Security+ Warm Up Flashcards
1
Q
A company would like to prevent the transfer of non-encrypted credit card numbers over the network. Which of the following would be the BEST choice for this requirement?
A) Data loss prevention
B) Digital Signatures
C) SSL inspection
D) Certificate authority
E) Self-encrypting drives
A
A) Data loss prevention
DLP: Data Loss Prevention. Looks for and stops running data you don’t want running on your network. If someone sends their social security number over the network, DLP stops it. Also prohibits USB access and blocks sensitive information in inbound and outbound emails, if you set it up that way. (4.4 & 4.5)
2
Q
A known vulnerability that passes through an IPS without an alert is an example of what?
A) False negative
B) Obfuscation
C) Blockchain
D) Federation
A
A) False negative
False Negative: A vulnerability that exists, but your software didn’t find it. (4.3)
3
Q
A client using an API to access an application function is an example of what?
A) Hashing
B) Secure enclave
C) Microservices
D) False negative
A
C) Microservices
Microservices: Instead of having one big application running all of the functions of the application simultaneously, you can have different aspects of the application run on and be supplied by different services still accessible from one client through an API gateway. The API gateway is the glue that makes all the services run when they’re needed. Security for each microservice can be provided individually, instead of security for one big application. (3.1)
4
Q
All data on a mobile device being encrypted is an example of what?
A) Obfuscation
B) Federation
C) Blockchain
D) Secure enclave
A
D) Secure enclave
Secure Enclave: A security processor built into the systems we use. (1.4)
5
Q
Application transactions that are logged in a public ledger is an example of what?
A) Federation
B) Blockchain
C) False negative
D) Hashing
A
B) Blockchain
Blockchain: A distributed ledger for anyone to be able to see that keeps track of transactions. If you are involved in a blockchain, you are notified of any and all changes. The transaction is then added to a new block of data containing other recently verified transactions. A hash is added to the block of data and the block is completed so that if data is changed, everyone looking at it will know. (1.4)
6
Q
An MSP needs a secure method of connecting to the web servers of a remote client. Which of the following would be the BEST choice for this task?
A) Proxy server
B) SIEM
C) Jump server
D) IPS
E) HSM
A
C) Jump server
Jump Server: A server that’s on the inside of a private protected network that provides access to allowed clients on the outside trying to access that network. (3.2)
7
Q
A DDoS has caused a critical service to be unavailable for 90% of the business day. Which of the following would describe this loss of value?
A) Asset value
B) Single loss expectancy
C) Risk appetite
D) Exposure factor
E) Key risk indicator
A
D) Exposure factor
Exposure Factor: Usually represented as a percentage, it tells users how risky it is to have that vulnerability remain on your system. If it’s minor, the percentage will be small. If it’s major, the percentage will be high. (4.3)
8
Q
A company is protecting user passwords by hashing the password values multiple times. Which of the following would describe this process?
A) Salting
B) Steganography
C) Symmetric encryption
D) Digital signature
E) Key stretching
A
E) Key stretching
Key strengthening: Also known as key hashing or key stretching. The process of making your key stronger by hashing the hashes of your password multiple times. The hash of a hash of a hash of a password is difficult to brute-force. (1.4)
9
Q
An organization has discovered an attacker entering the building using an employee access card, but the employee still has their original card. Which of the following is the most likely explanation?
A) Privilege escalation
B) RFID cloning
C) Brute force
D) Spraying
E) Injection
A
B) RFID cloning
RFID Cloning: Duplicating an access badge to impersonate a legitimate employee and gain access to where they go. (2.4)
10
Q
A security administrator has identified all possible points of unauthorized entry on a newly built web server. Which of the following would describe this list?
A) Responsibility matrix
B) Platform diversity
C) Journaling
D) Input validation
E) Attack surface
A
E) Attack surface
Attack Surface: The combination of potential openings into your network. How does your network look? Are you aware of all of the ways into your network? (3.2)
11
Q
A login process requires an app with a pseudo-random number. What is the appropriate authentication factor for this?
A) Something you have
B) Somewhere you are
C) Something you know
D) Something you are
A
A) Something you have
Something you have: Like a smart card, phone, USB security key, or hardware/software token. (4.6)
12
Q
A user in another country is not able to login to the VPN portal. What is the appropriate authentication factor for this?
A) Something you have
B) Somewhere you are
C) Something you know
D) Something you are
A
B) Somewhere you are
Somewhere you are: A login allowed or denied based upon where the login took place. Could be based on IP address or GPS location services. (4.6)
13
Q
An ATM requires a PIN for authentication. What is the appropriate authentication factor for this?
A) Something you have
B) Somewhere you are
C) Something you know
D) Something you are
A
C) Something you know
Something you know: Like a password or a secret phrase, PIN number or pattern. Very common. (4.6)
14
Q
A text message with a code is sent during a login process. What is the appropriate authentication factor for this?
A) Something you have
B) Somewhere you are
C) Something you know
D) Something you are
A
A) Something you have
Something you have: Like a smart card, phone, USB security key, or hardware/software token. (4.6)
15
Q
A system administrator uses a fingerprint to unlock their laptop. What is the appropriate authentication factor for this?
A) Something you have
B) Somewhere you are
C) Something you know
D) Something you are
A
D) Something you are
Something you are: Biometrics. (4.6)
16
Q
A company is assigning administrator rights to IT technicians on a temporary basis. Which of the following would describe this system?
A) Just-in-time permissions
B) Password vaulting
C) Salting
D) Hashing
E) Passwordless access
A
A) Just-in-time permissions
Just-In-Time Permissions: Granting admin access for a limited time on a specific set of time sensitive credentials. (4.6)
17
Q
A company performs a risk assessment each time the hardware or software is updated for an application instance. Which of the following would describe this assessment process?
A) One-time
B) Ad hoc
C) Recurring
D) Mandated
E) Third-party
A
B) Ad hoc
Ad Hoc: A risk assessment designed to look at only one specific threat. (5.2)
18
Q
Which of the following would BEST describe a honeytoken?
A) A publicly accessible password.txt file
B) Intentionally incorrect API credentials
C) A virtual machine with a known vulnerability
D) A workstation without a locking screen saver
E) A random access code used during login
A
B) Intentionally incorrect API credentials
Honeytokens: A bit of traceable data added to your honeynet. If data is stolen and shared, you will be notified and can trace it to who stole it. (1.2)
19
Q
When power is removed from an inline IPS, all network traffic stops. Which of the following would describe this functionality?
A) High availability
B) Parallel processing
C) Load balancing
D) Cold site
E) Failed closed
A
E) Failed closed
Fail-Close: When a system fails, data stops flowing. (3.2)
20
Q
A server was previously infected with malware, and a technician is reimaging the system and updating the application software. Which of the following best describes this incident response step?
A) Preparation
B) Analysis
C) Recovery
D) Lessons learned
E) Detection
A
C) Recovery
Recovery: Getting things back to normal. Replacing software, re-imaging, disabling compromised accounts, fixing vulnerabilities, recovering the OS, etc. (4.8)
21
Q
A security engineer is following a checklist to recover a system containing a malware infection. Which of the following would describe this process list?
A) Change management
B) Playbook
C) Disaster recovery
D) Business continuity
E) Centralized governance
A
B) Playbook
Playbooks: Conditional steps to follow in the case of a particular event. For example, a checklist of what happens if, say, there’s a data breach, or you need to recover a device from ransomware. Can sometimes be implemented into a SOAR platform (Security Orchestration, Automation, and Response), and automated. (5.1)
22
Q
Which technology would be utilized in this scenario?
Verifying the status of a web server certificate.
A) Tokenization
B) Federation
C) Blockchain
D) OCSP
A
D) OCSP
OCSP: Online Certificate Status Protocol. A protocol that lists the status of its certificate onto the web server itself. (1.4)
23
Q
Which technology would be utilized in this scenario?
Credit card numbers are being replaced with temporary values.
A) Salting
B) Tokenization
C) OCSP
D) False negative
A
B) Tokenization
Tokenization: Takes sensitive information such as a credit card number used in a purchase, and replaces it with a token number that is completely different when crossing the network. Only a one time use. Nothing is encrypted, but all the numbers are changed on the token. (3.3)
24
Q
Which technology would be utilized in this scenario?
Randomization has been added to a hash.
A) Honeyfile
B) Tokenization
C) Salting
D) Blockchain
A
C) Salting
Salting: Random data added to a password when hashing that password, making a different hash for the password when stored. For example, the password ‘dragon’ has its own unique hash, but the password ‘dragon +r4$x’ has a different hash, but is still able to be deciphered when the password is looked at in plain text. The +r4$x is known to the user to be the salt. (1.4)
25
Which technology would be utilized in this scenario?
Creating a document with invalid authentication information.
A) Honeyfile
B) OCSP
C) Federation
D) False negative
A) Honeyfile
Honeyfile: A fake file with fake information to attract a bad guy. An alert is sent once the file is accessed. (1.2)
26
A user is asymmetrically encrypting an outgoing email message. Which of the following is used to encrypt this information?
A) Sender's public key
B) Recipient's private key
C) Sender's private key
D) Recipient's public key and sender's private key
E) Recipient's public key
E) Recipient's public key
Asymmetric Encryption: Public key cryptography. Two (or more) mathematically related keys. You encrypt data with one key and decrypt data with a different key. Both keys are made at the same time so they mathematically understand one another. One of the keys made is the private key (the one that is not shared) and the other is made to be the public key (the one that is shared to other people). The private key is the only key that can decrypt data encrypted with the public key, making all data encrypted with the public key safe from encryption except from one source. (1.4)
27
Which of the following external threat actors commonly has limited resources and relatively low attack sophistication?
A) Unskilled
B) Shadow IT
C) Organized crime
D) Nation state
E) Hacktivist
A) Unskilled
Unskilled Attackers: Basically the opposite of a Nation State. Low skill, resources, and capability. Motivated by causing disruption and general chaos. They usually run pre-made scripts to attack your organization without really knowing how any of it works. Anyone can do this. Can be internal or external. (2.1)
28
An administrator is configuring the security rules in a firewall. Which of the following SDN plane would be most associated with this task?
A) Data
B) Active
C) Control
D) Infrastructure
E) Management
E) Management
Management plane: Also called the Application Layer. Where we as Network admins physically configure and manage all of these network devices. (3.1)
SDN: Software Defined Networking. Networking architecture is defined by how the networking devices operate on their planes of operation, and organized accordingly.
The three planes of operation for software defined networking are the data, control, and management planes.
29
A security analyst would like to be informed if any core operating system files are modified. Which of the following would provide this functionality?
A) SIM
B) SNMP
C) FIM
D) NetFlow
E) DLP
C) FIM
FIM: File Integrity Monitoring. Some files should never change. FIMs check and make sure the files that shouldn’t be changing aren’t changing. Windows has one built in called SFC (system file checker). Linux has one called Tripwire. (4.5)
30
A security administrator has copied a suspected malware executable from a user's computer and is running the program in a sandbox. Which of the following would describe this part of the incident response process?
A) Eradication
B) Preparation
C) Recovery
D) Containment
D) Containment
Containment: Stopping the attack as quickly as possible by isolating it. (4.8)
31
A security technician observes that the data center's server racks are accessible to all employees, posing a risk to critical infrastructure. What is the most appropriate physical control to mitigate this risk?
A) Implement a network intrusion detection system
B) Install locks on the server rack doors
C) Update the antivirus software on the servers
D) Conduct a risk assessment of the data center
B) Install locks on the server rack doors
Physical Controls: Controls that limit physical access to a building, room or device. Locks, fences, and badge readers are examples of this. (1.1)
32
A security professional notices an unusual pattern of outgoing traffic from a server hosting sensitive data. The traffic suggest potential data exfiltration. What technical control should be implemented IMMEDIATELY to best address this issue?
A) Install a firewall to monitor and control incoming and outgoing network traffic
B) Conduct a security awareness training for employees
C) Implement biometric access controls to the server room
D) Review and update the company's security policies
A) Install a firewall to monitor and control incoming and outgoing network traffic
Firewall: Filters traffic by port number and protocol or application, depending on whether it’s a traditional firewall or a next gen firewall. (4.5)
33
The company has faced several instances of tailgating, where unauthorized individuals gain access by following employees into restricted areas. Which deterrent control would be most effective in reducing the occurrence of tailgating?
A) Install more surveillance cameras at all entry points
B) Implement stricter password policies
C) Conduct regular security audits of the access control systems
D) Set up a software based IPS
A) Install more surveillance cameras at all entry points
Video surveillance: Or CCTV. Security cameras that watch areas to see if unauthorized people are gaining access. Can have motion or object detection. (1.2)
34
A smart phone user wants to access features not available in the standard operating system. What method would enable this?
A) Exploiting database vulnerabilities
B) Utilizing scripting vulnerabilities
C) Jailbreaking
D) Direct software installation
C) Jailbreaking
Jailbreaking: Bypassing the built in security that comes with a mobile device. One could also replace the standard OS and/or firmware that comes with the device and replace it with your own. On an Android device, this is known as rooting. On an Apple iOS device, this is known as Jailbreaking.(2.3)
35
A security professional is reviewing the security measures of a financial firm's data storage system to ensure it aligns with the C and I of the CIA triad. Which of the following actions would BEST ensure adherence to the C and I?
A) Encrypting stored data
B) Implementing a firewall
C) Regularly updating software
D) Conducting background checks on employees
A) Encrypting stored data
CIA Triad: A combination of principles concerning the fundamentals of security; Confidentiality, Integrity, and Availability. (1.2)
36
A security professional is tasked with identifying the discrepancies between the current security posture and the desired state of security in their organization. Which process should the security professional undertake to identify these discrepancies?
A) Risk assessment
B) Gap analysis
C) Penetration testing
D) Compliance auditing
B) Gap analysis
Gap Analysis: A study of where we are versus where we would like to be. It requires research and consideration of many different IT and security factors in order to close that gap and make sure everything is completed without tripping over itself. (1.2)
37
A security professional is enhancing the physical security measures of a corporate building located in a busy downtown area, with a focus on mitigating vehicle-based threats. Which physical security measure is most suitable for protecting the building against potential vehicle ramming attacks while allowing pedestrian access?
A) Installing video surveillance cameras around the building perimeter
B) Implementing an access control vestibule at the main entrance
C) Erecting bollards along the building's street facing side
D) Enhancing the lighting around the building's entrance
C) Erecting bollards along the building's street facing side
Barricades and bollards: Allow people access by channeling them to a specific point, but prevent vehicles. (1.2)
38
A security technician is proposing the implementation of a new firewall system in their organization. The proposal includes significant changes to the current network infrastructure. Before implementing the new firewall system, what is the first step the security technician should do before installing the new system?
A) Conducting an impact analysis of the new system on current operations
B) Obtaining formal approval for the project from senior management
C) Scheduling a maintenance window for the implementation
D) Preparing a back out plan in case the implementation fails
B) Obtaining formal approval for the project from senior management
Change Management: Or Change Approval Process. The formal process an IT administrator goes through to ensure that a change to the systems goes through properly and without messing anything up.
Change Control Process:
-1) Fill out an approval process request form.
-2) Explain what the change is and why it’s being implemented.
-3) Identify the scope of the change, or how big this change will be.
-4) Schedule a date and time for the change to take place.
-5) Determine the affected systems and the impact on those systems.
-6) Analyze the risk associated with the change.
-7) Get approval from the change control board to go ahead with the change. (1.3)
39
Which of the following teams combines both offensive and defensive testing of a company's network?
A) Red
B) White
C) Blue
D) Purple
D) Purple
Integrated Penetration Testing: Red Vs Blue going together.
Offensive: A pen test where your systems are attacked and vulnerabilities are looked for to exploit (The Red Team).
Defensive: A pen test where a group (The Blue Team) attempts to identify pen test attacks in real-time and tries to prevent unauthorized access. (5.5)
40
What should a security analysis do to ensure evidence is handled correctly?
A) Chain of custody
B) Collection
C) Hand over
D) Storage
A) Chain of custody
Chain of Custody: Information must maintain its unmodified status for the duration of its necessary use, thus a process is in place to see who has access to the information. Hashes and digital signatures allow us to know how the data has been stored and whether or not it has been tampered with. (4.8)
41
Two security professionals are setting up a secure communication channel between their organizations. They need a secure way to establish a shared secret key for symmetric encryption. Which method should they use to securely exchange the symmetric key?
A) Public key infrastructure (PKI) for key exchange
B) Directly sending the symmetric key over email
C) Using an asymmetric algorithm such as Diffie-Hellman
D) Encrypting the key using symmetric encryption and then sending it
C) Using an asymmetric algorithm such as Diffie-Hellman
Asymmetric Encryption: Public key cryptography. Two (or more) mathematically related keys. You encrypt data with one key and decrypt data with a different key. Both keys are made at the same time so they mathematically understand one another. One of the keys made is the private key (the one that is not shared) and the other is made to be the public key (the one that is shared to other people). The private key is the only key that can decrypt data encrypted with the public key, making all data encrypted with the public key safe from encryption except from one source. (1.4)
42
A security professional is responsible for securely storing user passwords in a database. They need a method to protect the passwords from being exposed in case of a breach. What technique should the security professional use to safeguard user passwords in the database?
A) Digital signatures
B) Hashing
C) File permission
D) Blockchain
B) Hashing
Hash: A short string of text that can be created based upon data contained within the plain text. Also known as a message digest or a fingerprint.
Hashing: Representing data as a short string of text. Cannot be decrypted. (1.4)
43
A security professional is managing a network with multiple SSL/TLS-secured devices. They need a mechanism to promptly revoke the trust of a compromised certificate across all devices. What technology should the professional use to maintain a list of revoked certificates that can be checked by clients?
A) Self-signed certificate
B) CSR
C) CRL
D) Third-party certificate
C) CRL
Certificate Revocation Lists: (CRLs) A list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date. When a CA issues a digital certificate, it includes an expiration date. However, certain events may lead to the need for revocation before the certificate's expiration, such as the compromise of the private key associated with the certificate, the compromise of the CA itself, or other security-related concerns. (1.4)
44
A security technician has noticed unusual behavior from an employee who has access to sensitive customer data. The employee's actions are suspicious, indicating potential malicious intent. What type of threat actor is the employee most likely categorized as?
A) Organized crime
B) Nation-state
C) Hacktivist
D) Insider threat
D) Insider threat
Insider Threat: A threat from the inside of your organization. Someone on the outside can squeazel their way in and then betray you. Motivated by revenge and financial gain. In this circumstance, your organization is their funding. They have institutional knowledge, and know what vulnerable systems to hit. (2.1)
45
What type of cyber-attack occurs when employees of a company are tricked by a fake website that looks legitimate?
A) Identity theft
B) Misinformation
C) Watering-hole
D) Spear phishing
C) Watering-hole
Watering Hole Attack: An attacker, who cannot gain access to your network by conventional means, “poisons” a third party website that all of your employees visit, thus getting a foot in the door, and attacking your network indirectly. (2.2)
46
To quickly address a security vulnerability found in the firmware of IoT devices, what is the most effective action?
A) Conducting a risk analysis
B) Patching
C) Network restructuring
D) Device upgradation
B) Patching
Patching: Keeping your systems up to date by closing up found holes of vulnerability. Do this as often as you can. (2.5)
47
A security professional has noticed an increase in phone calls to employees, where the callers pose as IT support staff and request sensitive information such as login credentials. Some employees have unknowingly provided this information. Which technique is most likely being used to deceive employees through phone calls?
A) Typosquatting
B) Watering-hole
C) Vishing
D) Whaling
C) Vishing
Vishing: Voice fishing. An attacker lying to you over the phone to get your information. (2.2)
48
To identify the creator and creation date of a suspicious file found on a server, what should a security analyst check?
A) File's hash value
B) Network activity logs
C) Server access logs
D) File's metadata
D) File's metadata
Metadata: Data that describes other data sources, so, for example, in a picture taken on your phone, you can pull up all sorts of data about the picture, such as when and where it was taken and how large it is, things like that. (4.9)
49
A security professional is responsible for managing the virtualized infrastructure of a large organization. They have heard about the concept of "VM escape" and its potential security implications. What does the term VM escape refer to in the context of virtualization security?
A) The process of migrating a virtual machine from one host to another
B) A security breach where a malicious actor gains control of the host system from within a virtual machine
C) The practice of cloning virtual machines for backup purposes
D) The deployment of virtual machines across multiple physical hosts for load balancing
B) A security breach where a malicious actor gains control of the host system from within a virtual machine
VM Escape: When a VM is able to break out of its self-contained system and interact with the host operating system or hardware on the same hypervisor. (2.3)
50
An organization wants to enhance its security measures to prevent employees from inadvertently installing harmful applications. What is the most effective strategy?
A) Regular malware scans
B) VPN implementation
C) Implementing an application allow list
D) User access control
C) Implementing an application allow list
Application Allow/Deny List: Ensuring only legitimate applications are used on a system. Allow List = Nothing runs unless it’s approved. Deny List = Everything can run except the things denied. (2.5)
51
A security technician notices that a piece of malware is rapidly spreading through the organization's network, creating copies of itself and consuming network resources. What type of malware attack is described in the scenario, and what is its primary characteristic?
A) The scenario describes a worm attack known for its ability to self-replicate
B) The scenario describes a trojan attack known for its deceptive appearance
C) The scenario describes spyware known for its rapid spread through networks
D) The scenario describes a logic bomb known for consuming network resources
A) The scenario describes a worm attack known for its ability to self-replicate
Worm: Malware similar to a virus that can move around from system to system without any user intervention. (2.4)
52
A security engineer notices that several logs from critical network devices, such as firewalls and intrusion detection systems, are missing for a period of several hours, during which a security incident may have occurred. What should the security engineer do to address it?
A) Missing logs indicate that the network devices were not generating any log data during that time, and there is no cause for concern.
B) Missing logs can be a sign of a security incident or a potential breach of the logging system. The security engineer should investigate the cause of the missing logs and take corrective action.
C) The missing logs are a result of log rotation, and the security engineer should configure longer log retention periods.
D) The published documentation regarding log storage is accurate, and no action is required.
B) Missing logs can be a sign of a security incident or a potential breach of the logging system. The security engineer should investigate the cause of the missing logs and take corrective action.
Missing Logs: Deleted log information is an indication of compromise that someone is (sloppily) trying to cover their tracks. (2.4)
53
A security administrator is responsible for securing servers in a data center. They implement a security measure to control incoming and outgoing network traffic on each server to protect against unauthorized access and network-based attacks. What hardening technique is the security administrator primarily implementing to enhance server security in this scenario?
A) Default password changes
B) Host-based firewall
C) Encryption
D) Removal of unnecessary software
B) Host-based firewall
Host-based firewall: Software based firewall that runs behind the scenes on every endpoint. Allows or disallows incoming or outgoing application traffic. Identifies and blocks unknown processes. (2.5)
54
What is the primary characteristic of an on-premises architecture model for hosting servers and data?
A) Reliance on third-party cloud providers
B) Geographic distribution of resources
C) Hosting servers and data within physical facilities
D) Use of serverless computing
C) Hosting servers and data within physical facilities
Benefits of On-Premises Security: Everything is local and on you to secure, giving you the freedom and control to protect things exactly how you want it, but it costs more to maintain (being a Tech Director). (3.1)
55
A security technician is responsible for implementing threat detection mechanisms in an ICS used for managing a city's water treatment plant. Which threat detection mechanism is essential for monitoring and alerting on suspicious activities in an ICS environment such as a water treatment plant?
A) Email filtering
B) Antivirus software
C) IDS
D) MDM
C) IDS
IDS: Intrusion Detection System. Watches network traffic and only alerts if it finds traffic it doesn’t recognize. (3.2)
56
An organization requires a way to monitor changes in its network environment. Which system should be implemented?
A) Firewall
B) IPS
C) NAC
D) FIM
D) FIM
FIM: File Integrity Monitoring. Some files should never change. FIMs check and make sure the files that shouldn’t be changing aren’t changing. Windows has one built in called SFC (system file checker). Linux has one called Tripwire. (4.5)
57
To enhance network security. what change should a security analyst recommend if a remote desktop service is accessible from the internet?
A) Implementing stronger encryption
B) Setting up a VPN and firewall restrictions
C) Changing default port configurations
D) Increasing password complexity
B) Setting up a VPN and firewall restrictions
Infrastructure Monitoring: Monitor your remote access systems to see who’s connecting via VPN. Also, take a look at your firewall and IPS reports. (4.4)
58
A large e-commerce platform wants to ensure uninterrupted service even during peak shopping seasons. Which approach should the security professional recommend to achieve high availability?
A) Load balancing
B) Hot site
C) Geographic spreading
D) Continuity of operations
A) Load balancing
Load Balancing: Load is distributed across multiple servers, but the servers are unaware of each other. Only the load balancer knows about all the servers. Servers can run different OSs. (3.4)
59
A company wants to ensure that only authorized devices can connect to the switch ports. What security measure should they deploy on the switch to achieve this?
A) IDS
B) NAC
C) SSL
D) VLAN
B) NAC
NAC: Network Access Control. Rules put in place that limit a device’s access to certain types of data, either someone on the outside trying to get in, or someone inside trying to get out. Rules based on user, group, location, application, etc. Think ACLs.
60
A security technician is conducting a code review for a software development project. They want to identify and mitigate potential vulnerabilities in the applications source code. What technique should the security technician employ to identify and mitigate security vulnerabilities in the source code?
A) Implement input validation
B) Use secure cookies
C) Perform static code analysis
D) Apply code signing
C) Perform static code analysis
Static Code Analysis: A method application developers use to test the security of their applications. They put their code through a static code analyzer and the analyzer checks it for buffer overflows and database injections. (4.1)
61
A security professional is responsible for maintaining an accurate inventory of software licenses within an organization. They discover that some software licenses have expired, but the software is still in use. What action should the security professional take to address the issue of expired software licenses being used?
A) Implement data retention policies for the expired licenses
B) Schedule the destruction of the software with expired licenses
C) Initiate the acquisition/procurement process for new software licenses
D) Disable the software
C) Initiate the acquisition/procurement process for new software licenses
The Acquisition/Procurement Process: A user wants something and asks IT for it. IT (or the purchasing committee) looks at what they want to buy and analyzes the budget to see if they can buy it. If they can, management, IT, and/or the purchasing committee sign off on it and they buy it. Sometimes IT haggles with whoever they’re trying to buy it from. When a price is reached, the transaction takes place. Paid all at once or in payments. (4.2)
62
In a penetration testing engagement, what document typically outlines the estimated time required for the test?
A) NDA
B) SLA
C) BPA
D) SOW
D) SOW
WO: Work Order (or Statement of Work). Specific list of items to be completed used in conjunction with the MSA that details the scope of the job, the location, acceptance criteria, etc. (5.3)
63
A security technician is tasked with identifying and responding to security alerts generated by the organization's systems and applications. Which tool or technology should the security technician rely on to receive real-time security alerts from systems and applications?
A) SCAP
B) Antivirus software
C) SIEM
D) Archiving tools
C) SIEM
Log Aggregation: Getting all the security data you need all at once. Use a SIEM: Security Information and Event Management. The logging of security events and information to one central consolidation point. What you can reference if something goes wrong with security. You can set up a SIEM to alert you as well. (4.4)
64
What are the best ways to ensure only authorized personnel can access a secure research facility (select two)?
A) Perimeter fencing
B) CCTV monitoring
C) Badge access system
D) Controlled access vestibule
E) Visitor sign-in log
F) Motion detectors
C) Badge access system
&
D) Controlled access vestibule
Physical Controls: Controls that limit physical access to a building, room or device. Locks, fences, and badge readers are examples of this.
Access Control Vestibule: A place people have to go into first before accessing another part of the building. Opening one door causes another one to lock, or vice versa. (1.2)
65
A security technician needs to ensure that privileged users have temporary and limited access to sensitive systems when necessary. What privileged access management tool or concept should the security technician implement to grant privileged users temporary and limited access to sensitive systems?
A) Tokenization
B) Biometric
C) Password managers
D) Just-in-time permissions
D) Just-in-time permissions
Just-In-Time Permissions: Granting admin access for a limited time on a specific set of time sensitive credentials.(4.6)
66
A security technician is implementing automation to scale the organization's infrastructure in a secure manner during peak usage periods. What benefit of automation and orchestration?
A) Standard infrastructure configurations
B) Cost reduction
C) Scaling in a secure manner
D) Employee retention
B) Cost reduction
67
A security professional is investigating a suspected security breach in the organization's web application. What type of log data source is mot likely to contain information about user actions, error, and events related to the web application?
A) Vulnerability scans
B) Application logs
C) Endpoint logs
D) Dashboards
B) Application logs
Application Logs: Log files specific to an application. You can find this in the application log in Event Viewer in Windows.(4.9)
68
What is most likely to be used in a company to document risks, assign responsible parties, and define thresholds?
A) Definition of risk tolerance
B) Process of risk transfer
C) Maintenance of a risk register
D) Conduction a risk analysis
C) Maintenance of a risk register
Risk Register: A document that identifies the risk associated with each step of a project, and offers possible solutions to those risks. (5.2)
69
A security professional notices that an unauthorized device has been used to copy the signals from legitimate RFID tags, allowing unauthorized access to a secure area. What type of physical attack is described in the scenario, and how does it work?
A) Environmental attack
B) Brute force attack
C) Cloning attack
D) Social engineering
C) Cloning attack
RFID Cloning: Duplicating an access badge to impersonate a legitimate employee and gain access to where they go. (2.4)
70
A security technician discovers that an attacker has gained access to a network and positioned themselves in a way that allows them to intercept and manipulate network traffic. What type of attack is described in the scenario, and how is the attacker positioned?
A) The scenario describes a malicious code attack targeting network devices
B) The scenario describes an on-path attack
C) The scenario describes a rootkit installed on a server
D) The scenario describes a security professional conduction a penetration test
B) The scenario describes an on-path attack
On-Path attacks: The attacks formerly known as man-in-the-middle attacks. Attackers getting in between two systems and watching, capturing, and modifying the traffic that flows between them. The attacker is “on your path” (2.4)
71
An organization enforces mobile device management (MDM) policies to secure and manage employee-owned smartphones and tablets used for work. In the context of mobile device security, what is the organization primarily achieving when enforcing MDM policies for employee-owned devices?
A) Secure data destruction
B) Data encryption
C) Endpoint security
D) Risk acceptance
C) Endpoint security
Endpoint: The device used by the user. (4.5)
72
What type of reconnaissance activity is a security professional primarily engaged in when gathering information about potential vulnerabilities on the organization's external network by reviewing job postings or message boards about the organization?
A) Passive reconnaissance
B) Active reconnaissance
C) Defensive penetration testing
D) Known environment testing
A) Passive reconnaissance
Passive Reconnaissance: Information needed before an attack that is gathered by learning as much as you can from open sources. Social media, websites, online forums, and social engineering, for example. (5.5)
73
An organization implements MFA for its employees' access to sensitive systems and resources. What security measure is the organization primarily implementing when implementing MFA?
A) Threat analysis
B) User authentication
C) Security awareness training
D) Access control
B) User authentication
(4.6)
74
A security technician analyzes network traffic logs to identify patterns indicative of a potential DDoS attack. In the context of threat detection and analysis, what action is the security technician primarily taking when analyzing these logs?
A) Intrusion prevention
B) Threat hunting
C) Risk assessment
D) Risk mitigation
B) Threat hunting
Threat Hunting: Finding the attacker before they find you. Upgrading your defenses so that threats can be caught before they get in. (4.8)
75
An organization enforces mobile device encryption policies to ensure that data stored on employees' smartphones and tablets is protected from unauthorized access in case of device loss or theft. What security measure is the organization primarily implementing by enforcing these mobile device encryption policies?
A) Data integrity
B) Data confidentiality
C) Data availability
D) Data authentication
B) Data confidentiality
Confidentiality: Ensures that information being exchanged is confidential or private. The concept includes the prevention of disclosure of information to unauthorized individuals or systems. This is achieved through encryption, two-factor authentication, and access controls. (1.2)
76
A security technician is responsible for designing the network infrastructure of a critical government agency. They need to ensure that certain sensitive systems are physically isolated from the rest of the network to prevent unauthorized access. Which network design technique should the security technician implement to achieve physical isolation of sensitive systems?
A) Logical segmentation
B) SDN
C) Virtualization
D) Air-gapped
D) Air-gapped
Air Gap: Means the devices are physically separate. If an attacker gained access to switch A, they would have no way to access switch B. (3.1)
77
A bank requires all of its vendors to implement measures to prevent data loss on stolen laptops. Which strategy is the bank demanding?
A) Disk encryption
B) Data permission
C) Information categorization
D) Access right limitations
A) Disk encryption
Examples of full-disk and partition/volume encryption software include BitLocker (Windows OS) and FileVault (Mac OS). (1.4)
78
To ensure software code authenticity in a development environment, which method should a software development manager implement?
A) Regular code reviews
B) Dynamic application security testing
C) Code signing
D) Implementing agile methodologies
C) Code signing
Code Signing: Validating that the code you’re about to run on your computer for an application is the same code that was made by the developers. Code is digitally signed by the dev, like a CA. (4.1)
79
In a corporate network, the IT department wants to implement a solution that divides the network based on security requirements. What mitigation technique is the IT department planning to implement to enhance network security in this scenario?
A) Least privilege
B) Patching
C) Segmentation
D) Encryption
C) Segmentation
Physical segmentation: Devices confined within a specific network that are unable to access other networks because the physical devices between the two networks are not physically connected.
Logical segmentation: Devices ARE connected to the same physical switch, but they are separated on the switch via VLANs. (2.5 and 4.3)
80
Security protocols in a cloud data center are under review to guarantee the protection of the safety of the data center staff. Which of the following best illustrates the appropriate setup for these security controls?
A) External gate way access points should fail closed
B) Data access logs should fail open
C) Fire safety mechanisms should fail open
D) User authentication systems should fail closed
C) Fire safety mechanisms should fail open
Fail-Open: When a system fails, data continues to flow.
Fail-Close: When a system fails, data stops flowing. (3.2)
81
Which of the following answers can be used to describe technical security controls? (Select 3 answers)
A) Focused on protecting material assets
B) Sometimes called logical security controls
C) Executed by computer systems (instead of people)
D) Also known as administrative controls
E) Implemented with technology
F) Primarily implemented and executed by people (as opposed to computer systems)
B) Sometimes called logical security controls
C) Executed by computer systems (instead of people)
E) Implemented with technology
Technical Controls: Controls implemented using some type of technical system, for example, setting up policies and procedures in an OS that would allow or disallow different functions from occurring. Firewalls, anti-virus, and other similar software fall under this category. (1.1)
82
Which of the answers listed below refer to examples of technical security controls? (Select 3 answers)
A) Security Audits
B) Encryption
C) Organizational Security Policy
D) IDSs
E) Configuration Management
F) Firewalls
B) Encryption
D) IDSs
F) Firewalls
Technical Controls: Controls implemented using some type of technical system, for example, setting up policies and procedures in an OS that would allow or disallow different functions from occurring. Firewalls, anti-virus, and other similar software fall under this category. (1.1)
83
Which of the following answers refer to the characteristic features of managerial security controls? (Select 3 answers)
A) Also known as administrative controls
B) Sometimes referred to as logical security controls
C) Focused on reducing the risk of security incidents
D) Executed by computer systems (instead of people)
E) Documented in written policies
F) Focused on protecting material assets
A) Also known as administrative controls
C) Focused on reducing the risk of security incidents
E) Documented in written policies
Managerial Controls: A series of policies that explain to end users the best way to manage their computers, data, or other systems. A security policy document or manual is an example of this. (1.1)
84
Examples of managerial security controls include: (Select 3 answers)
A) Configuration management
B) Data backups
C) Organizational security policy
D) Risk assessments
E) Security awareness training
C) Organizational security policy
D) Risk assessments
E) Security awareness training
Managerial Controls: A series of policies that explain to end users the best way to manage their computers, data, or other systems. A security policy document or manual is an example of this. (1.1)
85
Which of the answers listed below can be used to describe operational security controls (Select 3 answers)
A) Also known as administrative controls
B) Focused on the day-to-day procedures of an organization
C) Executed by computer systems (instead of people)
D) Used to ensure that the equipment continues to work as specified
E) Focused on managing risk
F) Primarily implemented and executed by people (as opposed to computer systems)
B) Focused on the day-to-day procedures of an organization
D) Used to ensure that the equipment continues to work as specified
F) Primarily implemented and executed by people (as opposed to computer systems)
Operational Controls: Controls implemented by people instead of systems or documents. Security guards, awareness programs, and posters are all examples of this. (1.1)
86
Which of the following examples fall into the category of operational security controls? (Select 3 answers)
A) Risk assessments
B) Configuration management
C) System backups
D) Authentication protocols
E) Patch management
B) Configuration management
C) System backups
E) Patch management
Operational Controls: Controls implemented by people instead of systems or documents. Security guards, awareness programs, and posters are all examples of this. (1.1)
87
Which of the answers listed below refers to security controls designed to deter, detect, and prevent unauthorized access, theft, damage, or destruction of material assets?
A) Managerial security controls
B) Physical security controls
C) Technical security controls
D) Operational security controls
B) Physical security controls
Physical Controls: Controls that limit physical access to a building, room or device. Locks, fences, and badge readers are examples of this. (1.1)
88
Which of the following examples do not fall into the category of physical security controls? (Select 3 answers)
A) Lighting
B) Access control vestibules
C) Data backups
D) Fencing/Bollards/Barricades
E) Firewalls
F) Security guards
G) Asset management
C) Data backups
E) Firewalls
G) Asset management
Physical Controls: Controls that limit physical access to a building, room or device. Locks, fences, and badge readers are examples of this. (1.1)
89
What are the examples of preventive security controls? (Select 3 answers)
A) Encryption
B) IDS
C) Sensors
D) Firewalls
E) Warning signs
F) AV software
A) Encryption
D) Firewalls
F) AV software
Preventive Controls: Block access to a resource. (1.1)
90
Examples of deterrent security controls include: (Select 3 answers)
A) Warning signs
B) Sensors
C) Lighting
D) Video surveillance
E) Security audits
F) Fencing/Bollards
A) Warning signs
C) Lighting
F) Fencing/Bollards
Deterrent Controls: Discourages an intrusion, but does not directly prevent access. (1.1)
91
Which of the answers listed below refer(s) to detective security control(s)? (Select all that apply)
A) Lighting
B) Log monitoring
C) Sandboxing
D) Security audits
E) CCTV
F) IDS
G) Vulnerability scanning
B) Log monitoring
E) CCTV
F) IDS
G) Vulnerability scanning
Detective Controls: Identifies and logs an intrusion attempt (1.1)
92
Which of the following answers refer(s) to corrective security control(s)? (Select all that apply)
A) IRPs
B) Log monitoring
C) Backups and system recovery
D) DRPs
E) Forensic analysis
A) IRPs
C) Backups and system recovery
D) DRPs
E) Forensic analysis
Corrective Controls: Applies a control after an event has been detected. (1.1)
93
Which of the answers listed below refer(s) to compensating security control(s)? (Select all that apply)
A) Temporary service disablement
B) Video surveillance
C) MFA
D) Backup power systems
E) Sandboxing
F) Temporary port blocking
A) Temporary service disablement
C) MFA
D) Backup power systems
E) Sandboxing
F) Temporary port blocking
Compensating: A control method using other means instead (Plan B) (1.1)
94
True or False: The term "Directive security controls" refers to the category of security controls that are implemented through policies and procedures.
True.
Directive Controls: Directs a subject towards security compliance. (1.1)
95
Which of the following terms fall into the category of directive security controls? (Select 2 answers)
A) IRP
B) AUP
C) IDS
D) MFA
E) IPS
A) IRP
B) AUP
Directive Controls: Directs a subject towards security compliance. (1.1)
96
Which of the terms listed below can be used to describe the basic principles of information security?
A) PKI
B) AAA
C) GDPR
D) CIA
D) CIA
CIA Triad: A combination of principles concerning the fundamentals of security; Confidentiality, Integrity, and Availability. (1.2)
97
True or False: The term "Non-repudiation" describes the inability to deny responsibility for performing a specific action. In the context of data security, non-repudiation ensures data confidentiality, provides proof of data integrity, and proof of data origin.
False.
Non-repudiation: The ability to verify whether the information received is from the sender that the information says it’s from. A non-technological example would be like you signing a document. Only you have your own signature, so that adds non-repudiation to the document you’re signing. (1.2)
98
Which of the following best applies to the concept of non-repudiation?
A) Digital certificate
B) MFA
C) Hashing
D) Encryption
A) Digital certificate
Digital Certificate: A file that contains both a public key and a digital signature. Think of it as a digital version of an ID card. It’s a way to provide trust and for them to say that the person is who they actually say they are in authentication, and allow them access to things they previously did not have access to. (1.4)
99
Which type of user account violates the concept of non-repudiation?
A) Standard user account
B) Shared account
C) Guest user account
D) Service account
B) Shared account
Non-repudiation: The ability to verify whether the information received is from the sender that the information says it’s from. A non-technological example would be like you signing a document. Only you have your own signature, so that adds non-repudiation to the document you’re signing. (1.2)
100
Which part of the AAA security architecture deals with the verification of the identity of a person or process?
A) Authentication
B) Authorization
C) Accounting
A) Authentication
The AAA Framework: Authentication, Authorization, and Accounting.
Authentication: The check between your username, your password, and any other authentication factors. It proves we are who we say we are. (1.2)
101
In the AAA security architecture, the process of granting or denying access to resources is known as:
A) Authentication
B) Authorization
C) Accounting
B) Authorization
The AAA Framework: Authentication, Authorization, and Accounting.
Authorization: What type of access one has after they’ve proven who they are through identification and authentication. (1.2)
102
In the AAA security architecture, the process of tracking accessed services as well as the amount of consumed resources is called:
A) Authentication
B) Authorization
C) Accounting
C) Accounting
The AAA Framework: Authentication, Authorization, and Accounting.
Accounting: A log of who has logged in, sent and received data, and logged out. (1.2)
103
Which of the following solutions provide(s) the AAA functionality? (Select all that apply)
A) CHAP
B) TACACS+
C) PAP
D) RADIUS
E) MS-CHAP
B) TACACS+
D) RADIUS
RADIUS: Remote Authentication Dial-in User Service. How the teachers at school log in. A centralized database of users and passwords (Active Directory) that allows for authentication into a network. Used by all sorts of devices, very popular. (4.1)
104
In the context of the AAA framework, common methods for authenticating people include: (Select 3 answers)
A) IP addresses
B) Usernames and passwords
C) MAC addresses
D) Biometrics
E) MFA
B) Usernames and passwords
D) Biometrics
E) MFA
Authentication: The check between your username, your password, and any other authentication factors. It proves we are who we say we are. (1.2)
105
Which of the answers listed below refer to common methods of device authentication used within the AAA framework? (Select 3 answers)
A) Usernames and passwords
B) Digital certificates
C) IP addresses
D) MFA
E) Biometric authentication
F) MAC addresses
B) Digital certificates
C) IP addresses
F) MAC addresses
Authentication: The check between your username, your password, and any other authentication factors. It proves we are who we say we are. (1.2)
106
Which of the following terms describes the process of identifying differences between an organization's current security posture and its desired security posture?
A) Tabletop exercise
B) Gap analysis
C) Security awareness training
D) Risk assessment
B) Gap analysis
Gap Analysis: A study of where we are versus where we would like to be. It requires research and consideration of many different IT and security factors in order to close that gap and make sure everything is completed without tripping over itself. (1.2)
107
True or False: The term "Zero Trust security" refers to a cybersecurity model that eliminates implicit trust from networks and requires all users and devices to be continuously verified before being granted access to resources. The implementation of the Zero Trust security involves two distinct components: a Data Plane, responsible for defining and managing security policies, and a Control Plane, responsible for enforcing the security policies established by the Data Plane.
False
Zero Trust: A holistic approach to network security that covers every device, process and person. You have to authenticate every time you want to gain access to a particular resource. (1.2)
108
Which of the answers listed below refers to a Zero Trust Control Plane security approach that takes into account user identity, device security, network conditions, and other contextual information to enable dynamic access decisions?
A) Implicit trust
B) Monitoring and logging
C) Adaptive identity
D) Microsegmentation
C) Adaptive identity
Adaptive Identity: Where you examine the identity of an individual and apply security controls based on other factors than just what the end user told you, such as the end user’s physical location, their relationship to the organization, their type of connection, and their IP address. (1.2)
109
What are the key components of the Zero Trust Control Plane's Policy Decision Point (PDP)? (Select 2 answers)
A) Policy Engine (PE)
B) Monitoring and logging
C) Policy Enforcement Point (PEP)
D) Microsegmentation
E) Policy Administrator (PA)
A) Policy Engine (PE)
E) Policy Administrator (PA)
Policy Engine: Thing that looks at all of the requests that are coming through the network, examines each request, compares it to a set of predefined security policies, and then makes a decision on whether the request is granted, denied, or revoked.
Policy Administrator: Takes the decision made by the policy engine and provides that information to the PEP. (1.2)
110
True or False: In the Zero Trust security architecture, the Policy Enforcement Point (PEP) is a Data Plane component that enforces the security policies defined at the Control Plane by the Policy Decision Point (PDP).
True.
Policy Enforcement Point: (PEP) The gatekeeper that all network traffic goes through. Can be one device or multiple devices working together checking different policies on things. (1.2)
111
True or False: An access control vestibule (a.k.a. mantrap) is a physical security access control system used to prevent unauthorized users from gaining access to restricted areas. An example mantrap could be a two-door entrance point connected to a guard station wherein a person entering from the outside remains locked inside until he/she provides authentication token required to unlock the inner door.
True.
Access Control Vestibule: A place people have to go into first before accessing another part of the building. Opening one door causes another one to lock, or vice versa. (1.2)
112
Which of the following statements about honeypots are true? (Select 2 answers)
A) Honeypots are always part of a honeynet
B) Honeypots mimic real systems to attract cyber attackers
C) Honeypots are a type of anti-malware solution
D) Honeypots contain apparent vulnerabilities that are closely monitored by a security team
E) Honeypots are used to launch attacks on cyber attackers
B) Honeypots mimic real systems to attract cyber attackers
D) Honeypots contain apparent vulnerabilities that are closely monitored by a security team
Honeypot: Setting up a fake system to attract a bad guy, monitoring how they are attempting to override your fake system, and then recording their methods to implement securities on your real system. Tricking evil Winnie the Pooh and trapping him. (1.2)
113
What is a honeynet in the context of cybersecurity?
A) A network of IDSs
B) A network of honeypots
C) A network of infected hosts
D) A network of IPSs
B) A network of honeypots
Honeynet: A bunch of honeypots networked together. Very sticky. (1.2)
114
Which of the answers listed below refers to a honeynet example?
A) A network of fake websites
B) A network of fake servers
C) A network of fake databases
D) A network of fake file shares
E) All of the above
E) All of the above
Honeynet: A bunch of honeypots networked together. Very sticky. (1.2)
115
True or False: A honeyfile can be any type of file (e.g., a document, email message, image, or video file) containing real user data intentionally placed within a network or system to attract potential attackers or unauthorized users.
False.
Honeyfile: A fake file with fake information to attract a bad guy. An alert is sent once the file is accessed. (1.2)
116
A honeyfile can be used for:
A) Attracting cyber attackers
B) Triggering alerts when accessed
C) Monitoring network activity
D) All of the above
D) All of the above
Honeyfile: A fake file with fake information to attract a bad guy. An alert is sent once the file is accessed. (1.2)
117
What is a honeytoken?
A) A decoy file that is designed to attract attackers
B) A unique identifier assigned to a honeyfile
C) A decoy system that is designed to lure potential attackers
D) A unique identifier that is designed to track attackers
D) A unique identifier that is designed to track attackers
Honeytokens: A bit of traceable data added to your honeynet. If data is stolen and shared, you will be notified and can trace it to who stole it. (1.2)
118
Which of the following should not be used as honeytokens? (Select all that apply)
A) Active user account credentials
B) Database entries mimicking real data
C) Actual URLs to live websites or resources
D) Dummy server logs with enticing information
E) Fake identifiers, including usernames, passwords, email addresses, and IP addresses
A) Active user account credentials
C) Actual URLs to live websites or resources
Honeytokens: A bit of traceable data added to your honeynet. If data is stolen and shared, you will be notified and can trace it to who stole it. (1.2)
119
A process used by organizations to assess and evaluate the potential impact of disruptive incidents or disasters on their critical business functions and operations is referred to as:
A) BPA
B) BIA
C) SLE
D) BCP
B) BIA
BIA: A business impact analysis (BIA) predicts the consequences of a disruption to your business, and gathers information needed to develop recovery strategies. (5.3)
120
A hierarchical system for the creation, management, storage, distribution, and revocation of digital certificates is known as:
A) PKI
B) RA
C) PKCS
D) CA
A) PKI
PKI: Public Key Infrastructure. Policies and procedures that are responsible for creating, distributing, managing, storing, revoking, and performing processes associated with digital certificates.
PKI used as a verb means to associate a certificate to people or devices. (1.4)
121
Which of the answers listed below best describes the characteristics of a public-private key pair?
A) Both keys are examples of a symmetrical key
B) Two keys that are identical
C) A pair of keys where one is used for encryption and the other for decryption
D) Both keys are examples of a shared key
C) A pair of keys where one is used for encryption and the other for decryption
Asymmetric Encryption: Public key cryptography. Two (or more) mathematically related keys. You encrypt data with one key and decrypt data with a different key. Both keys are made at the same time so they mathematically understand one another. One of the keys made is the private key (the one that is not shared) and the other is made to be the public key (the one that is shared to other people). The private key is the only key that can decrypt data encrypted with the public key, making all data encrypted with the public key safe from encryption except from one source. (1.4)
122
What is the typical use of a public key?
A) Data encryption
B) Data decryption
C) User/device authentication
D) All of the above
A) Data encryption
Symmetric Encryption: A single, shared key. You encrypt data with the key and decrypt data with the key. If the key gets out, you’ll need another key. Also known as a secret key algorithm or a shared secret. It doesn’t really scale very well because it’s only one key shared between a bunch of people. It is very fast, however. (1.4)
123
True or False: Key escrow is a cryptographic technique that enables storing copies of encryption keys with a trusted third party. A Recovery Agent (RA) is a trusted third party (an individual, entity, or system) who is authorized to assist in the retrieval of encryption keys and data on behalf of the data owner. Key escrow and RA are both used to ensure that encrypted data can be decrypted even if the data owner loses access to their encryption key. Since key escrow and RAs are both components of a single security solution, the only way to implement key escrow systems is with the use of RAs.
False.
Key Escrow: Someone else holding onto your decryption keys, either within your organization or with a third party. (1.4)
124
Which of the following answers refers to a data storage device equipped with hardware-level encryption functionality?
A) HSM
B) TPM
C) EFS
D) SED
D) SED
SED: Self-Encrypting Devices. Data storage device with built-in cryptographic processing that may be utilized to encrypt and decrypt the stored data, occurring within the device and without dependence on a connected information system. (1.4)
125
Which of the answers listed below refers to software technology designed to provide confidentiality for an entire data storage device?
A) TPM
B) FDE
C) EFS
D) HSM
B) FDE (Full Disk Encryption)
Encryption Hardening Techniques: Ensure file systems are encrypted, either EFS or FDE, and encrypt your network with a VPN. (2.5)
126
An MS Windows component that enables encryption of individual files is called:
A) SED
B) EFS
C) BitLocker
D) FDE
B) EFS (Encrypting File System)
You can encrypt individual files on Windows using EFS (Encrypting File System), and other OSs using other third party utilities. (1.4)
127
What is the name of a network protocol that secures web traffic via SSL/TLS encryption?
A) SFTP
B) HTTPS
C) FTPS
D) SNMP
B) HTTPS
Transport encryption: Protecting data as it crosses the network. This is done by browsers using secure ports such as HTTPS that encrypt data as it crosses the network. VPNs are another example, either site to site VPNs using IPsec, or client based VPNs using SSL/TLS. (1.4)
128
Which of the answers listed below refers to a deprecated TLS-based method for secure transmission of email messages?
A) S/MIME
B) STARTTLS
C) DKIM
D) SMTPS
D) SMTPS
Insecure Protocols: Telnet, FTP, SMTP, and IMAP all send their information in the clear, so use the secure versions of these instead. (NA)
129
True or False: The MIME specification extends the email message format beyond plain text, enabling the transfer of graphics, audio, and video files over the Internet mail system. S/MIME is an enhanced version of the MIME protocol that enables email security features by providing encryption, authentication, message integrity, and other related services.
True.
(NA)
130
What is the name of a network protocol that enables secure file transfer over SSH?
A) TFTP
B) SFTP
C) Telnet
D) FTPS
B) SFTP
(NA)
131
True or False: SFTP is an extension of the FTP protocol that adds support for SSL/TLS encryption.
False. It's an extension of SSH. (NA)
132
A type of cryptographic network protocol for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked computers is known as:
A) RDP
B) SSH
C) Telnet
D) SCP
B) SSH (NA)
133
Which of the answers listed below refers to a suite of protocols and technologies providing encryption, authentication, and data integrity for network traffic?
A) TLS
B) SSH
C) IPsec
D) VPN
C) IPsec
IPSec: Internet Protocol Security. Provides authentication (AH, authentication header) and encryption (ESP, encapsulation security payload) for all layer 3 (IP) packets. (3.2)
134
Which part of IPsec provides authentication, integrity, and confidentiality?
A) SPD
B) PFS
C) AH
D) ESP
D) ESP
IPSec: Internet Protocol Security. Provides authentication (AH, authentication header) and encryption (ESP, encapsulation security payload) for all layer 3 (IP) packets. (3.2)
135
A system that uses public network (such as the Internet) as a means for creating private encrypted connections between remote locations is referred to as:
A) WWAN
B) VPN
C) PAN
D) VLAN
B) VPN
VPN: Virtual Private Network. Encrypted (private) data traversing a public network. Data meets and flows in and out of a VPN concentrator. (3.2)
136
Which protocol enables secure, real-time delivery of audio and video over an IP network?
A) S/MIME
B) RTP
C) SIP
D) SRTP
D) SRTP (NA)
137
An encryption protocol primarily used in Wi-Fi networks implementing the WPA2 security standard is called:
A) TKIP
B) CCMP
C) SSL
D) IPsec
B) CCMP (NA)
138
A security protocol designed to improve the security of existing WEP implementations is known as:
A) WPA2
B) RC4
C) CCMP
D) TKIP
D) TKIP (NA)
139
Which cryptographic protocol is designed to provide secure communications over a computer network and is the successor to SSL?
A) IPsec
B) TLS
C) AES
D) CCMP
B) TLS
Transport encryption: Protecting data as it crosses the network. This is done by browsers using secure ports such as HTTPS that encrypt data as it crosses the network. VPNs are another example, either site to site VPNs using IPsec, or client based VPNs using SSL/TLS.
Client VPNs use SSL/TLS protocols (TCP 443). (1.4 & 3.2)
140
True or False: In asymmetric encryption, any message encrypted with the use of a public key can only be decrypted by applying the same algorithm and a matching private key (and vice versa).
True. (1.4)
141
Which of the answers listed below refers to a shared secret authentication method used in WPA, WPA2, and EAP?
A) PSK
B) 802.1X
C) SAE
D) TKIP
A) PSK
WPA3: Wi-Fi Protected Access 3. WPA with GCMP block cipher mode. PSK is not sent across the network. Nothing to brute force. Each session key is unique, so it doesn’t matter if it’s captured. Very secure. (4.1)
142
Which cryptographic solution would be best suited for low-power devices, such as IoT devices, embedded systems, and mobile devices?
A) ECC
B) DES
C) RSA
D) AES
A) ECC (NA)
143
Which of the cryptographic algorithms listed below is the least vulnerable to attacks?
A) AES
B) DES
C) RC4
D) 3DES
A) AES (NA)
144
Which of the following answers refers to a deprecated wireless authentication protocol developed by Cisco?
A) PEAP
B) EAP-TTLS
C) LEAP
D) EAP-TLS
C) LEAP (NA)
145
Which of the answers listed below refers to an open standard wireless network authentication protocol that enhances security by encapsulating authentication process within an encrypted TLS tunnel?
A) PEAP
B) EAP
C) LEAP
D) RADIUS
A) PEAP (NA)
146
Which of the programming aspects listed below are critical in the secure application development process? (Select 2 answers)
A) Patch management
B) Input validation
C) Password protection
D) Error and exception handling
E) Application whitelisting
B) Input validation
D) Error and exception handling
Input Validation: Basically editing application code. Application developers perform input validation when information is going into their application. It ensures that any unexpected data that’s put into one of those inputs will not be interpreted by the application. They check to see what they’ve put into their apps matches what’s actually supposed to go in there. (4.1)
147
Which of the following answers refers to a countermeasure against code injection?
A) Fuzzing
B) Input validation
C) Code signing
D) Normalization
B) Input validation
Input Validation: Basically editing application code. Application developers perform input validation when information is going into their application. It ensures that any unexpected data that’s put into one of those inputs will not be interpreted by the application. They check to see what they’ve put into their apps matches what’s actually supposed to go in there. (4.1)
148
True or False: The term "Secure cookie" refers to a type of HTTP cookie that is transmitted over an encrypted HTTPS connection, which helps prevent the cookie from being intercepted or tampered with during transit.
True.
Secure Cookies: Cookies are bits of data about your web sessions that’s stored on your computer by a web browser. Secure cookies only send that data over HTTPS so it’s secure. (4.1)
149
Which of the terms listed below refers to an automated or manual code review process aimed at discovering logic and syntax errors in the application's source code?
A) Input validation
B) Dynamic code analysis
C) Fuzzing
D) Static code analysis
D) Static code analysis
Static Code Analysis: A method application developers use to test the security of their applications. They put their code through a static code analyzer and the analyzer checks it for buffer overflows and database injections. (4.1)
150
True or False: A dynamic code analysis allows for detecting application flaws without the need for actual execution of the application code.
False.
Dynamic Code Analysis: Fuzzing. Fuzzing is designed to send a random input into the code of an application (fault-injecting) and see if it responds in an unexpected way. (4.1)
151
True or False: The term "Static code analysis" refers to the process of discovering application runtime errors.
False.
Static Code Analysis: A method application developers use to test the security of their applications. They put their code through a static code analyzer and the analyzer checks it for buffer overflows and database injections. (4.1)
152
What is the purpose of code signing? (Select 2 answers)
A) Disables code reuse
B) Confirms the application's source of origin
C) Enables application installation
D) Validates the application's integrity
E) Protects the application against unauthorized use
B) Confirms the application's source of origin
D) Validates the application's integrity
Code Signing: Validating that the code you’re about to run on your computer for an application is the same code that was made by the developers. Code is digitally signed by the dev, like a CA.
153
The practice of finding vulnerabilities in an application by feeding it incorrect input is called:
A) Normalization
B) Hardening
C) Dynamic code analysis
D) Fuzzing
C) Dynamic code analysis
OR
D) Fuzzing
Dynamic Code Analysis: Fuzzing. Fuzzing is designed to send a random input into the code of an application (fault-injecting) and see if it responds in an unexpected way. (4.1)
154
In computer security, a mechanism for safe execution of untested code or untrusted applications is referred to as:
A) Sideloading
B) Virtualization
C) Sandboxing
D) Stress testing
C) Sandboxing
Sandboxing: Running code in an isolated environment to make sure it works and won’t infect anything if it’s corrupted. Commonly used during development. (4.1)
155
Which of the following answers refers to a Windows-specific feature for handling exceptions, errors, and abnormal conditions in software?
A) EPC
B) SEH
C) EH
D) EXR
B) SEH (Secured Exceptions Handling) (NA)
156
True or False: Address Space Layout Randomization (ASLR) is an OS security technique that randomizes the location of key data areas in memory. The purpose of ASLR is to prevent attackers from predicting the location of specific code or data in memory, which adds a layer of defense against memory-based attacks, such as buffer overflows.
True. (NA)
157
A type of user identification mechanism used as a countermeasure against automated software (such as network bots) is known as:
A) MFA
B) CAPTCHA
C) SSO
D) NIDS
B) CAPTCHA (NA)
158
Which of the answers listed below refers to a hardware monitoring and asset tracking method?
A) Barcode labels
B) QR codes
C) RFID tags
D) GPS tracking
E) All of the above
E) All of the above (4.2)
159
Which of the following wireless technologies enables identification and tracking of tags attached to objects?
A) GPS
B) IR
C) RFID
D) NFC
C) RFID (4.2)
160
Which type of software enables monitoring and tracking of mobile devices?
A) MDM
B) GPS
C) NFC
D) GSM
A) MDM
MDM: Mobile Device Management: A centralized console that manages company-owned and user-owned mobile devices. Can set policies on what mobile apps can and can’t be used, can remotely access phones, and can partition the device data into segments. (4.1)
161
True or False: One of the ways to prevent data recovery from a storage drive is to overwrite its contents. The data overwriting technique is used by drive wipe utilities which might employ different methods (including multiple overwriting rounds) to decrease the likelihood of data retrieval. As an example, a disk sanitization utility might overwrite the data on the drive with the value of one in the first pass, change that value to zero in the second pass, and finally perform a few more passes, overwriting the contents with random characters.
True.
Media Sanitization: Making sure data is completely removed from media, and no usable information remains. You can either completely clean a hard drive for future use, or just permanently delete a single file. (4.2)
162
Which of the destruction tools/methods listed below allow(s) for secure disposal of physical documents? (Select all that apply)
A) Shredding
B) Overwriting
C) Burning
D) Formatting
E) Degaussing
A) Shredding
C) Burning
Physical Destruction of Media: Drill it. Hammer it. Shoot it. Put it in a shredder. Crush it. Incinerate it. Degauss it. (4.2)
163
Which of the following methods provides the most effective way for permanent removal of data stored on a magnetic drive?
A) Cryptographic erasure
B) Data overwriting
C) Degaussing
D) Low-level formatting
C) Degaussing
Physical Destruction of Media: Drill it. Hammer it. Shoot it. Put it in a shredder. Crush it. Incinerate it. Degauss it. (4.2)
164
True or False: Certificate of destruction is a document issued by companies that conduct secure device/document disposal. The certificate verifies proper asset destruction and can be used for auditing purposes. In case of device disposal, the document includes a list of all the items that have been destroyed along with their serial numbers. It may also describe the destruction method, specify location (on-site/off-site), or list the names of witnesses who oversaw the entire process.
True.
Certificate of Destruction: Give your drives to a third party, they blow them up, and then give you a certificate saying they blew them up.
165
Which policy typically specifies the period during which certain types of data must be stored prior to disposal?
A) Data protection policy
B) Data classification policy
C) Data backup policy
D) Data retention policy
D) Data retention policy
Data Retention: Sometimes you are required to keep data for a certain number of years (emails, for example). Make sure this data is backed up somewhere, and sometimes even in multiple formats. (4.2)
166
Vulnerability scanning: (Select all that apply)
A) Identifies lack of security controls
B) Actively tests security controls
C) Identifies common misconfigurations
D) Exploits vulnerabilities
E) Passively tests security controls
A) Identifies lack of security controls
C) Identifies common misconfigurations
E) Passively tests security controls
Vulnerability Scan: A minimally invasive scan on your systems used to determine if a system may be susceptible to a type of attack. Not a penetration test. Usually includes a port scan. Sometimes include false positives, so they need to be looked through by hand afterward. (4.3)
167
Which of the answers listed below refer to the characteristic features of static code analysis? (Select 3 answers)
A) Involves examining the code without executing it
B) Often used early in the development process
C) Examines code structure, syntax, and semantics to detect issues like syntax errors, coding standards violations, security vulnerabilities, and bugs
D) Typically used later in the software development lifecycle
E) Involves executing the code and analyzing its behavior at runtime
F) Analyzes runtime properties like memory usage, performance, and error handling to identify issues such as memory leaks, performance bottlenecks, and runtime errors
A) Involves examining the code without executing it
B) Often used early in the development process
C) Examines code structure, syntax, and semantics to detect issues like syntax errors, coding standards violations, security vulnerabilities, and bugs
Static Code Analysis: A method application developers use to test the security of their applications. They put their code through a static code analyzer and the analyzer checks it for buffer overflows and database injections. (4.1)
168
Who are stakeholders in the context of change management?
A) Only technical staff
B) Individuals or groups affected by or involved in a change
C) Only security personnel
D) Only upper management
B) Individuals or groups affected by or involved in a change
Stakeholders: Individuals or departments that will be impacted by the change you’re proposing. They’re going to want input on the change management process, and some type of control over when the change occurs. Take into account who all is going to be impacted by the change. Look beyond the immediate impact and look through the whole process. (1.3)
169
How do privileged access management tools enhance security in an organization?
A) By granting all users privileged access
B) By restricting access to all resources
C) By disabling all access controls
D) By implementing just-in-time permissions and password vaulting
D) By implementing just-in-time permissions and password vaulting
Privileged Access Management Tools:
Just-In-Time Permissions: Granting admin access for a limited time on a specific set of time sensitive credentials.
Password Vaulting: Primary credentials are stored in a password vault, and the vault controls who gets access to credentials. (4.6)
170
What are common characteristics of external threat actors? (Select two)
A) Limited access to internal systems
B) Often motivated by financial gain
C) Typically have less sophisticated tools
D) Usually driven by political or ideological beliefs
A) Limited access to internal systems
B) Often motivated by financial gain
Threat Actor: The entity responsible for an event that has an impact on the safety of another entity. Also called a malicious actor.
The three important attributes to nail down when identifying a threat actor are
1) Are they internal or external
2) How much funding/resources do they have
3) What’s their level of sophistication/capability (2.1)
171
How does User Behavior Analytics (UBA) contribute to enterprise security?
A) By analyzing and detecting anomalous user behavior
B) By ignoring user activities
C) By disabling user access
D) By allowing unrestricted user activities
A) By analyzing and detecting anomalous user behavior
User Behavior Analytics: A large amount of correlated user activity data observed by XDR and used to build a baseline for what “normally” happens on the network, so that outlying activity stands out and can be stopped. (4.5)
172
What is the role of a Policy Enforcement Point (PEP) in policy-driven access control?
A) Creating security policies
B) Enforcing security policies at runtime
C) Analyzing threat scope reduction
D) Allowing unrestricted access to all users
B) Enforcing security policies at runtime
Policy Enforcement Point: (PEP) The gatekeeper that all network traffic goes through. Can be one device or multiple devices working together checking different policies on things. (1.2)
173
In a wartime scenario, which threat actors are most likely to be active?
A) Nation-state
B) Insider threats
C) Organized crime
D) Hacktivists
A) Nation-state
Nation State: A threat actor external to your organization associated with a government or national security of that government. They could have many motivations for attacking you, with lots of sophistication, capability, and resources. (2.1)
174
Which of the following agreement types is specifically focused on defining the scope of work to be performed by a vendor?
A) Memorandum of Agreement (MOA)
B) Service-Level Agreement (SLA)
C) Work Order (WO)/Statement of Work (SOW)
D) Non-Disclosure Agreement (NDA)
C) Work Order (WO)/Statement of Work (SOW)
WO: Work Order (or Statement of Work). Specific list of items to be completed used in conjunction with the MSA that details the scope of the job, the location, acceptance criteria, etc. (5.3)
175
Why is root cause analysis important in incident response?
A) To increase complexity
B) To understand the fundamental reasons behind an incident
C) To ignore the incident
D) To decrease reaction time
B) To understand the fundamental reasons behind an incident
Root Cause Analysis: Determining the ultimate cause of an incident. Asking, “Why did this happen?” or “What was the first domino to fall in this chain of incidents?” Gathering of facts to draw a reasonable conclusion. (4.8)
176
When considering the security implications of hardware, software, and data asset management, which practices contribute to maintaining a secure environment? (Select all that apply)
A) Regular disposal and destruction of outdated assets
B) Dynamic assignment of ownership
C) Monitoring and tracking assets throughout their lifecycle
D) Lack of classification for sensitive data
A) Regular disposal and destruction of outdated assets
C) Monitoring and tracking assets throughout their lifecycle
Assignment/Accounting and Monitoring/Asset Tracking: …Dude, just put an asset tag on things when you get them, and put them into an asset tracking system explaining what the thing is and who currently has it. This is not hard.
Physical Destruction of Media: Drill it. Hammer it. Shoot it. Put it in a shredder. Crush it. Incinerate it. Degauss it. (4.2)
177
In vulnerability management, the term _________ refers to the process of determining the relative importance or urgency of addressing a particular vulnerability.
A) Rescanning
B) Analysis
C) Confirmation
D) Prioritize
D) Prioritize
Prioritize: Vulnerabilities are classified as low, medium, and high priority based upon how open the vulnerability makes your systems. (4.3)
178
Frank was contacted by phone a person claiming to be an executive vice president urgently requesting that his password be reset. He insisted on the security urgency at hand and informed Frank that his supervisor would be contacted unless he complied immediately. Frank suspected that this was a social engineering attack. Which principles of human manipulation did the attacker attempt on Frank? Choose three.
A) Authority
B) Fright
C) Intimidation
D) Urgency
E) Scarcity
F) Trust
A) Authority
C) Intimidation
D) Urgency
Authority is a doubly correct answer here because the caller is made by someone impersonating an authority figure but also because of the threat to contact Frank’s supervisor. The threat consists of the threat to contact Frank’s supervisor. The urgency is referenced twice so clearly belongs to the correct choice. Neither trust nor scarcity apply in this scenario and Fright is a nonsense detractor as it is not a recognized category of human manipulation for social engineering. (2.2)
179
Alina works for a company whose domains are .domain.com and .domain.org. She has been tasked to acquire a digital certificate that will cover these domains as well as all the subdomains these main domains have. Which of the following certificates would best fulfill the requirements?
A) Domain validation digital certificate
B) Wildcard digital certificate
C) SAN
D) NAXX
C) SAN
SAN – Subject Alternative Name allows different values to be associated with a single certificate. A SAN allows a single digital certificate to specify additional host names to be protected by that one certificate. It also allows a certificate to cover multiple IP addresses. A wildcard digital certificate can protect all first-level subdomains on an entire domain but they cannot apply to different domains so they can’t fulfill Alina’s requirements. A domain validation digital certificate will verify the identity of the entity that has control over a given domain name. NAXX is the nonsense detractor. (4.1)
180
Which PKI trust model assigns a single hierarchy with one master CA called the root, who signs all digital certificate authorities with a single key?
A) Distributed trust model.
B) Bridge trust model.
C) Hierarchical trust model.
D) Centralized trust model.
C) Hierarchical trust model.
A hierarchical trust model assigns a single hierarchy with one master CA called the root, who signs all digital certificate authorities with a single key. The distributed trust model has multiple CAs that sign digital certificates. With the bridge trust model, no single CA signs digital certificates, and yet the CA acts as a facilitator to interconnect all other CAs. Centralized trust model. (1.4)
181
What is the primary distinction between a Certificate Policy (CP) and a Certificate Practice Statement (CPS)?
A) A CP describes how end-users register for a digital certificate.
B) A CPS is a published set of rules that govern the operation of a PKI.
C) A CPS governs the operation of intermediate CA.
D) A CP provides recommended baseline security requirements for the use and operation of PKI components.
D) A CP provides recommended baseline security requirements for the use and operation of PKI components.
A CP is a set of rules that provide recommended baseline security requirements for the use and operation of PKI components, while a CPS is a more technical document that describes how the CA uses and manages certificates. (1.4)
182
Several steps can be taken to harden SCADA and ICS systems. Which of the following is not such a step?
A) As much as possible rely on proprietary protocols to protect the network.
B) Establish clear policies and conduct training around the policies.
C) Test to identify and evaluate possible attack scenarios.
D) Remove or disable unnecessary services.
E) Identify all connections to SCADA networks.
A) As much as possible rely on proprietary protocols to protect the network.
SCADA: Supervisory Control and Data Acquisition System. Also known as ICS, Industrial Control Systems. Basically large scale industrial networking. Various building controls talking to one another through the network. Managed usually at one computer. (3.1)
183
You have been tasked to configure the VPN to preserve bandwidth. Which configuration would you choose?
A) Point-to-Point Tunneling
B) Secure Socket Tunneling
C) Full tunnel
D) Split tunnel
D) Split tunnel
In a split tunnel configuration, only traffic destined for the corporate network is sent through the Virtual Private Network (VPN) tunnel. All other traffic, such as internet browsing, goes directly to the internet without passing through the VPN tunnel. This configuration preserves bandwidth as it doesn’t route unnecessary traffic through the corporate VPN. The full tunnel configuration has all traffic sent to the VPN so it does not minimize traffic. Neither Point-to-Point Tunneling nor Secure Socket Tunneling are tunnel configurations, they are both protocols. (3.2)
184
Which of the following is not a characteristic of a vulnerability scan?
A) It, on occasion, will gain unauthorized access and exploit vulnerabilities.
B) Its purpose is to reduce the attack surface.
C) Its objective is to identify risks by scanning systems and networks.
D) It is typically performed by internal security personnel.
A) It, on occasion, will gain unauthorized access and exploit vulnerabilities.
Vulnerability Scan: A minimally invasive scan on your systems used to determine if a system may be susceptible to a type of attack. Not a penetration test. Usually includes a port scan. Sometimes include false positives, so they need to be looked through by hand afterward. (4.3)
185
A method used for improved redundancy is to put in place a server cluster. There a two kinds of server clusters symmetric and asymmetric clusters. Which of the following is true about asymmetrical clusters?
A) The standby server performs useful work in addition to supporting a failed server.
B) The standby server performs no useful work other than to be ready if it is needed.
C) The standby server launches a copy of the virtual machine the failed server.
D) Virtualization dramatically increases the number of server clusters that are needed for server redundancy.
B) The standby server performs no useful work other than to be ready if it is needed.
Server Clustering: Having multiple servers configured to all work together as one big server. Can be added or removed in real-time as needed. All run the same OS. All use the same shared storage. (3.4)
186
Below is a description of IT assets typically found in modern enterprises. Which of these has the highest value and therefore justifies the most significant effort to secure?
A) Operating System that provides the foundation for application software.
B) Custom-made order fulfillment system.
C) Servers, routers, and power supplies.
D) Sales, marketing, production, and finance databases.
D) Sales, marketing, production, and finance databases.
The proprietary databases contain the most unique data and therefore would be the hardest to replace assets would they be lost. Next is the custom-made order fulfillment system as it is proprietary and so probably fairly expensive to replace although not as unique as the data. The off-the-shelf software and hardware are the easiest and cheapest to replace. (4.2)
187
A company has hired a third-party to gather information about the company’s servers and data. This third-party will not have direct access to the company's internal network, but they can gather information from any other source. Which of the following would BEST describe
this approach?
❍ A. Vulnerability scanning
❍ B. Passive reconnaissance
❍ C. Supply chain analysis
❍ D. Regulatory audit
The Answer: B. Passive reconnaissance
Passive reconnaissance focuses on gathering as much information from
open sources such as social media, corporate websites, and business
organizations. (5.5)
188
A company's email server has received an email from a third-party, but the origination server does not match the list of authorized devices. Which of the following would determine the disposition of this message?
❍ A. SPF
❍ B. NAC
❍ C. DMARC
❍ D. DKIM
The Answer: C. DMARC
DMARC (Domain-based Message Authentication Reporting and
Conformance) specifies the disposition of spam emails. The legitimate
owner of the originating email domain can choose to have these messages accepted, sent to a spam folder, or rejected. (4.5)
189
Which of these threat actors would be MOST likely to attack systems for direct financial gain?
❍ A. Organized crime
❍ B. Hacktivist
❍ C. Nation state
❍ D. Shadow IT
The Answer: A. Organized crime
An organized crime actor is motivated by money, and their hacking objectives are usually based around objectives that can be easily exchanged for financial capital. (2.1)
190
A security administrator has examined a server recently compromised by an attacker, and has determined the system was exploited due to a known operating system vulnerability. Which of the following would BEST describe this finding?
❍ A. Root cause analysis
❍ B. E-discovery
❍ C. Risk appetite
❍ D. Data subject
The Answer: A. Root cause analysis
The goal of a root cause analysis is to explain the ultimate cause of an
incident. Once the cause is known, it becomes easier to protect against
similar attacks in the future. (4.8)
191
A city is building an ambulance service network for emergency medical dispatching. Which of the following should have the highest priority?
❍ A. Integration costs
❍ B. Patch availability
❍ C. System availability
❍ D. Power usage
The Answer: C. System availability
Requests to emergency services are often critical in nature, and it's
important for a dispatching system to always be available when a call is
made. (3.1)
192
A system administrator receives a text alert when access rights are changed on a database containing private customer information. Which of the following would describe this alert?
❍ A. Maintenance window
❍ B. Attestation and acknowledgment
❍ C. Automation
❍ D. External audit
The Answer: C. Automation
Automation ensures that compliance checks can be performed on a regular basis without the need for human intervention. This can be especially useful to provide alerts when a configuration change causes an organization to be out of compliance. (5.4)
193
A security administrator is concerned about the potential for data exfiltration using external storage drives. Which of the following would be the BEST way to prevent this method of data exfiltration?
❍ A. Create an operating system security policy
to block the use of removable media
❍ B. Monitor removable media usage in
host-based firewall logs
❍ C. Only allow applications that do not use
removable media
❍ D. Define a removable media block rule in the UTM
The Answer: A. Create an operating system security policy to prevent
the use of removable media
Removable media uses hot-pluggable interfaces such as USB to connect storage drives. A security policy in the operating system can prevent any files from being written to a removable drive. (2.2)
194
A company creates a standard set of government reports each calendar quarter. Which of the following would describe this type of data?
❍ A. Data in use
❍ B. Obfuscated
❍ C. Trade secrets
❍ D. Regulated
The Answer: D. Regulated
Reports and information created for governmental use are regulated by
laws regarding the disclosure of certain types of data. (3.3)
195
An insurance company has created a set of policies to handle data breaches. The security team has been given this set of requirements based on these policies:
* Access records from all devices must be saved and archived
* Any data access outside of normal working hours must be immediately reported
* Data access must only occur inside of the country
* Access logs and audit reports must be created from a single database
Which of the following should be implemented by the security team to meet these requirements? (Select THREE)
❍ A. Restrict login access by IP address and GPS location
❍ B. Require government-issued identification during the onboarding process
❍ C. Add additional password complexity for accounts that access data
❍ D. Conduct monthly permission auditing
❍ E. Consolidate all logs on a SIEM
❍ F. Archive the encryption keys of all disabled accounts
❍ G. Enable time-of-day restrictions on the authentication server
The Answer:
A. Restrict login access by IP address and GPS location,
E. Consolidate all logs on a SIEM, and
G. Enable time-of-day restrictions on
the authentication server
Adding location-based policies will prevent direct data access from outside of the country. Saving log information from all devices and creating audit reports from a single database can be implemented through the use of a SIEM (Security Information and Event Manager). Adding a check for the time-of-day will report any access that occurs during non-working hours. (4.6)
196
A security engineer is viewing this record from the firewall logs:
UTC 04/05/2023 03:09:15809 AV Gateway Alert 136.127.92.171 80 -> 10.16.10.14 60818 Gateway Anti-Virus Alert: XPACK.A_7854 (Trojan) blocked.
Which of the following can be observed from this log information?
❍ A. The victim's IP address is 136.127.92.171
❍ B. A download was blocked from a web server
❍ C. A botnet DDoS attack was blocked
❍ D. The Trojan was blocked, but the file was not
The Answer: B. A download was blocked from a web server
A traffic flow from a web server port number (80) to a device port (60818)
indicates that this traffic flow originated on port 80 of the web server. A
file download is one of the most common ways to deliver a Trojan, and
this log entry shows that the file containing the XPACK.A_7854 Trojan
was blocked. (4.9)
197
A user connects to a third-party website and receives this message:
Your connection is not private.
NET::ERR_CERT_INVALID
Which of the following attacks would be the MOST likely reason
for this message?
❍ A. Brute force
❍ B. DoS
❍ C. On-path
❍ D. Deauthentication
The Answer: C. On-path
An on-path attack is often associated with a third-party who is actively
intercepting network traffic. This entity in the middle would not be able
to provide a valid SSL certificate for a third-party website, and this error
would appear in the browser as a warning. (2.4)
198
Which of the following would be the BEST way to provide a website login using existing credentials from a third-party site?
❍ A. Federation
❍ B. 802.1X
❍ C. EAP
❍ D. SSO
The Answer: A. Federation
Federation would allow members of one organization to authenticate
using the credentials of another organization. (4.6)
199
A system administrator is working on a contract that will specify a minimum required uptime for a set of Internet facing firewalls. The administrator needs to know how often the firewall hardware is expected to fail between repairs. Which of the following would BEST describe this information?
❍ A. MTBF
❍ B. RTO
❍ C. MTTR
❍ D. RPO
The Answer: A. MTBF
The MTBF (Mean Time Between Failures) is a prediction of how often a
repairable system will fail. (5.2)
200
An attacker calls into a company’s help desk and pretends to be the director of the company’s manufacturing department. The attacker states that they have forgotten their password and they need to have the password reset quickly for an important meeting. What kind of attack would BEST describe this phone call?
❍ A. Social engineering
❍ B. Supply chain
❍ C. Watering hole
❍ D. On-path
The Answer: A. Social engineering
This social engineering attack uses impersonation to take advantage of
authority and urgency principles in an effort to convince someone else to
circumvent normal security controls. (2.2) [A19]
