Create an operating system security policy to prevent
the use of removable media
Removable media uses hot-pluggable interfaces such as USB to connect
storage drives. A security policy in the operating system can prevent any
files from being written to a removable drive.

Question 19

A CISO (Chief Information Security Officer) would like to decrease the response time when addressing security incidents. Unfortunately, the company does not have the budget to hire additional security engineers.
Which of the following would assist the CISO with this requirement?
❍ A. ISO 27701
❍ B. PKI
❍ C. IaaS
❍ D. SOAR

Answer 19

The Answer: D. SOAR
SOAR (Security Orchestration, Automation, and Response) is designed
to make security teams more effective by automating processes and
integrating third-party security tools.

Question 20

An insurance company has created a set of policies to handle data breaches. The security team has been given this set of requirements based on these policies:
* Access records from all devices must be saved and archived
* Any data access outside of normal working hours
must be immediately reported
* Data access must only occur inside of the country
* Access logs and audit reports must be created from a single database
Which of the following should be implemented by the security team to
meet these requirements? (Select THREE)
❍ A. Restrict login access by IP address and GPS location
❍ B. Require government-issued identification
during the onboarding process
❍ C. Add additional password complexity for accounts that access data
❍ D. Conduct monthly permission auditing
❍ E. Consolidate all logs on a SIEM
❍ F. Archive the encryption keys of all disabled accounts
❍ G. Enable time-of-day restrictions on the authentication server

Answer 20

The Answer:
A. Restrict login access by IP address and GPS location,
E. Consolidate all logs on a SIEM, and
G. Enable time-of-day restrictions

Question 21

Rodney, a security engineer, is viewing this record from the firewall logs:
UTC 04/05/2018 03:09:15809 AV Gateway Alert
136.127.92.171 80 -> 10.16.10.14 60818
Gateway Anti-Virus Alert:
XPACK.A_7854 (Trojan) blocked.
Which of the following can be observed from this log information?
❍ A. The victim’s IP address is 136.127.92.171
❍ B. A download was blocked from a web server
❍ C. A botnet DDoS attack was blocked
❍ D. The Trojan was blocked, but the file was not

Answer 21

The Answer: B. A download was blocked from a web server
A traffic flow from a web server port number (80) to a device port (60818)
indicates that this traffic flow originated on port 80 of the web server. A
file download is one of the most common ways to deliver a Trojan, and
this log entry shows that the file containing the XPACK.A_7854 Trojan
was blocked.

Question 22

A user connects to a third-party website and receives this message:
Your connection is not private.
NET::ERR_CERT_INVALID
Which of the following attacks would be the MOST likely reason
for this message?
❍ A. Brute force
❍ B. DoS
❍ C. On-path
❍ D. Disassociation

Answer 22

The Answer: C. On-path
An on-path attack is often associated with a third-party who is actively
intercepting network traffic. This entity in the middle would not be able
to provide a valid SSL certificate for a third-party website, and this error
would appear in the browser as a warning.

Question 23

Which of the following would be the BEST way to provide a website login using existing credentials from a third-party site?
❍ A. Federation
❍ B. 802.1X
❍ C. PEAP
❍ D. EAP-FAST

Answer 23

The Answer: A. Federation
Federation would allow members of one organization to authenticate using the credentials of another organization.

Question 24

A system administrator, Daniel, is working on a contract that will specify
a minimum required uptime for a set of Internet-facing firewalls. Daniel
needs to know how often the firewall hardware is expected to fail between
repairs. Which of the following would BEST describe this information?
❍ A. MTBF
❍ B. RTO
❍ C. MTTR
❍ D. MTTF

Answer 24

The Answer: A. MTBF
The MTBF (Mean Time Between Failures) is a prediction of how often a repairable system will fail.

Question 25

An attacker calls into a company’s help desk and pretends to be the director of the company’s manufacturing department. The attacker states that they have forgotten their password and they need to have the password reset quickly for an important
meeting. What kind of attack would BEST describe this phone call?
❍ A. Social engineering
❍ B. Tailgating
❍ C. Watering hole
❍ D. On-path

Answer 25

The Answer: A. Social engineering
A social engineering attack takes advantage of authority and urgency
principles in an effort to convince someone else to circumvent normal
security controls.

Question 26

A security administrator has been using EAP-FAST wireless authentication since the migration from WEP to WPA2. The company’s network team now needs to support additional authentication protocols
inside of an encrypted tunnel. Which of the following would meet the network team’s requirements?
❍ A. EAP-TLS
❍ B. PEAP
❍ C. EAP-TTLS
❍ D. EAP-MSCHAPv2

Answer 26

The Answer: C. EAP-TTLS
EAP-TTLS (Extensible Authentication Protocol - Tunneled Transport Layer Security) allows the use of multiple authentication protocols
transported inside of an encrypted TLS (Transport Layer Security) tunnel.
This allows the use of any authentication while maintaining confidentiality with TLS.

Question 27

Which of the following would be commonly provided by a CASB? (Select TWO)
❍ A. List of all internal Windows devices that have not installed the latest security patches
❍ B. List of applications in use
❍ C. Centralized log storage facility
❍ D. List of network outages for the previous month
❍ E. Verification of encrypted data transfers
❍ F. VPN connectivity for remote users

Answer 27

The Answer: B. A list of applications in use
E. Verification of encrypted data transfers
A CASB (Cloud Access Security Broker) can be used to apply security policies to cloud-based implementations. Two common functions of a CASB are visibility into application use and data security policy use. Other common CASB functions are the verification of compliance with formal
standards and the monitoring and identification of threats.

Question 28

The embedded OS in a company’s time clock appliance is configured to reset the file system and reboot when a file system error occurs. On one of the time clocks, this file system error occurs during the startup process and causes the system to constantly reboot. Which of the following
BEST describes this issue?
❍ A. DLL injection
❍ B. Resource exhaustion
❍ C. Race condition
❍ D. Weak configuration

Answer 28

The Answer: C. Race condition
A race condition occurs when two processes occur at similar times, usually
with unexpected results. The file system problem is usually fixed before
a reboot, but a reboot is occurring before the fix can be applied. This has
created a race condition that results in constant reboots.

Question 29

A recent audit has found that existing password policies do not include any restrictions on password attempts, and users are not required to periodically change their passwords. Which of the following would
correct these policy issues? (Select TWO)
❍ A. Password complexity
❍ B. Password expiration
❍ C. Password history
❍ D. Password lockout
❍ E. Password recovery

Answer 29

The Answer: B. Password expiration and D. Password lockout
Password expiration would require a new password after the expiration
date. Password lockout would disable an account after a predefined
number of unsuccessful login attempts.

Question 30

What kind of security control is associated with a login banner?
❍ A. Preventive
❍ B. Deterrent
❍ C. Corrective
❍ D. Detective
❍ E. Compensating
❍ F. Physical

Answer 30

The Answer: B. Deterrent
A deterrent control does not directly stop an attack, but it may discourage
an action.

Question 31

A security team has been provided with a non-credentialed vulnerability scan report created by a third-party. Which of the following would they expect to see on this report?
❍ A. A summary of all files with invalid group assignments
❍ B. A list of all unpatched operating system files
❍ C. The version of web server software in use
❍ D. A list of local user accounts

Answer 31

The Answer: C. The version of web server software in use
A scanner like Nmap can query services and determine version numbers
without any special rights or permissions, which makes it well suited for
non-credentialed scans.

Question 32

A business manager is documenting a set of steps for processing orders
if the primary Internet connection fails. Which of these would BEST
describe these steps?
❍ A. Communication plan
❍ B. Continuity of operations
❍ C. Stakeholder management
❍ D. Tabletop exercise
The Answer: B. Continuity of

Answer 32

The Answer: B. Continuity of operations
It’s always useful to have an alternative set of processes to handle any type
of outage or issue. Continuity of operations planning ensures that the
business will continue to operate when these issues occur.

Question 33

A security administrator is concerned about data exfiltration resulting from the use of malicious phone charging stations. Which of the following would be the BEST way to protect against this threat?
❍ A. USB data blocker
❍ B. Personal firewall
❍ C. MFA
❍ D. FDE

Answer 33

The Answer: A. USB data blocker
USB data blockers are physical USB cables that allow power connections
but prevent data connections. With a USB data blocker attached, any
power source can be used without a security concern.

Question 34

A company would like to protect the data stored on laptops used in the field. Which of the following would be the BEST choice for this requirement?
❍ A. MAC
❍ B. SED
❍ C. CASB
❍ D. SOAR

Answer 34

The Answer: B. SED
A SED (Self-Encrypting Drive) provides data protection of a storage
device using full-disk encryption in the drive hardware.

Question 35

A file server has a full backup performed each Monday at 1 AM. Incremental backups are performed at 1 AM on Tuesday, Wednesday,
Thursday, and Friday. The system administrator needs to perform a full recovery of the file server on Thursday afternoon. How many backup sets would be required to complete the recovery?
❍ A. 2
❍ B. 3
❍ C. 4
❍ D. 1

Answer 35

The Answer: C. 4
Each incremental backup will archive all of the files that have changed
since the last full or incremental backup. To complete this full restore, the
administrator will need the full backup from Monday and the incremental
backups from Tuesday, Wednesday, and Thursday.

Question 37

A company is creating a security policy that will protect all corporate mobile devices:
* All mobile devices must be automatically locked after a predefined
time period.
* Some mobile devices will be used by the remote sales teams, so the
location of each device needs to be traceable.
* All of the user’s information should be completely separated from
company data.
Which of the following would be the BEST way to establish these security policy rules?
❍ A. Containerization
❍ B. Biometrics
❍ C. COPE
❍ D. VDI
❍ E. Geofencing
❍ F. MDM

Answer 37

The Answer: F. MDM
An MDM (Mobile Device Manager) provides a centralized management
system for all mobile devices. From this central console, security
administrators can set policies for many different types of mobile devices.

Question 38

A security engineer runs a monthly vulnerability scan. The scan doesn’t
list any vulnerabilities for Windows servers, but a significant vulnerability was announced last week and none of the servers are patched yet. Which of the following best describes this result?
❍ A. Exploit
❍ B. Credentialed
❍ C. Zero-day attack
❍ D. False negative

Answer 38

The Answer: D. False negative
A false negative

Question 39

A security administrator is adding additional authentication controls to
the existing infrastructure. Which of the following should be added by
the security administrator? (Select TWO)
❍ A. TOTP
❍ B. Least privilege
❍ C. Role-based awareness training
❍ D. Separation of duties
❍ E. Job rotation
❍ F. Smart Card

Answer 39

The Answer: A. TOTP and F. Smart Card
TOTP (Time-based One-Time Passwords) and smart cards are
useful authentication controls when used in conjunction with other
authentication factors.

Question 40

A network administrator would like each user to authenticate with their personal username and password when connecting to the company’s wireless network. Which of the following should the network administrator configure on the wireless access points?
❍ A. WPA2-PSK
❍ B. 802.1X
❍ C. WPS
❍ D. WPA2-AES

Answer 40

The Answer: B. 802.1X
802.1X uses a centralized authentication server, and all users can use their
normal credentials to authenticate to an 802.1X network.

Question 41

A security administrator needs to identify all references to a Javascript
file in the HTML of a web page. Which of the following tools should be
used to view the source of the web page and search through the file for a
specific filename? (Select TWO)
❍ A. tail
❍ B. openssl
❍ C. scanless
❍ D. grep
❍ E. Nmap
❍ F. curl
❍ G. head

Answer 41

The Answer: D. grep and F. curl
The curl (Client URL) command will retrieve a web page and display it
as HTML at the command line. The grep command can then be used to
search through the file for a specific string of text.

Question 42

A user has assigned individual rights and permissions to a file on their network drive. The user adds three additional individuals to have readonly access to the file. Which of the following would describe this access control
model?
❍ A. DAC
❍ B. MAC
❍ C. ABAC
❍ D. RBAC

Answer 42

The Answer: A. DAC
DAC (Discretionary Access Control) is used in many operating systems,
and this model allows the owner of the resource to control who has access.

Question 43

A remote user has received a text message requesting login details to the
corporate VPN server. Which of the following would BEST describe this
message?
❍ A. Brute force
❍ B. Prepending
❍ C. Typosquatting
❍ D. Smishing
The

Answer 43

The Answer: D. Smishing
Smishing, or SMS phishing, is a social engineering attack that asks for personal information using SMS or text messages.

Question 44

A department store policy requires that a floor manager approves each transaction when a gift certificate is used for payment. The security team has found that some of these transactions have been processed without the approval of a manager. Which of the following would provide a separation of duties to enforce this store policy?
❍ A. Use a WAF to monitor all gift certificate transactions
❍ B. Disable all gift certificate transactions for cashiers
❍ C. Implement a discretionary access control policy
❍ D. Require an approval PIN for the cashier and a separate approval PIN for the manager

Answer 44

The Answer: D. Require an approval PIN for the cashier and a separate
approval PIN for the manager
This separation of duties would be categorized as dual control, where two
people must be present to perform the business function. In this example,
the dual control is managed by using two separate PINs (Personal
Identification Numbers) that would not be shared among individuals.

Question 45

Which of the following is true of a rainbow table? (Select TWO)
❍ A. The rainbow table is built in real-time during the attack
❍ B. Rainbow tables are the most effective online attack type
❍ C. Rainbow tables require significant CPU cycles at attack time
❍ D. Different tables are required for different hashing methods
❍ E. A rainbow table won’t be useful if the passwords are salted

Answer 45

The Answers: D. Different tables are required for different hashing
methods, and E. A rainbow table won’t be useful if the passwords
are salted

Question 46

A server administrator at a bank has noticed a decrease in the number of visitors to the bank’s website. Additional research shows that users are being directed to a different IP address than the bank’s web server. Which
of the following would MOST likely describe this attack?
❍ A. Disassociation
❍ B. DDoS
❍ C. Buffer overflow
❍ D. DNS poisoning

Answer 46

The Answer: D. DNS poisoning
A DNS poisoning can modify a DNS server to modify the IP address
provided during the name resolution process. If an attacker modifies the
DNS information, they can direct client computers to any destination IP
address.

Question 47

Which of these cloud deployment models would share resources between a private virtualized data center and externally available cloud services?
❍ A. SaaS
❍ B. Community
❍ C. Hybrid
❍ D. Containerization

Answer 47

The Answer: C. Hybrid
A hybrid cloud model combines both private and public cloud
infrastructures.

Question 48

A company hires a large number of seasonal employees, and their system access should normally be disabled when the employee leaves the company. The security administrator would like to verify that their
systems cannot be accessed by any of the former employees. Which of the following would be the BEST way to provide this verification?
❍ A. Confirm that no unauthorized accounts have administrator access
❍ B. Validate the account lockout policy
❍ C. Validate the processes and procedures for all outgoing employees
❍ D. Create a report that shows all authentications for a 24-hour period

Answer 48

The Answer: C. Validate the processes and procedures for all outgoing employees
The disabling of an employee account is commonly part of the offboarding
process. One way to validate an offboarding policy is to perform an audit of all accounts and compare active accounts with active employees.

Question 49

A network administrator has installed a new access point, but only a portion of the wireless devices are able to connect to the network. Other devices can see the access point, but they are not able to connect even
when using the correct wireless settings. Which of the following security
features was MOST likely enabled?
❍ A. MAC filtering
❍ B. SSID broadcast suppression
❍ C. 802.1X authentication
❍ D. Anti-spoofing

Answer 49

The Answer: A. MAC filtering
Filtering addresses by MAC (Media Access Control) address will limit which devices can connect to the wireless network. If a device is filtered by MAC address, it will be able to see an access point but it will not be able to connect.

Question 50

A security administrator has gathered this information:
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp6 416 0 2601:4c3:4080:82.63976 yv-in-x5e.1e100..https CLOSE_WAIT
tcp6 0 0 2601:4c3:4080:82.63908 atl14s80-in-x0a..https ESTABLISHED
tcp6 0 0 fe80::4de1:1d4:8.36253 fe80::38b0:a2b1:.1025 ESTABLISHED
tcp6 0 0 fe80::4de1:1d4:8.1024 fe80::38b0:a2b1:.1024 ESTABLISHED
Which of the following is being used to create this information?
❍ A. tracert
❍ B. netstat
❍ C. dig
❍ D. netcat
The

Answer 50

The Answer: B. netstat
The netstat command provides a list of network statistics, and the default view shows the traffic sessions between the local device and other devices on the network.

Question 51

An attacker has discovered a way to disable a server by sending specially crafted packets from many remote devices to the operating system. When the packet is received, the system crashes and must be rebooted to restore normal operations. Which of the following would BEST describe this attack?
❍ A. Privilege escalation
❍ B. Spoofing
❍ C. Replay attack
❍ D. DDoS

Answer 51

The Answer: D. DDoS
A DDoS (Distributed Denial of Service) is an attack that overwhelms or disables a service to prevent the service from operating normally. Packets from multiple devices that disable a server would be an example of a DDoS attack.

Question 52

A data breach has occurred in a large insurance company. A security
administrator is building new servers and security systems to get all of
the financial systems back online. Which part of the incident response
process would BEST describe these actions?
❍ A. Lessons learned
❍ B. Isolation and containment
❍ C. Reconstitution
❍ D. Precursors

Answer 52

The Answer: C. Reconstitution
The recovery after a breach can be a phased approach that may take months to complete.

Question 53

A manufacturing company has moved an inventory application from their internal systems to a PaaS service. Which of the following would be the
BEST way to manage security policies on this new service?
❍ A. DLP
❍ B. SIEM
❍ C. IPS
❍ D. CASB

Answer 53

The Answer: D. CASB
A CASB (Cloud Access Security Broker) is used to manage compliance with security policies when using cloud-based applications.

Question 54

An organization has identified a significant vulnerability in a firewall that was recently installed for Internet connectivity. The firewall company has stated there are no plans to create a patch for this vulnerability. Which of
the following would BEST describe this issue?
❍ A. Lack of vendor support
❍ B. Improper input handling
❍ C. Improper key management
❍ D. End-of-life

Answer 54

The Answer: A. Lack of vendor support
Security issues can be identified in a system or application at any time, so it’s important to have a vendor that can support their software and correct issues as they are discovered. If a vendor won’t provide security patches, then you may be susceptible to security vulnerabilities.

Question 55

A company has decided to perform a disaster recovery exercise during an annual meeting with the IT directors and senior directors. A simulated disaster will be presented, and the participants will discuss the logistics and processes required to resolve the disaster. Which of the following
would BEST describe this exercise?
❍ A. After-action report
❍ B. Business impact analysis
❍ C. Alternate business practice
❍ D. Tabletop exercise

Answer 55

The Answer: D. Tabletop exercise
A tabletop exercise allows a disaster recovery team to evaluate and plan disaster recovery processes without performing a full-scale drill.

Question 56

A security administrator needs to identify all computers on the company
network infected with a specific malware variant. Which of the following
would be the BEST way to identify these systems?
❍ A. Honeynet
❍ B. Data masking
❍ C. DNS sinkhole
❍ D. DLP

Answer 56

The Answer: C. DNS sinkhole
A DNS (Domain Name System) sinkhole can be used to redirect and identify devices that may attempt to communicate with an external
command and control (C2) server. The DNS sinkhole will resolve an internal IP address and can report on all devices that attempt to access the malicious domain.

Question 57

A system administrator has been called to a system that is suspected to have a malware infection. The administrator has removed the device from the network and has disconnected all USB flash drives. Which of these incident response steps is the administrator following?
❍ A. Lessons learned
❍ B. Containment
❍ C. Detection
❍ D. Reconstitution

Answer 57

The Answer: B. Containment
The containment phase isolates the system from any other devices to prevent the spread of any malicious software.

Question 58

How can a company ensure that all data on a mobile device is
unrecoverable if the device is lost or stolen?
❍ A. Containerization
❍ B. Geofencing
❍ C. Screen locks
❍ D. Remote wipe

Answer 58

The Answer: D. Remote wipe
Most organizations will use a mobile device manager (MDM) to manage mobile phones and tablets. Using the MDM, specific security policies can be created for each mobile device, including the ability to remotely send a
remote wipe command that will erase all data on a mobile device.

Question 59

A security administrator is collecting information associated with a ransomware infection on the company’s web servers. Which of the following log files would provide information regarding the memory contents of these servers?
❍ A. Web
❍ B. Packet
❍ C. Dump
❍ D. DNS

Answer 59

The Answer: C. Dump
A dump file contains the contents of system memory. In Windows, this
file can be created from the Task Manager.

Question 60

Which part of the PC startup process verifies the digital signature of the OS kernel?
❍ A. Measured Boot
❍ B. Trusted Boot
❍ C. Secure Boot
❍ D. POST

Answer 60

The Answer: B. Trusted Boot
The Trusted Boot portion of the startup process verifies the operating
system kernel signature and starts the ELAM (Early Launch
Anti-Malware) process.

Question 61

Which of these best describes two-factor authentication?
❍ A. A printer uses a password and a PIN
❍ B. The door to a building requires a fingerprint scan
❍ C. An application requires a TOTP code
❍ D. A Windows Domain requires a username, password, and smart card

Answer 61

The Answer: D. A Windows Domain requires a username, password, and smart card

Question 62

A company is deploying a new mobile application to all of its employees in the field. Some of the problems associated with this rollout include:
* The company does not have a way to manage the mobile devices in the field
* Company data on mobile devices in the field introduces additional risk
* Team members have many different kinds of mobile devices
Which of the following deployment models would address
these concerns?
❍ A. Corporate-owned
❍ B. COPE
❍ C. VDI
❍ D. BYOD

Answer 62

The Answer: C. VDI
A VDI (Virtual Desktop Infrastructure) would allow the field teams to access their applications from many different types of devices without the requirement of a mobile device management or concern about corporate data on the devices.

Question 63

An organization is installing a UPS for their new data center. Which of
the following would BEST describe this type of control?
❍ A. Compensating
❍ B. Preventive
❍ C. Managerial
❍ D. Detective

Answer 63

The Answer: A. Compensating
A compensating security control doesn’t prevent an attack, but it does restore from an attack using other means. In this example, the UPS does not stop a power outage, but it does provide alternative power if an outage
occurs.

Question 64

A manufacturing company would like to track the progress of parts as they are used on an assembly line. Which of the following technologies would be the BEST choice for this task?
❍ A. Quantum computing
❍ B. Blockchain
❍ C. Hashing
❍ D. Asymmetric encryption

Answer 64

The Answer: B. Blockchain
The ledger functionality of a blockchain can be used to track or verify components, digital media, votes, and other physical or digital objects.

Question 65

A security administrator has been asked to respond to a potential security breach of the company’s databases, and they need to gather the most volatile data before powering down the database servers. In which order
should they collect this information?
❍ A. CPU registers, temporary files, memory, remote monitoring data
❍ B. Memory, CPU registers, remote monitoring data, temporary files
❍ C. Memory, CPU registers, temporary files, remote monitoring data
❍ D. CPU registers, memory, temporary files, remote monitoring data

Answer 65

The Answer: D. CPU registers, memory, temporary files,
remote monitoring data
The most volatile data disappears quickly, so data such as the CPU
registers and information in memory will be lost before temporary files
and remote monitoring data are no longer available.

Question 66

A Linux administrator is downloading an updated version of her Linux distribution. The download site shows a link to the ISO and a SHA256 hash value. Which of these would describe the use of this hash value?
❍ A. Verifies that the file was not corrupted during the file transfer
❍ B. Provides a key for decrypting the ISO after download
❍ C. Authenticates the site as an official ISO distribution site
❍ D. Confirms that the file does not contain any malware

Answer 66

The Answer: A. Verifies that the file was not corrupted during the file transfer
Once the file is downloaded, the administrator can calculate the file’s SHA256 hash and confirm that it matches the value on the website.

Question 67

A company’s security policy requires that login access should only be available if a person is physically within the same building as the server. Which of the following would be the BEST way to provide this requirement?
❍ A. TOTP
❍ B. Biometric scanner
❍ C. PIN
❍ D. SMS

Answer 67

The Answer: B. Biometric scanner
A biometric scanner would require a person to be physically present to verify authentication.

Question 68

Your development team has installed a new application and database to a cloud service. After running a vulnerability scanner on the application instance, you find that the database is available for anyone to query
without providing any authentication. Which of these vulnerabilities is MOST associated with this issue?
❍ A. Improper error handling
❍ B. Open permissions
❍ C. Race condition
❍ D. Memory leak

Answer 68

The Answer: B. Open permissions
Just like your local systems, proper permissions and security controls are
also required when information is added to a cloud-based system. If any of your systems leave an open door, your data may be accessible by anyone on the Internet.

Question 70

Employees of an organization have received an email offering a cash bonus for completing an internal training course. The link in the email requires users to login with their Windows Domain credentials, but the link appears to be located on an external server. Which of the following would BEST describe this email?
❍ A. Whaling
❍ B. Vishing
❍ C. Smishing
❍ D. Phishing

Answer 70

The Answer: D. Phishing
Phishing is the process of manipulating a victim to disclose personal or private information. An email asking for login details from a server not under the control of the company would describe a phishing attempt.

Question 71

Which of the following risk management strategies would include the purchase and installation of an NGFW?
❍ A. Transference
❍ B. Mitigation
❍ C. Acceptance
❍ D. Risk-avoidance

Answer 71

The Answer: B. Mitigation
Mitigation is a strategy that decreases the threat level. This is commonly done through the use of additional security systems and monitoring, such as an NGFW (Next-Generation Firewall).

Question 72

Which of the following would be the BEST way to confirm the secure baseline of a deployed application instance?
❍ A. Compare the production application to the sandbox
❍ B. Perform an integrity measurement
❍ C. Compare the production application to the previous version
❍ D. Perform QA testing on the application instance

Answer 72

The Answer: B. Perform an integrity measurement
An integrity measurement is designed to check for the secure baseline of firewall settings, patch levels, operating system versions, and any other security components associated with the application. These secure baselines may vary between different application versions.

Question 73

A member of the accounting team was out of the office for two weeks, and an important financial transfer was delayed until they returned.
Which of the following would have prevented this delay?
❍ A. Split knowledge
❍ B. Least privilege
❍ C. Job rotation
❍ D. Dual control

Answer 73

The Answer: C. Job rotation
Job rotation moves employees through different job roles as part of their normal work environment. This policy limits the potential for fraud and allows others to cover responsibilities if someone is out of the office.

Question 74

A security analyst has identified a number of sessions from a single IP address with a TTL equal to zero. One of the sessions has a destination of the Internet firewall, and a session immediately after has a destination of
your DMZ server. Which of the following BEST describes this log information?
❍ A. Someone is performing a vulnerability scan against the
firewall and DMZ server
❍ B. Users are performing DNS lookups
❍ C. A remote user is grabbing banners of the firewall and DMZ server
❍ D. Someone is performing a traceroute to the DMZ server

Answer 74

The Answer: D. Someone is performing a traceroute to the DMZ server
A traceroute maps each hop by slowly incrementing the TTL (Time to Live) value during each request. When the TTL reaches zero, the receiving router drops the packet and sends an ICMP (Internet Control
Message Protocol) TTL Exceeded message back to the original station.

Question 75

An attacker has sent more information than expected in a single API call, and this has allowed the execution of arbitrary code. Which of the following would BEST describe this attack?
❍ A. Buffer overflow
❍ B. Replay attack
❍ C. Session hijacking
❍ D. DDoS

Answer 75

The Answer: A. Buffer overflow
The results of a buffer overflow can cause random results, but sometimes
the actions can be repeatable and controlled. In the best possible case for
the hacker, a buffer overflow can be manipulated to execute code on the
remote device.

Question 76

A company encourages users to encrypt all of their confidential materials on a central server. The organization would like to enable key escrow as a backup. Which of these keys should the organization place into escrow?
❍ A. Private
❍ B. CA
❍ C. Session
❍ D. Public

Answer 76

The Answer: A. Private
With asymmetric encryption, the private key is used to decrypt
information that has been encrypted with the public key. To ensure
continued access to the encrypted data, the company must have a copy of
each private key.

Question 77

A security administrator is designing an authentication process for a new remote site deployment. They would like the users to provide their credentials when they authenticate in the morning, and they do not want any additional authentication requests to appear during the rest of the day. Which of the following should be used to meet this requirement?
❍ A. TACACS+
❍ B. LDAPS
❍ C. Kerberos
❍ D. 802.1X

Answer 77

The Answer: C. Kerberos
Kerberos uses a ticket-based system to provide SSO (Single Sign-On)
functionality. You only need to authenticate once with Kerberos to gain
access to multiple resources.

Question 78

A manufacturing company would like to use an existing router to separate a corporate network and a manufacturing floor that use the same physical switch. The company does not want to install any additional hardware. Which of the following would be the BEST choice for this
segmentation?
❍ A. Connect the corporate network and the manufacturing floor
with a VPN
❍ B. Build an air gapped manufacturing floor network
❍ C. Use personal firewalls on each device
❍ D. Create separate VLANs for the corporate network and the
manufacturing floor

Answer 78

The Answer: D. Create separate VLANs for the corporate network and the manufacturing floor
Creating VLANs (Virtual Local Area Networks) will segment a network without requiring additional switches.

Question 79

When a home user connects to the corporate VPN, they are no longer able to print to their local network printer. Once the user disconnects from the VPN, the printer works normally. Which of the following would
be the MOST likely reason for this issue?
❍ A. The VPN uses IPSec instead of SSL
❍ B. Printer traffic is filtered by the VPN client
❍ C. The VPN is stateful
❍ D. The VPN tunnel is configured for full tunnel

Answer 79

The Answer: D. The VPN tunnel is configured for full tunnel
A split tunnel is a VPN (Virtual Private Network) configuration that only sends a portion of the traffic through the encrypted tunnel. A splittunnel would allow work-related traffic to securely traverse the VPN, and
all other traffic would use the non-tunneled option. In this example, the printer traffic is being redirected through the VPN instead of the local home network because of the non-split/full tunnel.

Question 80

A data center manager has built a Faraday cage in the data center, and a
set of application servers have been placed into racks inside the Faraday
cage. Which of the following would be the MOST likely reason for the
data center manager to install this configuration of equipment?
❍ A. Protect the servers against any unwanted electromagnetic fields
❍ B. Prevent physical access to the servers without the proper credentials
❍ C. Provide additional cooling to all devices in the cage
❍ D. Adds additional fire protection for the application servers

Answer 80

The Answer: A. Protect the servers against any unwanted electromagnetic fields
A Faraday cage is a mesh of conductive material that will cancel electromagnetic fields.

Question 81

A recent report shows the return of a vulnerability that was previously
patched four months ago. After researching this issue, the security team has found that a recent patch has reintroduced this vulnerability on the servers. Which of the following should the security administrator
implement to prevent this issue from occurring in the future?
❍ A. Templates
❍ B. Elasticity
❍ C. Master image
❍ D. Continuous monitoring

Answer 81

The Answer: D. Continuous monitoring
It’s common for organizations to continually monitor services for any changes or issues. A nightly vulnerability scan across important servers would identify issues like this one.

Question 82

A security manager would like to ensure that unique hashes are used with an application login process. Which of the following would be the BEST way to add random data when generating a set of stored password hashes?
❍ A. Salting
❍ B. Obfuscation
❍ C. Key stretching
❍ D. Digital signature

Answer 82

The Answer: A. Salting
Adding random data, or salt, to a password when performing the hashing process will create a unique hash, even if other users have chosen the same password.

Question 83

Which cryptographic method is used to add trust to a digital certificate?
❍ A. X.509
❍ B. Hash
❍ C. Symmetric encryption
❍ D. Digital signature

Answer 83

The Answer: D. Digital signature
A certificate authority will digitally sign a certificate to add trust. If you
trust the certificate authority, you can then trust the certificate.

Question 84

An MSP is designing a new server room for a large company. Which of the following should be included in the design to provide redundancy?
(Select TWO)
❍ A. SIEM
❍ B. Temperature monitors
❍ C. RAID arrays
❍ D. Dual power supplies
❍ E. Hot and cold aisles
❍ F. Biometric locks

Answer 84

The Answer: C. RAID arrays and D. Dual power supplies RAID (Redundant Array of Independent Disks) and dual power supplies
can both provide uptime and availability if a drive or component fails. Many RAID configurations can continue to operate if a drive fails, and a system with two power supplies can continue to operate if one of those was to fail.

Question 85

An organization maintains a large database of customer information for sales tracking and customer support. Which person in the organization would be responsible for managing the access rights to this data?

Answer 85

The Answer: D. Data custodian
The data custodian manages access rights and sets security controls to the data.

Question 86

An organization’s content management system (CMS) currently labels files and documents as “Unclassified” and “Restricted.” On a recent updated to the CMS, a new classification type of “PII” was added. Which
of the following would be the MOST likely reason for this addition?
❍ A. Healthcare system integration
❍ B. Simplified categorization
❍ C. Expanded privacy compliance
❍ D. Decreased search time

Answer 86

The Answer: C. Expanded privacy compliance
The labeling of PII (Personally Identifiable Information) is often
associated with privacy and compliance concerns.

Question 87

A corporate security team would like to consolidate and protect the private keys across all of their web servers. Which of these would be the BEST way to securely store these keys?
❍ A. Use an HSM
❍ B. Implement full disk encryption on the web servers
❍ C. Use a TPM
❍ D. Upgrade the web servers to use a UEFI BIOS

Answer 87

The Answer: A. Use an HSM
An HSM (Hardware Security Module) is a high-end cryptographic hardware appliance that can securely store keys and certificates for all devices.

Question 88

Jennifer is reviewing this security log from her IPS:
ALERT 2018-06-01 13:07:29 [163bcf65118-179b547b]
Cross-Site Scripting in JSON Data
222.43.112.74:3332 -> 64.235.145.35:80
URL/index.html - Method POST - Query String “-“
User Agent: curl/7.21.3 (i386-redhat-linux-gnu) libcurl/7.21.3
NSS/3.13.1.0 zlib/1.2.5 libidn/1.19 libssh2/1.2.7
Detail: token=”

" key="key7" value="
alert(2)
"
Which of the following can be determined from this log information?
(Select TWO)
❍ A. The alert was generated from a malformed User Agent header
❍ B. The alert was generated from an embedded script
❍ C. The attacker’s IP address is 222.43.112.74
❍ D. The attacker’s IP address is 64.235.145.35
❍ E. The alert was generated due to an invalid client port number

Question 89

Which of the following describes a monetary loss if one event occurs?
❍ A. ALE
❍ B. SLE
❍ C. RTO
❍ D. ARO

Answer 89

The Answer: B. SLE
SLE (Single Loss Expectancy) describes the financial impact of
a single event.

Question 90

What is ALE?

Answer 90

ALE (Annual Loss Expectancy) is the financial loss over an entire 12-month period.

Question 91

What is RTO?

Answer 91

RTO (Recovery Time Objectives) define a set of objectives needed to restore a particular service level.

Question 92

What is ARO?

Answer 92

The ARO (Annualized Rate of Occurrence) is the number of times an event will occur in a 12-month period.

Question 93

A user with restricted access has typed this text in a search field of an internal web-based application:
USER77’ OR ‘1’=’1
After submitting this search request, all of the database records are displayed on the screen. Which of the following would BEST describe this search?
❍ A. CSRF
❍ B. Buffer overflow
❍ C. SQL injection
❍ D. SSL stripping

Answer 93

The Answer: C. SQL injection
SQL (Structured Query Language) injection takes advantage of poor input validation to circumvent the application and perform queries directly to the database.

Question 94

A user has opened a helpdesk ticket complaining of poor system performance, excessive pop up messages, and the cursor moving without anyone touching the mouse. This issue began after they opened a spreadsheet from a vendor containing part numbers and pricing information. Which of the following is MOST likely the cause of this
user’s issues?
❍ A. On-path
❍ B. Worm
❍ C. RAT
❍ D. Logic bomb

Answer 94

The Answer: C. RAT
A RAT (Remote Access Trojan) is malware that can control a computer using desktop sharing and other administrative functions. Because the installation program is often disguised as something else, the victim often
doesn’t realize they’re installing malware. Once the RAT is installed, the attacker can control the desktop, capture screenshots, reboot the computer, and many other administrative functions.

Question 95

A web-based manufacturing company processes monthly charges to credit
card information saved in the customer’s profile. Which of the following standards would be required to maintain this payment information?
❍ A. GDPR
❍ B. ISO 27001
❍ C. PCI DSS
❍ D. CSA CCM

Answer 95

The Answer: C. PCI DSS
The PCI DSS (Payment Card Industry Data Security Standard) specifies
the minimum security requirements for storing and protecting credit card
information

Question 96

A security manager has created a report showing intermittent network communication from external IP addresses to certain workstations on the internal network. These traffic patterns occur at random times during the day. Which of the following would be the MOST likely reason for these
traffic patterns?
❍ A. ARP poisoning
❍ B. Backdoor
❍ C. Polymorphic virus
❍ D. Trojan horse

Answer 96

The Answer: B. Backdoor
A backdoor would allow an attacker to access a system at any time without any user intervention. If there are inbound traffic flows that cannot be identified, it may be necessary to isolate that computer and examine it for
signs of a compromised system.

Question 97

The security policies in a manufacturing company prohibit the transmission of customer information. However, a security administrator has received an alert that credit card numbers were transmitted as an email attachment. Which of the following was the MOST likely source of this alert message?
❍ A. IPS
❍ B. DLP
❍ C. SMTP
❍ D. IPsec

Answer 97

The Answer: B. DLP
DLP (Data Loss Prevention) technologies can identify and block the transmission of sensitive data across the network.

Question 98

A security administrator has configured a virtual machine in a screened subnet with a guest login account and no password. Which of the following would be the MOST likely reason for this configuration?
❍ A. The server is a honeypot for attracting potential attackers
❍ B. The server is a cloud storage service for remote users
❍ C. The server will be used as a VPN concentrator
❍ D. The server is a development sandbox for third-party
programming projects

Answer 98

The Answer: A. The server is a honeypot for attracting potential attackers
A screened subnet is a good location to configure services that can be accessed from the Internet, and building a system that can be easily compromised is a common tactic for honeypot systems.

Question 99

A company’s outgoing email server currently uses SMTP with no encryption. The security administrator would like to implement
encryption between email clients without changing the existing server-to-server communication. Which of the following would be the BEST way to implement this requirement?
❍ A. Implement Secure IMAP
❍ B. Require the use of S/MIME
❍ C. Install an SSL certificate on the email server
❍ D. Use a VPN tunnel between email clients

Answer 99

The Answer: B. Require the use of S/MIME
S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a way to integrate public key encryption and digital signatures into most modern email clients. This would encrypt all email information from client to client, regardless of the communication used between email servers.

Question 100

A company would like to securely deploy applications without the overhead of installing a virtual machine for each system. Which of the following would be the BEST way to deploy these applications?
❍ A. Containerization
❍ B. IaaS
❍ C. Proxies
❍ D. CASB

Answer 100

The Answer: A. Containerization
Application containerization uses a single virtual machine to use as a foundation for separate application “containers.” These containers are implemented as isolated instances, and an application in one container is not inherently accessible from other containers on the system.

Question 101

A company has just purchased a new application server, and the security
director wants to determine if the system is secure. The system is currently installed in a test environment and will not be available to users until the rollout to production next week. Which of the following would be the
BEST way to determine if any part of the system can be exploited?
❍ A. Tabletop exercise
❍ B. Vulnerability scanner
❍ C. Password cracker
❍ D. Penetration test

Answer 101

The Answer: D. Penetration test
A penetration test can be used to actively exploit potential vulnerabilities in a system or application. This could cause a denial of service or loss of data, so the best practice is to perform the penetration test during nonproduction hours or in a test environment.