Professor Messer - Security+ SY0-701: Exam B Flashcards

1
Q

What is the first step of the incident response plan?

A

Preparation

2
Q

What is the second step of the incident response plan?

A

Detection

3
Q

What is the third step of the incident response plan?

A

Analysis

4
Q

What is the fourth step of the incident response plan?

A

Containment

5
Q

What is the fifth step of the incident response plan?

A

Eradication

6
Q

What is the sixth step of the incident response plan?

A

Recovery

7
Q

What is the seventh step of the incident response plan?

A

Lessons Learned

8
Q

What is Data in-transit?

A

Data in-transit moves across the network.

9
Q

Data at rest is…

A

Data at-rest is located on a storage device.

10
Q

Data in-use is…

A

Data in-use is in the memory of a device.

11
Q

A shipping company stores information in small regional warehouses
around the country. The company maintains an IPS at each warehouse to
watch for suspicious traffic patterns. Which of the following would BEST
describe the security control used at the warehouse?

❍ A. Deterrent
❍ B. Compensating
❍ C. Directive
❍ D. Detective

A

Detective
An IPS can detect, alert, and log an intrusion attempt. The IPS could also
be categorized as a preventive control, since it has the ability to actively
block known attacks.

12
Q

Security Control: Deterrent

A

A deterrent discourages an intrusion attempt, but it doesn’t directly
prevent the access. An application splash screen or posted warning sign
would be categorized as a deterrent.

13
Q

Security Control: Compensating

A

A compensating control can’t prevent an attack, but it can provide an
alternative when an attack occurs. For example, a compensating control
would include the re-imaging of a compromised server.

14
Q

Security Control: Directive

A

Directive control types are guidelines offered to help direct a subject
towards security compliance. Training users on the proper storage of
sensitive files would be an example of a directive control.

15
Q

A security engineer is preparing to conduct a penetration test of a
third-party website. Part of the preparation involves reading through
social media posts for information about this site. Which of the following
describes this practice?

❍ A. Partially known environment
❍ B. OSINT
❍ C. Exfiltration
❍ D. Active reconnaissance

A

OSINT (Open Source Intelligence) describes the process of obtaining
information from open sources such as social media sites, corporate
websites, online forums, and other publicly available locations.

16
Q

Partially known environment

A

A partially known environment describes how aware an attacker might be
about a test. The attacker may have access to some information about the
test, but not all information is disclosed.

17
Q

Penetration test: Exfiltration

A

Exfiltration describes the theft of data by an attacker.

18
Q

Penetration test: Active Reconnaissance

A

Active reconnaissance leaves some evidence of data gathering on the target.

For example, performing a ping scan or DNS query wouldn’t exploit a
vulnerability, but it would show that someone was gathering information.

19
Q

A company would like to orchestrate the response when a virus is
detected on company devices. Which of the following would be the
BEST way to implement this function?

❍ A. Active reconnaissance
❍ B. Log aggregation
❍ C. Vulnerability scan
❍ D. Escalation scripting

A

Escalation scripting
Scripting and automation can provide methods to automate or orchestrate
the escalation response when a security issue is detected.

20
Q

Log aggregation

A

Log aggregation provides a method of centralizing evidence and log files
for reporting and future analysis.

21
Q

Vulnerability scanning

A

A vulnerability scan will identify any known vulnerabilities that may be
associated with a system.

22
Q

Buffer Overflow attack

A

A buffer overflow vulnerability is associated with application input that
exceeds the expected input size. A buffer overflow would cause an
application to fail or perform unusually.

23
Q

Amplified DDoS

A

An amplified DDoS (Distributed Denial of Service) would attack a
service from many different devices and cause the service to be unavailable.
This attack sends specially crafted packets to maximize the amount of
traffic seen in the response.

24
Q

Penetration Methodology: Benchmark

A

Security benchmarks describe a set of best practices to apply to an application, operating system, or any other service.

25
Q

Penetration Methodology: Passive reconnaissance

A

Passive reconnaissance is the process of gathering information from
publicly available sites, such as social media or corporate websites.

26
Q

A manufacturing company produces radar used by commercial and
military organizations. A recently proposed policy change would allow the
use of mobile devices inside the facility. Which of the following would be
the MOST significant threat vector issue associated with this change in
policy?

❍ A. Unauthorized software on rooted devices
❍ B. Remote access clients on the mobile devices
❍ C. Out of date mobile operating systems
❍ D. Loss of intellectual property

A

Loss of intellectual property
The exfiltration of confidential information and intellectual property is
relatively simple with an easily transportable mobile phone. Organizations
associated with sensitive products or services must always be aware of the
potential for information leaks using files, photos, or video.

27
Q

A technician at an MSP has been asked to manage devices on a third-party
private network. The technician needs command line access to internal
routers, switches, and firewalls. Which of the following would provide the
necessary access?

❍ A. HSM
❍ B. Jump server
❍ C. NAC
❍ D. Air gap

A

A jump server is a highly secured device commonly used to access secure
areas of another network. The technician would first connect to the jump
server using SSH or a VPN tunnel, and then “jump” from the jump server
to other devices on the inside of the protected network. This would allow
technicians at an MSP (Managed Service Provider) to securely access
devices on their customer’s private networks.

28
Q

HSM

A

An HSM (Hardware Security Module) is a secure method of
cryptographic key backup and hardware-based cryptographic offloading.

29
Q

NAC

A

NAC (Network Access Control) is a broad term describing access control
based on a health check or posture assessment. NAC will deny access to
devices that don’t meet the minimum security requirements.

30
Q

A transportation company is installing new wireless access points in their
corporate office. The manufacturer estimates the access points will operate
an average of 100,000 hours before a hardware-related outage. Which of
the following describes this estimate?

❍ A. MTTR
❍ B. RPO
❍ C. RTO
❍ D. MTBF

A

MTBF
The MTBF (Mean Time Between Failures) is the average time expected
between outages. This is usually an estimation based on the internal device
components and their expected operational lifetime.

31
Q

MTTR

A

MTTR (Mean Time to Repair) is the time required to repair a product or
system after a failure.

32
Q

RPO

A

RPO
RPO (Recovery Point Objectives) define how much data loss would be
acceptable during a recovery.

33
Q

RTO

A

RTO (Recovery Time Objectives) define the minimum objectives required
to get up and running to a particular service level.

34
Q

A security administrator is configuring the authentication process used by
technicians when logging into wireless access points and switches. Instead
of using local accounts, the administrator would like to pass all login
requests to a centralized database. Which of the following would be the
BEST way to implement this requirement?

❍ A. COPE
❍ B. AAA
❍ C. IPsec
❍ D. SIEM

A

Using AAA (Authentication, Authorization, and Accounting) is a common
method of centralizing authentication. Instead of having separate local
accounts on different devices, users can authenticate with account
information maintained in a centralized database.

35
Q

DAC

A

With discretionary access control (DAC), access and permissions are
determined by the owner or originator of the files or resources.

36
Q

A recent security audit has discovered usernames and passwords which
can be easily viewed in a packet capture. Which of the following did the
audit identify?

❍ A. Weak encryption
❍ B. Improper patch management
❍ C. Insecure protocols
❍ D. Open ports

A

Insecure protocols
An insecure authentication protocol will transmit information “in the
clear,” or without any type of encryption or protection.

37
Q

An organization has previously purchased insurance to cover a
ransomware attack, but the costs of maintaining the policy have increased
above the acceptable budget. The company has now decided to cancel
the insurance policies and address potential ransomware issues internally.
Which of the following would best describe this action?

❍ A. Mitigation
❍ B. Acceptance
❍ C. Transference
❍ D. Risk-avoidance

A

Acceptance
Risk acceptance is a business decision that places the responsibility of the
risky activity on the organization itself.

Mitigation
If the organization were to purchase additional backup facilities and update
their backup processes to include offline backup storage, they would be
mitigating the risk of a ransomware infection.

Transference
Purchasing insurance to cover a risky activity is a common method of
transferring risk from the organization to the insurance company.

Risk-avoidance
To avoid the risk of ransomware, the organization would need to
completely disconnect from the Internet and disable all methods that
ransomware might use to infect a system. This risk response technique
would most likely not apply to ransomware.

38
Q

An IPS report shows a series of exploit attempts were made against
externally facing web servers. The system administrator of the web servers
has identified a number of unusual log entries on each system. Which of
the following would be the NEXT step in the incident response process?

❍ A. Check the IPS logs for any other potential attacks
❍ B. Create a plan for removing malware from the web servers
❍ C. Disable any breached user accounts
❍ D. Disconnect the web servers from the network

A

Disconnect the web servers from the network
The unusual log entries on the web server indicate that the system may
have been exploited. In that situation, the servers should be contained to
prevent all connectivity to those systems.

39
Q

Side loading

A

If Apple’s iOS has been circumvented using jailbreaking, a user can install
apps without using the Apple App Store. Circumventing a curated app
store to install an app manually is called side loading.

40
Q

VM escape

A

VM (Virtual Machine) escape describes the unauthorized access of one
VM from a different VM on the same hypervisor. An app installation on a
phone is not related to virtual machines.

41
Q

Cross-site scripting

A

Cross-site scripting is an attack that uses the trust in a browser to gain
access to a third-party site.

42
Q

Attestation

A

Attestation is commonly one of the last steps when performing an audit.
This attestation is an opinion of the truth or accuracy of a company’s
security position.

43
Q

Self-assessment

A

A self-assessment describes an organization performing their own security
checks.

44
Q

A security administrator attends an annual industry convention with
other security professionals from around the world. Which of the
following attacks would be MOST likely in this situation?

❍ A. Smishing
❍ B. Supply chain
❍ C. SQL injection
❍ D. Watering hole

A

A watering hole attack infects a third-party visited by the intended
victims. An industry convention would be a perfect location to attack
security professionals.

45
Q

An organization has developed an in-house mobile device app for order
processing. The developers would like the app to identify revoked server
certificates without sending any traffic over the corporate Internet
connection. Which of the following must be configured to allow this
functionality?

❍ A. CSR generation
❍ B. OCSP stapling
❍ C. Key escrow
❍ D. Wildcard

A

The use of OCSP (Online Certificate Status Protocol) requires
communication between the client and the issuing CA (Certificate
Authority). If the CA is an external organization, then validation checks
will communicate across the Internet. The certificate holder can verify
their own status and avoid client Internet traffic by storing the status
information on an internal server and “stapling” the OCSP status into the
SSL/TLS handshake.

46
Q

CSR generation

A

A CSR (Certificate Signing Request) is used during the key creation
process. The certificate is sent to the CA to be signed as part of the CSR.

47
Q

Wildcard Certificate

A

Wildcard

A wildcard certificate can be used across many different systems matching
the fully qualified domain name associated with the wildcard.

48
Q

A security administrator has been asked to build a network link to secure
all communication between two remote locations. Which of the following
would be the best choice for this task?

❍ A. SCAP
❍ B. Screened subnet
❍ C. IPsec
❍ D. Network access control

A

IPsec
IPsec (Internet Protocol Security) is commonly used to create a VPN
(Virtual Private Network) protected tunnel between devices or locations.

49
Q

Race Condition

A

A race condition is a programming issue where a portion of the
application is making changes not seen by other parts of the application.

For example, before allowing someone to log in, a security system first
receives their username and password and then checks them against a
database before granting access. Attackers can exploit this sequence by
interfering with the processes involved to reach secure areas and content,
in what’s known as a race condition attack.

50
Q

Tokenization

A

Tokenization replaces sensitive data with a non-sensitive placeholder.
Tokenization is commonly used for NFC (Near-Field Communication)
payment systems, and sends a single-use token across the network instead
of the actual credit card information.

51
Q

A security administrator receives a report each week showing a Linux
vulnerability associated with a Windows server. Which of the following
would prevent this information from appearing in the report?

❍ A. Alert tuning
❍ B. Application benchmarking
❍ C. SIEM aggregation
❍ D. Data archiving

A

Alert tuning
Our monitoring systems are not always perfect, and many require ongoing
tuning to properly configure alerts and notifications of important events.

52
Q

An administrator is designing a network to be compliant with a security
standard for storing credit card numbers. Which of the following would
be the BEST choice to provide this compliance?

❍ A. Implement RAID for all storage systems
❍ B. Connect a UPS to all servers
❍ C. DNS should be available on redundant servers
❍ D. Perform regular audits and vulnerability scans

A

Perform regular audits and vulnerability scans
A focus of credit card storage compliance is to keep credit card
information private. The only option matching this requirement is
scheduled audits and ongoing vulnerability scans.

53
Q

A user in the marketing department is unable to connect to the wireless
network. After authenticating with a username and password, the user
receives this message:
– – –
The connection attempt could not be completed.
The Credentials provided by the server could not be validated.
Radius Server: radius.example.com
Root CA: Example.com Internal CA Root Certificate
– – –
The access point is configured with WPA3 encryption and 802.1X
authentication.
Which of the following is the MOST likely reason for this login issue?

❍ A. The user’s computer is in the incorrect VLAN
❍ B. The RADIUS server is not responding
❍ C. The user’s computer does not support WPA3 encryption
❍ D. The user is in a location with an insufficient wireless signal
❍ E. The client computer does not have the proper certificate installed

A

The client computer does not have the proper certificate installed
The error message states that the server credentials could not be validated.
This indicates that the certificate authority that signed the server’s
certificate is either different than the CA certificate installed on the
client’s workstation, or the client workstation does not have an installed
copy of the CA’s certificate. This validation process ensures that the client
is communicating to a trusted server and there are no on-path attacks
occurring.

54
Q

Which of the following vulnerabilities would be the MOST significant
security concern when protecting against a hacktivist?

❍ A. Data center access with only one authentication factor
❍ B. Spoofing of internal IP addresses when accessing an intranet server
❍ C. Employee VPN access uses a weak encryption cipher
❍ D. Lack of patch updates on an Internet-facing database server

A

Lack of patch updates on an Internet-facing database server
One of the easiest ways for a third-party to obtain information is through
an existing Internet connection. A hacktivist could potentially exploit an
unpatched server to obtain unauthorized access to the operating system
and data.

55
Q

Which of the following would be the MOST likely result of plaintext
application communication?

❍ A. Buffer overflow
❍ B. Replay attack
❍ C. Resource consumption
❍ D. Directory traversal

A

Replay attack
To perform a replay attack, the attacker needs to capture the original
non-encrypted content. If an application is not using encrypted
communication, the data capture process is a relatively simple process for
the attacker.

56
Q

A security administrator is updating the network infrastructure to support
802.1X. Which of the following would be the BEST choice for this
configuration?

❍ A. LDAP
❍ B. SIEM
❍ C. SNMP traps
❍ D. SPF

A

LDAP
802.1X is a standard for authentication, and LDAP (Lightweight
Directory Access Protocol) is a common protocol used for centralized
authentication. Other protocols such as RADIUS, TACACS+, or Kerberos
would also be options for 802.1X authentication.

57
Q

A company owns a time clock appliance, but the time clock doesn’t
provide any access to the operating system and it doesn’t provide a
method to upgrade the firmware. Which of the following describes this
appliance?

❍ A. End-of-life
❍ B. ICS
❍ C. SDN
❍ D. Embedded system

A

An embedded system often does not provide access to the OS and may
not provide a method of upgrading the system firmware.

58
Q

What is SDN?

A

An SDN (Software Defined Network) is commonly used as a method of
deploying network components by separating a device into a data plane,
control plane, and management plane.

59
Q

A company has deployed laptops to all employees, and each laptop is
enumerated during each login. Which of the following is supported with
this configuration?

❍ A. If the laptop hardware is modified, the security team is alerted
❍ B. Any malware identified on the system is automatically deleted
❍ C. Users are required to use at least two factors of authentication
❍ D. The laptop is added to a private VLAN after the login process

A

If the laptop hardware is modified, the security team is alerted
The enumeration process identifies and reports on the hardware and
software installed on the laptop. If this configuration is changed, an alert
can be generated.

60
Q

A security manager believes that an employee is using their laptop to
circumvent the corporate Internet security controls through the use of
a cellular hotspot. Which of the following could be used to validate this
belief? (Select TWO)

❍ A. HIPS
❍ B. UTM logs
❍ C. Web application firewall events
❍ D. Host-based firewall logs
❍ E. Next-generation firewall logs

A

The Answer: A. HIPS and D. Host-based firewall logs
If the laptop is not communicating across the corporate network, then
the only evidence of the traffic would be contained on the laptop itself.
A HIPS (Host-based Intrusion Prevention System) logs and host-based
firewall logs may contain information about recent traffic flows to systems
outside of the corporate network.

61
Q

An application developer is creating a mobile device app that will require
a true random number generator and real-time memory encryption. Which of
the following technologies would be the BEST choice for this app?

❍ A. HSM
❍ B. Secure enclave
❍ C. NGFW
❍ D. Self-signed certificates

A

Secure enclave
A secure enclave describes a hardware processor designed for security. The
secure enclave monitors the boot process, creates true random numbers,
stores root cryptography keys, and much more.

62
Q

A security administrator has been tasked with storing and protecting
customer payment and shipping information for a three-year period.
Which of the following would describe the source of this data?

❍ A. Controller
❍ B. Owner
❍ C. Data subject
❍ D. Processor

A

Data subject
In data privacy, the data subject describes an individual with personal data.
Payment details and shipping addresses describe personal information
from a data subject.

63
Q

Controller of Data

A

Controller
A data controller manages the processing of the data. A payroll
department would be an example of a data controller.

64
Q

Owner of Data

A

The data owner is commonly accountable for all of the data, and the owner
often manages the people and systems associated with processing and
securing the data.

65
Q

Processor of Data

A

A data processor manages the data on behalf of the data controller. If the
data controller is the payroll department, a third-party payroll company
would be the data processor.

66
Q

Which of the following would be the main reasons why a system
administrator would use a TPM when configuring full disk encryption?
(Select TWO)

❍ A. Allows the encryption of multiple volumes
❍ B. Uses burned-in cryptographic keys
❍ C. Stores certificates in a hardware security module
❍ D. Maintains a copy of the CRL
❍ E. Includes built-in protections against brute-force attacks

A

B. Uses burned-in cryptographic keys and
E. Includes built-in protections against brute-force attacks
A TPM (Trusted Platform Module) is part of a computer’s motherboard,
and it’s specifically designed to assist and protect with cryptographic
functions. Full disk encryption (FDE) can use the burned-in TPM keys
to verify the local device hasn’t changed, and there are security features in
the TPM to prevent brute-force or dictionary attacks against the full disk
encryption login credentials.

67
Q

A security administrator is using an access control where each file or
folder is assigned a security clearance level, such as “confidential” or
“secret.” The security administrator then assigns a maximum security level
to each user. What type of access control is used in this network?

❍ A. Mandatory
❍ B. Rule-based
❍ C. Discretionary
❍ D. Role-based

A

The Answer: A. Mandatory
Mandatory access control uses a series of security levels (i.e., public,
private, secret) and assigns those levels to each object in the operating
system. Users are assigned a security level, and they would only have
access to objects that meet or are below that assigned security level.

The incorrect answers:
B. Rule-based
Rule-based access control determines access based on a series of
system-enforced rules. An access rule might require a particular browser
be used to complete a web page form, or access to a file or system is only
allowed during certain times of the day.

C. Discretionary
Discretionary access control allows the owner of an object to assign access.
If a user creates a spreadsheet, the user can then assign users and groups to
have a particular level of access to that spreadsheet.

D. Role-based
Role-based access control assigns a user’s permissions based on their role
in the organization. For example, a manager would have a different set of
rights and permissions than a team lead.

68
Q

Which of the following would be the best way to describe the estimated
number of laptops that might be stolen in a fiscal year?

❍ A. ALE
❍ B. SLE
❍ C. ARO
❍ D. MTTR

A

The ARO (Annualized Rate of Occurrence) describes the number of
instances estimated to occur in a year. For example, if the organization
expects to lose seven laptops to theft in a year, the ARO for laptop theft is
seven.

69
Q

ALE

A

The ALE (Annual Loss Expectancy) is the expected cost for all events in a
single year. If it costs $1,000 to replace a single laptop (the SLE) and you
expect to lose seven laptops in a year (the ARO), the ALE for laptop theft
is $7,000.

70
Q

SLE

A

SLE (Single Loss Expectancy) is the monetary loss if a single event
occurs. If one laptop is stolen, the cost to replace that single laptop is the
SLE, or $1,000.
