Sec+ Objective 4 Test Questions Flashcards

1
Q

A company is creating a security policy for corporate mobile devices:

  • All mobile devices must be automatically locked after a predefined time period.
  • The location of each device needs to be traceable.
  • All of the user’s information should be completely separate from company data.

Which of the following would be the BEST way to establish these security policy rules?

❍ A. Segmentation
❍ B. Biometrics
❍ C. COPE
❍ D. MDM

A

D. MDM

An MDM (Mobile Device Manager) provides a centralized management system for all mobile devices. From this central console, security administrators can set policies for many different types of mobile devices. (4.1)

2
Q

A company has placed a SCADA system on a segmented network with limited access from the rest of the corporate network. Which of the following would describe this process?

❍ A. Load balancing
❍ B. Least privilege
❍ C. Data retention
❍ D. Hardening

A

D. Hardening

The hardening process for an industrial SCADA (Supervisory Control and Data Acquisition) system might include network segmentation, additional firewall controls, and the implementation of access control lists. (4.1)

3
Q

What is SCADA?

A

Supervisory Control and Data Acquisition system; also known as ICS (Industrial Control Systems). Essentially large-scale industrial networking: various building and plant controls communicating with one another over the network, usually managed from a single computer.

4
Q

A company is deploying a new application to all employees in the field. Some of the problems associated with this rollout include:

  • The company does not have a way to manage the devices in the field
  • Team members have many different kinds of mobile devices
  • The same device needs to be used for both corporate and private use

Which of the following deployment models would address these concerns?

❍ A. CYOD
❍ B. SSO
❍ C. COPE
❍ D. BYOD

A

C. COPE

A COPE (Corporate-owned, Personally Enabled) device would solve the issue of device standardization and would allow the device to be used for both corporate access and personal use. (4.1)

5
Q

A security administrator is configuring the authentication process used by technicians when logging into wireless access points and switches. Instead of using local accounts, the administrator would like to pass all login requests to a centralized database. Which of the following would be the BEST way to implement this requirement?

❍ A. COPE
❍ B. AAA
❍ C. IPsec
❍ D. SIEM

A

B. AAA

Using AAA (Authentication, Authorization, and Accounting) is a common method of centralizing authentication. Instead of having separate local accounts on different devices, users can authenticate with account information maintained in a centralized database. (4.1)

6
Q

A company is installing access points in all of their remote sites. Which of the following would provide confidentiality for all wireless data?

❍ A. 802.1X
❍ B. WPA3
❍ C. RADIUS
❍ D. MDM

A

B. WPA3

WPA3 (Wi-Fi Protected Access 3) is an encryption protocol used on wireless networks. All data sent over a WPA3-protected wireless network will be encrypted. (4.1)

7
Q

A security administrator has identified an internally developed application which allows modification of SQL queries through the web-based frontend. Which of the following changes would resolve this vulnerability?

❍ A. Store all credentials as salted hashes
❍ B. Verify the application’s digital signature
❍ C. Validate all application input
❍ D. Obfuscate the application’s source code

A

C. Validate all application input

Input validation would examine the input from the client and make sure that the input is expected and not malicious. In this example, validating the input would prevent any SQL (Structured Query Language) injection through the web front-end. (4.1)

8
Q

In terms of application security, what is input validation?

A

A check built into the application code. Application developers perform input validation on information going into their application. It ensures that any unexpected data entered into one of those inputs will not be interpreted by the application: they check that what is submitted to the app matches what is actually supposed to go in there.

9
Q

A network administrator is viewing a log file from a web server:

https://www.example.com/?s=/Index/think/app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][0]=__HelloThinkPHP

Which of the following would be the BEST way to prevent this attack?

❍ A. Static code analyzer
❍ B. Input validation
❍ C. Allow list
❍ D. Secure cookies

A

B. Input validation

In this example, the attacker is attempting to use a remote code execution exploit. Input validation can be used to create a very specific filter of allowed input, and a strict validation process would have prevented the web server from processing this attack information. (4.1)

10
Q

A system administrator has configured MAC filtering on their corporate access point, but access logs show unauthorized users accessing the network. Which of the following should the administrator configure to prevent future unauthorized use?

❍ A. Enable WPA3 encryption
❍ B. Remove unauthorized MAC addresses from the filter
❍ C. Modify the SSID name
❍ D. Modify the channel frequencies

A

A. Enable WPA3 encryption

A MAC (Media Access Control) address can be spoofed on a remote device, which means anyone within the vicinity of the access point can view and use legitimate MAC addresses. To ensure proper authentication, the system administrator can enable WPA3 (Wi-Fi Protected Access version 3) with a pre-shared key or 802.1X can be used to integrate with an existing authentication database. (4.1)

11
Q

Which of the following deployment models would a company follow if they require individuals to use their personal phones for work purposes?

❍ A. CYOD
❍ B. MDM
❍ C. BYOD
❍ D. COPE

A

C. BYOD

BYOD (Bring Your Own Device) is a model where the employee owns the mobile device but can also use the same device for work. (4.1)

12
Q

When decommissioning a device, a company documents the type and size of storage drive, the amount of RAM, and any installed adapter cards. Which of the following describes this process?

❍ A. Destruction
❍ B. Sanitization
❍ C. Certification
❍ D. Enumeration

A

D. Enumeration

Enumeration describes the detailed listing of all parts in a particular device. For a computer, this could include the CPU type, memory, storage drive details, keyboard model, and more. (4.2)

13
Q

A company has deployed laptops to all employees, and each laptop is enumerated during each login. Which of the following is supported with this configuration?

❍ A. If the laptop hardware is modified, the security team is alerted
❍ B. Any malware identified on the system is automatically deleted
❍ C. Users are required to use at least two factors of authentication
❍ D. The laptop is added to a private VLAN after the login process

A

A. If the laptop hardware is modified, the security team is alerted

The enumeration process identifies and reports on the hardware and software installed on the laptop. If this configuration is changed, an alert can be generated. (4.2)

14
Q

A financial services company is headquartered in an area with a high occurrence of tropical storms and hurricanes. Which of the following would be MOST important when restoring services disabled by a storm?

❍ A. Disaster recovery plan
❍ B. Stakeholder management
❍ C. Change management
❍ D. Retention policies

A

A. Disaster recovery plan

A disaster recovery plan is a comprehensive set of processes for large-scale outages that affect the organization. Natural disasters, technology failures, and human-created disasters would be reasons to implement a disaster recovery plan. (4.2)

15
Q

A finance company is legally required to maintain seven years of tax records for all of their customers. Which of the following would be the BEST way to implement this requirement?

❍ A. Automate a script to remove all tax information more than seven years old
❍ B. Print and store all tax records in a seven-year cycle
❍ C. Allow users to download tax records from their account login
❍ D. Create a separate daily backup archive for all applicable tax records

A

D. Create a separate daily backup archive for all applicable tax records

An important consideration for a data retention mandate is to always have access to the information over the required time frame. In this example, a daily backup would ensure tax information is continuously archived over a seven-year period and could always be retrieved if needed. If data were inadvertently deleted from primary storage, the backup would still maintain a copy. (4.2)

16
Q

An internal audit has discovered four servers that have not been updated in over a year, and it will take two weeks to test and deploy the latest patches. Which of the following would be the best way to quickly respond to this situation in the meantime?

❍ A. Purchase cybersecurity insurance
❍ B. Implement an exception for all data center services
❍ C. Move the servers to a protected segment
❍ D. Hire a third-party to perform an extensive audit

A

C. Move the servers to a protected segment

Segmenting the servers to their own protected network would allow for additional security controls while still maintaining the uptime and availability of the systems. (4.3)

17
Q

A security engineer runs a monthly vulnerability scan. The scan doesn’t list any vulnerabilities for Windows servers, but a significant vulnerability was announced last week and none of the servers are patched yet. Which of the following best describes this result?

❍ A. Exploit
❍ B. Compensating controls
❍ C. Zero-day attack
❍ D. False negative

A

D. False negative

A false negative is a result that fails to detect an issue when one actually exists. (4.3)

18
Q

A company has just purchased a new application server, and the security director wants to determine if the system is secure. The system is currently installed in a test environment and will not be available to users until the roll out to production next week. Which of the following would be the BEST way to determine if any part of the system can be exploited?

❍ A. Tabletop exercise
❍ B. Vulnerability scanner
❍ C. DDoS
❍ D. Penetration test

A

D. Penetration test

A penetration test can be used to actively exploit potential vulnerabilities in a system or application. This could cause a denial of service or loss of data, so the best practice is to perform the penetration test during nonproduction hours or in a test environment. (4.3)

19
Q

A security engineer is preparing to conduct a penetration test of a third party website. Part of the preparation involves reading through social media posts for information about this site. Which of the following describes this practice?

❍ A. Partially known environment
❍ B. OSINT
❍ C. Exfiltration
❍ D. Active reconnaissance

A

B. OSINT

OSINT (Open Source Intelligence) describes the process of obtaining information from open sources such as social media sites, corporate websites, online forums, and other publicly available locations. (4.3)

20
Q

What is OSINT?

A

Publicly available information, gathered from a variety of sources, that gives insight into the latest threats and attacks to watch out for on your systems.

21
Q

Which of the following would a company use to calculate the loss of a business activity if a vulnerability is exploited?

❍ A. Risk tolerance
❍ B. Vulnerability classification
❍ C. Environmental variables
❍ D. Exposure factor

A

D. Exposure factor

An exposure factor describes a loss of value to the organization. For example, a network throughput issue might limit access to half of the users, creating a 50% exposure factor. A completely disabled service would be calculated as a 100% exposure factor. (4.3)

22
Q

What is exposure factor?

A

Usually represented as a percentage, it tells you how much loss the organization would suffer if that vulnerability remained on your system and were exploited. If the impact is minor, the percentage will be small; if it is major, the percentage will be high.

23
Q

Which of the following would be a common result of a successful vulnerability scan?

❍ A. Usernames and password hashes from a server
❍ B. A list of missing software patches
❍ C. A copy of image files from a private file share
❍ D. The BIOS configuration of a server

A

B. A list of missing software patches

A vulnerability scan can identify vulnerabilities and list the patches associated with those vulnerabilities. (4.3)

24
Q

An organization has received a vulnerability scan report of their Internet-facing web servers. The report shows the servers have multiple Sun Java Runtime Environment (JRE) vulnerabilities, but the server administrator has verified that JRE is not installed. Which of the following would be the BEST way to handle this report?

❍ A. Install the latest version of JRE on the server
❍ B. Quarantine the server and scan for malware
❍ C. Harden the operating system of the web server
❍ D. Ignore the JRE vulnerability alert

A

D. Ignore the JRE vulnerability alert

It’s relatively common for vulnerability scans to show vulnerabilities that don’t actually exist, especially if the scans are not credentialed. An issue that is identified but does not actually exist is a false positive, and it can be dismissed once the alert has been properly researched. (4.3)

25
Q

A company is using SCAP as part of their security monitoring processes. Which of the following would BEST describe this implementation?

❍ A. Train the user community to better identify phishing attempts
❍ B. Present the results of an internal audit to the board
❍ C. Automate the validation and patching of security issues
❍ D. Identify and document authorized data center visitors

A

C. Automate the validation and patching of security issues

SCAP (Security Content Automation Protocol) focuses on the standardization of vulnerability management across multiple security tools. This allows different tools to identify and act on the same security criteria. (4.4)

26
Q

What is SCAP?

A

Security Content Automation Protocol. The consolidation of vulnerabilities found by multiple firewalls, IPSs, vulnerability scanners, etc. into a single common language, so that all of these devices can communicate and work together to find threats.

27
Q

The security policies in a manufacturing company prohibit the transmission of customer information. However, a security administrator has received an alert that credit card numbers were transmitted as an email attachment. Which of the following was the MOST likely source of this alert message?

❍ A. IPS
❍ B. DLP
❍ C. RADIUS
❍ D. IPsec

A

B. DLP

DLP (Data Loss Prevention) technologies can identify and block the transmission of sensitive data across the network. (4.4)

28
Q

What is DLP?

A

Data Loss Prevention. Looks for and stops sensitive data you don’t want traversing your network. If someone sends their social security number over the network, DLP stops it.

29
Q

A security administrator receives a report each week showing a Linux vulnerability associated with a Windows server. Which of the following would prevent this information from appearing in the report?

❍ A. Alert tuning
❍ B. Application benchmarking
❍ C. SIEM aggregation
❍ D. Data archiving

A

A. Alert tuning

Our monitoring systems are not always perfect, and many require ongoing tuning to properly configure alerts and notifications of important events. (4.4)

30
Q

A company has identified a compromised server, and the security team would like to know if an attacker has used this device to move between systems. Which of the following would be the BEST way to provide this information?

❍ A. DNS server logs
❍ B. Penetration test
❍ C. NetFlow logs
❍ D. Email metadata

A

C. NetFlow logs

NetFlow information can provide a summary of network traffic, application usage, and details of network conversations. The NetFlow logs will show all conversations from this device to any others in the network. (4.4)

31
Q

What is NetFlow?

A

Gathers statistics and data from the raw traffic crossing your network. It consists of a probe and a collector: the probe gathers the data and then exports it to the collector.

32
Q

A newly installed IPS is flagging a legitimate corporate application as malicious network traffic. Which of the following would be the BEST way to resolve this issue?

❍ A. Disable the IPS signature
❍ B. Block the application
❍ C. Log all IPS events
❍ D. Tune the IPS alerts

A

D. Tune the IPS alerts

Each signature of an IPS can commonly be tuned to properly alert on a legitimate issue. Tuning the IPS can properly identify and block attacks and allow all legitimate traffic. (4.4)

33
Q

A company’s email server has received an email from a third-party, but the origination server does not match the list of authorized devices. Which of the following would determine the disposition of this message?

❍ A. SPF
❍ B. NAC
❍ C. DMARC
❍ D. DKIM

A

C. DMARC

DMARC (Domain-based Message Authentication, Reporting, and Conformance) specifies the disposition of spam emails. The legitimate owner of the originating email domain can choose to have these messages accepted, sent to a spam folder, or rejected. (4.5)

34
Q

A security administrator needs to block users from visiting websites hosting malicious software. Which of the following would be the BEST way to control this access?

❍ A. Honeynet
❍ B. Data masking
❍ C. DNS filtering
❍ D. Data loss prevention

A

C. DNS filtering

DNS filtering uses a database of known malicious websites to resolve an incorrect or null IP address. If a user attempts to visit a known malicious site, the DNS resolution will fail and the user will not be able to visit the website. (4.5)

35
Q

A security administrator is configuring a DNS server with a SPF record. Which of the following would be the reason for this configuration?

❍ A. Transmit all outgoing email over an encrypted tunnel
❍ B. List all servers authorized to send emails
❍ C. Digitally sign all outgoing email messages
❍ D. Obtain disposition instructions for emails marked as spam

A

B. List all servers authorized to send emails

SPF (Sender Policy Framework) is used to publish a list of all authorized email servers for a specific domain. (4.5)

36
Q

Which of the following would be the BEST way for an organization to verify the digital signature provided by an external email server?

❍ A. Perform a vulnerability scan
❍ B. View the server’s device certificate
❍ C. Authenticate to a RADIUS server
❍ D. Check the DKIM record

A

D. Check the DKIM record

A DKIM (DomainKeys Identified Mail) record is a DNS (Domain Name System) entry that includes the public key associated with an email server’s digital signatures. A legitimate email server will digitally sign all outgoing emails and publish the public key in its DNS for third-party validation. (4.5)

37
Q

A recent security audit has discovered usernames and passwords which can be easily viewed in a packet capture. Which of the following did the audit identify?

❍ A. Weak encryption
❍ B. Improper patch management
❍ C. Insecure protocols
❍ D. Open ports

A

C. Insecure protocols

An insecure authentication protocol will transmit information “in the clear,” or without any type of encryption or protection. (4.5)

38
Q

A system administrator believes that certain configuration files on a Linux server have been modified from their original state. The administrator has reverted the configurations to their original state, but he would like to be notified if they are changed again. Which of the following would be the BEST way to provide this functionality?

❍ A. HIPS
❍ B. File integrity monitoring
❍ C. Application allow list
❍ D. WAF

A

B. File integrity monitoring

File integrity monitoring software (e.g., Tripwire, System File Checker) can be used to alert if the contents of a file are modified. (4.5)

39
Q

A new malware variant takes advantage of a vulnerability in a popular email client. Once installed, the malware forwards all email attachments with credit card information to an external email address. Which of the following would limit the scope of this attack?

❍ A. Enable MFA on the email client
❍ B. Scan outgoing traffic with DLP
❍ C. Require users to enable the VPN when using email
❍ D. Update the list of malicious URLs in the firewall

A

B. Scan outgoing traffic with DLP

DLP (Data Loss Prevention) systems are designed to identify sensitive data transfers. If the DLP finds a data transfer with financial details, personal information, or other private information, the DLP can block the data transfer. (4.5)

40
Q

A security administrator has installed a new firewall to protect a web server VLAN. The application owner requires all web server sessions communicate over an encrypted channel. Which rule should the security administrator add to the firewall rulebase?

❍ A. Source: ANY, Destination: ANY, Protocol: TCP, Port: 23, Deny
❍ B. Source: ANY, Destination: ANY, Protocol: TCP, Port: 22, Allow
❍ C. Source: ANY, Destination: ANY, Protocol: TCP, Port: 80, Allow
❍ D. Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Allow

A

D. Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Allow

Most web servers use tcp/443 for HTTPS (Hypertext Transfer Protocol Secure), which provides encrypted web server communication. This rule allows HTTPS-encrypted traffic to be forwarded to the web server over tcp/443. (4.5)

41
Q

A system administrator has installed a new firewall between the corporate user network and the data center network. When the firewall is turned on with the default settings, users complain the application in the data center is no longer working. Which of the following would be the BEST way to correct this application issue?

❍ A. Create a single firewall rule with an explicit deny
❍ B. Build a separate VLAN for the application
❍ C. Create firewall rules that match the application traffic flow
❍ D. Enable firewall threat blocking

A

C. Create firewall rules that match the application traffic flow

By default, most firewalls implicitly deny all traffic. Firewall rules must be built to match the traffic flows, and only then will traffic pass through the firewall. (4.5)

42
Q

An insurance company has created a set of policies to handle data breaches. The security team has been given this set of requirements based on these policies:

  • Access records from all devices must be saved and archived
  • Any data access outside of normal working hours must be immediately reported
  • Data access must only occur inside of the country
  • Access logs and audit reports must be created from a single database

Which of the following should be implemented by the security team to meet these requirements? (Select THREE)

❍ A. Restrict login access by IP address and GPS location
❍ B. Require government-issued identification during the onboarding process
❍ C. Add additional password complexity for accounts that access data
❍ D. Conduct monthly permission auditing
❍ E. Consolidate all logs on a SIEM
❍ F. Archive the encryption keys of all disabled accounts
❍ G. Enable time-of-day restrictions on the authentication server

A

A. Restrict login access by IP address and GPS location,
E. Consolidate all logs on a SIEM, and
G. Enable time-of-day restrictions on the authentication server

Adding location-based policies will prevent direct data access from outside of the country. Saving log information from all devices and creating audit reports from a single database can be implemented through the use of a SIEM (Security Information and Event Manager). Adding a check for the time-of-day will report any access that occurs during non-working hours. (4.6)

43
Q

Which of the following would be the BEST way to provide a website login using existing credentials from a third-party site?

❍ A. Federation
❍ B. 802.1X
❍ C. EAP
❍ D. SSO

A

A. Federation

Federation would allow members of one organization to authenticate using the credentials of another organization. (4.6)

44
Q

A recent audit has found that existing password policies do not include any restrictions on password attempts, and users are not required to periodically change their passwords. Which of the following would correct these policy issues? (Select TWO)

❍ A. Password complexity
❍ B. Password expiration
❍ C. Password reuse
❍ D. Account lockout
❍ E. Password managers

A

B. Password expiration and
D. Account lockout

Password expiration would require a password change after the expiration date. An account lockout would disable an account after a predefined number of unsuccessful login attempts. (4.6)

45
Q

A user has assigned individual rights and permissions to a file on their network drive. The user adds three additional individuals to have read only access to the file. Which of the following would describe this access control model?

❍ A. Discretionary
❍ B. Mandatory
❍ C. Attribute-based
❍ D. Role-based

A

A. Discretionary

Discretionary access control is used in many operating systems, and this model allows the owner of the resource to control who has access. (4.6)

46
Q

Which of the following describes two-factor authentication?

❍ A. A printer uses a password and a PIN
❍ B. The door to a building requires a fingerprint scan
❍ C. An application requires a pseudo-random code
❍ D. A Windows Domain requires a password and smart card

A

D. A Windows Domain requires a password and smart card

The multiple factors of authentication for this Windows Domain are a password (something you know), and a smart card (something you have). (4.6)

47
Q

A user is authenticating through the use of a PIN and a fingerprint. Which of the following would describe these authentication factors?

❍ A. Something you know, something you are
❍ B. Something you are, somewhere you are
❍ C. Something you have, something you know
❍ D. Somewhere you are, something you are

A

A. Something you know, something you are

A PIN (Personal Identification Number) is something you know, and a fingerprint is something you are. (4.6)

48
Q

A recent audit has determined that many IT department accounts have been granted Administrator access. The audit recommends replacing these permissions with limited access rights. Which of the following would describe this policy?

❍ A. Password vaulting
❍ B. Offboarding
❍ C. Least privilege
❍ D. Discretionary access control

A

C. Least privilege

The policy of least privilege limits the rights and permissions of a user account to only the access required to accomplish their objectives. This policy would limit the scope of an attack originating from a user in the IT department. (4.6)

49
Q

A company has rolled out a new application that requires the use of a hardware-based token generator. Which of the following would be the BEST description of this access feature?

❍ A. Something you know
❍ B. Somewhere you are
❍ C. Something you are
❍ D. Something you have

A

D. Something you have

The use of the hardware token generator requires the user be in possession of the device during the login process. (4.6)

50
Q

A system administrator is implementing a password policy that would require letters, numbers, and special characters to be included in every password. Which of the following controls MUST be in place to enforce this password policy?

❍ A. Length
❍ B. Expiration
❍ C. Reuse
❍ D. Complexity

A

D. Complexity

Adding different types of characters to a password requires technical controls that increase password complexity. (4.6)

51
Q

A security administrator is updating the network infrastructure to support 802.1X. Which of the following would be the BEST choice for this configuration?

❍ A. LDAP
❍ B. SIEM
❍ C. SNMP traps
❍ D. SPF

A

A. LDAP

802.1X is a standard for authentication, and LDAP (Lightweight Directory Access Protocol) is a common protocol used for centralized authentication. Other protocols such as RADIUS, TACACS+, or Kerberos would also be options for 802.1X authentication. (4.6)

52
Q

A security administrator is using an access control where each file or folder is assigned a security clearance level, such as “confidential” or “secret.” The security administrator then assigns a maximum security level to each user. What type of access control is used in this network?

❍ A. Mandatory
❍ B. Rule-based
❍ C. Discretionary
❍ D. Role-based

A

A. Mandatory

Mandatory access control uses a series of security levels (e.g., public, private, secret) and assigns those levels to each object in the operating system. Users are assigned a security level, and they would only have access to objects that are at or below that assigned security level. (4.6)

53
Q

A system administrator is implementing a fingerprint scanner to provide access to the data center. Which of the following authentication technologies would be associated with this access?

❍ A. Digital signature
❍ B. Hard authentication token
❍ C. Security key
❍ D. Something you are

A

D. Something you are

An authentication factor of “something you are” often refers to a physical characteristic. This factor commonly uses fingerprints, facial recognition, or some other biometric characteristic to match a user to an authentication attempt. (4.6)

54
Q

Which of these would be used to provide multi-factor authentication?

❍ A. USB-connected storage drive with FDE
❍ B. Employee policy manual
❍ C. Just-in-time permissions
❍ D. Smart card with picture ID

A

D. Smart card with picture ID

A smart card commonly includes a certificate that can be used as the “something you have” factor of multifactor authentication. These smart cards are commonly combined with an employee identification card, and often require a separate PIN (Personal Identification Number) as an additional authentication factor. (4.6)

55
Q

In an environment using discretionary access controls, which of these would control the rights and permissions associated with a file or directory?

❍ A. Administrator
❍ B. Owner
❍ C. Group
❍ D. System

A

B. Owner

The owner of an object controls access in a discretionary access control model. The object and type of access is at the discretion of the owner, and they can determine who can access the file and the type of access they would have. (4.6)

56
Q

A company is implementing a public file-storage and cloud-based sharing service, and would like users to authenticate with an existing account on a trusted third-party web site. Which of the following should the company implement?

❍ A. SSO
❍ B. Federation
❍ C. Least privilege
❍ D. Discretionary access controls

A

B. Federation

Federation provides authentication and authorization between two entities using a separate trusted authentication platform. For example, a web site could allow authentication using an existing account on a third-party social media site. (4.6)

57
Q

A security administrator is implementing an authentication system for the company. Which of the following would be the best choice for validating login credentials for all usernames and passwords in the authentication system?

❍ A. CA
❍ B. SIEM
❍ C. LDAP
❍ D. WAF

A

C. LDAP

LDAP (Lightweight Directory Access Protocol) is a common standard for authentication. LDAP is an open standard and is available across many different operating systems and devices. (4.6)

58
Q

A company’s employees are required to authenticate each time a file share, printer, or SAN imaging system is accessed. Which of the following should be used to minimize the number of employee authentication requests?

❍ A. SSO
❍ B. OSINT
❍ C. MFA
❍ D. SCAP

A

A. SSO

SSO (Single Sign-On) accepts valid authentication requests and allows users to access multiple resources without requiring additional user authentications. (4.6)

59
Q

An IT help desk is using automation to improve the response time for security events. Which of the following use cases would apply to this process?

❍ A. Escalation
❍ B. Guard rails
❍ C. Continuous integration
❍ D. Resource provisioning

A

A. Escalation

Automation can recognize security events and escalate a security-related ticket to the incident response team without any additional human interaction. (4.7)

60
Q

A company would like to orchestrate the response when a virus is detected on company devices. Which of the following would be the BEST way to implement this function?

❍ A. Active reconnaissance
❍ B. Log aggregation
❍ C. Vulnerability scan
❍ D. Escalation scripting

A

D. Escalation scripting

Scripting and automation can provide methods to automate or orchestrate the escalation response when a security issue is detected. (4.7)

61
Q

An administrator is writing a script to convert an email message to a help desk ticket and assign the ticket to the correct department. Which of the following should the administrator use to complete this script?

❍ A. Role-based access controls
❍ B. Federation
❍ C. Due diligence
❍ D. Orchestration

A

D. Orchestration

Orchestration describes the process of automation, and is commonly associated with large scale automation or automating processes between different systems. (4.7)

62
Q

Which of the following processes provides ongoing building and testing of newly written code?

❍ A. Continuous integration
❍ B. Continuity of operations
❍ C. Version control
❍ D. Race condition

A

A. Continuous integration

With continuous integration, code can be constantly written and merged into the central repository many times each day. (4.7)

63
Q

A security administrator has examined a server recently compromised by an attacker, and has determined the system was exploited due to a known operating system vulnerability. Which of the following would BEST describe this finding?

❍ A. Root cause analysis
❍ B. E-discovery
❍ C. Risk appetite
❍ D. Data subject

A

A. Root cause analysis

The goal of a root cause analysis is to explain the ultimate cause of an incident. Once the cause is known, it becomes easier to protect against similar attacks in the future. (4.8)

64
Q

A security administrator has copied a suspected malware executable from a user’s computer and is running the program in a sandbox. Which of the following would describe this part of the incident response process?

❍ A. Eradication
❍ B. Preparation
❍ C. Recovery
❍ D. Containment

A

D. Containment

The isolation and containment process prevents malware from spreading and allows the administrator to analyze the operation of the malware without putting any other devices at risk. (4.8)

65
Q

A data breach has occurred in a large insurance company. A security administrator is building new servers and security systems to get all of the financial systems back online. Which part of the incident response process would BEST describe these actions?

❍ A. Lessons learned
❍ B. Containment
❍ C. Recovery
❍ D. Analysis

A

C. Recovery

The recovery after a breach can be a phased approach that may take months to complete. (4.8)

66
Q

A system administrator has been called to a system with a malware infection. As part of the incident response process, the administrator has imaged the operating system to a known-good version. Which of these incident response steps is the administrator following?

❍ A. Lessons learned
❍ B. Recovery
❍ C. Detection
❍ D. Containment

A

B. Recovery

The recovery phase describes the process of returning the system and data to the state prior to the malware infection. With a malware infection, this often requires deleting all data and reinstalling a known-good operating system. (4.8)

67
Q

An IPS report shows a series of exploit attempts were made against externally facing web servers. The system administrator of the web servers has identified a number of unusual log entries on each system. Which of the following would be the NEXT step in the incident response process?

❍ A. Check the IPS logs for any other potential attacks
❍ B. Create a plan for removing malware from the web servers
❍ C. Disable any breached user accounts
❍ D. Disconnect the web servers from the network

A

D. Disconnect the web servers from the network

The unusual log entries on the web server indicate that the system may have been exploited. In that situation, the servers should be contained to prevent all connectivity to those systems. (4.8)

68
Q

A security administrator has identified the installation of ransomware on a database server and has quarantined the system. Which of the following should be followed to ensure that the integrity of the evidence is maintained?

❍ A. E-discovery
❍ B. Non-repudiation
❍ C. Chain of custody
❍ D. Legal hold

A

C. Chain of custody

A chain of custody is a documented record of the evidence. The chain of custody also documents the interactions of every person who comes into contact with the evidence to maintain the integrity. (4.8)

69
Q

Which of the following would be the BEST way to determine if files have been modified after the forensics data acquisition process has occurred?

❍ A. Use a tamper seal on all storage devices
❍ B. Create a hash of the data
❍ C. Image each storage device for future comparison
❍ D. Take screenshots of file directories with file sizes

A

B. Create a hash of the data

A hash creates a unique value and can be quickly validated at any time in the future. If the hash value changes, then the data must have also changed. (4.8)

70
Q

An organization has identified a security breach and has removed the affected servers from the network. Which of the following is the NEXT step in the incident response process?

❍ A. Eradication
❍ B. Preparation
❍ C. Recovery
❍ D. Detection
❍ E. Containment

A

A. Eradication

The incident response process is preparation, detection, analysis, containment, eradication, recovery, and lessons learned. Once a system has been contained, any malware or breached user accounts should be removed from the system. (4.8)

71
Q

During a ransomware outbreak, an organization was forced to rebuild database servers from known good backup systems. In which of the following incident response phases were these database servers brought back online?

❍ A. Recovery
❍ B. Lessons learned
❍ C. Containment
❍ D. Detection

A

A. Recovery

The recovery phase focuses on getting things back to normal after an attack. This is the phase that removes malware, fixes vulnerabilities, and recovers the damaged systems. (4.8)

72
Q

A cybersecurity analyst has been asked to respond to a denial of service attack against a web server, and the analyst has collected the log files and data from the server. Which of the following would allow a future analyst to verify the data as original and unaltered?

❍ A. E-discovery
❍ B. Root cause analysis
❍ C. Legal hold
❍ D. Data hashing

A

D. Data hashing

Data hashing creates a unique message digest based on stored data. If the data is tampered with, a hash taken after the change will differ from the original value. This allows the forensic engineer to identify if information has been changed. (4.8)

73
Q

Which of these are used to force the preservation of data for later use in court?

❍ A. Chain of custody
❍ B. Data loss prevention
❍ C. Legal hold
❍ D. E-discovery

A

C. Legal hold

A legal hold is a legal technique to preserve relevant information. This process will ensure the data remains accessible for any legal preparation prior to litigation. (4.8)

74
Q

A system administrator has identified an unexpected username on a database server, and the user has been transferring database files to an external server over the company’s Internet connection. The administrator then performed these tasks:

  • Physically disconnected the Ethernet cable on the database server
  • Disabled the unknown account
  • Configured a firewall rule to prevent file transfers from the server

Which of the following would BEST describe this part of the incident response process?

❍ A. Eradication
❍ B. Containment
❍ C. Lessons learned
❍ D. Preparation

A

B. Containment

The containment phase isolates events which can quickly spread and get out of hand. A file transfer from a database server can quickly be contained by disabling any ability to continue the file transfer. (4.8)

75
Q

A security engineer is viewing this record from the firewall logs:

UTC 04/05/2023 03:09:15809 AV Gateway Alert
136.127.92.171 80 -> 10.16.10.14 60818
Gateway Anti-Virus Alert:
XPACK.A_7854 (Trojan) blocked.

Which of the following can be observed from this log information?

❍ A. The victim’s IP address is 136.127.92.171
❍ B. A download was blocked from a web server
❍ C. A botnet DDoS attack was blocked
❍ D. The Trojan was blocked, but the file was not

A

B. A download was blocked from a web server

A traffic flow from a web server port number (80) to a device port (60818) indicates that this traffic flow originated on port 80 of the web server. A file download is one of the most common ways to deliver a Trojan, and this log entry shows that the file containing the XPACK.A_7854 Trojan was blocked. (4.9)

76
Q

An administrator is viewing the following security log:

Dec 30 08:40:03 web01 Failed password for root from 10.101.88.230 port 26244 ssh2
Dec 30 08:40:05 web01 Failed password for root from 10.101.88.230 port 26244 ssh2
Dec 30 08:40:09 web01 445 more authentication failures; rhost=10.101.88.230 user=root

Which of the following would describe this attack?

❍ A. Spraying
❍ B. Downgrade
❍ C. Brute force
❍ D. DDoS

A

C. Brute force

A brute force attack discovers a password by attempting a large combination of letters, numbers, and special characters until a match is found. In this example, the notification of over four hundred attempts would qualify as a brute force attack. (4.9)

77
Q

A security technician is reviewing this security log from an IPS:

ALERT 2023-06-01 13:07:29 [163bcf65118-179b547b]
Cross-Site Scripting in JSON Data
222.43.112.74:3332 -> 64.235.145.35:80
URL/index.html - Method POST - Query String “-“
User Agent: curl/7.21.3 (i386-redhat-linux-gnu) libcurl/7.21.3
NSS/3.13.1.0 zlib/1.2.5 libidn/1.19 libssh2/1.2.7
Detail: token=”

" key="key7" value="
alert(2)
"

Which of the following can be determined from this log information? (Select TWO)

❍ A. The alert was generated from a malformed User Agent header
❍ B. The alert was generated from an embedded script
❍ C. The attacker’s IP address is 222.43.112.74
❍ D. The attacker’s IP address is 64.235.145.35
❍ E. The alert was generated due to an invalid client port number

A

B. The alert was generated from an embedded script
and
C. The attacker’s IP address is 222.43.112.74

The details of the IPS (Intrusion Prevention System) alert show a script value embedded into JSON (JavaScript Object Notation) data. The IPS log also shows the flow of the attack with an arrow in the middle. The attacker was IP address 222.43.112.74 with port 3332, and the victim was 64.235.145.35 over port 80. (4.9)

78
Q

A virus scanner has identified a macro virus in a word processing file attached to an email. Which of the following information could be obtained from the metadata of this file?

❍ A. IPS signature name and number
❍ B. Operating system version
❍ C. Date and time when the file was created
❍ D. Alert disposition

A

C. Date and time when the file was created

The date and time the file was created is commonly found in the metadata of the document. (4.9)

79
Q

A security administrator would like a report showing how many attackers are attempting to use a known vulnerability to gain access to a corporate web server. Which of the following should be used to gather this information?

❍ A. Application log
❍ B. Metadata
❍ C. IPS log
❍ D. Windows log

A

C. IPS log

An IPS (Intrusion Prevention System) commonly uses a database of known vulnerabilities to identify and block malicious network traffic. This log of attempted exploits would provide the required report information. (4.9)

80
Q

A technician is reviewing this information from an IPS log:

MAIN_IPS: 22June2023 09:02:50 reject 10.1.111.7
Alert: HTTP Suspicious Webdav OPTIONS Method Request; Host: Server
Severity: medium; Performance Impact:3;
Category: info-leak; Packet capture; disable
Proto:tcp; dst:192.168.11.1; src:10.1.111.7

Which of the following can be associated with this log information? (Select TWO)

❍ A. The attacker sent a non-authenticated BGP packet to trigger the IPS
❍ B. The source of the attack is 192.168.11.1
❍ C. The event was logged but no packets were dropped
❍ D. The source of the attack is 10.1.111.7
❍ E. The attacker sent an unusual HTTP packet to trigger the IPS

A

D. The source of the attack is 10.1.111.7
and
E. The attacker sent an unusual HTTP packet to trigger the IPS

The second line of the IPS log shows the type of alert, and this record indicates a suspicious HTTP packet was sent. The last line of the IPS log shows the protocol, destination, and source IP address information. The source IP address is 10.1.111.7. (4.9)