Sample Exam 1 Flashcards
Match the description with the most accurate attack type.
Not all attack types will be used.
Attack Types:
On-path
RFID cloning
Keylogger
Vishing
Rootkit
DDoS
Injection
Supply chain
Attacker obtains bank account number
and birth date by calling the victim
Select an Attack Type
Attacker accesses a database directly
from a web browser
Select an Attack Type
Attacker intercepts all communication between
a client and a web server
Select an Attack Type
Multiple attackers
overwhelm a web server
Select an Attack Type
Attacker obtains a list of all login credentials used
over the last 24 hours
Select an Attack Type
Attacker obtains bank account number
and birth date by calling the victim
Vishing
Attacker accesses a database directly
from a web browser
Injection
Attacker intercepts all communication between
a client and a web server
On-path
Multiple attackers
overwhelm a web server
DDoS
Attacker obtains a list of all login credentials used
over the last 24 hours
Keylogger
The security team at a manufacturing company is creating a set of
security standards for employees and visitors.
Select the BEST security control for each location.
All of the available security controls will be used once.
Available Security
Controls:
Security guard
Authentication token
Access badge Lighting
Access control vestibule
Fencing
Biometrics
Outside Fencing
Building
Parking and
Visitor drop-off
Fencing, Lighting
Reception Building lobby
Security Guard, Access control vestibule
Data
Center
Door
Entrance from
inside building
Access Badge, Biometrics
Server
Administration
Authentication to
server console
in the data center
Authentication token
Select the most appropriate security category.
Some categories may be used more than once.
Technical
Managerial
Operational
Physical
A guard checks the identification of all visitors
All returns must be approved by a Vice President
A generator is used during a power outage
Building doors can be unlocked with an access card
System logs are transferred automatically to a SIEM
Operational A guard checks the identification of all visitors
Managerial All returns must be approved by a Vice President
Physical A generator is used during a power outage
Physical Building doors can be unlocked with an access card
Technical System logs are transferred automatically to a SIEM
Match the appropriate authentication factor to each description.
Each authentication factor will be used once.
Something you know
Something you are
Something you have
Somewhere you are
Description Authentication Factor
During the login process, your phone receives a
text message with a one-time passcode
Something you have
You enter your PIN to make
a deposit into an ATM
Something you know
You can use your fingerprint to unlock
the door to the data center
Something you are
Your login will not work unless you are
connected to the VPN
Somewhere you are
Configure the following stateful firewall rules:
* Block HTTP sessions between the Web Server and the Database Server
* Allow the Storage Server to transfer files to the Video Server over HTTPS
* Allow the Management Server to use a secure terminal on the File Server
Rule # Source IP Destination
IP
Protocol
(TCP/UDP) Port # Allow/
Block
1 10.1.1.2 10.2.1.20 TCP 80 Block
2 10.2.1.33 10.1.1.7 TCP 443 Allow
3 10.2.1.47 10.1.1.3 TCP 22 Allow
A company has hired a third-party to gather information about the company’s servers and data. This third-party will not have direct access to the company’s internal network, but they can gather information from any other source. Which of the following would BEST describe
this approach?
❍ A. Vulnerability scanning
❍ B. Passive reconnaissance
❍ C. Supply chain analysis
❍ D. Regulatory audit
The Answer: B. Passive reconnaissance
Passive reconnaissance focuses on gathering as much information from
open sources such as social media, corporate websites, and business
organizations.
The incorrect answers:
A. Vulnerability scanning
Some active reconnaissance tests will query systems directly to see if a
vulnerability currently exists.
C. Supply chain analysis
A supply chain analysis will examine the security associated with a
supplier, and the analysis will not provide any information regarding a
company’s own servers and data.
D. Regulatory audit
A regulatory audit is a detailed security analysis based on existing laws or
private guidelines. A regulatory audit commonly requires access to internal
systems and data.
A company’s email server has received an email from a third-party, but the origination server does not match the list of authorized devices. Which of
the following would determine the disposition of this message?
❍ A. SPF
❍ B. NAC
❍ C. DMARC
❍ D. DKIM
The Answer: C. DMARC
DMARC (Domain-based Message Authentication Reporting and
Conformance) specifies the disposition of spam emails. The legitimate
owner of the originating email domain can choose to have these messages
accepted, sent to a spam folder, or rejected.
The incorrect answers:
A. SPF
SPF (Sender Policy Framework) is a list of all authorized mail servers for
a specific domain. All legitimate emails would be sent from one of the
servers listed in the SPF configuration.
B. NAC
NAC (Network Access Control) is a way to limit network access to only
authorized users. NAC is not commonly used to manage the transfer of
email messages.
D. DKIM
DKIM (Domain Keys Identified Mail) provides a way to validate all
digitally signed messages from a specific email server. DKIM does not
determine how the receiving server categorizes these digitally signed
messages.
Which of these threat actors would be MOST likely to attack systems for
direct financial gain?
❍ A. Organized crime
❍ B. Hacktivist
❍ C. Nation state
❍ D. Shadow IT
The Answer: A. Organized crime
An organized crime actor is motivated by money, and their hacking
objectives are usually based around objectives that can be easily exchanged
for financial capital.
The incorrect answers:
B. Hacktivist
A hacktivist is focused on a political agenda and not commonly on a
financial gain.
C. Nation state
Nation states are already well funded, and their primary objective is not
usually based on revenue or income.
D. Shadow IT
Shadow IT describes part of the organization that works around the
existing IT department to build their own applications and infrastructure.
A security administrator has examined a server recently compromised by
an attacker, and has determined the system was exploited due to a known
operating system vulnerability. Which of the following would BEST
describe this finding?
❍ A. Root cause analysis
❍ B. E-discovery
❍ C. Risk appetite
❍ D. Data subject
The Answer: A. Root cause analysis
The goal of a root cause analysis is to explain the ultimate cause of an
incident. Once the cause is known, it becomes easier to protect against
similar attacks in the future.
The incorrect answers:
B. E-discovery
E-discovery relates to the collection, preparation, review, interpretation,
and production of electronic documents. E-discovery itself is not involved
with the research and determination of an attack’s root cause.
C. Risk appetite
A risk appetite describes the amount of risk an organization is willing to
take before taking any action to reduce that risk. Risk appetite is not part
of a root cause analysis.
D. Data subject
A data subject describes any information relating to an identified or
identifiable natural person, especially when describing or managing private
information about the subject.
A city is building an ambulance service network for emergency medical
dispatching. Which of the following should have the highest priority?
❍ A. Integration costs
❍ B. Patch availability
❍ C. System availability
❍ D. Power usage
The Answer: C. System availability
Requests to emergency services are often critical in nature, and it’s
important for a dispatching system to always be available when a call is
made.
The incorrect answers:
A. Integration costs
When lives are on the line, the cost is not commonly the most important
aspect of a system integration.
B. Patch availability
Although it’s important to always keep systems patched, it’s more
important that a life saving service be available to those who might need it.
D. Power usage
Power usage is not usually the most important consideration when
building a critical healthcare and emergency service infrastructure.
A system administrator receives a text alert when access rights are
changed on a database containing private customer information. Which
of the following would describe this alert?
❍ A. Maintenance window
❍ B. Attestation and acknowledgment
❍ C. Automation
❍ D. External audit
The Answer: C. Automation
Automation ensures that compliance checks can be performed on a
regular basis without the need for human intervention. This can be
especially useful to provide alerts when a configuration change causes an
organization to be out of compliance.
The incorrect answers:
A. Maintenance window
A maintenance window describes the scheduling associated with the
change control process. Systems and services generally have limited
availability during a maintenance window.
B. Attestation and acknowledgment
With compliance, the process of attestation and acknowledgment is the
final verification of the formal compliance documentation. An alert from
an automated process would not qualify as attestation.
D. External audit
An external audit can be a valuable tool for verifying the compliance
process, but an automated alert from a monitoring system would not be
part of an external audit.
A security administrator is concerned about the potential for data
exfiltration using external storage drives. Which of the following would
be the BEST way to prevent this method of data exfiltration?
❍ A. Create an operating system security policy to block
the use of removable media
❍ B. Monitor removable media usage in host-based firewall logs
❍ C. Only allow applications that do not use removable media
❍ D. Define a removable media block rule in the UTM
The Answer: A. Create an operating system security policy to prevent
the use of removable media
Removable media uses hot-pluggable interfaces such as USB to connect
storage drives. A security policy in the operating system can prevent any
files from being written to a removable drive.
The incorrect answers:
B. Monitor removable media usage in host-based firewall logs
A host-based firewall monitors traffic flows and does not commonly log
hardware or USB drive access.
C. Only allow applications that do not use removable media
File storage access options are not associated with applications, so it’s not
possible to allow based on external storage drive usage.
D. Define a removable media block rule in the UTM
A UTM (Unified Threat Manager) watches traffic flows across the
network and does not commonly manage the storage options on individual
computers.
A company creates a standard set of government reports each calendar
quarter. Which of the following would describe this type of data?
❍ A. Data in use
❍ B. Obfuscated
❍ C. Trade secrets
❍ D. Regulated
The Answer: D. Regulated
Reports and information created for governmental use are regulated by
laws regarding the disclosure of certain types of data.
The incorrect answers:
A. Data in use
Data in use describes information actively processing in the memory of a
system, such as system RAM, CPU registers, or CPU cache. Government
reports are static documents and are not actively being processed.
B. Obfuscated
Obfuscation describes the modification of data to make something
understandable into something very difficult to understand. Information
contained in a government report is relatively easy to understand and
would not be considered obfuscated data.
C. Trade secrets
Trade secrets are the private details a company uses as part of their normal
business processes, and these trade secrets are not shared with any other
organization or business.
An insurance company has created a set of policies to handle data
breaches. The security team has been given this set of requirements based
on these policies:
* Access records from all devices must be saved and archived
* Any data access outside of normal working hours
must be immediately reported
* Data access must only occur inside of the country
* Access logs and audit reports must be created from a single database
Which of the following should be implemented by the security team to
meet these requirements? (Select THREE)
❍ A. Restrict login access by IP address and GPS location
❍ B. Require government-issued identification
during the onboarding process
❍ C. Add additional password complexity for accounts that access data
❍ D. Conduct monthly permission auditing
❍ E. Consolidate all logs on a SIEM
❍ F. Archive the encryption keys of all disabled accounts
❍ G. Enable time-of-day restrictions on the authentication server
The Answer: A. Restrict login access by IP address and GPS location,
E. Consolidate all logs on a SIEM, and
G. Enable time-of-day restrictions on
the authentication server
Adding location-based policies will prevent direct data access from outside
of the country. Saving log information from all devices and creating audit
reports from a single database can be implemented through the use of a
SIEM (Security Information and Event Manager). Adding a check for the
time-of-day will report any access that occurs during non-working hours.
52 Practice Exam A - Answers
The incorrect answers:
B. Require government-issued identification during the
onboarding process
Requiring proper identification is always a good idea, but it’s not one of
the listed requirements.
C. Add additional password complexity for accounts that access data
Additional password complexity is another good best practice, but it’s not
part of the provided requirements.
D. Conduct monthly permission auditing
No requirements for ongoing auditing were included in the requirements,
but ongoing auditing is always an important consideration.
F. Archive the encryption keys of all disabled accounts
If an account is disabled, there may still be encrypted data that needs to be
recovered later. Archiving the encryption keys will allow access to that data
after the account is no longer in use.
A security engineer, is viewing this record from the firewall logs:
UTC 04/05/2023 03:09:15809 AV Gateway Alert
136.127.92.171 80 -> 10.16.10.14 60818
Gateway Anti-Virus Alert:
XPACK.A_7854 (Trojan) blocked.
Which of the following can be observed from this log information?
❍ A. The victim’s IP address is 136.127.92.171
❍ B. A download was blocked from a web server
❍ C. A botnet DDoS attack was blocked
❍ D. The Trojan was blocked, but the file was not
The Answer: B. A download was blocked from a web server
A traffic flow from a web server port number (80) to a device port (60818)
indicates that this traffic flow originated on port 80 of the web server. A
file download is one of the most common ways to deliver a Trojan, and
this log entry shows that the file containing the XPACK.A_7854 Trojan
was blocked.
The incorrect answers:
A. The victim’s IP address is 136.127.92.171
The format for this log entry uses an arrow to differentiate between the
attacker and the victim. The attacker IP address is 136.127.92.171, and the
victim’s IP address is 10.16.10.14.
C. A botnet DDoS attack was blocked
A botnet attack would not commonly include a Trojan horse as part of a
distributed denial of service (DDoS) attack.
D. The Trojan was blocked, but the file was not
A Trojan horse attack involves malware that is disguised as legitimate
software. The Trojan malware and the file are the same entity, so there isn’t
a way to decouple the malware from the file.
A user connects to a third-party website and receives this message:
Your connection is not private.
NET::ERR_CERT_INVALID
Which of the following attacks would be the MOST likely reason
for this message?
❍ A. Brute force
❍ B. DoS
❍ C. On-path
❍ D. Deauthentication
The Answer: C. On-path
An on-path attack is often associated with a third-party who is actively
intercepting network traffic. This entity in the middle would not be able
to provide a valid SSL certificate for a third-party website, and this error
would appear in the browser as a warning.
The incorrect answers:
A. Brute force
A brute force attack is commonly associated with password hacks. Brute
force attacks would not cause the certificate on a website to be invalid.
B. DoS
A DoS (Denial of Service) attack would prevent communication to a
server and most likely provide a timeout error. This error is not related to a
service availability issue.
D. Deauthentication
Deauthentication attacks are commonly associated with wireless networks,
and they usually cause disconnects and lack of connectivity. The error
message in this example does not appear to be associated with a network
outage or disconnection.
Which of the following would be the BEST way to provide a website
login using existing credentials from a third-party site?
❍ A. Federation
❍ B. 802.1X
❍ C. EAP
❍ D. SSO
The Answer: A. Federation
Federation would allow members of one organization to authenticate
using the credentials of another organization.
The incorrect answers:
B. 802.1X
802.1X is a useful authentication protocol, but it needs additional
functionality to authenticate across multiple user databases.
C. EAP
EAP (Extensible Authentication Protocol) is an authentication
framework commonly associated with network access control. EAP by
itself does not provide the federation needed to authenticate users to a
third-party access database.
D. SSO
SSO (Single Sign-On) describes the process of enabling a single
authentication to grant access to many different network services.
Obtaining login credentials from a third-party access database does not
describe the process used by SSO.
A system administrator is working on a contract that will specify a
minimum required uptime for a set of Internet-facing firewalls. The
administrator needs to know how often the firewall hardware is expected
to fail between repairs. Which of the following would BEST describe this
information?
❍ A. MTBF
❍ B. RTO
❍ C. MTTR
❍ D. RPO
The Answer: A. MTBF
The MTBF (Mean Time Between Failures) is a prediction of how often a
repairable system will fail.
The incorrect answers:
B. RTO
RTO (Recovery Time Objectives) define a set of objectives needed to
restore a particular service level.
C. MTTR
MTTR (Mean Time to Restore) is the amount of time it takes to repair a
component.
D. RPO
RPO (Recovery Point Objective) describes the minimum data or
An attacker calls into a company’s help desk and pretends to be the
director of the company’s manufacturing department. The attacker
states that they have forgotten their password and they need to have the
password reset quickly for an important meeting. What kind of attack
would BEST describe this phone call?
❍ A. Social engineering
❍ B. Supply chain
❍ C. Watering hole
❍ D. On-path
The Answer: A. Social engineering
This social engineering attack uses impersonation to take advantage of
authority and urgency principles in an effort to convince someone else to
circumvent normal security controls.
The incorrect answers:
B. Supply chain
A supply chain attack focuses on the equipment or raw materials used to
deliver products or services to an organization or user. A call to the help
desk would not be categorized as part of the supply chain.
C. Watering hole
A watering hole attack uses a third-party site to perform attacks outside of
a user’s local (and usually more secure) network.
D. On-path
An on-path attack commonly occurs without any knowledge to the parties
involved, and there’s usually no additional notification that an attack is
underway. In this question, the attacker contacted the help desk engineer
directly.
Two companies have been working together for a number of months,
and they would now like to qualify their partnership with a broad formal
agreement between both organizations. Which of the following would
describe this agreement?
❍ A. SLA
❍ B. SOW
❍ C. MOA
❍ D. NDA
The Answer: C. MOA
An MOA (Memorandum of Agreement) is a formal document where
both sides agree to a broad set of goals and objectives associated with the
partnership.
The incorrect answers:
A. SLA
An SLA (Service Level Agreement) is commonly provided as a formal
contract between two parties that documents the minimum terms for
services provided. The SLA often provides very specific requirements and
expectations between both parties.
B. SOW
An SOW (Statement of Work) is a detailed list of items to be completed
as part of overall project deliverables. For example, a list of expected job
tasks associated with a firewall installation would be documented in an
SOW.
D. NDA
An NDA (Non-Disclosure Agreement) is a confidentiality agreement
between parties. This question did not mention any requirement for
privacy or confidentiality.
Which of the following would explain why a company would
automatically add a digital signature to each outgoing email message?
❍ A. Confidentiality
❍ B. Integrity
❍ C. Authentication
❍ D. Availability
The Answer: B. Integrity
Integrity refers to the trustworthiness of data. A digital signature allows
the recipient to confirm that none of the data has been changed since the
digital signature was created.
The incorrect answers:
A. Confidentiality
Confidentiality describes the privacy of data. Encrypting traffic sent over
a VPN or encrypting files stored on a flash drive would be an example of
data confidentiality.
C. Authentication
Authentication refers to the process of verifying the identity of an
individual or system. A username and password is a common method
of authentication, but digital signatures are not commonly used as an
authentication method.
D. Availability
Availability describes the ability of an authorized user to access data.
A digital signature does not provide any features associated with the
availability of the data.
The embedded OS in a company’s time clock appliance is configured to
reset the file system and reboot when a file system error occurs. On one
of the time clocks, this file system error occurs during the startup process
and causes the system to constantly reboot. Which of the following
BEST describes this issue?
❍ A. Memory injection
❍ B. Resource consumption
❍ C. Race condition
❍ D. Malicious update
The Answer: C. Race condition
A race condition occurs when two processes occur at similar times, and
usually with unexpected results. The file system problem can often be fixed
before a reboot, but the reboot is occurring before the fix can be applied.
This has created a race condition that results in constant reboots.
The incorrect answers:
A. Memory injection
A memory injection is commonly used by malicious software to add code
to the memory of an existing process. The issue in this question was related
to a file system error and was not part of a malicious data injection.
B. Resource consumption
If the time clock was running out of storage space or memory, it would
most likely be unusable. In this example, the issue isn’t based on a lack of
resources.
D. Malicious update
A malicious update occurs when a software patch installs unwanted or
unauthorized code. Many attackers will use software patches to install
their own malicious code during a software update.
A recent audit has found that existing password policies do not include
any restrictions on password attempts, and users are not required to
periodically change their passwords. Which of the following would
correct these policy issues? (Select TWO)
❍ A. Password complexity
❍ B. Password expiration
❍ C. Password reuse
❍ D. Account lockout
❍ E. Password managers
The Answer: B. Password expiration and D. Account lockout
Password expiration would require a password change after the expiration
date. An account lockout would disable an account after a predefined
number of unsuccessful login attempts.
The incorrect answers:
A. Password complexity
A complex password would make the password more difficult to brute
force, but it would not solve the issues listed in this question.
C. Password reuse
Maintaining a password history would prevent the reuse of any previous
passwords. Restricting password reuse would ensure that a different
password is used each time a password change is processed.
E. Password managers
A password manager would provide a way to securely store and retrieve
passwords, but it would not resolve any issues relating to password
expirations or account lockouts.
What kind of security control is associated with a login banner?
❍ A. Preventive
❍ B. Deterrent
❍ C. Corrective
❍ D. Detective
❍ E. Compensating
❍ F. Directive
The Answer: B. Deterrent
A deterrent control does not directly stop an attack, but it may discourage
an action.
The incorrect answers:
A. Preventive
A preventive control physically limits access to a device or area.
C. Corrective
A corrective control can actively work to mitigate any damage.
D. Detective
A detective control may not prevent access, but it can identify and record
any intrusion attempts.
E. Compensating
A compensating security control doesn’t prevent an attack, but it does
restore from an attack using other means.
F. Directive
A directive control is relatively weak control which relies on security
compliance from the end users.