Sample Exam 1 Flashcards

1
Q

Match the description with the most accurate attack type.
Not all attack types will be used.
Attack Types:

On-path
RFID cloning
Keylogger
Vishing
Rootkit
DDoS
Injection
Supply chain

Attacker obtains bank account number
and birth date by calling the victim
Select an Attack Type

Attacker accesses a database directly
from a web browser
Select an Attack Type

Attacker intercepts all communication between
a client and a web server
Select an Attack Type

Multiple attackers
overwhelm a web server
Select an Attack Type

Attacker obtains a list of all login credentials used
over the last 24 hours
Select an Attack Type

A

Attacker obtains bank account number
and birth date by calling the victim
Vishing

Attacker accesses a database directly
from a web browser
Injection

Attacker intercepts all communication between
a client and a web server
On-path

Multiple attackers
overwhelm a web server
DDoS

Attacker obtains a list of all login credentials used
over the last 24 hours
Keylogger

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

The security team at a manufacturing company is creating a set of
security standards for employees and visitors.
Select the BEST security control for each location.

All of the available security controls will be used once.

Available Security
Controls:

Security guard
Authentication token
Access badge Lighting
Access control vestibule
Fencing
Biometrics

A

Outside Fencing
Building
Parking and
Visitor drop-off
Fencing, Lighting

Reception Building lobby
Security Guard, Access control vestibule

Data
Center
Door
Entrance from
inside building
Access Badge, Biometrics

Server
Administration
Authentication to
server console
in the data center
Authentication token

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Select the most appropriate security category.
Some categories may be used more than once.

Technical
Managerial
Operational
Physical

A guard checks the identification of all visitors

All returns must be approved by a Vice President

A generator is used during a power outage

Building doors can be unlocked with an access card

System logs are transferred automatically to a SIEM

A

Operational A guard checks the identification of all visitors

Managerial All returns must be approved by a Vice President

Physical A generator is used during a power outage

Physical Building doors can be unlocked with an access card

Technical System logs are transferred automatically to a SIEM

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Match the appropriate authentication factor to each description.
Each authentication factor will be used once.

Something you know
Something you are
Something you have
Somewhere you are

A

Description Authentication Factor

During the login process, your phone receives a
text message with a one-time passcode
Something you have

You enter your PIN to make
a deposit into an ATM
Something you know

You can use your fingerprint to unlock
the door to the data center
Something you are

Your login will not work unless you are
connected to the VPN
Somewhere you are

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Configure the following stateful firewall rules:
* Block HTTP sessions between the Web Server and the Database Server
* Allow the Storage Server to transfer files to the Video Server over HTTPS
* Allow the Management Server to use a secure terminal on the File Server

A

Rule # Source IP Destination
IP
Protocol
(TCP/UDP) Port # Allow/
Block
1 10.1.1.2 10.2.1.20 TCP 80 Block
2 10.2.1.33 10.1.1.7 TCP 443 Allow
3 10.2.1.47 10.1.1.3 TCP 22 Allow

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

A company has hired a third-party to gather information about the company’s servers and data. This third-party will not have direct access to the company’s internal network, but they can gather information from any other source. Which of the following would BEST describe
this approach?
❍ A. Vulnerability scanning
❍ B. Passive reconnaissance
❍ C. Supply chain analysis
❍ D. Regulatory audit

A

The Answer: B. Passive reconnaissance
Passive reconnaissance focuses on gathering as much information from
open sources such as social media, corporate websites, and business
organizations.
The incorrect answers:
A. Vulnerability scanning
Some active reconnaissance tests will query systems directly to see if a
vulnerability currently exists.
C. Supply chain analysis
A supply chain analysis will examine the security associated with a
supplier, and the analysis will not provide any information regarding a
company’s own servers and data.
D. Regulatory audit
A regulatory audit is a detailed security analysis based on existing laws or
private guidelines. A regulatory audit commonly requires access to internal
systems and data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

A company’s email server has received an email from a third-party, but the origination server does not match the list of authorized devices. Which of
the following would determine the disposition of this message?
❍ A. SPF
❍ B. NAC
❍ C. DMARC
❍ D. DKIM

A

The Answer: C. DMARC
DMARC (Domain-based Message Authentication Reporting and
Conformance) specifies the disposition of spam emails. The legitimate
owner of the originating email domain can choose to have these messages
accepted, sent to a spam folder, or rejected.
The incorrect answers:
A. SPF
SPF (Sender Policy Framework) is a list of all authorized mail servers for
a specific domain. All legitimate emails would be sent from one of the
servers listed in the SPF configuration.
B. NAC
NAC (Network Access Control) is a way to limit network access to only
authorized users. NAC is not commonly used to manage the transfer of
email messages.
D. DKIM
DKIM (Domain Keys Identified Mail) provides a way to validate all
digitally signed messages from a specific email server. DKIM does not
determine how the receiving server categorizes these digitally signed
messages.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Which of these threat actors would be MOST likely to attack systems for
direct financial gain?
❍ A. Organized crime
❍ B. Hacktivist
❍ C. Nation state
❍ D. Shadow IT

A

The Answer: A. Organized crime
An organized crime actor is motivated by money, and their hacking
objectives are usually based around objectives that can be easily exchanged
for financial capital.
The incorrect answers:
B. Hacktivist
A hacktivist is focused on a political agenda and not commonly on a
financial gain.
C. Nation state
Nation states are already well funded, and their primary objective is not
usually based on revenue or income.
D. Shadow IT
Shadow IT describes part of the organization that works around the
existing IT department to build their own applications and infrastructure.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

A security administrator has examined a server recently compromised by
an attacker, and has determined the system was exploited due to a known
operating system vulnerability. Which of the following would BEST
describe this finding?
❍ A. Root cause analysis
❍ B. E-discovery
❍ C. Risk appetite
❍ D. Data subject

A

The Answer: A. Root cause analysis
The goal of a root cause analysis is to explain the ultimate cause of an
incident. Once the cause is known, it becomes easier to protect against
similar attacks in the future.
The incorrect answers:
B. E-discovery
E-discovery relates to the collection, preparation, review, interpretation,
and production of electronic documents. E-discovery itself is not involved
with the research and determination of an attack’s root cause.
C. Risk appetite
A risk appetite describes the amount of risk an organization is willing to
take before taking any action to reduce that risk. Risk appetite is not part
of a root cause analysis.
D. Data subject
A data subject describes any information relating to an identified or
identifiable natural person, especially when describing or managing private
information about the subject.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

A city is building an ambulance service network for emergency medical
dispatching. Which of the following should have the highest priority?
❍ A. Integration costs
❍ B. Patch availability
❍ C. System availability
❍ D. Power usage

A

The Answer: C. System availability
Requests to emergency services are often critical in nature, and it’s
important for a dispatching system to always be available when a call is
made.
The incorrect answers:
A. Integration costs
When lives are on the line, the cost is not commonly the most important
aspect of a system integration.
B. Patch availability
Although it’s important to always keep systems patched, it’s more
important that a life saving service be available to those who might need it.
D. Power usage
Power usage is not usually the most important consideration when
building a critical healthcare and emergency service infrastructure.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

A system administrator receives a text alert when access rights are
changed on a database containing private customer information. Which
of the following would describe this alert?
❍ A. Maintenance window
❍ B. Attestation and acknowledgment
❍ C. Automation
❍ D. External audit

A

The Answer: C. Automation
Automation ensures that compliance checks can be performed on a
regular basis without the need for human intervention. This can be
especially useful to provide alerts when a configuration change causes an
organization to be out of compliance.
The incorrect answers:
A. Maintenance window
A maintenance window describes the scheduling associated with the
change control process. Systems and services generally have limited
availability during a maintenance window.
B. Attestation and acknowledgment
With compliance, the process of attestation and acknowledgment is the
final verification of the formal compliance documentation. An alert from
an automated process would not qualify as attestation.
D. External audit
An external audit can be a valuable tool for verifying the compliance
process, but an automated alert from a monitoring system would not be
part of an external audit.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

A security administrator is concerned about the potential for data
exfiltration using external storage drives. Which of the following would
be the BEST way to prevent this method of data exfiltration?
❍ A. Create an operating system security policy to block
the use of removable media
❍ B. Monitor removable media usage in host-based firewall logs
❍ C. Only allow applications that do not use removable media
❍ D. Define a removable media block rule in the UTM

A

The Answer: A. Create an operating system security policy to prevent
the use of removable media
Removable media uses hot-pluggable interfaces such as USB to connect
storage drives. A security policy in the operating system can prevent any
files from being written to a removable drive.
The incorrect answers:
B. Monitor removable media usage in host-based firewall logs
A host-based firewall monitors traffic flows and does not commonly log
hardware or USB drive access.
C. Only allow applications that do not use removable media
File storage access options are not associated with applications, so it’s not
possible to allow based on external storage drive usage.
D. Define a removable media block rule in the UTM
A UTM (Unified Threat Manager) watches traffic flows across the
network and does not commonly manage the storage options on individual
computers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

A company creates a standard set of government reports each calendar
quarter. Which of the following would describe this type of data?
❍ A. Data in use
❍ B. Obfuscated
❍ C. Trade secrets
❍ D. Regulated

A

The Answer: D. Regulated
Reports and information created for governmental use are regulated by
laws regarding the disclosure of certain types of data.
The incorrect answers:
A. Data in use
Data in use describes information actively processing in the memory of a
system, such as system RAM, CPU registers, or CPU cache. Government
reports are static documents and are not actively being processed.
B. Obfuscated
Obfuscation describes the modification of data to make something
understandable into something very difficult to understand. Information
contained in a government report is relatively easy to understand and
would not be considered obfuscated data.
C. Trade secrets
Trade secrets are the private details a company uses as part of their normal
business processes, and these trade secrets are not shared with any other
organization or business.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

An insurance company has created a set of policies to handle data
breaches. The security team has been given this set of requirements based
on these policies:
* Access records from all devices must be saved and archived
* Any data access outside of normal working hours
must be immediately reported
* Data access must only occur inside of the country
* Access logs and audit reports must be created from a single database
Which of the following should be implemented by the security team to
meet these requirements? (Select THREE)
❍ A. Restrict login access by IP address and GPS location
❍ B. Require government-issued identification
during the onboarding process
❍ C. Add additional password complexity for accounts that access data
❍ D. Conduct monthly permission auditing
❍ E. Consolidate all logs on a SIEM
❍ F. Archive the encryption keys of all disabled accounts
❍ G. Enable time-of-day restrictions on the authentication server

A

The Answer: A. Restrict login access by IP address and GPS location,
E. Consolidate all logs on a SIEM, and
G. Enable time-of-day restrictions on
the authentication server
Adding location-based policies will prevent direct data access from outside
of the country. Saving log information from all devices and creating audit
reports from a single database can be implemented through the use of a
SIEM (Security Information and Event Manager). Adding a check for the
time-of-day will report any access that occurs during non-working hours.
52 Practice Exam A - Answers
The incorrect answers:
B. Require government-issued identification during the
onboarding process
Requiring proper identification is always a good idea, but it’s not one of
the listed requirements.
C. Add additional password complexity for accounts that access data
Additional password complexity is another good best practice, but it’s not
part of the provided requirements.
D. Conduct monthly permission auditing
No requirements for ongoing auditing were included in the requirements,
but ongoing auditing is always an important consideration.
F. Archive the encryption keys of all disabled accounts
If an account is disabled, there may still be encrypted data that needs to be
recovered later. Archiving the encryption keys will allow access to that data
after the account is no longer in use.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

A security engineer, is viewing this record from the firewall logs:
UTC 04/05/2023 03:09:15809 AV Gateway Alert
136.127.92.171 80 -> 10.16.10.14 60818
Gateway Anti-Virus Alert:
XPACK.A_7854 (Trojan) blocked.
Which of the following can be observed from this log information?
❍ A. The victim’s IP address is 136.127.92.171
❍ B. A download was blocked from a web server
❍ C. A botnet DDoS attack was blocked
❍ D. The Trojan was blocked, but the file was not

A

The Answer: B. A download was blocked from a web server
A traffic flow from a web server port number (80) to a device port (60818)
indicates that this traffic flow originated on port 80 of the web server. A
file download is one of the most common ways to deliver a Trojan, and
this log entry shows that the file containing the XPACK.A_7854 Trojan
was blocked.
The incorrect answers:
A. The victim’s IP address is 136.127.92.171
The format for this log entry uses an arrow to differentiate between the
attacker and the victim. The attacker IP address is 136.127.92.171, and the
victim’s IP address is 10.16.10.14.
C. A botnet DDoS attack was blocked
A botnet attack would not commonly include a Trojan horse as part of a
distributed denial of service (DDoS) attack.
D. The Trojan was blocked, but the file was not
A Trojan horse attack involves malware that is disguised as legitimate
software. The Trojan malware and the file are the same entity, so there isn’t
a way to decouple the malware from the file.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

A user connects to a third-party website and receives this message:
Your connection is not private.
NET::ERR_CERT_INVALID
Which of the following attacks would be the MOST likely reason
for this message?
❍ A. Brute force
❍ B. DoS
❍ C. On-path
❍ D. Deauthentication

A

The Answer: C. On-path
An on-path attack is often associated with a third-party who is actively
intercepting network traffic. This entity in the middle would not be able
to provide a valid SSL certificate for a third-party website, and this error
would appear in the browser as a warning.
The incorrect answers:
A. Brute force
A brute force attack is commonly associated with password hacks. Brute
force attacks would not cause the certificate on a website to be invalid.
B. DoS
A DoS (Denial of Service) attack would prevent communication to a
server and most likely provide a timeout error. This error is not related to a
service availability issue.
D. Deauthentication
Deauthentication attacks are commonly associated with wireless networks,
and they usually cause disconnects and lack of connectivity. The error
message in this example does not appear to be associated with a network
outage or disconnection.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Which of the following would be the BEST way to provide a website
login using existing credentials from a third-party site?
❍ A. Federation
❍ B. 802.1X
❍ C. EAP
❍ D. SSO

A

The Answer: A. Federation
Federation would allow members of one organization to authenticate
using the credentials of another organization.
The incorrect answers:
B. 802.1X
802.1X is a useful authentication protocol, but it needs additional
functionality to authenticate across multiple user databases.
C. EAP
EAP (Extensible Authentication Protocol) is an authentication
framework commonly associated with network access control. EAP by
itself does not provide the federation needed to authenticate users to a
third-party access database.
D. SSO
SSO (Single Sign-On) describes the process of enabling a single
authentication to grant access to many different network services.
Obtaining login credentials from a third-party access database does not
describe the process used by SSO.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

A system administrator is working on a contract that will specify a
minimum required uptime for a set of Internet-facing firewalls. The
administrator needs to know how often the firewall hardware is expected
to fail between repairs. Which of the following would BEST describe this
information?
❍ A. MTBF
❍ B. RTO
❍ C. MTTR
❍ D. RPO

A

The Answer: A. MTBF
The MTBF (Mean Time Between Failures) is a prediction of how often a
repairable system will fail.
The incorrect answers:
B. RTO
RTO (Recovery Time Objectives) define a set of objectives needed to
restore a particular service level.
C. MTTR
MTTR (Mean Time to Restore) is the amount of time it takes to repair a
component.
D. RPO
RPO (Recovery Point Objective) describes the minimum data or

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

An attacker calls into a company’s help desk and pretends to be the
director of the company’s manufacturing department. The attacker
states that they have forgotten their password and they need to have the
password reset quickly for an important meeting. What kind of attack
would BEST describe this phone call?
❍ A. Social engineering
❍ B. Supply chain
❍ C. Watering hole
❍ D. On-path

A

The Answer: A. Social engineering
This social engineering attack uses impersonation to take advantage of
authority and urgency principles in an effort to convince someone else to
circumvent normal security controls.
The incorrect answers:
B. Supply chain
A supply chain attack focuses on the equipment or raw materials used to
deliver products or services to an organization or user. A call to the help
desk would not be categorized as part of the supply chain.
C. Watering hole
A watering hole attack uses a third-party site to perform attacks outside of
a user’s local (and usually more secure) network.
D. On-path
An on-path attack commonly occurs without any knowledge to the parties
involved, and there’s usually no additional notification that an attack is
underway. In this question, the attacker contacted the help desk engineer
directly.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Two companies have been working together for a number of months,
and they would now like to qualify their partnership with a broad formal
agreement between both organizations. Which of the following would
describe this agreement?
❍ A. SLA
❍ B. SOW
❍ C. MOA
❍ D. NDA

A

The Answer: C. MOA
An MOA (Memorandum of Agreement) is a formal document where
both sides agree to a broad set of goals and objectives associated with the
partnership.
The incorrect answers:
A. SLA
An SLA (Service Level Agreement) is commonly provided as a formal
contract between two parties that documents the minimum terms for
services provided. The SLA often provides very specific requirements and
expectations between both parties.
B. SOW
An SOW (Statement of Work) is a detailed list of items to be completed
as part of overall project deliverables. For example, a list of expected job
tasks associated with a firewall installation would be documented in an
SOW.
D. NDA
An NDA (Non-Disclosure Agreement) is a confidentiality agreement
between parties. This question did not mention any requirement for
privacy or confidentiality.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Which of the following would explain why a company would
automatically add a digital signature to each outgoing email message?
❍ A. Confidentiality
❍ B. Integrity
❍ C. Authentication
❍ D. Availability

A

The Answer: B. Integrity
Integrity refers to the trustworthiness of data. A digital signature allows
the recipient to confirm that none of the data has been changed since the
digital signature was created.
The incorrect answers:
A. Confidentiality
Confidentiality describes the privacy of data. Encrypting traffic sent over
a VPN or encrypting files stored on a flash drive would be an example of
data confidentiality.
C. Authentication
Authentication refers to the process of verifying the identity of an
individual or system. A username and password is a common method
of authentication, but digital signatures are not commonly used as an
authentication method.
D. Availability
Availability describes the ability of an authorized user to access data.
A digital signature does not provide any features associated with the
availability of the data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

The embedded OS in a company’s time clock appliance is configured to
reset the file system and reboot when a file system error occurs. On one
of the time clocks, this file system error occurs during the startup process
and causes the system to constantly reboot. Which of the following
BEST describes this issue?
❍ A. Memory injection
❍ B. Resource consumption
❍ C. Race condition
❍ D. Malicious update

A

The Answer: C. Race condition
A race condition occurs when two processes occur at similar times, and
usually with unexpected results. The file system problem can often be fixed
before a reboot, but the reboot is occurring before the fix can be applied.
This has created a race condition that results in constant reboots.
The incorrect answers:
A. Memory injection
A memory injection is commonly used by malicious software to add code
to the memory of an existing process. The issue in this question was related
to a file system error and was not part of a malicious data injection.
B. Resource consumption
If the time clock was running out of storage space or memory, it would
most likely be unusable. In this example, the issue isn’t based on a lack of
resources.
D. Malicious update
A malicious update occurs when a software patch installs unwanted or
unauthorized code. Many attackers will use software patches to install
their own malicious code during a software update.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

A recent audit has found that existing password policies do not include
any restrictions on password attempts, and users are not required to
periodically change their passwords. Which of the following would
correct these policy issues? (Select TWO)
❍ A. Password complexity
❍ B. Password expiration
❍ C. Password reuse
❍ D. Account lockout
❍ E. Password managers

A

The Answer: B. Password expiration and D. Account lockout
Password expiration would require a password change after the expiration
date. An account lockout would disable an account after a predefined
number of unsuccessful login attempts.
The incorrect answers:
A. Password complexity
A complex password would make the password more difficult to brute
force, but it would not solve the issues listed in this question.
C. Password reuse
Maintaining a password history would prevent the reuse of any previous
passwords. Restricting password reuse would ensure that a different
password is used each time a password change is processed.
E. Password managers
A password manager would provide a way to securely store and retrieve
passwords, but it would not resolve any issues relating to password
expirations or account lockouts.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What kind of security control is associated with a login banner?
❍ A. Preventive
❍ B. Deterrent
❍ C. Corrective
❍ D. Detective
❍ E. Compensating
❍ F. Directive

A

The Answer: B. Deterrent
A deterrent control does not directly stop an attack, but it may discourage
an action.
The incorrect answers:
A. Preventive
A preventive control physically limits access to a device or area.
C. Corrective
A corrective control can actively work to mitigate any damage.
D. Detective
A detective control may not prevent access, but it can identify and record
any intrusion attempts.
E. Compensating
A compensating security control doesn’t prevent an attack, but it does
restore from an attack using other means.
F. Directive
A directive control is relatively weak control which relies on security
compliance from the end users.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
An internal audit has discovered four servers that have not been updated in over a year, and it will take two weeks to test and deploy the latest patches. Which of the following would be the best way to quickly respond to this situation in the meantime? ❍ A. Purchase cybersecurity insurance ❍ B. Implement an exception for all data center services ❍ C. Move the servers to a protected segment ❍ D. Hire a third-party to perform an extensive audit
The Answer: C. Move the servers to a protected segment Segmenting the servers to their own protected network would allow for additional security controls while still maintaining the uptime and availability of the systems. The incorrect answers: A. Purchase cybersecurity insurance Cybersecurity insurance can help plan for financial issues during a significant attack, but it wouldn't provide any assistance for mitigating potential vulnerabilities during this two week period. B. Implement an exception for all data center services Security exceptions should be rare, and they should be very specific to a small number of systems. It would be risky to create a broad security exception for systems which are not in-scope for the identified vulnerability. D. Hire a third-party to perform an extensive audit Audits take time, and hiring a third-party to perform an audit takes even longer. By the time a third-party audit was underway, the problematic systems would have already been tested and patched.
26
A business manager is documenting a set of steps for processing orders if the primary Internet connection fails. Which of these would BEST describe these steps? ❍ A. Platform diversity ❍ B. Continuity of operations ❍ C. Cold site recovery ❍ D. Tabletop exercise
The Answer: B. Continuity of operations It's always useful to have an alternative set of processes to handle any type of outage or issue. Continuity of operations planning ensures that the business will continue to operate when these issues occur. The incorrect answers: A. Platform diversity Using different operating systems and platforms can help mitigate issues associated with a single OS, but it wouldn't provide any mitigation if the primary Internet connection was no longer available. C. Cold site recovery A cold site takes time to build, and the time and expense associated with a disaster recovery switchover would be extensive. By the time a cold site was enabled, the primary Internet connection may already be restored and many alternative recovery options could have potentially been deployed. D. Tabletop exercise A tabletop exercise usually consists of a meeting where members of a recovery team or disaster recovery talk through a disaster scenario.
27
A company would like to examine the credentials of each individual entering the data center building. Which of the following would BEST facilitate this requirement? ❍ A. Access control vestibule ❍ B. Video surveillance ❍ C. Pressure sensors ❍ D. Bollards
The Answer: A. Access control vestibule An access control vestibule is a room designed to restrict the flow of individuals through an area. These are commonly used in high security areas where each person needs to be evaluated and approved before access can be provided. The incorrect answers: B. Video surveillance Although video surveillance can assist with monitoring access to a building or room, it doesn't provide a way to validate the credentials of each visitor. C. Pressure sensors Pressure sensors are commonly used on doors or windows to detect movement in those devices. However, pressure sensors would not be used to check visitor credentials. D. Bollards Bollards and barricades are often used on the exterior of a facility to prevent access to motorized vehicles and channel people through a specific access location.
28
A company stores some employee information in encrypted form, but other public details are stored as plaintext. Which of the following would BEST describe this encryption strategy? ❍ A. Full-disk ❍ B. Record ❍ C. Asymmetric ❍ D. Key escrow
The Answer: B. Record Record-level encryption is commonly used with databases to encrypt individual columns within the database. This would store some information in the database as plaintext and other information as encrypted data. The incorrect answers: A. Full-disk Full-disk encryption ensures that all data on a storage drive is protected. Full-disk encryption protects all data on the drive, and none of the information would remain as the original plaintext. C. Asymmetric Asymmetric encryption uses a public and private key pair to encrypt data. Asymmetric encryption does not store some information as plaintext and other information as encrypted data. D. Key escrow Key escrow describes the storage and management of decryption keys by a third-party. Key escrow does not determine which data is selected for encryption or the method of encryption.
29
A company would like to minimize database corruption if power is lost to a server. Which of the following would be the BEST strategy to follow? ❍ A. Encryption ❍ B. Off-site backups ❍ C. Journaling ❍ D. Replication
The Answer: C. Journaling Journaling writes data to a temporary journal before writing the information to the database. If power is lost, the system can recover the last transaction from the journal when power is restored. The incorrect answers: A. Encryption Encryption would provide confidentiality of the data, but it would not provide any additional integrity features if power was lost. B. Off-site backups Off-site backups can be used to recover a corrupted database, but this does not minimize or prevent database corruption from occurring. D. Replication Replication is used to create a duplicate copy of data. Although this process does provide a backup, it doesn't add any additional integrity and could still potentially corrupt data if power is lost.
30
A company is creating a security policy for corporate mobile devices: * All mobile devices must be automatically locked after a predefined time period. * The location of each device needs to be traceable. * All of the user’s information should be completely separate from company data. Which of the following would be the BEST way to establish these security policy rules? ❍ A. Segmentation ❍ B. Biometrics ❍ C. COPE ❍ D. MDM
The Answer: D. MDM An MDM (Mobile Device Manager) provides a centralized management system for all mobile devices. From this central console, security administrators can set policies for many different types of mobile devices. The incorrect answers: A. Segmentation Segmentation describes the separation of user data from company data, but the implementation all policies is managed by the MDM. B. Biometrics Biometrics can be used as another layer of device security, but you need more than biometrics to implement the required security policies in this question. C. COPE A device that is COPE (Corporately Owned and Personally Enabled) is commonly purchased by the corporation and allows the use of the mobile device for both business and personal use. The use of a COPE device does not provide any policy management of the device.
31
A security engineer runs a monthly vulnerability scan. The scan doesn’t list any vulnerabilities for Windows servers, but a significant vulnerability was announced last week and none of the servers are patched yet. Which of the following best describes this result? ❍ A. Exploit ❍ B. Compensating controls ❍ C. Zero-day attack ❍ D. False negative
The Answer: D. False negative A false negative is a result that fails to detect an issue when one actually exists. The incorrect answers: A. Exploit An exploit is an attack against a vulnerability. Vulnerability scans do not commonly attempt to exploit the vulnerabilities that they identify. B. Compensating controls Compensating controls are used to mitigate a vulnerability when an optimal security response may not be available. For example, if a company can't deploy a patch for a vulnerability, they can revoke or limit application access until a patch is provided. C. Zero-day attack A zero-day attack focuses on previously unknown vulnerabilities. In this example, the vulnerability scan isn’t an attack, and the vulnerabilities are already known and patches are available.
32
An IT help desk is using automation to improve the response time for security events. Which of the following use cases would apply to this process? ❍ A. Escalation ❍ B. Guard rails ❍ C. Continuous integration ❍ D. Resource provisioning
The Answer: A. Escalation Automation can recognize security events and escalate a security-related ticket to the incident response team without any additional human interaction. The incorrect answers: B. Guard rails Guard rails are used by application developers to provide a set of automated validations to user input and behavior. Guard rails are not used by the help desk team. C. Continuous integration Continuous integration and testing provides an automated method of constantly developing, testing, and deploying code. The continuous integration process is not used by the help desk. D. Resource provisioning Resource provisioning can be automated during the on-boarding and off-boarding process to quickly create or remove rights and permissions. Resource provisioning is not commonly part of the automation associated with security event notification.
33
A network administrator would like each user to authenticate with their corporate username and password when connecting to the company's wireless network. Which of the following should the network administrator configure on the wireless access points? ❍ A. WPA3 ❍ B. 802.1X ❍ C. PSK ❍ D. MFA
The Answer: B. 802.1X 802.1X uses a centralized authentication server, and this allows all users to use their corporate credentials during the login process. The incorrect answers: A. WPA3 WPA3 (Wi-Fi Protected Access 3) is an encryption protocol for 802.11 wireless networking. The WPA3 encryption itself does not include the centralized authentication process described in this question. C. PSK PSK (Pre-Shared Key) is a wireless configuration option that allows everyone on the network to use the same access key or password when connecting to the wireless network. This question requires each person to use unique authentication credentials. D. MFA MFA (Multifactor Authentication) describes the use of multiple types of authentication checks. A username and password is a single factor (something you know), and the use of MFA does not itself require unique username and password credentials for each user.
34
A company's VPN service performs a posture assessment during the login process. Which of the following mitigation techniques would this describe? ❍ A. Encryption ❍ B. Decommissioning ❍ C. Least privilege ❍ D. Configuration enforcement
The Answer: D. Configuration enforcement A posture assessment evaluates the configuration of a system to ensure all configurations and applications are up to date and secure as possible. If a configuration does not meet these standards, the user is commonly provided with options for resolving the issue before proceeding. The incorrect answers: A. Encryption Encryption is an important part of a VPN (Virtual Private Network), but the encryption of network data is not related to the posture assessment process. B. Decommissioning It's important to properly manage data during any decommissioning process, but the decommissioning isn't part of the VPN login process. C. Least privilege Least privilege describes the minimum rights and permissions that would allow an individual to perform their job function. Least privilege is not part of a posture assessment.
35
A user has assigned individual rights and permissions to a file on their network drive. The user adds three additional individuals to have readonly access to the file. Which of the following would describe this access control model? ❍ A. Discretionary ❍ B. Mandatory ❍ C. Attribute-based ❍ D. Role-based
The Answer: A. Discretionary Discretionary access control is used in many operating systems, and this model allows the owner of the resource to control who has access. The incorrect answers: B. Mandatory Mandatory access control allows access based on the security level assigned to an object. Only users with the object’s assigned security level or higher may access the resource. C. Attribute-based Attribute-based access control combines many different parameters to determine if a user has access to a resource. D. Role-based Role-based access control assigns rights and permissions based on the role of a user. These roles are usually assigned by group.
36
A remote user has received a text message with a link to login and confirm their upcoming work schedule. Which of the following would BEST describe this attack? ❍ A. Brute force ❍ B. Watering hole ❍ C. Typosquatting ❍ D. Smishing
The Answer: D. Smishing Smishing, or SMS (Short Message Service) phishing, is a social engineering attack that asks for sensitive information using SMS or text messages. The incorrect answers: A. Brute force A brute force attack tries multiple password combinations in an effort to identify the correct authentication details. B. Watering hole A watering hole attack will infect a third-party site visited by the victim. Watering hole attacks are not commonly associated with received text messages. C. Typosquatting Typosquatting uses a misspelling of a domain name to convince victims they are visiting a legitimate website. The information provided in this question does not provide any specific domain names or links.
37
A company is formalizing the design and deployment process used by their application programmers. Which of the following policies would apply? ❍ A. Business continuity ❍ B. Acceptable use policy ❍ C. Incident response ❍ D. Development lifecycle
The Answer: D. Development lifecycle A formal software development lifecycle defines the specific policies associated with the design, development, testing, deployment, and maintenance of the application development process. The incorrect answers: A. Business continuity Business continuity plans define the procedures used when the primary business systems are unavailable. The business continuity process is not commonly associated with the application development process. B. Acceptable use policy An acceptable use policy formally defines the proper use of company assets and technology devices. C. Incident response Incident response policies define the procedures to follow when a security incident is identified. Incident response is not part of the application development process
38
A security administrator has copied a suspected malware executable from a user's computer and is running the program in a sandbox. Which of the following would describe this part of the incident response process? ❍ A. Eradication ❍ B. Preparation ❍ C. Recovery ❍ D. Containment
The Answer: D. Containment The isolation and containment process prevents malware from spreading and allows the administrator to analyze the operation of the malware without putting any other devices at risk. The incorrect answers: A. Eradication The eradication phase is associated with completely removing malware from a system. This process usually involves removing all data from a system and installing or re-imaging with a known-good operating system. B. Preparation The preparation process occurs before a security incident is discovered, and it can include the documentation of communication methods, the compiling of mitigation software, or gathering network and application documentation. C. Recovery The recovery phase is associated with the recovery of a system after a security incident. Running malware in a sandbox is not part of the recovery process.
39
A server administrator at a bank has noticed a decrease in the number of visitors to the bank's website. Additional research shows that users are being directed to a different IP address than the bank's web server. Which of the following would MOST likely describe this attack? ❍ A. Deauthentication ❍ B. DDoS ❍ C. Buffer overflow ❍ D. DNS poisoning
The Answer: D. DNS poisoning A DNS poisoning can modify a DNS server to modify the IP address provided during the name resolution process. If an attacker modifies the DNS information, they can direct client computers to any destination IP address. The incorrect answers: A. Deauthentication Deauthentication attacks are commonly associated with wireless networks. The deauthentication attack is used to remove devices from the wireless network, and it does not commonly redirect clients to a different website. B. DDoS A DDoS (Distributed Denial of Service) is used by attackers to cause services to be unavailable. In this example, the bank's website is operational but clients are not resolving the correct IP address. C. Buffer overflow Buffer overflows are associated with application attacks and can cause applications to crash or act in unexpected ways. A buffer overflow would not commonly redirect clients to a different website IP address.
40
Which of the following considerations are MOST commonly associated with a hybrid cloud model? ❍ A. Microservice outages ❍ B. IoT support ❍ C. Network protection mismatches ❍ D. Containerization backups
The Answer: C. Network protection mismatches A hybrid cloud includes more than one private or public cloud. This adds additional complexity to the overall infrastructure, and it's common to inadvertently apply different authentication options and user permissions across multiple cloud providers. The incorrect answers: A. Microservice outages Microservices are used to create a scalable and resilient application instance. However, the availability of a microservice is not specific to a hybrid cloud model. B. IoT support IoT (Internet of Things) support is available in many cloud infrastructure models, and this would not be specific to a hybrid cloud. D. Containerization backups Containerization provides an efficient method of deploying application instances, but the use and backup of these containers is not specific to a hybrid cloud infrastructure.
41
A company hires a large number of seasonal employees, and their system access should normally be disabled when the employee leaves the company. The security administrator would like to verify that their systems cannot be accessed by any of the former employees. Which of the following would be the BEST way to provide this verification? ❍ A. Confirm that no unauthorized accounts have administrator access ❍ B. Validate the account lockout policy ❍ C. Validate the offboarding processes and procedures ❍ D. Create a report that shows all authentications for a 24-hour period
The Answer: C. Validate the offboarding processes and procedures The disabling of an employee account is commonly part of the offboarding process. One way to validate an offboarding policy is to perform an audit of all accounts and compare active accounts with active employees. The incorrect answers: A. Confirm that no unauthorized accounts have administrator access It’s always a good idea to periodically audit administrator accounts, but this audit won’t provide any validation that all former employee accounts have been disabled. B. Validate the account lockout policy Account lockouts occur when a number of invalid authentication attempts have been made to a valid account. Disabled accounts would not be locked out because they are not currently valid accounts. D. Create a report that shows all authentications for a 24-hour period A list of all authentications would be quite large, and it would not be obvious to see which authentications were made with valid accounts and which authentications were made with former employee accounts.
42
Which of the following is used to describe how cautious an organization might be to taking a specific risk? ❍ A. Risk appetite ❍ B. Risk register ❍ C. Risk transfer ❍ D. Risk reporting
The Answer: A. Risk appetite A risk appetite is a broad description of how much risk-taking is deemed acceptable. An organization's risk appetite posture might be conservative, or they might be more expansionary and willing to take additional risks. The incorrect answers: B. Risk register A risk register identifies and documents the risks associated with each step of a project plan. A risk register is not designed to describe an organization's level of caution associated with each risk. C. Risk transfer Some organizations will transfer their risk to a third-party. For example, many organizations will purchase cybersecurity insurance to minimize the financial impact of a cybersecurity event. D. Risk reporting Risk reporting is the formal process of identifying risk and documenting all details associated with the risk. These reports are commonly designed for the decision making process by the senior management of an organization.
43
A technician is applying a series of patches to fifty web servers during a scheduled maintenance window. After patching and rebooting the first server, the web service fails with a critical error. Which of the following should the technician do NEXT? ❍ A. Contact the stakeholders regarding the outage ❍ B. Follow the steps listed in the backout plan ❍ C. Test the upgrade process in the lab ❍ D. Evaluate the impact analysis associated with the change
The Answer: B. Follow the steps listed in the backout plan The backout plan associated with the change control process provides information on reverting to the previous configuration if an unrecoverable error is found during the change. The incorrect answers: A. Contact the stakeholders regarding the outage The stakeholders don't commonly require a detailed notification of every step during the maintenance window. The final disposition of the change can be communicated to the stakeholders after the maintenance window has concluded. C. Test the upgrade process in the lab The testing phase of the change control process takes place prior to the maintenance window. Once the maintenance window has started, it's too late to perform any additional tests in the lab. D. Evaluate the impact analysis associated with the change An impact analysis determines the risk for making the proposed change. This analysis is created prior to the change control approval, and it would not be very useful when troubleshooting during the maintenance window.
44
An attacker has discovered a way to disable a server by sending specially crafted packets from many remote devices to the operating system. When the packet is received, the system crashes and must be rebooted to restore normal operations. Which of the following would BEST describe this attack? ❍ A. Privilege escalation ❍ B. SQL injection ❍ C. Replay attack ❍ D. DDoS
The Answer: D. DDoS A DDoS (Distributed Denial of Service) is an attack that overwhelms or disables a service to prevent the service from operating normally. Packets from multiple devices that disable a server would be an example of a DDoS attack. The incorrect answers: A. Privilege escalation A privilege escalation attack allows a user to exceed their normal rights and permissions. In this example, user permission escalations were not required to perform this attack. B. SQL injection A SQL (Structured Query Language) injection is used to circumvent an application and communicate directly to the application's database. In this question, there was no mention of application vulnerabilities or specific SQL statements. C. Replay attack A replay attack captures information and then replays that information as the method of attack. In this question, no mention was made of a prior data capture.
45
A data breach has occurred in a large insurance company. A security administrator is building new servers and security systems to get all of the financial systems back online. Which part of the incident response process would BEST describe these actions? ❍ A. Lessons learned ❍ B. Containment ❍ C. Recovery ❍ D. Analysis
The Answer: C. Recovery The recovery after a breach can be a phased approach that may take months to complete. The incorrect answers: A. Lessons learned Once the event is over, it’s useful to revisit the process to learn and improve for next time. B. Containment During an incident, it’s useful to separate infected systems from the rest of the network. D. Analysis The analysis phase can include the analysis of log files and alerts. These data source can help warn of a potential attack or evidence an attack is underway.
46
A network team has installed new access points to support an application launch. In less than 24 hours, the wireless network was attacked and private company information was accessed. Which of the following would be the MOST likely reason for this breach? ❍ A. Race condition ❍ B. Jailbreaking ❍ C. Impersonation ❍ D. Misconfiguration
The Answer: D. Misconfiguration There are many different configuration options when installing an access point, and it's likely one of those options allowed an attacker to gain access to the internal network. The incorrect answers: A. Race condition A race condition occurs when two different application processes are executing simultaneously. If the two processes are not aware of each other, the application may have unexpected results. In this example, there's no evidence the access points were experiencing a race condition. B. Jailbreaking Jailbreaking replaces the firmware on a mobile device to gain access to features not normally available in the operating system. Jailbreaking is not commonly associated with wireless access points. C. Impersonation Impersonation is an attacker pretending to be someone or something they are not. In this example, there's no evidence that impersonation was used to breach the wireless network.
47
An organization has identified a significant vulnerability in an Internetfacing firewall. The firewall company has stated the firewall is no longer available for sale and there are no plans to create a patch for this vulnerability. Which of the following would BEST describe this issue? ❍ A. End-of-life ❍ B. Improper input handling ❍ C. Improper key management ❍ D. Incompatible OS
The Answer: A. End-of-life Because the firewall is no longer available for sale, the firewall company has decided to stop supporting and updating the device. A product no longer supported by the manufacturer is consider to be end-of-life. The incorrect answers: B. Improper input handling A best practice for application security is to provide the proper handling of invalid or unnecessary input. A missing patch for the firewall firmware would not be related to input handling. C. Improper key management Cryptographic keys can be used for many security purposes, but managing those keys isn’t part of the patching process from a vendor. D. Incompatible OS The operating system in the firewall would normally be supported by the manufacturer, and the operating systems are not commonly modified on a purpose-built device such as a firewall.
48
A company has decided to perform a disaster recovery exercise during an annual meeting with the IT directors and senior directors. A simulated disaster will be presented, and the participants will discuss the logistics and processes required to resolve the disaster. Which of the following would BEST describe this exercise? ❍ A. Capacity planning ❍ B. Business impact analysis ❍ C. Continuity of operations ❍ D. Tabletop exercise
The Answer: D. Tabletop exercise A tabletop exercise allows a disaster recovery team to evaluate and plan disaster recovery processes without performing a full-scale drill. The incorrect answers: A. Capacity planning Capacity planning is used to determine how many resources would be required for a particular task. A formal tabletop exercise would not commonly include a capacity planning analysis. B. Business impact analysis A business impact analysis is usually created during the disaster recovery planning process. Once the disaster has occurred, it becomes much more difficult to complete an accurate impact analysis. C. Continuity of operations If an outage occurs, it's common to have a backup plan to provide continuity of operations. This plan can be used for any significant outage and is not specific to disaster recovery testing.
49
A security administrator needs to block users from visiting websites hosting malicious software. Which of the following would be the BEST way to control this access? ❍ A. Honeynet ❍ B. Data masking ❍ C. DNS filtering ❍ D. Data loss prevention
The Answer: C. DNS filtering DNS filtering uses a database of known malicious websites to resolve an incorrect or null IP address. If a user attempts to visit a known malicious site, the DNS resolution will fail and the user will not be able to visit the website. The incorrect answers: A. Honeynet A honeynet is a non-production network created to attract attackers. A honeynet is not used to block traffic to known malicious Internet sites. B. Data masking Data masking provides a way to hide data by substitution, shuffling, encryption, and other methods. Data masking does not provide a method of blocking communication to malicious websites. D. Data loss prevention Data Loss Prevention (DLP) systems can identify and block private information from being transferred between systems. DLP does not provide any direct method of blocking network traffic to known malware repositories.
50
A system administrator has been called to a system with a malware infection. As part of the incident response process, the administrator has imaged the operating system to a known-good version. Which of these incident response steps is the administrator following? ❍ A. Lessons learned ❍ B. Recovery ❍ C. Detection ❍ D. Containment
The Answer: B. Recovery The recovery phase describes the process of returning the system and data to the state prior to the malware infection. With a malware infection, this often requires deleting all data and reinstalling a known-good operating system. The incorrect answers: A. Lessons learned A post-incident meeting can help the incident response participants discuss the phases of the incident that went well and which processes can be improved for future events. C. Detection The detection of the malware is an early phase in the incident response process. If the administrator is imaging a system, the malware was previously detected and any critical documents were already recovered. D. Containment The containment phase isolates the system from any other devices to prevent the spread of any malicious software. The containment phase generally occurs immediately after
51
A company has placed a SCADA system on a segmented network with limited access from the rest of the corporate network. Which of the following would describe this process? ❍ A. Load balancing ❍ B. Least privilege ❍ C. Data retention ❍ D. Hardening
The Answer: D. Hardening The hardening process for an industrial SCADA (Supervisory Control and Data Acquisition) system might include network segmentation, additional firewall controls, and the implementation of access control lists. The incorrect answers: A. Load balancing A load balancer is used to distribute transactions across multiple systems. A single system was the only device referenced in this question, so a load balancing option would not be available. B. Least privilege Least privilege defines the minimum rights and permissions for completing a specific task. In this example, there was no mention of specific tasks or their necessary permissions. C. Data retention Data retention is important for long-term storage of important information. In this example, the mandated storage of data was not a consideration.
52
An administrator is viewing the following security log: Which of the following would describe this attack? Dec 30 08:40:03 web01 Failed password for root from 10.101.88.230 port 26244 ssh2 Dec 30 08:40:05 web01 Failed password for root from 10.101.88.230 port 26244 ssh2 Dec 30 08:40:09 web01 445 more authentication failures; rhost=10.101.88.230 user=root ❍ A. Spraying ❍ B. Downgrade ❍ C. Brute force ❍ D. DDoS
The Answer: C. Brute force A brute force attack discovers password by attempting a large combination of letters, numbers, and special characters until a match is found. In this example, the notification of over four hundred attempts would qualify as a brute force attack. The incorrect answers: A. Spraying A spraying attack is similar to a brute force attack, but spraying limits the number of attempts to prevent alerts or an account lockout. A spraying attack often uses accounts passwords stolen from other sites or a short list of the most common passwords. B. Downgrade A downgrade attack is often used to force an insecure encryption algorithm or the disabling of encryption entirely. In this example, no evidence of a downgrade attack is contained in the security log. D. DDoS A DDoS (Distributed Denial of Service) would involve many different devices to cause a system outage. In this example, a single IP address was logged and there was no evidence of a service outage.
53
During a morning login process, a user's laptop was moved to a private VLAN and a series of updates were automatically installed. Which of the following would describe this process? ❍ A. Account lockout ❍ B. Configuration enforcement ❍ C. Decommissioning ❍ D. Sideloading
The Answer: B. Configuration enforcement Many organizations will perform a posture assessment during the login process to verify the proper security controls are in place. If the device does not pass the assessment, the system can be quarantined and any missing security updates can then be installed. The incorrect answers: A. Account lockout In this example, there were no errors or notifications regarding the account or authentication status. C. Decommissioning The decommissioning process is often used to permanently remove devices from the network. In this example, the laptop mitigation would allow the device to return to the network once the updates were complete. D. Sideloading Sideloading describes the installation of software on a mobile device through the use of third-party operating systems or websites.
54
Which of the following describes two-factor authentication? ❍ A. A printer uses a password and a PIN ❍ B. The door to a building requires a fingerprint scan ❍ C. An application requires a pseudo-random code ❍ D. A Windows Domain requires a password and smart card
The Answer: D. A Windows Domain requires a password and smart card The multiple factors of authentication for this Windows Domain are a password (something you know), and a smart card (something you have). The incorrect answers: A. A printer uses a password and a PIN A password and a PIN (Personal Identification Number) are both something you know, so only one authentication factor is used. B. The door to a building requires a fingerprint scan A biometric scan (something you are) is a single factor of authentication. C. An application requires a pseudo-random code Pseudo-random authentication codes are often provided using a hardware dongle or mobile app. This single factor of authentication is something you have.
55
A company is deploying a new application to all employees in the field. Some of the problems associated with this roll out include: * The company does not have a way to manage the devices in the field * Team members have many different kinds of mobile devices * The same device needs to be used for both corporate and private use Which of the following deployment models would address these concerns? ❍ A. CYOD ❍ B. SSO ❍ C. COPE ❍ D. BYOD
The Answer: C. COPE A COPE (Corporate-owned, Personally Enabled) device would solve the issue of device standardization and would allow the device to be used for both corporate access and personal use. The incorrect answers: A. CYOD CYOD (Choose Your Own Device) allows the user to pick the make and model of their device. This would not solve the issue of different kinds of mobile devices used in the field. B. SSO SSO (Single Sign-On) is used to authenticate once when accessing multiple resources. SSO would not resolve any of the listed issues. D. BYOD With BYOD (Bring Your Own Device), the employee uses their personal device at work. This would not address the issue of mobile device management or standardization of mobile devices.
56
An organization is installing a UPS for their new data center. Which of the following would BEST describe this control type? ❍ A. Compensating ❍ B. Directive ❍ C. Deterrent ❍ D. Detective
The Answer: A. Compensating A compensating security control doesn’t prevent an attack, but it does restore from an attack using other means. In this example, the UPS (Uninterruptible Power Supply) does not stop a power outage, but it does provide alternative power if an outage occurs. The incorrect answers: B. Directive A directive control provides security controls using instructions and guidance. A UPS is not categorized as a directive control. C. Deterrent A deterrent control discourages an intrusion attempt. A UPS is used after power has been lost, so it would not be categorized as a deterrent. D. Detective A detective control may not prevent access, but it can identify and record intrusion attempts.
57
A manufacturing company would like to track the progress of parts used on an assembly line. Which of the following technologies would be the BEST choice for this task? ❍ A. Secure enclave ❍ B. Blockchain ❍ C. Hashing ❍ D. Asymmetric encryption
The Answer: B. Blockchain The ledger functionality of a blockchain can be used to track or verify components, digital media, votes, and other physical or digital objects. The incorrect answers: A. Secure enclave A secure enclave is a protected area for secret information, and the secure enclave is often implemented as a hardware processor in a device. C. Hashing Cryptographic hashes are commonly used to provide integrity verifications, but they don't necessarily include any method of tracking components on an assembly line. D. Asymmetric encryption Asymmetric encryption uses different keys for encryption and decryption. Asymmetric encryption does not provide any method for tracking objects on an assembly line.
58
A company's website has been compromised and the website content has been replaced with a political message. Which of the following threat actors would be the MOST likely culprit? ❍ A. Insider ❍ B. Organized crime ❍ C. Shadow IT ❍ D. Hacktivist
The Answer: D. Hacktivist A hacktivist is motivated by a particular philosophy, and their goal is to spread their message by defacing web sites and releasing private documents. The incorrect answers: A. Insider An insider has access to many company services, but the motivations of an insider threat would not commonly result in the posting of political information. B. Organized crime Organized crime actors are motivated by money. It would be unusual for an organized crime hack to include the posting of political messages. C. Shadow IT A shadow IT group is mostly interested in building their own systems and applications, and they would not commonly deface a website in an attempt to spread a specific political message.
59
A Linux administrator is downloading an updated version of her Linux distribution. The download site shows a link to the ISO and a SHA256 hash value. Which of these would describe the use of this hash value? ❍ A. Verifies that the file was not corrupted during the file transfer ❍ B. Provides a key for decrypting the ISO after download ❍ C. Authenticates the site as an official ISO distribution site ❍ D. Confirms that the file does not contain any malware
The Answer: A. Verifies that the file was not corrupted during the file transfer Once the file is downloaded, the administrator can calculate the file’s SHA256 hash and confirm that it matches the value on the website. The incorrect answers: B. Provides a key for decrypting the ISO after download ISO files containing public information are usually distributed without any encryption, and a hash value would not commonly be used as a decryption key. C. Authenticates the site as an official ISO distribution site Although it’s important to download files from known good sites, providing a hash value on a site would not provide any information about the site’s authentication. D. Confirms that the file does not contain any malware A hash value doesn’t inherently provide any protection against malware.
60
A company's security policy requires that login access should only be available if a person is physically within the same building as the server. Which of the following would be the BEST way to provide this requirement? ❍ A. USB security key ❍ B. Biometric scanner ❍ C. PIN ❍ D. SMS
The Answer: B. Biometric scanner A biometric scanner would require a person to be physically present to verify the authentication. The incorrect answers: A. USB security key A security key can be used to store a certificate on a USB (Universal Serial Bus) drive. The security key is commonly used as an authentication method for a user or application, and it doesn't provide any information about the location of the security key. C. PIN Although a PIN (Personal Identification Number) can be used as an authentication factor, the use of the PIN does not guarantee that a person is physically present. D. SMS SMS (Short Message Service), or text messages, are commonly used as authentication factors. However, the use of a mobile device to receive the SMS message does not guarantee that the owner of the mobile device is physically present.
61
A development team has installed a new application and database to a cloud service. After running a vulnerability scanner on the application instance, a security administrator finds the database is available for anyone to query without providing any authentication. Which of these vulnerabilities is MOST associated with this issue? ❍ A. Legacy software ❍ B. Open permissions ❍ C. Race condition ❍ D. Malicious update
The Answer: B. Open permissions Just like local systems, proper permissions and security controls are required when applications are installed to a cloud-based system. If permissions are not properly configured, the application data may be accessible by anyone on the Internet. The incorrect answers: A. Legacy software Legacy software often describes an older application with limited support options. The application and database in this example is a new installation and would not normally be categorized as legacy. C. Race condition If two processes occur simultaneously without coordination between the processes, unexpected results could occur. In this example, a single vulnerability scan has identified the issue and other processes do not appear to be involved. D. Malicious update A malicious update involves the installation of unwanted software during a normal update process. In this example, an update was not performed and the resulting public access would not generally be part of a malicious update.
62
Employees of an organization have received an email with a link offering a cash bonus for completing an internal training course. Which of the following would BEST describe this email? ❍ A. Watering hole attack ❍ B. Cross-site scripting ❍ C. Zero-day ❍ D. Phishing campaign
The Answer: D. Phishing campaign A phishing campaign is an internal process used to test the security habits of the user community. An email with a link from a server not under the control of the company could be an email sent by the IT department as part of a phishing campaign. The incorrect answers: A. Watering hole attack A watering hole attack is used as an alternative to attacking a victim's device directly. With a watering hole attack, an attacker will compromise a site used by the victim and will simply wait for the victim to visit. B. Cross-site scripting Cross-site scripting takes advantage of the trust already existing in a web browser. In this example, there's no evidence of a vulnerable web application or a specific browser-based vulnerability. C. Zero-day A zero-day attack describes a vulnerability where a software patch or similar mitigation is not immediately available. A link in an email by itself does not describe a zero-day attack.
63
Which of the following risk management strategies would include the purchase and installation of an NGFW? ❍ A. Transfer ❍ B. Mitigate ❍ C. Accept ❍ D. Avoid
The Answer: B. Mitigate Mitigation is a strategy that decreases the threat level. This is commonly done through the use of additional security systems and monitoring, such as an NGFW (Next-Generation Firewall). The incorrect answers: A. Transfer Transferring risk would move the risk from one entity to another. Adding an NGFW would not transfer any risk to another party. C. Accept The acceptance of risk is a position where the owner understands the risk and has decided to accept the potential results. D. Avoidance With risk avoidance, the owner of the risk decides to stop participating in a high-risk activity. This effectively avoids the risky activity and prevents any future issues.
64
An organization is implementing a security model where all application requests must be validated at a policy enforcement point. Which of the following would BEST describe this model? ❍ A. Public key infrastructure ❍ B. Zero trust ❍ C. Discretionary access control ❍ D. Federation
The Answer: B. Zero trust Zero trust describes a model where nothing is inherently trusted and everything must be verified to gain access. A central policy enforcement point is commonly used to implement a zero trust architecture. The incorrect answers: A. Public key infrastructure A public key infrastructure (PKI) uses public and private keys to provide confidentiality and integrity. Asymmetric encryption and digital signatures are used as foundational technologies in PKI. C. Discretionary access control. Discretionary access control is an authorization method where the owner of the data determines the scope and type of access. A discretionary access control model does not specifically define how the authorization is implemented. D. Federation Federation provides a way to manage authentication to a third-party database. Federation does not describe the use of a policy enforcement point.
65
A company is installing a new application in a public cloud. Which of the following determines the assignment of data security in this cloud infrastructure? ❍ A. Playbook ❍ B. Audit committee ❍ C. Responsibility matrix ❍ D. Right-to-audit clause
The Answer: C. Responsibility matrix A cloud responsibility matrix is usually published by the provider to document the responsibilities for all cloud-based services. For example, the customer responsibilities for an IaaS (Infrastructure as a Service) implementation will be different than SaaS (Software as a Service). The incorrect answers: A. Playbook A playbook provides conditional steps to follow when managing an organization's processes and procedures. For example, the process of recovering from a virus infection would be documented in a playbook. B. Audit committee An audit committee oversees the risk management activities for an organization. For example, the committee would be responsible for verifying the security implementation documented in the responsibility matrix. D. Right-to-audit clause A right-to-audit clause is often included in a third-party contract to define the terms and conditions around periodic audits. This is often part of a larger product or services contract.
66
When decommissioning a device, a company documents the type and size of storage drive, the amount of RAM, and any installed adapter cards. Which of the following describes this process? ❍ A. Destruction ❍ B. Sanitization ❍ C. Certification ❍ D. Enumeration
The Answer: D. Enumeration Enumeration describes the detailed listing of all parts in a particular device. For a computer, this could include the CPU type, memory, storage drive details, keyboard model, and more. The incorrect answers: A. Destruction Destruction involves physically damaging a device or component to prevent any future use or data access. Although the company may choose to destroy these computers at a later date, this question does not describe the destruction process. B. Sanitization Sanitization deletes data from storage media and allows the storage device to be used in the future. For example, a sector-by-sector format would sanitize a hard drive and allow the drive to be installed into another computer without the concern of a data breach. C. Certification If a third-party is providing destruction services, they often will certify the work and document which device serial numbers were destroyed as part of their service.
67
An attacker has sent more information than expected in a single API call, and this has allowed the execution of arbitrary code. Which of the following would BEST describe this attack? ❍ A. Buffer overflow ❍ B. Replay attack ❍ C. Cross-site scripting ❍ D. DDoS
The Answer: A. Buffer overflow The results of a buffer overflow can cause random results, but sometimes the actions can be repeatable and controlled. In the best possible case for the hacker, a buffer overflow can be manipulated to execute code on the remote device. The incorrect answers: B. Replay attack A replay attack does not require the sending of more information than expected, and often a replay attack consists of normal traffic and expected application input. C. Cross-site scripting A cross-site scripting attack allows a third party to take advantage of the trust a browser might have with another website. This question involves an API call and does not appear to reference a browser or third-party website. D. DDoS A DDoS (Distributed Denial of Service) renders a service unavailable, and it involves the input of many devices to operate. A DDoS would not require sending more information than expected, and it rarely results in the execution of arbitrary code.
68
A company encourages users to encrypt all of their confidential materials on a central server. The organization would like to enable key escrow as a backup option. Which of these keys should the organization place into escrow? ❍ A. Private ❍ B. CA ❍ C. Session ❍ D. Public
The Answer: A. Private With asymmetric encryption, the private key is used to decrypt information that has been encrypted with the public key. To ensure continued access to the encrypted data, the company must have a copy of each private key. The incorrect answers: B. CA A CA (Certificate Authority) key is commonly used to validate the digital signature from a trusted CA. This is not commonly used for user data encryption. C. Session Session keys are commonly used temporarily to provide confidentiality during a single session. Once the session is complete, the keys are discarded. Session keys are not used to provide long-term data encryption. D. Public In asymmetric encryption, a public key is already available to everyone. It would not be necessary to escrow a public key.
69
A company is in the process of configuring and enabling host-based firewalls on all user devices. Which of the following threats is the company addressing? ❍ A. Default credentials ❍ B. Vishing ❍ C. Instant messaging ❍ D. On-path
The Answer: C. Instant messaging Instant messaging is commonly used as an attack vector, and one way to help protect against malicious links delivered by instant messaging is a host-based firewall. The incorrect answers: A. Default credentials Users commonly login with unique credentials that are specific to the user. A host-based firewall would not identify the use of a default username and password. B. Vishing Vishing, or voice phishing, occurs over a phone or other voice communication method. A host-based firewall would not be able to protect against a voice-related attack vector. D. On-path A on-path attack describes a third-party in the middle of a communications path. The victims of an on-path attack are usually not aware an attack is taking place, so a host-based firewall would not be able to detect an on-path attack.
70
A manufacturing company would like to use an existing router to separate a corporate network from a manufacturing floor. Both networks use the same physical switch, and the company does not want to install any additional hardware. Which of the following would be the BEST choice for this segmentation? ❍ A. Connect the corporate network and the manufacturing floor with a VPN ❍ B. Build an air gapped manufacturing floor network ❍ C. Use host-based firewalls on each device ❍ D. Create separate VLANs for the corporate network and the manufacturing floor
The Answer: D. Create separate VLANs for the corporate network and the manufacturing floor Creating VLANs (Virtual Local Area Networks) will segment a network without requiring additional switches. The incorrect answers: A. Connect the corporate network and the manufacturing floor with a VPN A VPN (Virtual Private Network) would encrypt all information between the two networks, but it would not provide any segmentation. This process would also commonly require additional hardware to provide VPN connectivity. B. Build an air gapped manufacturing floor network An air gapped network would require separate physical switches on each side of the gap, and this would require the purchase of an additional switch. C. Use host-based firewalls on each device While personal firewalls provide protection for individual devices, they do not segment networks. It’s also uncommon for personal firewalls to be installed on manufacturing equipment.
71
An organization needs to provide a remote access solution for a newly deployed cloud-based application. This application is designed to be used by mobile field service technicians. Which of the following would be the best option for this requirement? ❍ A. RTOS ❍ B. CRL ❍ C. Zero-trust ❍ D. SASE
The Answer: D. SASE A SASE (Secure Access Service Edge) solution is a next-generation VPN technology designed to optimize the process of secure communication to cloud services. The incorrect answers: A. RTOS An RTOS (Real-time Operating System) is an OS designed for industrial equipment, automobiles, and other time-sensitive applications. B. CRL A CRL (Certificate Revocation List) is used to determine if a certificate has been administratively revoked. A CRL would not provide any remote access functionality. C. Zero-trust Zero-trust is a security strategy where all devices on the network are verified before connecting to another device. Zero-trust does not provide remote access functions.
72
A company is implementing a quarterly security awareness campaign. Which of the following would MOST likely be part of this campaign? ❍ A. Suspicious message reports from users ❍ B. An itemized statement of work ❍ C. An IaC configuration file ❍ D. An acceptable use policy document
The Answer: A. Suspicious message reports from users A security awareness campaign often involves automated phishing attempts, and most campaigns will include a process for users to report a suspected phishing attempt to the IT security team. The incorrect answers: B. An itemized statement of work A statement of work (SOW) is commonly used for service engagements. The SOW provides a list of deliverables for the professional services, and this list is often used to determine if the services were completed. C. An IaC configuration file An IaC (Infrastructure as Code) configuration file describes an infrastructure configuration commonly used by cloud-based systems. An IaC configuration file would not be used by a security awareness campaign. D. An acceptable use policy document An acceptable use policy (AUP) is defined by an employer to describe the proper use of technology and systems within an organization. The AUP itself is not part of a security awareness campaign.
73
A recent report shows the return of a vulnerability that was previously patched four months ago. After researching this issue, the security team has found a recent patch has reintroduced this vulnerability on the servers. Which of the following should the security administrator implement to prevent this issue from occurring in the future? ❍ A. Containerization ❍ B. Data masking ❍ C. 802.1X ❍ D. Change management
The Answer: D. Change management The change management process includes a testing phase that can help identify potential issues relating to an application change or upgrade. The incorrect answers: A. Containerization Containerization is an efficient method of deploying application instances, but it doesn't provide any mitigation for security vulnerabilities. B. Data masking Data masking can be used to limit access to sensitive data, but it does not prevent the implementation of a security vulnerability. C. 802.1X 802.1X is a standard for port-based network access control, and it can help manage the authentication process of network users. 802.1X does not provide any mitigation for security vulnerabilities.
74
A security manager would like to ensure that unique hashes are used with an application login process. Which of the following would be the BEST way to add random data when generating a set of stored password hashes? ❍ A. Salting ❍ B. Obfuscation ❍ C. Key stretching ❍ D. Digital signature
The Answer: A. Salting Adding random data, or salt, to a password when performing the hashing process will create a unique hash, even if other users have chosen the same password. The incorrect answers: B. Obfuscation Obfuscation is the process of making something difficult for humans to read or understand. The obfuscation process isn't commonly associated with adding random information to hashes. C. Key stretching Key stretching uses a cryptographic key multiple times for additional protection against brute force attacks. Key stretching by itself does not commonly add random data to the hashing process. D. Digital signature Digital signatures use a hash and asymmetric encryption to provide integrity of data. Digital signatures aren't commonly used for storing passwords.
75
Which cryptographic method is used to add trust to a digital certificate? ❍ A. Steganography ❍ B. Hash ❍ C. Symmetric encryption ❍ D. Digital signature
The Answer: D. Digital signature A certificate authority will digitally sign a certificate to add trust. If you trust the certificate authority, you can therefore trust the certificate. The incorrect answers: A. Steganography Steganography is a technique for hiding information inside of another media type. Steganography is a method of obfuscating data and does not provide a method of adding trust to a certificate. B. Hash A hash can help verify that the certificate has not been altered, but it does not provide additional third-party trust. C. Symmetric encryption Symmetric encryption provides data confidentiality, but it doesn't add any additional trust to the encryption process.
76
A company is using SCAP as part of their security monitoring processes. Which of the following would BEST describe this implementation? ❍ A. Train the user community to better identify phishing attempts ❍ B. Present the results of an internal audit to the board ❍ C. Automate the validation and patching of security issues ❍ D. Identify and document authorized data center visitors
The Answer: C. Automate the validation and patching of security issues SCAP (Security Content Automation Protocol) focuses on the standardization of vulnerability management across multiple security tools. This allows different tools to identify and act on the same security criteria. The incorrect answers: A. Train the user community to better identify phishing attempts Security awareness training is an important part of an overall security strategy, but the training process does not generally involve SCAP. B. Present the results of an internal audit to the board A presentation of audit results can provide important feedback, but the presentation itself does not generally use SCAP. D. Identify and document authorized data center visitors The identification and documentation process for visitors is an important security policy, but it does not generally require the use of SCAP.
77
An organization maintains a large database of customer information for sales tracking and customer support. Which person in the organization would be responsible for managing the access rights to this data? ❍ A. Data processor ❍ B. Data owner ❍ C. Data subject ❍ D. Data custodian
The Answer: D. Data custodian The data custodian manages access rights and sets security controls to the data. The incorrect answers: A. Data processor The data processor manages the operational use of the data, but not the rights and permissions to the information. B. Data owner The data owner is usually a higher-level executive who makes business decisions regarding the data. C. Data subject The data subjects are the individuals who have their personal information contained in this customer information database.
78
An organization’s content management system currently labels files and documents as “Public” and “Restricted.” On a recent update, a new classification type of “Private” was added. Which of the following would be the MOST likely reason for this addition? ❍ A. Minimized attack surface ❍ B. Simplified categorization ❍ C. Expanded privacy compliance ❍ D. Decreased search time
The Answer: C. Expanded privacy compliance The labeling of data as private is often associated with compliance and confidentiality concerns. The incorrect answers: A. Minimized attack surface The categorization of data has little impact on the size of the potential attack surface associated with a system. B. Simplified categorization Adding additional categories would not commonly be considered a simplification. D. Decreased search time Adding additional classifications would not necessarily provide any decreased search times.
79
A corporate security team would like to consolidate and protect the private keys across all of their web servers. Which of these would be the BEST way to securely store these keys? ❍ A. Integrate an HSM ❍ B. Implement full disk encryption on the web servers ❍ C. Use a TPM ❍ D. Upgrade the web servers to use a UEFI BIOS
The Answer: A. Integrate an HSM An HSM (Hardware Security Module) is a high-end cryptographic hardware appliance that can securely store keys and certificates for all devices. The incorrect answers: B. Implement full disk encryption on the web servers Full-disk encryption would only protect the keys if someone does not have the proper credentials, and it won’t help consolidate all of the web server keys to a central point. C. Use a TPM A TPM (Trusted Platform Module) is used on individual devices to provide cryptographic functions and securely store encryption keys. Individual TPMs would not provide any consolidation of web server private keys. D. Upgrade the web servers to use a UEFI BIOS A UEFI (Unified Extensible Firmware Interface) BIOS (Basic Input/ Output System) does not provide any additional security or consolidation features for web server private keys.
80
A security technician is reviewing this security log from an IPS: ALERT 2023-06-01 13:07:29 [163bcf65118-179b547b] Cross-Site Scripting in JSON Data 222.43.112.74:3332 -> 64.235.145.35:80 URL/index.html - Method POST - Query String "-" User Agent: curl/7.21.3 (i386-redhat-linux-gnu) libcurl/7.21.3 NSS/3.13.1.0 zlib/1.2.5 libidn/1.19 libssh2/1.2.7 Detail: token="" Which of the following can be determined from this log information? (Select TWO) ❍ A. The alert was generated from a malformed User Agent header ❍ B. The alert was generated from an embedded script ❍ C. The attacker’s IP address is 222.43.112.74 ❍ D. The attacker’s IP address is 64.235.145.35 ❍ E. The alert was generated due to an invalid client port number
The Answer: B. The alert was generated from an embedded script and C. The attacker’s IP address is 222.43.112.74 The details of the IPS (Intrusion Prevention System) alert show a script value embedded into JSON (JavaScript Object Notation) data. The IPS log also shows the flow of the attack with an arrow in the middle. The attacker was IP address 222.43.112.74 with port 3332, and the victim was 64.235.145.35 over port 80. The incorrect answers: A. The alert was generated from a malformed User Agent header The user agent information is provided as additional supporting data associated with the alert. The agent itself is not the cause of this alert. D. The attacker’s IP address is 64.235.145.35 The attacker’s IP address is listed first, so the victim's IP address is 64.235.145.35. E. The alert was generated due to an invalid client port number The port number associated with the client, 3332, is a valid port number and not associated with the cause of the alert.
81
Which of the following describes a monetary loss if one event occurs? ❍ A. ALE ❍ B. SLE ❍ C. RTO ❍ D. ARO
The Answer: B. SLE SLE (Single Loss Expectancy) describes the financial impact of a single event. The incorrect answers: A. ALE ALE (Annual Loss Expectancy) is the financial loss over an entire 12-month period. C. RTO RTO (Recovery Time Objectives) define a set of objectives needed to restore a particular service level. D. ARO The ARO (Annualized Rate of Occurrence) is the number of times an event will occur in a 12-month period.
82
A user with restricted access has typed this text in a search field of an internal web-based application: USER77' OR '1'='1 After submitting this search request, all database records are displayed on the screen. Which of the following would BEST describe this search? ❍ A. Cross-site scripting ❍ B. Buffer overflow ❍ C. SQL injection ❍ D. SSL stripping
The Answer: C. SQL injection SQL (Structured Query Language) injection takes advantage of poor input validation to circumvent the application and allows the attacker to query the database directly. The incorrect answers: A. Cross-site scripting Cross-site scripting takes advantage of a third-party trust to a web application. The attack demonstrated in this question does not use another user's credentials or access rights to obtain information. B. Buffer overflow A buffer overflow uses an application vulnerability to submit more information than an application can properly manage. The attack syntax in this question is specific to SQL injections, and it does not appear to be manipulating a buffer overflow vulnerability. D. SSL stripping SSL stripping is a downgrade attack that modifies web site addresses to allow access to encrypted information. The attack in this question does not appear to include a third-party.
83
A user has opened a helpdesk ticket complaining of poor system performance, excessive pop up messages, and the cursor moving without anyone touching the mouse. This issue began after they opened a spreadsheet from a vendor containing part numbers and pricing information. Which of the following is MOST likely the cause of this user's issues? ❍ A. On-path ❍ B. Worm ❍ C. Trojan horse ❍ D. Logic bomb
The Answer: C. Trojan horse Since a Trojan horse is usually disguised as legitimate software, the victim often doesn’t realize they’re installing malware. Once the Trojan is installed, the attacker can install additional software to control the infected system. The incorrect answers: A. On-path An on-path attack commonly occurs without any knowledge to the parties involved, and there’s usually no additional notification that an attack is underway. B. Worm A worm is malware that can replicate itself between systems without any user intervention, so a spreadsheet that requires additional a user to click warning messages would not be categorized as a worm. D. Logic bomb A logic bomb is malware that installs and operates silently until a certain event occurs. Once the logic bomb has been triggered, the results usually involve loss of data or a disabled operating system.
84
A web-based manufacturing company processes monthly charges to credit card information saved in the customer's profile. All of the customer information is encrypted and protected with additional authentication factors. Which of the following would be the justification for these security controls? ❍ A. Chain of custody ❍ B. Password vaulting ❍ C. Compliance reporting ❍ D. Sandboxing
The Answer: C. Compliance reporting The storage of sensitive information such as customer details and payment information may require additional reporting to ensure compliance with the proper security controls. The incorrect answers: A. Chain of custody Chain of custody describes the control and integrity of collected evidence. Chain of custody would not involve the implementation of encryption and authentication factors in this example. B. Password vaulting Password vaults are used as secure storage and retrieval of authentication credentials. The protection of user data is not associated with password vaulting. D. Sandboxing Sandboxing is the process of running a service or system in a protected environment. This sandbox allows for testing and analysis without affecting other systems that may currently be in production.
85
A security manager has created a report showing intermittent network communication from certain workstations on the internal network to one external IP address. These traffic patterns occur at random times during the day. Which of the following would be the MOST likely reason for these traffic patterns? ❍ A. On-path attack ❍ B. Keylogger ❍ C. Replay attack ❍ D. Brute force
The Answer: B. Keylogger A keylogger captures keystrokes and occasionally transmits this information to the attacker for analysis. The traffic patterns identified by the security manager could potentially be categorized as malicious keylogger transfers. The incorrect answers: A. On-path attack An on-path attack is an exploit often associated with a device monitoring data in the middle of a conversation. This question did not provide any evidence of third-party monitoring. C. Replay attack A replay attack is often used by an attacker to gain access to a service through the use of credentials gathered from a previous authentication. Internal devices communicating to an external server would not be a common pattern for a replay attack. D. Brute force A brute force attack attempts to find authentication credentials by attempting to guess a password. In this example, the source of the traffic and the traffic patterns don't match those seen with common brute force attempts.
86
The security policies in a manufacturing company prohibit the transmission of customer information. However, a security administrator has received an alert that credit card numbers were transmitted as an email attachment. Which of the following was the MOST likely source of this alert message? ❍ A. IPS ❍ B. DLP ❍ C. RADIUS ❍ D. IPsec
The Answer: B. DLP DLP (Data Loss Prevention) technologies can identify and block the transmission of sensitive data across the network. The incorrect answers: A. IPS IPS (Intrusion Prevention System) signatures are useful for identifying known vulnerabilities, but they don't commonly provide a way to identify and block PII (Personally Identifiable Information) or sensitive data. C. RADIUS RADIUS (Remote Authentication Dial-In User Service) is an authentication protocol commonly used to validate user credentials. RADIUS would not be used to identify sensitive data transfers. D. IPsec IPsec (Internet Protocol Security) is a protocol suite for authenticating and encrypting network communication. IPsec does not include any features for identifying and alerting on sensitive information.
87
A security administrator has configured a virtual machine in a screened subnet with a guest login account and no password. Which of the following would be the MOST likely reason for this configuration? ❍ A. The server is a honeypot for attracting potential attackers ❍ B. The server is a cloud storage service for remote users ❍ C. The server will be used as a VPN concentrator ❍ D. The server is a development sandbox for third-party programming projects
The Answer: A. The server is a honeypot for attracting potential attackers A screened subnet is a good location to configure services that can be accessed from the Internet, and building a system that can be easily compromised is a common tactic for honeypot systems. The incorrect answers: B. The server is a cloud storage service for remote users Although cloud storage is a useful service, configuring storage on a server with an open guest account is not a best practice. C. The server will be used as a VPN concentrator VPN (Virtual Private Networking) concentrators should be installed on secure devices, and configuring an open guest account would not be considered a secure configuration. D. The server is a development sandbox for third-party programming projects It would not be secure to configure a development sandbox on a system with an open guest account.
88
A security administrator is configuring a DNS server with a SPF record. Which of the following would be the reason for this configuration? ❍ A. Transmit all outgoing email over an encrypted tunnel ❍ B. List all servers authorized to send emails ❍ C. Digitally sign all outgoing email messages ❍ D. Obtain disposition instructions for emails marked as spam
The Answer: B. List all servers authorized to send emails SPF (Sender Policy Framework) is used to publish a list of all authorized email servers for a specific domain. The incorrect answers: A. Transmit all outgoing email over an encrypted tunnel The option to use encrypted protocols for email transfer is configured in the email server and not in the DNS (Domain Name System) server. C. Digitally sign all outgoing email messages DKIM (Domain Keys Identified Mail) is used to publish the public key used for the digital signature for all outgoing email. D. Obtain disposition instructions for emails marked as spam A DMARC (Domain-based Message Authentication, Reporting, and Conformance) record announces the preferred email disposition if a message is identified as spam. DMARC options include accepting the messages, sending them to a spam folder, or simply rejecting the emails.
89
A company would like to securely deploy applications without the overhead of installing a virtual machine for each system. Which of the following would be the BEST way to deploy these applications? ❍ A. Containerization ❍ B. IoT ❍ C. Proxy ❍ D. RTOS
The Answer: A. Containerization Application containerization uses a single virtual machine to use as a foundation for separate application "containers." These containers are implemented as isolated instances, and an application in one container is not inherently accessible from other containers on the system. The incorrect answers: B. IoT IoT (Internet of Things) is a broad category of embedded devices often installed in our homes and businesses. IoT devices are not commonly associated with the application deployment process. C. Proxy Proxies can be used as security devices, but they aren't commonly used for deploying application instances. D. RTOS RTOS (Real-Time Operating Systems) are designed for time-sensitive applications and services. Manufacturing equipment and transportation systems often incorporate an RTOS.
90
A company has just purchased a new application server, and the security director wants to determine if the system is secure. The system is currently installed in a test environment and will not be available to users until the roll out to production next week. Which of the following would be the BEST way to determine if any part of the system can be exploited? ❍ A. Tabletop exercise ❍ B. Vulnerability scanner ❍ C. DDoS ❍ D. Penetration test
The Answer: D. Penetration test A penetration test can be used to actively exploit potential vulnerabilities in a system or application. This could cause a denial of service or loss of data, so the best practice is to perform the penetration test during nonproduction hours or in a test environment. The incorrect answers: A. Tabletop exercise A tabletop exercise is used to talk through a security event with an incident response team around a conference room table. This is commonly performed as a training device instead of performing a full-scale disaster drill. B. Vulnerability scanner Vulnerability scanners may identify a vulnerability, but they do not actively attempt to exploit the vulnerability. C. DDoS A DDoS (Distributed Denial of Service) attack is often used to disable a service or application, but it doesn't provide any particular information regarding an application vulnerability.