Security+ Warm Up Flashcards
A company would like to prevent the transfer of non-encrypted credit card numbers over the network. Which of the following would be the BEST choice for this requirement?
A) Data loss prevention
B) Digital Signatures
C) SSL inspection
D) Certificate authority
E) Self-encrypting drives
A) Data loss prevention
DLP: Data Loss Prevention. Looks for and stops data you don’t want traveling across your network. If someone sends their social security number over the network, DLP stops it. Also prohibits USB access and blocks sensitive information in inbound and outbound emails, if you set it up that way. (4.4 & 4.5)
A known vulnerability that passes through an IPS without an alert is an example of what?
A) False negative
B) Obfuscation
C) Blockchain
D) Federation
A) False negative
False Negative: A vulnerability that exists, but your software didn’t find it. (4.3)
A client using an API to access an application function is an example of what?
A) Hashing
B) Secure enclave
C) Microservices
D) False negative
C) Microservices
Microservices: Instead of having one big application running all of the functions of the application simultaneously, you can have different aspects of the application run on and be supplied by different services still accessible from one client through an API gateway. The API gateway is the glue that makes all the services run when they’re needed. Security for each microservice can be provided individually, instead of security for one big application. (3.1)
All data on a mobile device being encrypted is an example of what?
A) Obfuscation
B) Federation
C) Blockchain
D) Secure enclave
D) Secure enclave
Secure Enclave: A security processor built into the systems we use. (1.4)
Application transactions that are logged in a public ledger is an example of what?
A) Federation
B) Blockchain
C) False negative
D) Hashing
B) Blockchain
Blockchain: A distributed ledger for anyone to be able to see that keeps track of transactions. If you are involved in a blockchain, you are notified of any and all changes. The transaction is then added to a new block of data containing other recently verified transactions. A hash is added to the block of data and the block is completed so that if data is changed, everyone looking at it will know. (1.4)
An MSP needs a secure method of connecting to the web servers of a remote client. Which of the following would be the BEST choice for this task?
A) Proxy server
B) SIEM
C) Jump server
D) IPS
E) HSM
C) Jump server
Jump Server: A server that’s on the inside of a private protected network that provides access to allowed clients on the outside trying to access that network. (3.2)
A DDoS has caused a critical service to be unavailable for 90% of the business day. Which of the following would describe this loss of value?
A) Asset value
B) Single loss expectancy
C) Risk appetite
D) Exposure factor
E) Key risk indicator
D) Exposure factor
Exposure Factor: Usually represented as a percentage, it tells users how risky it is to have that vulnerability remain on your system. If it’s minor, the percentage will be small. If it’s major, the percentage will be high. (4.3)
A company is protecting user passwords by hashing the password values multiple times. Which of the following would describe this process?
A) Salting
B) Steganography
C) Symmetric encryption
D) Digital signature
E) Key stretching
E) Key stretching
Key strengthening: Also known as key hashing or key stretching. The process of making your key stronger by hashing the hashes of your password multiple times. The hash of a hash of a hash of a password is difficult to brute-force. (1.4)
An organization has discovered an attacker entering the building using an employee access card, but the employee still has their original card. Which of the following is the most likely explanation?
A) Privilege escalation
B) RFID cloning
C) Brute force
D) Spraying
E) Injection
B) RFID cloning
RFID Cloning: Duplicating an access badge to impersonate a legitimate employee and gain access to where they go. (2.4)
A security administrator has identified all possible points of unauthorized entry on a newly built web server. Which of the following would describe this list?
A) Responsibility matrix
B) Platform diversity
C) Journaling
D) Input validation
E) Attack surface
E) Attack surface
Attack Surface: The combination of potential openings into your network. How does your network look? Are you aware of all of the ways into your network? (3.2)
A login process requires an app with a pseudo-random number. What is the appropriate authentication factor for this?
A) Something you have
B) Somewhere you are
C) Something you know
D) Something you are
A) Something you have
Something you have: Like a smart card, phone, USB security key, or hardware/software token. (4.6)
A user in another country is not able to log in to the VPN portal. What is the appropriate authentication factor for this?
A) Something you have
B) Somewhere you are
C) Something you know
D) Something you are
B) Somewhere you are
Somewhere you are: A login allowed or denied based upon where the login took place. Could be based on IP address or GPS location services. (4.6)
An ATM requires a PIN for authentication. What is the appropriate authentication factor for this?
A) Something you have
B) Somewhere you are
C) Something you know
D) Something you are
C) Something you know
Something you know: Like a password or a secret phrase, PIN number or pattern. Very common. (4.6)
A text message with a code is sent during a login process. What is the appropriate authentication factor for this?
A) Something you have
B) Somewhere you are
C) Something you know
D) Something you are
A) Something you have
Something you have: Like a smart card, phone, USB security key, or hardware/software token. (4.6)
A system administrator uses a fingerprint to unlock their laptop. What is the appropriate authentication factor for this?
A) Something you have
B) Somewhere you are
C) Something you know
D) Something you are
D) Something you are
Something you are: Biometrics. (4.6)
A company is assigning administrator rights to IT technicians on a temporary basis. Which of the following would describe this system?
A) Just-in-time permissions
B) Password vaulting
C) Salting
D) Hashing
E) Passwordless access
A) Just-in-time permissions
Just-In-Time Permissions: Granting admin access for a limited time on a specific set of time-sensitive credentials. (4.6)
A company performs a risk assessment each time the hardware or software is updated for an application instance. Which of the following would describe this assessment process?
A) One-time
B) Ad hoc
C) Recurring
D) Mandated
E) Third-party
B) Ad hoc
Ad Hoc: A risk assessment designed to look at only one specific threat. (5.2)
Which of the following would BEST describe a honeytoken?
A) A publicly accessible password.txt file
B) Intentionally incorrect API credentials
C) A virtual machine with a known vulnerability
D) A workstation without a locking screen saver
E) A random access code used during login
B) Intentionally incorrect API credentials
Honeytokens: A bit of traceable data added to your honeynet. If data is stolen and shared, you will be notified and can trace it to who stole it. (1.2)
When power is removed from an inline IPS, all network traffic stops. Which of the following would describe this functionality?
A) High availability
B) Parallel processing
C) Load balancing
D) Cold site
E) Failed closed
E) Failed closed
Fail-Close: When a system fails, data stops flowing. (3.2)
A server was previously infected with malware, and a technician is reimaging the system and updating the application software. Which of the following best describes this incident response step?
A) Preparation
B) Analysis
C) Recovery
D) Lessons learned
E) Detection
C) Recovery
Recovery: Getting things back to normal. Replacing software, re-imaging, disabling compromised accounts, fixing vulnerabilities, recovering the OS, etc. (4.8)
A security engineer is following a checklist to recover a system containing a malware infection. Which of the following would describe this process list?
A) Change management
B) Playbook
C) Disaster recovery
D) Business continuity
E) Centralized governance
B) Playbook
Playbooks: Conditional steps to follow in the case of a particular event. For example, a checklist of what happens if, say, there’s a data breach, or you need to recover a device from ransomware. Can sometimes be implemented into a SOAR platform (Security Orchestration, Automation, and Response), and automated. (5.1)
Which technology would be utilized in this scenario?
Verifying the status of a web server certificate.
A) Tokenization
B) Federation
C) Blockchain
D) OCSP
D) OCSP
OCSP: Online Certificate Status Protocol. A protocol that lists the status of its certificate onto the web server itself. (1.4)
Which technology would be utilized in this scenario?
Credit card numbers are being replaced with temporary values.
A) Salting
B) Tokenization
C) OCSP
D) False negative
B) Tokenization
Tokenization: Takes sensitive information such as a credit card number used in a purchase, and replaces it with a token number that is completely different when crossing the network. Only a one-time use. Nothing is encrypted, but all the numbers are changed on the token. (3.3)
Which technology would be utilized in this scenario?
Randomization has been added to a hash.
A) Honeyfile
B) Tokenization
C) Salting
D) Blockchain
C) Salting
Salting: Random data added to a password when hashing that password, making a different hash for the password when stored. For example, the password ‘dragon’ has its own unique hash, but the password ‘dragon +r4$x’ has a different hash, and the password can still be verified when it is checked in plain text. The +r4$x is known to the user to be the salt. (1.4)
Which technology would be utilized in this scenario?
Creating a document with invalid authentication information.
A) Honeyfile
B) OCSP
C) Federation
D) False negative
A) Honeyfile
Honeyfile: A fake file with fake information to attract a bad guy. An alert is sent once the file is accessed. (1.2)
A user is asymmetrically encrypting an outgoing email message. Which of the following is used to encrypt this information?
A) Sender’s public key
B) Recipient’s private key
C) Sender’s private key
D) Recipient’s public key and sender’s private key
E) Recipient’s public key
E) Recipient’s public key
Asymmetric Encryption: Public key cryptography. Two (or more) mathematically related keys. You encrypt data with one key and decrypt data with a different key. Both keys are made at the same time so they mathematically understand one another. One of the keys made is the private key (the one that is not shared) and the other is made to be the public key (the one that is shared with other people). The private key is the only key that can decrypt data encrypted with the public key, making all data encrypted with the public key safe from decryption except by one source. (1.4)
Which of the following external threat actors commonly has limited resources and relatively low attack sophistication?
A) Unskilled
B) Shadow IT
C) Organized crime
D) Nation state
E) Hacktivist
A) Unskilled
Unskilled Attackers: Basically the opposite of a Nation State. Low skill, resources, and capability. Motivated by causing disruption and general chaos. They usually run pre-made scripts to attack your organization without really knowing how any of it works. Anyone can do this. Can be internal or external. (2.1)
An administrator is configuring the security rules in a firewall. Which of the following SDN plane would be most associated with this task?
A) Data
B) Active
C) Control
D) Infrastructure
E) Management
E) Management
Management plane: Also called the Application Layer. Where we as network admins physically configure and manage all of these network devices. (3.1)
SDN: Software Defined Networking. Networking architecture is defined by how the networking devices operate on their planes of operation, and organized accordingly.
The three planes of operation for software defined networking are the data, control, and management planes.
A security analyst would like to be informed if any core operating system files are modified. Which of the following would provide this functionality?
A) SIM
B) SNMP
C) FIM
D) NetFlow
E) DLP
C) FIM
FIM: File Integrity Monitoring. Some files should never change. FIMs check and make sure the files that shouldn’t be changing aren’t changing. Windows has one built in called SFC (system file checker). Linux has one called Tripwire. (4.5)
A security administrator has copied a suspected malware executable from a user’s computer and is running the program in a sandbox. Which of the following would describe this part of the incident response process?
A) Eradication
B) Preparation
C) Recovery
D) Containment
D) Containment
Containment: Stopping the attack as quickly as possible by isolating it. (4.8)
A security technician observes that the data center’s server racks are accessible to all employees, posing a risk to critical infrastructure. What is the most appropriate physical control to mitigate this risk?
A) Implement a network intrusion detection system
B) Install locks on the server rack doors
C) Update the antivirus software on the servers
D) Conduct a risk assessment of the data center
B) Install locks on the server rack doors
Physical Controls: Controls that limit physical access to a building, room or device. Locks, fences, and badge readers are examples of this. (1.1)
A security professional notices an unusual pattern of outgoing traffic from a server hosting sensitive data. The traffic suggests potential data exfiltration. What technical control should be implemented IMMEDIATELY to best address this issue?
A) Install a firewall to monitor and control incoming and outgoing network traffic
B) Conduct a security awareness training for employees
C) Implement biometric access controls to the server room
D) Review and update the company’s security policies
A) Install a firewall to monitor and control incoming and outgoing network traffic
Firewall: Filters traffic by port number and protocol or application, depending on whether it’s a traditional firewall or a next gen firewall. (4.5)
The company has faced several instances of tailgating, where unauthorized individuals gain access by following employees into restricted areas. Which deterrent control would be most effective in reducing the occurrence of tailgating?
A) Install more surveillance cameras at all entry points
B) Implement stricter password policies
C) Conduct regular security audits of the access control systems
D) Set up a software-based IPS
A) Install more surveillance cameras at all entry points
Video surveillance: Or CCTV. Security cameras that watch areas to see if unauthorized people are gaining access. Can have motion or object detection. (1.2)
A smart phone user wants to access features not available in the standard operating system. What method would enable this?
A) Exploiting database vulnerabilities
B) Utilizing scripting vulnerabilities
C) Jailbreaking
D) Direct software installation
C) Jailbreaking
Jailbreaking: Bypassing the built-in security that comes with a mobile device. One could also replace the standard OS and/or firmware that comes with the device with your own. On an Android device, this is known as rooting. On an Apple iOS device, this is known as jailbreaking. (2.3)
A security professional is reviewing the security measures of a financial firm’s data storage system to ensure it aligns with the C and I of the CIA triad. Which of the following actions would BEST ensure adherence to the C and I?
A) Encrypting stored data
B) Implementing a firewall
C) Regularly updating software
D) Conducting background checks on employees
A) Encrypting stored data
CIA Triad: A combination of principles concerning the fundamentals of security; Confidentiality, Integrity, and Availability. (1.2)
A security professional is tasked with identifying the discrepancies between the current security posture and the desired state of security in their organization. Which process should the security professional undertake to identify these discrepancies?
A) Risk assessment
B) Gap analysis
C) Penetration testing
D) Compliance auditing
B) Gap analysis
Gap Analysis: A study of where we are versus where we would like to be. It requires research and consideration of many different IT and security factors in order to close that gap and make sure everything is completed without tripping over itself. (1.2)
A security professional is enhancing the physical security measures of a corporate building located in a busy downtown area, with a focus on mitigating vehicle-based threats. Which physical security measure is most suitable for protecting the building against potential vehicle ramming attacks while allowing pedestrian access?
A) Installing video surveillance cameras around the building perimeter
B) Implementing an access control vestibule at the main entrance
C) Erecting bollards along the building’s street-facing side
D) Enhancing the lighting around the building’s entrance
C) Erecting bollards along the building’s street-facing side
Barricades and bollards: Allow people access by channeling them to a specific point, but prevent vehicles. (1.2)
A security technician is proposing the implementation of a new firewall system in their organization. The proposal includes significant changes to the current network infrastructure. Before implementing the new firewall system, what is the first step the security technician should do before installing the new system?
A) Conducting an impact analysis of the new system on current operations
B) Obtaining formal approval for the project from senior management
C) Scheduling a maintenance window for the implementation
D) Preparing a back-out plan in case the implementation fails
B) Obtaining formal approval for the project from senior management
Change Management: Or Change Approval Process. The formal process an IT administrator goes through to ensure that a change to the systems goes through properly and without messing anything up.
Change Control Process:
1) Fill out an approval process request form.
2) Explain what the change is and why it’s being implemented.
3) Identify the scope of the change, or how big this change will be.
4) Schedule a date and time for the change to take place.
5) Determine the affected systems and the impact on those systems.
6) Analyze the risk associated with the change.
7) Get approval from the change control board to go ahead with the change. (1.3)
Which of the following teams combines both offensive and defensive testing of a company’s network?
A) Red
B) White
C) Blue
D) Purple
D) Purple
Integrated Penetration Testing: Red vs. Blue working together.
Offensive: A pen test where your systems are attacked and vulnerabilities are looked for to exploit (The Red Team).
Defensive: A pen test where a group (The Blue Team) attempts to identify pen test attacks in real-time and tries to prevent unauthorized access. (5.5)
What should a security analyst do to ensure evidence is handled correctly?
A) Chain of custody
B) Collection
C) Hand over
D) Storage
A) Chain of custody
Chain of Custody: Information must maintain its unmodified status for the duration of its necessary use, thus a process is in place to see who has access to the information. Hashes and digital signatures allow us to know how the data has been stored and whether or not it has been tampered with. (4.8)
Two security professionals are setting up a secure communication channel between their organizations. They need a secure way to establish a shared secret key for symmetric encryption. Which method should they use to securely exchange the symmetric key?
A) Public key infrastructure (PKI) for key exchange
B) Directly sending the symmetric key over email
C) Using an asymmetric algorithm such as Diffie-Hellman
D) Encrypting the key using symmetric encryption and then sending it
C) Using an asymmetric algorithm such as Diffie-Hellman
Asymmetric Encryption: Public key cryptography. Two (or more) mathematically related keys. You encrypt data with one key and decrypt data with a different key. Both keys are made at the same time so they mathematically understand one another. One of the keys made is the private key (the one that is not shared) and the other is made to be the public key (the one that is shared with other people). The private key is the only key that can decrypt data encrypted with the public key, making all data encrypted with the public key safe from decryption except by one source. (1.4)
A security professional is responsible for securely storing user passwords in a database. They need a method to protect the passwords from being exposed in case of a breach. What technique should the security professional use to safeguard user passwords in the database?
A) Digital signatures
B) Hashing
C) File permission
D) Blockchain
B) Hashing
Hash: A short string of text that can be created based upon data contained within the plain text. Also known as a message digest or a fingerprint.
Hashing: Representing data as a short string of text. Cannot be decrypted. (1.4)
A security professional is managing a network with multiple SSL/TLS-secured devices. They need a mechanism to promptly revoke the trust of a compromised certificate across all devices. What technology should the professional use to maintain a list of revoked certificates that can be checked by clients?
A) Self-signed certificate
B) CSR
C) CRL
D) Third-party certificate
C) CRL
Certificate Revocation Lists: (CRLs) A list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date. When a CA issues a digital certificate, it includes an expiration date. However, certain events may lead to the need for revocation before the certificate’s expiration, such as the compromise of the private key associated with the certificate, the compromise of the CA itself, or other security-related concerns. (1.4)
A security technician has noticed unusual behavior from an employee who has access to sensitive customer data. The employee’s actions are suspicious, indicating potential malicious intent. What type of threat actor is the employee most likely categorized as?
A) Organized crime
B) Nation-state
C) Hacktivist
D) Insider threat
D) Insider threat
Insider Threat: A threat from the inside of your organization. Someone on the outside can weasel their way in and then betray you. Motivated by revenge and financial gain. In this circumstance, your organization is their funding. They have institutional knowledge, and know what vulnerable systems to hit. (2.1)
What type of cyber-attack occurs when employees of a company are tricked by a fake website that looks legitimate?
A) Identity theft
B) Misinformation
C) Watering-hole
D) Spear phishing
C) Watering-hole
Watering Hole Attack: An attacker, who cannot gain access to your network by conventional means, “poisons” a third party website that all of your employees visit, thus getting a foot in the door, and attacking your network indirectly. (2.2)
To quickly address a security vulnerability found in the firmware of IoT devices, what is the most effective action?
A) Conducting a risk analysis
B) Patching
C) Network restructuring
D) Device upgradation
B) Patching
Patching: Keeping your systems up to date by closing up found holes of vulnerability. Do this as often as you can. (2.5)
A security professional has noticed an increase in phone calls to employees, where the callers pose as IT support staff and request sensitive information such as login credentials. Some employees have unknowingly provided this information. Which technique is most likely being used to deceive employees through phone calls?
A) Typosquatting
B) Watering-hole
C) Vishing
D) Whaling
C) Vishing
Vishing: Voice phishing. An attacker lying to you over the phone to get your information. (2.2)
To identify the creator and creation date of a suspicious file found on a server, what should a security analyst check?
A) File’s hash value
B) Network activity logs
C) Server access logs
D) File’s metadata
D) File’s metadata
Metadata: Data that describes other data sources. For example, for a picture taken on your phone, you can pull up all sorts of data about the picture, such as when and where it was taken and how large it is. (4.9)
A security professional is responsible for managing the virtualized infrastructure of a large organization. They have heard about the concept of “VM escape” and its potential security implications. What does the term VM escape refer to in the context of virtualization security?
A) The process of migrating a virtual machine from one host to another
B) A security breach where a malicious actor gains control of the host system from within a virtual machine
C) The practice of cloning virtual machines for backup purposes
D) The deployment of virtual machines across multiple physical hosts for load balancing
B) A security breach where a malicious actor gains control of the host system from within a virtual machine
VM Escape: When a VM is able to break out of its self-contained system and interact with the host operating system or hardware on the same hypervisor. (2.3)
An organization wants to enhance its security measures to prevent employees from inadvertently installing harmful applications. What is the most effective strategy?
A) Regular malware scans
B) VPN implementation
C) Implementing an application allow list
D) User access control
C) Implementing an application allow list
Application Allow/Deny List: Ensuring only legitimate applications are used on a system. Allow List = Nothing runs unless it’s approved. Deny List = Everything can run except the things denied. (2.5)
A security technician notices that a piece of malware is rapidly spreading through the organization’s network, creating copies of itself and consuming network resources. What type of malware attack is described in the scenario, and what is its primary characteristic?
A) The scenario describes a worm attack known for its ability to self-replicate
B) The scenario describes a trojan attack known for its deceptive appearance
C) The scenario describes spyware known for its rapid spread through networks
D) The scenario describes a logic bomb known for consuming network resources
A) The scenario describes a worm attack known for its ability to self-replicate
Worm: Malware similar to a virus that can move around from system to system without any user intervention. (2.4)
A security engineer notices that several logs from critical network devices, such as firewalls and intrusion detection systems, are missing for a period of several hours, during which a security incident may have occurred. What should the security engineer do to address it?
A) Missing logs indicate that the network devices were not generating any log data during that time, and there is no cause for concern.
B) Missing logs can be a sign of a security incident or a potential breach of the logging system. The security engineer should investigate the cause of the missing logs and take corrective action.
C) The missing logs are a result of log rotation, and the security engineer should configure longer log retention periods.
D) The published documentation regarding log storage is accurate, and no action is required.
B) Missing logs can be a sign of a security incident or a potential breach of the logging system. The security engineer should investigate the cause of the missing logs and take corrective action.
Missing Logs: Deleted log information is an indication of compromise that someone is (sloppily) trying to cover their tracks. (2.4)
A security administrator is responsible for securing servers in a data center. They implement a security measure to control incoming and outgoing network traffic on each server to protect against unauthorized access and network-based attacks. What hardening technique is the security administrator primarily implementing to enhance server security in this scenario?
A) Default password changes
B) Host-based firewall
C) Encryption
D) Removal of unnecessary software
B) Host-based firewall
Host-based firewall: Software based firewall that runs behind the scenes on every endpoint. Allows or disallows incoming or outgoing application traffic. Identifies and blocks unknown processes. (2.5)
What is the primary characteristic of an on-premises architecture model for hosting servers and data?
A) Reliance on third-party cloud providers
B) Geographic distribution of resources
C) Hosting servers and data within physical facilities
D) Use of serverless computing
C) Hosting servers and data within physical facilities
Benefits of On-Premises Security: Everything is local and on you to secure, giving you the freedom and control to protect things exactly how you want it, but it costs more to maintain (being a Tech Director). (3.1)
A security technician is responsible for implementing threat detection mechanisms in an ICS used for managing a city’s water treatment plant. Which threat detection mechanism is essential for monitoring and alerting on suspicious activities in an ICS environment such as a water treatment plant?
A) Email filtering
B) Antivirus software
C) IDS
D) MDM
C) IDS
IDS: Intrusion Detection System. Watches network traffic and only alerts if it finds traffic it doesn’t recognize. (3.2)
An organization requires a way to monitor changes in its network environment. Which system should be implemented?
A) Firewall
B) IPS
C) NAC
D) FIM
D) FIM
FIM: File Integrity Monitoring. Some files should never change. FIMs check and make sure the files that shouldn’t be changing aren’t changing. Windows has one built in called SFC (system file checker). Linux has one called Tripwire. (4.5)
To enhance network security, what change should a security analyst recommend if a remote desktop service is accessible from the internet?
A) Implementing stronger encryption
B) Setting up a VPN and firewall restrictions
C) Changing default port configurations
D) Increasing password complexity
B) Setting up a VPN and firewall restrictions
Infrastructure Monitoring: Monitor your remote access systems to see who’s connecting via VPN. Also, take a look at your firewall and IPS reports. (4.4)
A large e-commerce platform wants to ensure uninterrupted service even during peak shopping seasons. Which approach should the security professional recommend to achieve high availability?
A) Load balancing
B) Hot site
C) Geographic spreading
D) Continuity of operations
A) Load balancing
Load Balancing: Load is distributed across multiple servers, but the servers are unaware of each other. Only the load balancer knows about all the servers. Servers can run different OSs. (3.4)
A company wants to ensure that only authorized devices can connect to the switch ports. What security measure should they deploy on the switch to achieve this?
A) IDS
B) NAC
C) SSL
D) VLAN
B) NAC
NAC: Network Access Control. Rules put in place that limit a device’s access to certain types of data, either someone on the outside trying to get in, or someone inside trying to get out. Rules based on user, group, location, application, etc. Think ACLs.
A security technician is conducting a code review for a software development project. They want to identify and mitigate potential vulnerabilities in the application’s source code. What technique should the security technician employ to identify and mitigate security vulnerabilities in the source code?
A) Implement input validation
B) Use secure cookies
C) Perform static code analysis
D) Apply code signing
C) Perform static code analysis
Static Code Analysis: A method application developers use to test the security of their applications. They put their code through a static code analyzer and the analyzer checks it for buffer overflows and database injections. (4.1)
A security professional is responsible for maintaining an accurate inventory of software licenses within an organization. They discover that some software licenses have expired, but the software is still in use. What action should the security professional take to address the issue of expired software licenses being used?
A) Implement data retention policies for the expired licenses
B) Schedule the destruction of the software with expired licenses
C) Initiate the acquisition/procurement process for new software licenses
D) Disable the software
C) Initiate the acquisition/procurement process for new software licenses
The Acquisition/Procurement Process: A user wants something and asks IT for it. IT (or the purchasing committee) looks at what they want to buy and analyzes the budget to see if they can buy it. If they can, management, IT, and/or the purchasing committee sign off on it and they buy it. Sometimes IT haggles with whoever they’re trying to buy it from. When a price is reached, the transaction takes place. Paid all at once or in payments. (4.2)
In a penetration testing engagement, what document typically outlines the estimated time required for the test?
A) NDA
B) SLA
C) BPA
D) SOW
D) SOW
SOW: Statement of Work (sometimes called a Work Order, WO). A specific list of items to be completed, used in conjunction with the MSA, that details the scope of the job, the location, the schedule and estimated time, acceptance criteria, etc. (5.3)
A security technician is tasked with identifying and responding to security alerts generated by the organization’s systems and applications. Which tool or technology should the security technician rely on to receive real-time security alerts from systems and applications?
A) SCAP
B) Antivirus software
C) SIEM
D) Archiving tools
C) SIEM
Log Aggregation: Getting all the security data you need into one place. Use a SIEM: Security Information and Event Management. Logs from servers, firewalls, applications and other sources are collected at one central consolidation point, normalized into a common format, and correlated. This is what you reference if something goes wrong with security, and you can set up a SIEM to alert you in real time when a rule matches. (4.4)
What are the best ways to ensure only authorized personnel can access a secure research facility (select two)?
A) Perimeter fencing
B) CCTV monitoring
C) Badge access system
D) Controlled access vestibule
E) Visitor sign-in log
F) Motion detectors
C) Badge access system
&
D) Controlled access vestibule
Physical Controls: Controls that limit physical access to a building, room or device. Locks, fences, and badge readers are examples of this.
Access Control Vestibule: A place people have to go into first before accessing another part of the building. Opening one door causes another one to lock, or vice versa. (1.2)
A security technician needs to ensure that privileged users have temporary and limited access to sensitive systems when necessary. What privileged access management tool or concept should the security technician implement to grant privileged users temporary and limited access to sensitive systems?
A) Tokenization
B) Biometric
C) Password managers
D) Just-in-time permissions
D) Just-in-time permissions
Just-In-Time Permissions: Granting elevated (admin) access only when it is needed, for a limited time and a specific scope, often through short-lived credentials issued for that task. When the time is up the rights are revoked automatically, so no one holds standing admin privileges. (4.6)
A security technician is implementing automation to scale the organization’s infrastructure in a secure manner during peak usage periods. Which benefit of automation and orchestration does this illustrate?
A) Standard infrastructure configurations
B) Cost reduction
C) Scaling in a secure manner
D) Employee retention
C) Scaling in a secure manner
Scaling in a Secure Manner: When automation adds capacity, every new instance is built from the same tested template, so scaling out during a peak does not introduce hand-built, misconfigured servers. Cost reduction is a separate benefit of automation and is not what the scenario describes. (4.7)
A security professional is investigating a suspected security breach in the organization’s web application. What type of log data source is most likely to contain information about user actions, errors, and events related to the web application?
A) Vulnerability scans
B) Application logs
C) Endpoint logs
D) Dashboards
B) Application logs
Application Logs: Log files specific to an application. You can find this in the application log in Event Viewer in Windows.(4.9)
What is most likely to be used in a company to document risks, assign responsible parties, and define thresholds?
A) Definition of risk tolerance
B) Process of risk transfer
C) Maintenance of a risk register
D) Conducting a risk analysis
C) Maintenance of a risk register
Risk Register: A document that lists each identified risk, who owns it, its likelihood and impact, the thresholds that trigger action, and the planned response. It is kept up to date as the project or the business changes. (5.2)
A security professional notices that an unauthorized device has been used to copy the signals from legitimate RFID tags, allowing unauthorized access to a secure area. What type of physical attack is described in the scenario, and how does it work?
A) Environmental attack
B) Brute force attack
C) Cloning attack
D) Social engineering
C) Cloning attack
RFID Cloning: Duplicating an access badge to impersonate a legitimate employee and gain access to where they go. (2.4)
A security technician discovers that an attacker has gained access to a network and positioned themselves in a way that allows them to intercept and manipulate network traffic. What type of attack is described in the scenario, and how is the attacker positioned?
A) The scenario describes a malicious code attack targeting network devices
B) The scenario describes an on-path attack
C) The scenario describes a rootkit installed on a server
D) The scenario describes a security professional conducting a penetration test
B) The scenario describes an on-path attack
On-Path Attacks: The attacks formerly known as man-in-the-middle attacks. The attacker gets in between two systems and watches, captures, and modifies the traffic that flows between them. The attacker is “on your path.” (2.4)
An organization enforces mobile device management (MDM) policies to secure and manage employee-owned smartphones and tablets used for work. In the context of mobile device security, what is the organization primarily achieving when enforcing MDM policies for employee-owned devices?
A) Secure data destruction
B) Data encryption
C) Endpoint security
D) Risk acceptance
C) Endpoint security
Endpoint: The device used by the user. (4.5)
What type of reconnaissance activity is a security professional primarily engaged in when gathering information about potential vulnerabilities on the organization’s external network by reviewing job postings or message boards about the organization?
A) Passive reconnaissance
B) Active reconnaissance
C) Defensive penetration testing
D) Known environment testing
A) Passive reconnaissance
Passive Reconnaissance: Information gathered before an attack by learning as much as you can from open sources, without sending any traffic to the target. Social media, websites, job postings, online forums, and social engineering, for example. (5.5)
An organization implements MFA for its employees’ access to sensitive systems and resources. What security measure is the organization primarily implementing when implementing MFA?
A) Threat analysis
B) User authentication
C) Security awareness training
D) Access control
B) User authentication
MFA: Multifactor Authentication. Proving who you are with more than one kind of factor: something you know (password), something you have (hardware token or authenticator app), something you are (biometric). A stolen password alone is no longer enough to log in. (4.6)
A security technician analyzes network traffic logs to identify patterns indicative of a potential DDoS attack. In the context of threat detection and analysis, what action is the security technician primarily taking when analyzing these logs?
A) Intrusion prevention
B) Threat hunting
C) Risk assessment
D) Risk mitigation
B) Threat hunting
Threat Hunting: Finding the attacker before they find you. Proactively searching logs, network traffic, and endpoint telemetry for signs of an intrusion rather than waiting for an alert, then using what you learn to upgrade your defenses so the same threat is caught before it gets in. (4.8)
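The SIEM card above describes aggregating logs into one place and alerting on them, and this card describes hunting through those logs for a DDoS pattern. The following added example (not from the flashcards or any SIEM vendor) does both in miniature: it normalizes two constructed log sources, a web server access log and a firewall log, into one event stream, then runs two sliding-window rules over it. The log lines, thresholds, and rule names are all assumptions made for this illustration.

```python
"""Added example: a miniature SIEM pipeline.

Two constructed log sources (an nginx-style access log and a Linux firewall
log) are normalized into one event stream, then two detection rules run over
a sliding time window: a per-source burst and an overall request flood, the
traffic shape of a (D)DoS. Sample lines are generated here, not real traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, NamedTuple, Optional


class Event(NamedTuple):
    ts: int        # unix seconds, so sources with different timestamp formats line up
    source: str    # which log the event came from
    src_ip: str
    detail: str


class Alert(NamedTuple):
    ts: int
    rule: str
    subject: str
    detail: str


NGINX_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
FW_RE = re.compile(r'^(?P<ts>\S+) fw kernel: DROP IN=\S+ SRC=(?P<ip>\S+) DST=\S+ .*DPT=(?P<port>\d+)')


def parse_line(line: str) -> Optional[Event]:
    """Normalize one raw line from either source; None for lines we do not understand."""
    m = NGINX_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return Event(int(ts.timestamp()), "nginx", m["ip"], f'{m["req"]} -> {m["status"]}')
    m = FW_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return Event(int(ts.timestamp()), "fw", m["ip"], f'DROP dpt={m["port"]}')
    return None


def detect(events: List[Event], window: int = 10, per_ip_max: int = 20,
           total_max: int = 25) -> List[Alert]:
    """Sliding-window rules; each alert fires once, when its threshold is first crossed."""
    alerts: List[Alert] = []
    per_ip: Dict[str, Deque[int]] = defaultdict(deque)
    everything: Deque[int] = deque()
    burst_flagged = set()
    flood_flagged = False

    for ev in sorted(events):                      # sort so the window only moves forward
        q = per_ip[ev.src_ip]
        q.append(ev.ts)
        while q[0] <= ev.ts - window:              # drop entries older than the window
            q.popleft()
        if len(q) > per_ip_max and ev.src_ip not in burst_flagged:
            burst_flagged.add(ev.src_ip)
            alerts.append(Alert(ev.ts, "burst", ev.src_ip,
                                f"{len(q)} events in {window}s from one source"))

        everything.append(ev.ts)
        while everything[0] <= ev.ts - window:
            everything.popleft()
        if len(everything) > total_max and not flood_flagged:
            flood_flagged = True
            alerts.append(Alert(ev.ts, "flood", "*",
                                f"{len(everything)} events in {window}s across all sources"))
    return alerts


BASE = datetime(2023, 10, 10, 13, 55, 30, tzinfo=timezone.utc)


def constructed_logs() -> List[str]:
    """Constructed sample: one client hitting /login 30 times in 5 seconds,
    one normal client, and three firewall drops aimed at RDP (3389)."""
    lines = []
    for i in range(30):
        ts = (BASE + timedelta(seconds=i // 6)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'198.51.100.7 - - [{ts}] "POST /login HTTP/1.1" 401 0')
    for s in (0, 20, 40):
        ts = (BASE + timedelta(seconds=s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'203.0.113.5 - - [{ts}] "GET /catalog HTTP/1.1" 200 5120')
    for s in (1, 2, 3):
        ts = (BASE + timedelta(seconds=s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} fw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=203.0.113.10 PROTO=TCP DPT=3389")
    return lines


if __name__ == "__main__":
    events = [e for e in map(parse_line, constructed_logs()) if e is not None]
    for a in detect(events):
        when = datetime.fromtimestamp(a.ts, timezone.utc).strftime("%H:%M:%S")
        print(f"{when} {a.rule:<6} {a.subject:<14} {a.detail}")
```

The normalization step is the part that matters most in practice: the two sources use different timestamp formats and field layouts, and only after both become the same `Event` shape can one rule count them together. The thresholds here are deliberately low so the constructed sample trips both rules; real ones are tuned against a baseline of normal traffic.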
An organization enforces mobile device encryption policies to ensure that data stored on employees’ smartphones and tablets is protected from unauthorized access in case of device loss or theft. What security measure is the organization primarily implementing by enforcing these mobile device encryption policies?
A) Data integrity
B) Data confidentiality
C) Data availability
D) Data authentication
B) Data confidentiality
Confidentiality: Ensures that information being exchanged is confidential or private. The concept includes the prevention of disclosure of information to unauthorized individuals or systems. This is achieved through encryption, two-factor authentication, and access controls. (1.2)
A security technician is responsible for designing the network infrastructure of a critical government agency. They need to ensure that certain sensitive systems are physically isolated from the rest of the network to prevent unauthorized access. Which network design technique should the security technician implement to achieve physical isolation of sensitive systems?
A) Logical segmentation
B) SDN
C) Virtualization
D) Air-gapped
D) Air-gapped
Air Gap: Means the devices are physically separate. If an attacker gained access to switch A, they would have no way to access switch B. (3.1)
A bank requires all of its vendors to implement measures to prevent data loss on stolen laptops. Which strategy is the bank demanding?
A) Disk encryption
B) Data permission
C) Information categorization
D) Access right limitations
A) Disk encryption
Examples of full-disk and partition/volume encryption software include BitLocker (Windows OS) and FileVault (Mac OS). (1.4)
To ensure software code authenticity in a development environment, which method should a software development manager implement?
A) Regular code reviews
B) Dynamic application security testing
C) Code signing
D) Implementing agile methodologies
C) Code signing
Code Signing: Validating that the code you’re about to run on your computer is the same code that was made by the developers. The developer signs a hash of the code with their private key, and the matching certificate (issued by a CA) lets your system verify the signature; if the code was altered after signing, the check fails. (4.1)
In a corporate network, the IT department wants to implement a solution that divides the network based on security requirements. What mitigation technique is the IT department planning to implement to enhance network security in this scenario?
A) Least privilege
B) Patching
C) Segmentation
D) Encryption
C) Segmentation
Physical segmentation: Devices confined within a specific network that are unable to access other networks because the physical devices between the two networks are not physically connected.
Logical segmentation: Devices ARE connected to the same physical switch, but they are separated on the switch via VLANs. (2.5 and 4.3)
Security protocols in a cloud data center are under review to guarantee the protection of the safety of the data center staff. Which of the following best illustrates the appropriate setup for these security controls?
A) External gateway access points should fail closed
B) Data access logs should fail open
C) Fire safety mechanisms should fail open
D) User authentication systems should fail closed
C) Fire safety mechanisms should fail open
Fail-Open: When a system fails, data (or people) continue to flow. For life-safety controls such as fire exits and emergency door releases, this is the required behavior: a failure must never trap staff inside.
Fail-Closed: When a system fails, data stops flowing. This is the safer default for security controls such as gateway access points and authentication systems, where a failure should deny access rather than grant it. (3.2)