Sec+ Objective 2 Test Questions Flashcards

1
Q

A company’s website has been compromised and the website content has been replaced with a political message. Which of the following threat actors would be the MOST likely culprit?

❍ A. Insider
❍ B. Organized crime
❍ C. Shadow IT
❍ D. Hacktivist

A

D. Hacktivist

A hacktivist is motivated by a particular philosophy, and their goal is to spread their message by defacing web sites and releasing private documents. (2.1)

2
Q

A user in the accounting department has received a text message from the CEO. The message requests payment by cryptocurrency for a recently purchased tablet. Which of the following would BEST describe this attack?

❍ A. Brand impersonation
❍ B. Watering hole attack
❍ C. Smishing
❍ D. Typosquatting

A

C. Smishing

Smishing is phishing using SMS (Short Message Service), more commonly referred to as text messaging. A message allegedly from the CEO asking for an unusual payment using cryptocurrency or gift cards would be categorized as smishing. (2.1)

3
Q

Which of these threat actors would be MOST likely to install a company’s internal application on a public cloud provider?

❍ A. Organized crime
❍ B. Nation state
❍ C. Shadow IT
❍ D. Hacktivist

A

C. Shadow IT

Shadow IT is an internal organization within the company but is not part of the IT department. Shadow IT often circumvents or ignores existing IT policies to build their own infrastructure with company resources. (2.1)

4
Q

Which of the following vulnerabilities would be the MOST significant security concern when protecting against a hacktivist?

❍ A. Data center access with only one authentication factor
❍ B. Spoofing of internal IP addresses when accessing an intranet server
❍ C. Employee VPN access uses a weak encryption cipher
❍ D. Lack of patch updates on an Internet-facing database server

A

D. Lack of patch updates on an Internet-facing database server

One of the easiest ways for a third-party to obtain information is through an existing Internet connection. A hacktivist could potentially exploit an unpatched server to obtain unauthorized access to the operating system and data. (2.1)

5
Q

A company maintains a server farm in a large data center. These servers are used internally and are not accessible from outside of the data center. The security team has discovered a group of servers was breached before the latest security patches were applied. Breach attempts were not logged on any other servers. Which of these threat actors would be MOST likely involved in this breach?

❍ A. Organized crime
❍ B. Insider
❍ C. Nation state
❍ D. Unskilled attacker

A

B. Insider

None of these servers are accessible from the outside, and the only servers with any logged connections were also susceptible to the latest vulnerabilities. To complete this attack, the attacker would need very specific knowledge of the vulnerable systems and a way to communicate with those servers. (2.1)

6
Q

Which of the following would be the MOST significant security concern when protecting against organized crime?

❍ A. Prevent users from posting passwords near their workstations
❍ B. Require identification cards for all employees and guests
❍ C. Maintain reliable backup data
❍ D. Use access control vestibules at all data center locations

A

C. Maintain reliable backup data

A common objective for organized crime is an organization’s data, and attacks from organized crime can sometimes encrypt or delete data. A good set of backups can often resolve these issues quickly and without any ransomware payments to an organized crime syndicate. (2.1)

7
Q

Which of these threat actors would be MOST likely to attack systems for direct financial gain?

❍ A. Organized crime
❍ B. Hacktivist
❍ C. Nation state
❍ D. Shadow IT

A

A. Organized crime

An organized crime actor is motivated by money, and their hacking objectives are usually based around targets that can be easily exchanged for financial capital. (2.1)

8
Q

Which of the following external threat actors commonly has limited resources and relatively low attack sophistication?

A) Unskilled
B) Shadow IT
C) Organized crime
D) Nation state
E) Hacktivist

A

A) Unskilled

Unskilled Attackers: Basically the opposite of a Nation State. Low skill, resources, and capability. Motivated by causing disruption and general chaos. They usually run pre-made scripts to attack your organization without really knowing how any of it works. Anyone can do this. Can be internal or external. (2.1)

9
Q

A security technician has noticed unusual behavior from an employee who has access to sensitive customer data. The employee’s actions are suspicious, indicating potential malicious intent. What type of threat actor is the employee most likely categorized as?

A) Organized crime
B) Nation-state
C) Hacktivist
D) Insider threat

A

D) Insider threat

Insider Threat: A threat from the inside of your organization. Someone on the outside can weasel their way in and then betray you. Motivated by revenge and financial gain. In this circumstance, your organization is their funding. They have institutional knowledge, and know which vulnerable systems to hit. (2.1)

10
Q

What are common characteristics of external threat actors? (Select two)

A) Limited access to internal systems
B) Often motivated by financial gain
C) Typically have less sophisticated tools
D) Usually driven by political or ideological beliefs

A

A) Limited access to internal systems
and
B) Often motivated by financial gain

Threat Actor: The entity responsible for an event that has an impact on the safety of another entity. Also called a malicious actor.
The three important attributes to nail down when identifying a threat actor are:
1) Are they internal or external?
2) How much funding/resources do they have?
3) What’s their level of sophistication/capability? (2.1)

11
Q

In a wartime scenario, which threat actors are most likely to be active?

A) Nation-state
B) Insider threats
C) Organized crime
D) Hacktivists

A

A) Nation-state

Nation State: A threat actor external to your organization associated with a government or national security of that government. They could have many motivations for attacking you, with lots of sophistication, capability, and resources. (2.1)

12
Q

A security administrator is concerned about the potential for data exfiltration using external storage drives. Which of the following would be the BEST way to prevent this method of data exfiltration?

❍ A. Create an operating system security policy to block the use of removable media
❍ B. Monitor removable media usage in host-based firewall logs
❍ C. Only allow applications that do not use removable media
❍ D. Define a removable media block rule in the UTM

A

A. Create an operating system security policy to prevent the use of removable media

Removable media uses hot-pluggable interfaces such as USB to connect storage drives. A security policy in the operating system can prevent any files from being written to a removable drive. (2.2)

13
Q

An attacker calls into a company’s help desk and pretends to be the director of the company’s manufacturing department. The attacker states that they have forgotten their password and they need to have the password reset quickly for an important meeting. What kind of attack would BEST describe this phone call?

❍ A. Social engineering
❍ B. Supply chain
❍ C. Watering hole
❍ D. On-path

A

A. Social engineering

This social engineering attack uses impersonation to take advantage of authority and urgency principles in an effort to convince someone else to circumvent normal security controls. (2.2)

14
Q

A remote user has received a text message with a link to login and confirm their upcoming work schedule. Which of the following would BEST describe this attack?

❍ A. Brute force
❍ B. Watering hole
❍ C. Typosquatting
❍ D. Smishing

A

D. Smishing

Smishing, or SMS (Short Message Service) phishing, is a social engineering attack that asks for sensitive information using SMS or text messages. (2.2)

15
Q

A company is in the process of configuring and enabling host-based firewalls on all user devices. Which of the following threats is the company addressing?

❍ A. Default credentials
❍ B. Vishing
❍ C. Instant messaging
❍ D. On-path

A

C. Instant messaging

Instant messaging is commonly used as an attack vector, and one way to help protect against malicious links delivered by instant messaging is a host-based firewall. (2.2)

16
Q

A manufacturing company produces radar used by commercial and military organizations. A recently proposed policy change would allow the use of mobile devices inside the facility. Which of the following would be the MOST significant threat vector issue associated with this change in policy?

❍ A. Unauthorized software on rooted devices
❍ B. Remote access clients on the mobile devices
❍ C. Out of date mobile operating systems
❍ D. Loss of intellectual property

A

D. Loss of intellectual property

The exfiltration of confidential information and intellectual property is relatively simple with an easily transportable mobile phone. Organizations associated with sensitive products or services must always be aware of the potential for information leaks using files, photos, or video. (2.2)

17
Q

An attacker has identified a number of devices on a corporate network with the username of “admin” and the password of “admin.” Which of the following describes this situation?

❍ A. Open service ports
❍ B. Default credentials
❍ C. Unsupported systems
❍ D. Phishing

A

B. Default credentials

When a device is first installed, it will often have a default set of credentials such as admin/password or admin/admin. If these default credentials are never changed, they would allow access by anyone who knows the default configuration. (2.2)

18
Q

A security administrator attends an annual industry convention with other security professionals from around the world. Which of the following attacks would be MOST likely in this situation?

❍ A. Smishing
❍ B. Supply chain
❍ C. SQL injection
❍ D. Watering hole

A

D. Watering hole

A watering hole attack infects a third-party site visited by the intended victims. An industry convention would be a perfect location to attack security professionals. (2.2)

19
Q

When connected to the wireless network, users at a remote site receive an IP address which is not part of the corporate address scheme. Communication over this network is also slower than the wireless connections elsewhere in the building. Which of the following would be the MOST likely reason for these issues?

❍ A. Rogue access point
❍ B. Domain hijack
❍ C. DDoS
❍ D. Encryption is enabled

A

A. Rogue access point

A rogue access point is an unauthorized access point added by a user or attacker. This access point may not necessarily be malicious, but it does create significant security concerns and unauthorized access to the corporate network. (2.2)

20
Q

A company’s network team has been asked to build an IPsec tunnel to a new business partner. Which of the following security risks would be the MOST important to consider?

❍ A. Supply chain attack
❍ B. Unsupported systems
❍ C. Business email compromise
❍ D. Typosquatting

A

A. Supply chain attack

A direct connection to a third-party creates potential access for an attacker. Most organizations will include a firewall to help monitor and protect against any supply chain attacks. (2.2)

21
Q

What are supply chain vectors?

A

Third parties gaining access to your systems through established infrastructure in equipment, using an authorized vendor program to jump to an unauthorized system, and the utilization of counterfeit networking equipment.

22
Q

An access point in a corporate headquarters office has the following configuration:

IP address: 10.1.10.1
Subnet mask: 255.255.255.0
DHCPv4 Server: Enabled
SSID: Wireless
Wireless Mode: 802.11n
Security Mode: WEP-PSK
Frequency band: 2.4 GHz
Software revision: 2.1
MAC Address: 60:3D:26:71:FF:AA
IPv4 Firewall: Enabled

Which of the following would apply to this configuration?

❍ A. Invalid frequency band
❍ B. Weak encryption
❍ C. Incorrect IP address and subnet mask
❍ D. Invalid software version

A

B. Weak encryption

A common issue is weak or outdated security configurations. Older encryption methods such as DES and WEP should be updated to use newer and stronger encryption technologies. (2.2)

23
Q

What type of cyber-attack occurs when employees of a company are tricked by a fake website that looks legitimate?

A) Identity theft
B) Misinformation
C) Watering-hole
D) Spear phishing

A

C) Watering-hole

Watering Hole Attack: An attacker, who cannot gain access to your network by conventional means, “poisons” a third party website that all of your employees visit, thus getting a foot in the door, and attacking your network indirectly. (2.2)

24
Q

A security professional has noticed an increase in phone calls to employees, where the callers pose as IT support staff and request sensitive information such as login credentials. Some employees have unknowingly provided this information. Which technique is most likely being used to deceive employees through phone calls?

A) Typosquatting
B) Watering-hole
C) Vishing
D) Whaling

A

C) Vishing

Vishing: Voice phishing. An attacker lying to you over the phone to get your information. (2.2)

25
Q

Frank was contacted by phone by a person claiming to be an executive vice president urgently requesting that his password be reset. He insisted on the security urgency at hand and informed Frank that his supervisor would be contacted unless he complied immediately. Frank suspected that this was a social engineering attack. Which principles of human manipulation did the attacker attempt on Frank? Choose three.

A) Authority
B) Fright
C) Intimidation
D) Urgency
E) Scarcity
F) Trust

A

A) Authority
C) Intimidation
D) Urgency

Authority is a doubly correct answer here because the call is made by someone impersonating an authority figure and also because of the threat to contact Frank’s supervisor. The intimidation consists of that same threat to contact Frank’s supervisor. Urgency is referenced twice, so it clearly belongs among the correct choices. Neither trust nor scarcity apply in this scenario, and fright is a nonsense distractor, as it is not a recognized category of human manipulation for social engineering. (2.2)

26
Q

A security researcher has been notified of a potential hardware vulnerability. Which of the following should the researcher evaluate as a potential security issue?

❍ A. Firmware versions
❍ B. Firewall configuration
❍ C. SQL requests
❍ D. XSS attachments

A

A. Firmware versions

Firmware describes the software inside of a hardware device and is often used as the operating system of the hardware. Issues with hardware vulnerabilities are usually resolved by updating firmware in the vulnerable system. (2.3)

27
Q

An attacker has circumvented a web-based application to send commands directly to a database. Which of the following would describe this attack type?

❍ A. Downgrade
❍ B. SQL injection
❍ C. Cross-site scripting
❍ D. On-path

A

B. SQL injection

A SQL (Structured Query Language) injection takes advantage of poorly written web applications. These web applications do not properly restrict the user input, and the resulting attack bypasses the application and “injects” SQL commands directly into the database itself. (2.3)

28
Q

What is SQL injection?

A

Structured Query Language Injection. The most common database management system language is SQL. The injection occurs when an attacker puts their own SQL requests into an existing application. The application doesn’t normally allow this because it should be performing input checks. Usually done within a web browser.

29
Q

The embedded OS in a company’s time clock appliance is configured to reset the file system and reboot when a file system error occurs. On one of the time clocks, this file system error occurs during the startup process and causes the system to constantly reboot. Which of the following BEST describes this issue?

❍ A. Memory injection
❍ B. Resource consumption
❍ C. Race condition
❍ D. Malicious update

A

C. Race condition

A race condition occurs when two processes occur at similar times, and usually with unexpected results. The file system problem can often be fixed before a reboot, but the reboot is occurring before the fix can be applied. This has created a race condition that results in constant reboots. (2.3)

30
Q

What is a race condition?

A

Where two events happen at nearly the same time with an application, and the application doesn’t take into account that the two events are happening simultaneously.

31
Q

A network team has installed new access points to support an application launch. In less than 24 hours, the wireless network was attacked and private company information was accessed. Which of the following would be the MOST likely reason for this breach?

❍ A. Race condition
❍ B. Jailbreaking
❍ C. Impersonation
❍ D. Misconfiguration

A

D. Misconfiguration

There are many different configuration options when installing an access point, and it’s likely one of those options allowed an attacker to gain access to the internal network. (2.3)

32
Q

An organization has identified a significant vulnerability in an Internet-facing firewall. The firewall company has stated the firewall is no longer available for sale and there are no plans to create a patch for this vulnerability. Which of the following would BEST describe this issue?

❍ A. End-of-life
❍ B. Improper input handling
❍ C. Improper key management
❍ D. Incompatible OS

A

A. End-of-life

Because the firewall is no longer available for sale, the firewall company has decided to stop supporting and updating the device. A product no longer supported by the manufacturer is considered to be end-of-life. (2.3)

33
Q

An attacker has sent more information than expected in a single API call, and this has allowed the execution of arbitrary code. Which of the following would BEST describe this attack?

❍ A. Buffer overflow
❍ B. Replay attack
❍ C. Cross-site scripting
❍ D. DDoS

A

A. Buffer overflow

The results of a buffer overflow can cause random results, but sometimes the actions can be repeatable and controlled. In the best possible case for the hacker, a buffer overflow can be manipulated to execute code on the remote device. (2.3)

34
Q

What is a buffer overflow?

A

Where an attacker can write more than what’s expected into a particular area of memory and that additional information that they’re writing overflows into another area of memory. It’s a difficult attack to perform, because additional information written onto an application often causes a system to crash.

35
Q

A user with restricted access has typed this text in a search field of an internal web-based application:

USER77' OR '1'='1

After submitting this search request, all database records are displayed on the screen. Which of the following would BEST describe this search?

❍ A. Cross-site scripting
❍ B. Buffer overflow
❍ C. SQL injection
❍ D. SSL stripping

A

C. SQL injection

SQL (Structured Query Language) injection takes advantage of poor input validation to circumvent the application and allows the attacker to query the database directly. (2.3)

36
Q

A company has been informed of a hypervisor vulnerability that could allow users on one virtual machine to access resources on another virtual machine. Which of the following would BEST describe this vulnerability?

❍ A. Containerization
❍ B. Jailbreaking
❍ C. SDN
❍ D. Escape

A

D. Escape

A VM (Virtual Machine) escape is a vulnerability that allows communication between separate VMs. (2.3)

37
Q

In the past, an organization has relied on the curated Apple App Store to avoid issues associated with malware and insecure applications. However, the IT department has discovered an iPhone in the shipping department with applications not available on the Apple App Store. How did the shipping department user install these apps on their mobile device?

❍ A. Side loading
❍ B. Malicious update
❍ C. VM escape
❍ D. Cross-site scripting

A

A. Side loading

If Apple’s iOS has been circumvented using jailbreaking, a user can install apps without using the Apple App Store. Circumventing a curated app store to install an app manually is called side loading. (2.3)

38
Q

A network IPS has created this log entry:

Frame 4: 937 bytes on wire (7496 bits), 937 bytes captured
Ethernet II, Src: HewlettP_82:d8:31, Dst: Cisco_a1:b0:d1
Internet Protocol Version 4, Src: 172.16.22.7, Dst: 10.8.122.244
Transmission Control Protocol, Src Port: 3863, Dst Port: 1433
Application Data: SELECT * FROM users WHERE username='x' or 'x'='x' AND password='x' or 'x'='x'

Which of the following would describe this log entry?

❍ A. Phishing
❍ B. Brute force
❍ C. SQL injection
❍ D. Cross-site scripting

A

C. SQL injection

The SQL injection is contained in the application data. The attacker was attempting to circumvent the authentication through the use of equivalent SQL statements ('x'='x'). (2.3)

39
Q

A security professional is responsible for managing the virtualized infrastructure of a large organization. They have heard about the concept of “VM escape” and its potential security implications. What does the term VM escape refer to in the context of virtualization security?

A) The process of migrating a virtual machine from one host to another
B) A security breach where a malicious actor gains control of the host system from within a virtual machine
C) The practice of cloning virtual machines for backup purposes
D) The deployment of virtual machines across multiple physical hosts for load balancing

A

B) A security breach where a malicious actor gains control of the host system from within a virtual machine

VM Escape: When a VM is able to break out of its self-contained system and interact with the host operating system or hardware on the same hypervisor. (2.3)

40
Q

A security administrator is reviewing authentication logs. The logs show a large number of accounts with at least three failed authentication attempts during the previous week. Which of the following would BEST explain this report data?

❍ A. Downgrade attack
❍ B. Phishing
❍ C. Injection
❍ D. Spraying

A

D. Spraying

A spraying attack attempts to discover login credentials using a small number of authentication attempts. If the password isn’t discovered in those few attempts, the brute force process stops before any account lockouts occur. An attacker could potentially perform a spraying attack across many accounts without any noticeable alerts or alarms. (2.4)

41
Q

What is spraying?

A

Trying to log in with the most popular passwords. If the attacker is unsuccessful, they move on to the next account before getting locked out.

42
Q

A system administrator is viewing this output from a file integrity monitoring report:

15:43:01 - Repairing corrupted file C:\Windows\System32\kernel32.dll
15:43:03 - Repairing corrupted file C:\Windows\System32\netapi32.dll
15:43:07 - Repairing corrupted file C:\Windows\System32\user32.dll
15:43:43 - Repair complete

Which of the following malware types is the MOST likely cause of this output?

❍ A. Ransomware
❍ B. Logic bomb
❍ C. Rootkit
❍ D. Keylogger

A

C. Rootkit

A rootkit modifies operating system files to become part of the core OS. The kernel, user, and networking libraries in Windows are core operating system files. (2.4)

43
Q

What type of vulnerability would be associated with this log information?

GET http://example.com/show.asp?view=../../Windows/system.ini HTTP/1.1

❍ A. Buffer overflow
❍ B. Directory traversal
❍ C. DoS
❍ D. Cross-site scripting

A

B. Directory traversal

Directory traversal attempts to read or access files outside the scope of the web server’s file directory. The pair of dots in a file path (..) refers to the parent directory, so this example is an attempt to move back two parent directories before proceeding into the /Windows directory. In a properly configured web server, this traversal should not be possible. (2.4)

44
Q

What are directory traversals?

A

Web server configuration vulnerability. Allows an attacker to read or write files to a web server that are normally outside the scope of the website’s directory.

45
Q

An attacker has gained access to an application through the use of packet captures. Which of the following would be MOST likely used by the attacker?

❍ A. Overflow
❍ B. Forgery
❍ C. Replay
❍ D. Injection

A

C. Replay

A replay attack uses previously transmitted information to gain access to an application or service. This information is commonly captured in network packets and replayed to the service. (2.4)

46
Q

What is a replay attack?

A

An attacker gathers information shared across the network and then replays what a user did on their computer to communicate with the server, essentially imitating the victim’s computer. Stop this by encrypting your information end to end.

47
Q

A company is receiving complaints of slowness and disconnections to their Internet-facing web server. A network administrator monitors the Internet link and finds excessive bandwidth utilization from thousands of different IP addresses. Which of the following would be the MOST likely reason for these performance issues?

❍ A. DDoS
❍ B. DNS spoofing
❍ C. RFID cloning
❍ D. Wireless jamming

A

A. DDoS

A DDoS (Distributed Denial of Service) is the failure of a service caused by many different remote devices. In this example, the DDoS is related to bandwidth exhaustion caused by excessive server requests. (2.4)

48
Q

Which of the following malware types would cause a workstation to participate in a DDoS?

❍ A. Bot
❍ B. Logic bomb
❍ C. Ransomware
❍ D. Keylogger

A

A. Bot

A bot (robot) is malware that installs itself on a system and then waits for instructions. It’s common for botnets to use thousands of bots to perform DDoS (Distributed Denial of Service) attacks. (2.4)

49
Q

A network technician at a bank has noticed a significant decrease in traffic to the bank’s public website. After additional investigation, the technician finds that users are being directed to a web site which looks similar to the bank’s site but is not under the bank’s control. Flushing the local DNS cache and changing the DNS entry does not have any effect. Which of the following has most likely occurred?

❍ A. DDoS
❍ B. Disassociation attack
❍ C. Buffer overflow
❍ D. Domain hijacking

A

D. Domain hijacking

Domain hijacking will modify the primary DNS (Domain Name System) settings for a domain and allow an attacker to direct users to an IP address controlled by the attacker. (2.4)

50
Q

A user connects to a third-party website and receives this message:

Your connection is not private.
NET::ERR_CERT_INVALID

Which of the following attacks would be the MOST likely reason for this message?

❍ A. Brute force
❍ B. DoS
❍ C. On-path
❍ D. Deauthentication

A

C. On-path

An on-path attack is often associated with a third-party who is actively intercepting network traffic. This entity in the middle would not be able to provide a valid SSL certificate for a third-party website, and this error would appear in the browser as a warning. (2.4)

51
Q

A server administrator at a bank has noticed a decrease in the number of visitors to the bank’s website. Additional research shows that users are being directed to a different IP address than the bank’s web server. Which of the following would MOST likely describe this attack?

❍ A. Deauthentication
❍ B. DDoS
❍ C. Buffer overflow
❍ D. DNS poisoning

A

D. DNS poisoning

DNS poisoning modifies a DNS server so that it returns a different IP address during the name resolution process. If an attacker modifies the DNS information, they can direct client computers to any destination IP address. (2.4)

52
Q

What is DNS poisoning?

A

Redirecting people to whatever IP address you like by modifying a DNS server, modifying the hosts file on a client, or by sending a fake response to a valid DNS request.

53
Q

An attacker has discovered a way to disable a server by sending specially crafted packets from many remote devices to the operating system. When the packet is received, the system crashes and must be rebooted to restore normal operations. Which of the following would BEST describe this attack?

❍ A. Privilege escalation
❍ B. SQL injection
❍ C. Replay attack
❍ D. DDoS

A

D. DDoS

A DDoS (Distributed Denial of Service) is an attack that overwhelms or disables a service to prevent the service from operating normally. Packets from multiple devices that disable a server would be an example of a DDoS attack. (2.4)

54
Q

A security manager has created a report showing intermittent network communication from certain workstations on the internal network to one external IP address. These traffic patterns occur at random times during the day. Which of the following would be the MOST likely reason for these traffic patterns?

❍ A. On-path attack
❍ B. Keylogger
❍ C. Replay attack
❍ D. Brute force

A

B. Keylogger

A keylogger captures keystrokes and occasionally transmits this information to the attacker for analysis. The traffic patterns identified by the security manager could potentially be categorized as malicious keylogger transfers. (2.4)

55
Q

While working from home, users are attending a project meeting over a web conference. When typing in the meeting link, the browser is unexpectedly directed to a different website than the web conference. Users in the office do not have any issues accessing the conference site. Which of the following would be the MOST likely reason for this issue?

❍ A. Buffer overflow
❍ B. Wireless disassociation
❍ C. Amplified DDoS
❍ D. DNS poisoning

A

D. DNS poisoning

An attacker with access to a DNS (Domain Name System) server can modify the DNS configuration files and redirect users to a different website. Anyone using a different DNS server may not see any problems with connectivity to the original site. (2.4)

56
Q

A Linux administrator has received a ticket complaining of response issues with a database server. After connecting to the server, the administrator views this information:

Filesystem Size Used Avail Use% Mounted on
/dev/xvda1 158G 158G 0 100% /

Which of the following would BEST describe this information?

❍ A. Buffer overflow
❍ B. Resource consumption
❍ C. SQL injection
❍ D. Race condition

A

B. Resource consumption

The available storage on the local filesystem has been depleted, and the information shows 0 bytes available. More drive space would need to be available for the server to return to normal response times. (2.4)

57
Q

An attacker has created multiple social media accounts and is posting information in an attempt to get the attention of the media. Which of the following would BEST describe this attack?

❍ A. On-path
❍ B. Watering hole
❍ C. Misinformation campaign
❍ D. Phishing

A

C. Misinformation campaign

Misinformation campaigns are carefully crafted attacks that exploit social media and traditional media. (2.4)

58
Q

A security administrator has found a keylogger installed in an update of the company’s accounting software. Which of the following would prevent the transmission of the collected logs?

❍ A. Prevent the installation of all software
❍ B. Block all unknown outbound network traffic at the Internet firewall
❍ C. Install host-based anti-virus software
❍ D. Scan all incoming email attachments at the email gateway

A

B. Block all unknown outbound network traffic at the Internet firewall

Keylogging software has two major functions: record user input, and transmit that information to a remote location. Local file scanning and software best practices can help prevent the initial installation, and controlling outbound network traffic can block unauthorized file transfers. (2.4)

59
Q

A security administrator has created a new policy prohibiting the use of MD5 hashes due to collision problems. Which of the following describes the reason for this new policy?

❍ A. Two different messages have different hashes
❍ B. The original message can be derived from the hash
❍ C. Two identical messages have the same hash
❍ D. Two different messages share the same hash

A

D. Two different messages share the same hash

A well-designed hashing algorithm will create a unique hash value for every possible input. If two different inputs create the same hash, the hash algorithm has created a collision. (2.4)

60
Q

In terms of cryptographic attacks, what is a collision?

A

A single hash that is exactly the same across two different plaintexts.

61
Q

Which of the following would be the MOST likely result of plaintext application communication?

❍ A. Buffer overflow
❍ B. Replay attack
❍ C. Resource consumption
❍ D. Directory traversal

A

B. Replay attack

To perform a replay attack, the attacker needs to capture the original non-encrypted content. If an application is not using encrypted communication, capturing that data is relatively simple for the attacker. (2.4)

62
Q

A user in the mail room has reported an overall slowdown of his shipping management software. An anti-virus scan did not identify any issues, but a more thorough malware scan identified a kernel driver which is not part of the original operating system installation. Which of the following malware was installed on this system?

❍ A. Rootkit
❍ B. Logic bomb
❍ C. Bloatware
❍ D. Ransomware
❍ E. Keylogger

A

A. Rootkit

A rootkit often modifies core system files and becomes effectively invisible to the rest of the operating system. The modification of system files and specialized kernel-level drivers are common rootkit techniques. (2.4)

63
Q

A user downloaded and installed a utility for compressing and decompressing files. Immediately after installing the utility, the user’s overall workstation performance degraded and it now takes twice as much time to perform any tasks on the computer. Which of the following is the BEST description of this malware infection?

❍ A. Ransomware
❍ B. Bloatware
❍ C. Logic bomb
❍ D. Trojan

A

D. Trojan

A Trojan horse is malicious software that pretends to be something benign. The user will install the software with the expectation that it will perform a particular function, but in reality it is installing malware on the computer. (2.4)

64
Q

An organization has discovered an attacker entering the building using an employee access card, but the employee still has their original card. Which of the following is the most likely explanation?

A) Privilege escalation
B) RFID cloning
C) Brute force
D) Spraying
E) Injection

A

B) RFID cloning

RFID Cloning: Duplicating an access badge to impersonate a legitimate employee and gain access to where they go. (2.4)

65
Q

A security technician notices that a piece of malware is rapidly spreading through the organization’s network, creating copies of itself and consuming network resources. What type of malware attack is described in the scenario, and what is its primary characteristic?

A) The scenario describes a worm attack known for its ability to self-replicate
B) The scenario describes a trojan attack known for its deceptive appearance
C) The scenario describes spyware known for its rapid spread through networks
D) The scenario describes a logic bomb known for consuming network resources

A

A) The scenario describes a worm attack known for its ability to self-replicate

Worm: Malware similar to a virus that can move around from system to system without any user intervention. (2.4)

66
Q

A security engineer notices that several logs from critical network devices, such as firewalls and intrusion detection systems, are missing for a period of several hours, during which a security incident may have occurred. What should the security engineer do to address it?

A) Missing logs indicate that the network devices were not generating any log data during that time, and there is no cause for concern.

B) Missing logs can be a sign of a security incident or a potential breach of the logging system. The security engineer should investigate the cause of the missing logs and take corrective action.

C) The missing logs are a result of log rotation, and the security engineer should configure longer log retention periods.

D) The published documentation regarding log storage is accurate, and no action is required.

A

B) Missing logs can be a sign of a security incident or a potential breach of the logging system. The security engineer should investigate the cause of the missing logs and take corrective action.

Missing Logs: Deleted log information is an indication of compromise; someone is (sloppily) trying to cover their tracks. (2.4)

67
Q

A security professional notices that an unauthorized device has been used to copy the signals from legitimate RFID tags, allowing unauthorized access to a secure area. What type of physical attack is described in the scenario, and how does it work?

A) Environmental attack
B) Brute force attack
C) Cloning attack
D) Social engineering

A

C) Cloning attack

RFID Cloning: Duplicating an access badge to impersonate a legitimate employee and gain access to where they go. (2.4)

68
Q

A security technician discovers that an attacker has gained access to a network and positioned themselves in a way that allows them to intercept and manipulate network traffic. What type of attack is described in the scenario, and how is the attacker positioned?

A) The scenario describes a malicious code attack targeting network devices
B) The scenario describes an on-path attack
C) The scenario describes a rootkit installed on a server
D) The scenario describes a security professional conducting a penetration test

A

B) The scenario describes an on-path attack

On-Path attacks: The attacks formerly known as man-in-the-middle attacks. Attackers get in between two systems and watch, capture, and modify the traffic that flows between them. The attacker is “on your path”. (2.4)

69
Q

A company’s VPN service performs a posture assessment during the login process. Which of the following mitigation techniques would this describe?

❍ A. Encryption
❍ B. Decommissioning
❍ C. Least privilege
❍ D. Configuration enforcement

A

D. Configuration enforcement

A posture assessment evaluates the configuration of a system to ensure all configurations and applications are up to date and as secure as possible. If a configuration does not meet these standards, the user is commonly provided with options for resolving the issue before proceeding. (2.5)

70
Q

During a morning login process, a user’s laptop was moved to a private VLAN and a series of updates were automatically installed. Which of the following would describe this process?

❍ A. Account lockout
❍ B. Configuration enforcement
❍ C. Decommissioning
❍ D. Sideloading

A

B. Configuration enforcement

Many organizations will perform a posture assessment during the login process to verify the proper security controls are in place. If the device does not pass the assessment, the system can be quarantined and any missing security updates can then be installed. (2.5)

71
Q

A manufacturing company would like to use an existing router to separate a corporate network from a manufacturing floor. Both networks use the same physical switch, and the company does not want to install any additional hardware. Which of the following would be the BEST choice for this segmentation?

❍ A. Connect the corporate network and the manufacturing floor with a VPN
❍ B. Build an air gapped manufacturing floor network
❍ C. Use host-based firewalls on each device
❍ D. Create separate VLANs for the corporate network and the manufacturing floor

A

D. Create separate VLANs for the corporate network and the manufacturing floor

Creating VLANs (Virtual Local Area Networks) will segment a network without requiring additional switches. (2.5)

72
Q

A security administrator has performed an audit of the organization’s production web servers, and the results have identified default configurations, web services running from a privileged account, and inconsistencies with SSL certificates. Which of the following would be the BEST way to resolve these issues?

❍ A. Server hardening
❍ B. Multi-factor authentication
❍ C. Enable HTTPS
❍ D. Run operating system updates

A

A. Server hardening

Many applications and services include secure configuration guides to assist in hardening the system. These hardening steps will make the system as secure as possible while simultaneously allowing the application to run efficiently. (2.5)

73
Q

A system administrator would like to segment the network to give the marketing, accounting, and manufacturing departments their own private network. The network communication between departments would be restricted for additional security. Which of the following should be configured on this network?

❍ A. VPN
❍ B. RBAC
❍ C. VLAN
❍ D. SDN

A

C. VLAN

A VLAN (Virtual Local Area Network) is a common method of using a switch to logically segment a network. The devices in each segmented VLAN can only communicate with other devices in the same VLAN. A router is used to connect VLANs, and this router can often be used to control traffic flows between the VLANs. (2.5)

74
Q

A security administrator has been tasked with hardening all internal web servers to control access from certain IP address ranges and ensure all transferred data remains confidential. Which of the following should the administrator include in his project plan? (Select TWO)

❍ A. Change the administrator password
❍ B. Use HTTPS for all server communication
❍ C. Uninstall all unused software
❍ D. Enable a host-based firewall
❍ E. Install the latest operating system update

A

B. Use HTTPS for all server communication,
and
D. Enable a host-based firewall

Using the secure HTTPS (Hypertext Transfer Protocol Secure) protocol will ensure that all network communication is encrypted between the web server and the client devices. A host-based firewall can be used to allow or disallow traffic from certain IP address ranges. (2.5)

75
Q

A security manager believes that an employee is using their laptop to circumvent the corporate Internet security controls through the use of a cellular hotspot. Which of the following could be used to validate this belief? (Select TWO)

❍ A. HIPS
❍ B. UTM logs
❍ C. Web application firewall events
❍ D. Host-based firewall logs
❍ E. Next-generation firewall logs

A

A. HIPS
and
D. Host-based firewall logs

If the laptop is not communicating across the corporate network, then the only evidence of the traffic would be contained on the laptop itself. HIPS (Host-based Intrusion Prevention System) logs and host-based firewall logs may contain information about recent traffic flows to systems outside of the corporate network. (2.5)

76
Q

A security administrator is reviewing a report showing a number of devices on internal networks are connecting with servers in the data center network. Which of the following security systems should be added to prevent internal systems from accessing data center devices?

❍ A. VPN
❍ B. IPS
❍ C. SIEM
❍ D. ACL

A

D. ACL

An ACL (Access Control List) is a security control commonly implemented on routers to allow or restrict traffic flows through the network. (2.5)

77
Q

A security administrator is installing a web server with a newly built operating system. Which of the following would be the best way to harden this OS?

❍ A. Create a backup schedule
❍ B. Install a device certificate
❍ C. Remove unnecessary software
❍ D. Disable power management features

A

C. Remove unnecessary software

The process of hardening an operating system makes it more difficult to attack. In this example, the only step that would limit the attack surface is to remove any unnecessary or unused software. (2.5)

78
Q

A company has identified a web server data breach resulting in the theft of financial records from 150 million customers. A security update to the company’s web server software was available for two months prior to the breach. Which of the following would have prevented this breach from occurring?

❍ A. Patch management
❍ B. Full disk encryption
❍ C. Disabling unnecessary services
❍ D. Application allow lists

A

A. Patch management

This question describes an actual breach which occurred in 2017 to web servers at a large credit bureau. This breach resulted in the release of almost 150 million customer names, Social Security numbers, addresses, and birth dates. A web server vulnerability announced in March of 2017 was left unpatched, and attackers exploited the vulnerability two months later. The attackers were in the credit bureau network for 76 days before they were discovered. A formal patch management process would have clearly identified this vulnerability and would have given the credit bureau the opportunity to mitigate or patch the vulnerability well before it would have been exploited. (2.5)

79
Q

An application team has been provided with a hardened version of Linux to use with a new application installation, and this includes installing a web service and the application code on the server. Which of the following would BEST protect the application from attacks?

❍ A. Build a backup server for the application
❍ B. Run the application in a cloud-based environment
❍ C. Implement a secure configuration of the web service
❍ D. Send application logs to the SIEM via syslog

A

C. Implement a secure configuration of the web service

The tech support resources for many services will include a list of hardening recommendations. This hardening may include account restrictions, file permission settings, internal service configuration options, and other settings to ensure that the service is as secure as possible. (2.5)

80
Q

Which of the answers listed below refers to software technology designed to provide confidentiality for an entire data storage device?

A) TPM
B) FDE
C) EFS
D) HSM

A

B) FDE (Full Disk Encryption)

Encryption Hardening Techniques: Ensure file systems are encrypted, either EFS or FDE, and encrypt your network with a VPN. (2.5)

81
Q

An organization wants to enhance its security measures to prevent employees from inadvertently installing harmful applications. What is the most effective strategy?

A) Regular malware scans
B) VPN implementation
C) Implementing an application allow list
D) User access control

A

C) Implementing an application allow list

Application Allow/Deny List: Ensuring only legitimate applications are used on a system. Allow List = Nothing runs unless it’s approved. Deny List = Everything can run except the things denied. (2.5)

82
Q

A security administrator is responsible for securing servers in a data center. They implement a security measure to control incoming and outgoing network traffic on each server to protect against unauthorized access and network-based attacks. What hardening technique is the security administrator primarily implementing to enhance server security in this scenario?

A) Default password changes
B) Host-based firewall
C) Encryption
D) Removal of unnecessary software

A

B) Host-based firewall

Host-based firewall: Software-based firewall that runs behind the scenes on every endpoint. Allows or disallows incoming or outgoing application traffic. Identifies and blocks unknown processes. (2.5)

83
Q

In a corporate network, the IT department wants to implement a solution that divides the network based on security requirements. What mitigation technique is the IT department planning to implement to enhance network security in this scenario?

A) Least privilege
B) Patching
C) Segmentation
D) Encryption

A

C) Segmentation

Physical segmentation: Devices confined within a specific network that are unable to access other networks because the physical devices between the two networks are not physically connected.
Logical segmentation: Devices ARE connected to the same physical switch, but they are separated on the switch via VLANs. (2.5 and 4.3)