Test #1 Flashcards

1
Q
You want to ensure that data can only be viewed by authorized users. What provides this assurance?  
    
A. Confidentiality      
B. Integrity      
C. Availability      
D. Authentication
A

A. Confidentiality prevents unauthorized disclosure and is enforced with access controls and encryption. Integrity provides assurances that data has not been modified and is enforced with hashing. Availability ensures systems are up and operational when needed and uses fault tolerance and redundancy methods. Authentication provides proof that users are who they claim to be.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q
A database administrator has just completed an update to a database using a script. Unfortunately, the script had an error and wrote incorrect data throughout the database. What has been lost?     
A. Confidentiality      
B. Integrity      
C. Availability      
D. Authentication
A

B. If an unauthorized or unintended change occurs to data, the data has lost integrity. Confidentiality prevents unauthorized disclosure and is enforced with access controls and encryption. Availability ensures systems are up and operational when needed and uses fault tolerance and redundancy methods. Authentication provides proof that users are who they claim to

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q
What does RAID-1 support?  
    
A. Authentication      
B. Availability      
C. Confidentiality      
D. Integrity
A

B. Redundant Array of Inexpensive Disks 1 (RAID-1) uses two disks to create a mirror of each, and it provides availability through fault tolerance. If a single drive fails, the system can tolerate the fault and continue to operate. Authentication provides proof of a user’s identity. Confidentiality ensures that data is only viewable by authorized users. Integrity provides assurances that data has not been modified.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q
A user enters a username and a password and logs onto a system. What does this describe?      
A. Identification      
B. Authentication      
C. Authorization      
D. Availability
A

B. Authentication occurs when an identity is verified. An entity claims an identity by presenting something like a username and proves the identity with an authentication mechanism such as a password. Authorization provides access to resources and occurs after authentication. Availability indicates that the system is up and operational when needed.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Your organization has configured an account policy that locks out a user accounts for thirty minutes if they enter the wrong password five times. What is this policy?

A. Account lockout policy
B. Account disablement policy
C. Account continuance policy
D. Password policy

A

A. An account lockout policy will force an account to be locked out after the wrong password is entered a set number of times (such as after five failed attempts). An account disablement policy specifies that accounts are disabled when no longer needed, such as after an employee leaves the company. There is no such thing as an account continuance policy. A password policy ensures strong passwords are used and users change their password regularly.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Which of the following supports the use of one-time passwords?

A. Proximity card
B. Tokens
C. CAC
D. PIV

A

B. A token (such as an RSA token) provides a rolling password for one-time use. A proximity card is something you have (or something a user has) as a factor of authentication, but it doesn’t use one-time passwords. A CAC and a PIV are both specialized types of smart cards that include photo identification.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

A user must swipe his finger on a fingerprint scanner to gain access to his laptop. What is being used for authentication?

A. Something the user knows
B. Something the user has
C. Something the user wants
D. Biometrics

A

D. A fingerprint scanner is using biometrics (in the something the user is factor of authentication). Biometrics are the most difficult for an attacker to falsify or forge since it represents a user based on personal characteristics. A password or PIN is an example of something the user knows. A token or smart card is an example of something the user has. Something the user wants is not a valid factor of authentication.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Of the following choices, what qualifies as two-factor authentication?

A. Fingerprints from both of a user’s hands B. Two passwords
C. A smart card and a PIN
D. A token and a smart card

A

C. Two-factor authentication includes authentication from two of three factors (something you know, something you have, and something you are) and only a smart card (something you have) and a PIN (something you know) meet this requirement. Fingerprints from two hands use only biometrics (something you are), two passwords are two instances of something you know, and a token and smart card represent two instances of something you have.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Which of the following choices is an example of authentication based on something you have and something you are?

A. A username, password, and PIN
B. A token and a fingerprint scan
C. A token and a password
D. A PIN and a fingerprint scan

A

B. Token-based authentication is based on something you have, and a fingerprint scan is based on something you are. A username, password, and PIN all fall in under the something you know factor of authentication. A token and password are something you have and something you know. A PIN and a fingerprint scan are something you know and something you are.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q
Which of the following authentication protocols uses tickets?  
    
A. LDAP      
B. MD5      
C. SHA1      
D. Kerberos
A

D. Kerberos is a network authentication protocol using tickets. The Lightweight Directory Access Protocol (LDAP) specifies formats and methods to query directories and is used to manage objects (such as users and computers) in an Active Directory domain. MD5 and SHA1 are hashing algorithms, not authentication protocols.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Dawn logged on using her work account at 6: 45 a.m. into a Kerberos realm. She was able to access network resources throughout the day with no problem. A crisis kept her at work late. However, she found that at about 7: 30 p.m., she was no longer able to access a server she accessed earlier. Another worker working on the evening shift accessed the server without any problem. What is the likely problem?

A. The server is down
B. Her certificate has expired
C. Her ticket has expired
D. The server’s certificate has expired

A

C. Kerberos uses time-stamped tickets, and they often have a lifetime of ten or twelve hours. If the ticket is expired, the user won’t be able to use it anymore without logging off and back on. Since another user is accessing the server, it is not down. A Kerberos realm uses tickets, not certificates, and there is no indication that certificates are being used.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q
  1. What is a primary difference between TACACS and TACACS +?

A. TACACS can use either TCP or UDP ports 514 while TACACS + uses only TCP port 514
B. TACACS can use either TCP or UDP ports 49 while TACACS + uses only TCP port 49
C. TACACS + can use either TCP or UDP ports 49 while TACACS uses only TCP port 49
D. TACACS + can use either TCP or UDP ports 514 while TACACS uses only TCP port 514

A

B. TACACS can use either TCP or UDP ports 49, while TACACS + uses only TCP port 49. Port 514 is used for the UNIX-based syslog.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Sally is required to review security logs and maintain three servers within a network. Instead of giving her full access to all network resources, she is granted access only to the security logs and the three servers. Which of the following choices best identifies what is being used?

A. MAC
B. DAC
C. RBAC
D. Least privilege

A

D. The principle of least privilege is a technical control and ensures that users have only the rights and permissions needed to perform the job, and no more. MAC, DAC, and RBAC are access control models that include much more than just a single access control such as least privilege.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

An administrator wants to use user templates as a method of complying with the principle of least privilege. What access control model supports this process?

A. Discretionary access control (DAC)
B. Mandatory access control (MAC)
C. Role-based access control (RBAC)
D. Rule-based access control (RBAC)

A

C. Role-based access control (RBAC) allows an administrator to create a user template, add the user template to one or more groups based on roles, and then assign rights and permissions to the groups. Any user accounts created with this template will automatically have these permissions. The DAC model specifies that every object has an owner, and Windows systems use the DAC model by default for NTFS files and folders. The MAC model uses sensitivity labels.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What is the difference between rule-based and role-based access control?

A. Rule-based access control is based on a set of approved instructions while role-based is based on job function
B. Rule-based access control is based on job function while role-based is based on a set of approved instructions
C. Rule-based access control uses labels to identify subjects and objects while role-based requires every object to have an owner
D. They are both the same, and known as RBAC

A

A. Rule-based access control (RBAC) is based on a set of approved instructions configured as rules, while role-based uses roles (or groups) based on job functions. MAC uses labels to identify subjects and objects and DAC requires every object to have an owner. While both rule-based and role-based access controls share the same acronym (RBAC), they are not the same.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

You want to increase physical security for your server room. Which of the following provides the best protection?

A. Limit access to only a single well-protected entrance
B. Ensure that the server room has one door for entrance and one door for exit
C. Ensure that access to the server is limited to only management
D. Remove all physical access to the server room

A

A. One of the best examples of physical security for a server room is to ensure that access is limited to only a single well-protected entrance. Two doors (one for entrance and one for exit) requires security at both doors, and it is difficult to ensure that each is only used for an entrance or exit. More than one entrance and exit makes it harder to monitor access.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Users in an organization are issued proximity cards that they use to access secure areas. Lately, users have begun trading their proximity cards so co-workers can access resources with someone else’s card. What permits this misuse?

A. A lack of authorization controls
B. A lack of access controls
C. Authentication verification without authorization D. Authorization verification without authentication

A

D. The proximity card is being used without any type of authentication other than holding the proximity badge, which is granting authorization to resources without authenticating users; a solution would be to require authentication though a method other than the proximity badge prior to authorizing access, such as matching a PIN to the card. Authorization is being granted based on possession of the proximity cards so there are authorization and access controls; however, there isn’t any authentication verification.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

A security professional observes employees regularly tailgating others into a secure datacenter. What can prevent this?

A. CCTV
B. Mantrap
C. Proximity card
D. Cipher lock

A

B. A mantrap is highly effective at preventing unauthorized entry and can also be used to prevent tailgating. CCTV provides video surveillance and it can record unauthorized entry, but it can’t prevent it. A proximity card is useful as an access control mechanism, but it won’t prevent tailgating, so it isn’t as useful as a mantrap. A cipher lock is a door access control, but it can’t prevent tailgating.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

An employee found a USB flash drive in the parking lot. What should the employee do with this?

A. Look at the contents to determine the owner B. Destroy it
C. Turn it into a security professional
D. Take it home and insert it into a home computer

A

C. The USB flash drive should be turned in to a security professional. It’s risky to plug it in to look at the contents or take it home, since it could have malware. While it may be safe to destroy it, a security professional can plug it into an isolated system to determine its contents and the owner.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

An employee has left the company to go back to school. Which of the following is considered a security best practice in this situation?

A. Disable the account
B. Set the account to expire in sixty days
C. Set the password to expire
D. Since the employee left on good terms, nothing needs to be done

A

A. An account disablement policy would ensure that a terminated employee’s account is disabled to revoke the employee’s access. Setting an account to expire is useful for a temporary account, but in this situation, it would leave the account available for anyone to use for the next sixty days instead of immediately disabling it. Expiring the password forces the user to change the password at the next logon. It doesn’t matter why employees leave a company; if they are no longer employed, the account should be disabled.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

You want to ensure that data remains in an encrypted format while it is transmitted over the Internet. Of the following choices, what can you use? (Choose all that apply.)

A. SFTP, FTPS, TFTP, HTTPS, SSL, TLS
B. SSH, SFTP, SSL, HTTP
C. TLS, SSL, SSH, FTPS, SFTP,
D. HTTPS, FTP, SSH, SSL

A

C. Transport Layer Security (TLS), Secure Sockets Layer (SSL), Secure Shell (SSH), File Transfer Protocol Secure (FTPS), and Secure File Transfer Protocol (SFTP) can all encrypt data transmitted over the Internet. (Notice they all have an “S” in them.) TFTP, HTTP, and FTP are all unencrypted.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

You want to configure traps on devices in your network. What would you use?

A. A load balancer
B. SNMP
C. Default gateways
D. SCP

A

B. The Simple Network Management Protocol (SNMP) uses device traps to send notifications, and it can monitor and manage network devices, such as routers or switches. A load balancer can optimize and distribute data workloads across multiple computers. A default gateway is an IP address on a router, and it provides a path to another network. SCP is based on SSH and copies files over a network in an encrypted format.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q
What port does SCP use? 
     
A. 22      
B. 23      
C. 25      
D. 80
A

A. Secure Copy (SCP) uses port 22, as do other protocols encrypted with Secure Shell (SSH), such as Secure File Transfer Protocol (SFTP). Telnet uses port 23. SMTP uses port 25. HTTP uses port 80.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Of the following choices, what is the best choice to indicate the protocol( s) that use( s) port 22?

A. SCP
B. SCP and SSH
C. SCP, TFTP, SQL, and SSH
D. SCP, SFTP, and SSH

A

D. Secure Copy (SCP), Secure File Transfer Protocol (SFTP), and Secure Shell (SSH) all use port 22. While SCP alone, and SCP and SSH, both use port 22, answer D is the best choice since it shows more of the protocols using this port. TFTP uses port 69 and Microsoft’s SQL server uses port 1433.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

An administrator wants to determine what services and protocols are running on a remote system. Of the following choices, what is the best choice to achieve this goal?

A. Go to the datacenter, log on, and inspect the system
B. Perform a vulnerability assessment
C. Perform an ICMP sweep
D. Identify open ports on the system

A

D. Since many services and protocols use open ports, an administrator can identify running services on a system by determining what ports are open. Since the system is remote, it could be in another building or even another city, so going to the datacenter is not the best choice. While a vulnerability assessment will often include a port scan, it will do much more. An ICMP sweep (also called a host enumeration sweep) will identify servers on a network, but not individual services, protocols,

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

You are examining open ports on a firewall and you see that port 500 is open. What is the likely reason?

A. To support an L2TP VPN connection
B. To support a PPTP VPN connection
C. To support a TACACS + VPN connection D. To support an IPsec VPN connection

A

D. Internet Protocol security (IPsec) virtual private network (VPN) connections use port 500 (often combined with protocol IDs 50 and/ or 51 to identify IPsec) with the Internet Key Exchange (IKE) protocol. L2TP uses port 1701. PPTP uses port 1723. TACACS + uses port 49.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

Your organization has configured switches so that only devices with specific MAC addresses can connect to specific ports on the switches. The switch prevents any other devices from connecting. What is this?

A. Content filtering
B. Port security
C. Load balancing
D. Proxy caching

A

B. A version of port security maps specific end-device MAC addresses to specific ports on the switch and prevents any other devices from connecting. Web security gateways and all-in-one security appliances provide content filtering. A load balancer optimizes and distributes data loads across multiple computers or multiple networks. A proxy server provides content filtering and caching.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

You are reviewing a firewall’s ACL and see the following statement: drop all. What security principle does this enforce?

A. Least privilege
B. Integrity
C. Availability
D. Implicit deny

A

D. A drop all or deny any any statement is placed at the end of an access control list (ACL) and enforces an implement deny strategy. Least privilege ensures users have only the access they need to perform their jobs and no more. Integrity provides assurances that data has not been modified, and availability ensures systems and data are up and operational when needed, but the drop all statement doesn’t address either of these as directly as implicit deny.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Firewalls include rules in an ACL. Which of the following would block network traffic that isn’t in any of the previously defined rules?

A. Explicit allow
B. Implicit allow
C. Explicit deny
D. Implicit deny

A

D. Most firewalls have an implicit deny statement (such as drop all or deny any any) at the end of an access control list (ACL) to block all traffic not previously allowed. An allow rule would not block traffic. An explicit deny rule explicitly blocks traffic defined in the rule only, not all other traffic.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

An organization wants to hide addresses it uses on its internal network. What can assist with this goal?

A. MAC filtering
B. NAC
C. NAT
D. DMZ

A

C. Network Address Translation (NAT) translates public IP addresses to private, private IP addresses back to public, and hides addresses on the internal network. Port security and network access control use MAC filtering to limit access. Network access control can inspect clients for health prior to allowing network access. A DMZ provides access to services (hosted on servers) from the Internet while providing a layer of protection for the internal network.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q
Your network includes a device that examines network traffic and determines when the traffic is outside expected boundaries. What is this device?      
A. Anomaly-based HIDS      
B. Signature-based HIDS      
C. Anomaly-based NIDS      
D. Signature-based NIDS
A
  1. C. An anomaly-based, network-based intrusion detection system (NIDS) compares current activity with a previously created baseline to detect abnormal activity. HIDS systems only monitor individual systems, not the network. Signature-based IDSs use signatures similar to antivirus software.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

Attackers frequently attack your organization, and administrators want to learn more about zero day attacks on the network. What can they use?

A. Anomaly-based HIDS
B. Signature-based HIDS
C. Honeypot
D. Signature-based NIDS

A

C. A honeypot is a server designed to look valuable to an attacker and can help administrators learn about zero day exploits, or previously unknown attacks. HIDS protects host-based attacks and wouldn’t help with network-based attacks. Signature-based tools would not have a signature for zero day attack since the attack method is unknown by definition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

Users in your network are complaining that they are unable to download content from a specific website. Additionally, your IDS is recording multiple events on the network. What is a likely reason why users are unable to download this content?

A. A load balancer is blocking content from the website
B. The firewall is in failopen mode
C. An evil twin is on the network
D. NIPS is blocking content from the website

A

D. A network-based intrusion prevention system (NIPS) can detect and block malicious content, and both a NIPS and an intrusion detection system (IDS) can record the events. A load balancer can optimize and distribute data loads across multiple computers. Firewalls would normally fail in failsafe/ failsecure (or closed) mode, blocking all traffic, but if it failed in failopen mode, it would allow all traffic. An evil twin is a rogue wireless access point with the same SSID as a live wireless access point.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

Attackers have launched multiple attacks against your network in recent weeks. While administrators have taken action to reduce the impact of the attacks, management wants to prevent these attacks. What can prevent ongoing network-based attacks?

A. NIDS
B. NIPS
C. HIDS
D. HIPS

A

B. A network-based intrusion prevention system (NIPS) can detect and prevent ongoing network-based attacks. In contrast, a NIDS would only detect the activity, and this is likely what is alerting administrators to the attacks now. Host-based IDSs and IPSs detect malicious activity only on a host, not a network.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

Users that are further away from the WAP installed in your company’s network are having trouble connecting. What can you check to increase the coverage of the WAP?

A. SSID broadcasting
B. Encryption method
C. Verify Enterprise mode is used
D. Power levels

A

D. You can increase coverage of a wireless access point (WAP) by increasing the power level and by adjusting the antenna placement. SSID broadcasting and encryption method does not affect the wireless coverage. Enterprise mode uses an 802.1X server for authentication and stronger security but does not affect the coverage of the WAP.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

You are configuring a secure wireless network that will use WPA2. Management wants to use a more secure method than PSKs. Of the following choices, what will you need?

A. 802.11n
B. CCMP
C. AES
D. RADIUS

A

D. WPA2 needs RADIUS to support WPA2 Enterprise mode. WPA2 personal mode uses a preshared key (PSK), and since management does not want to use PSKs, the solution requires Enterprise mode. 802.11n is a wireless standard. CCMP and AES provide strong encryption. However, using 802.11n, CCMP, or AES does not prevent the use of PSKs.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q
You have discovered a counterfeit wireless station using the same SSID as your wireless network. What best describes this?    
  
A. Evil twin      
B. IV attack      
C. War driving      
D. Rogue access point
A
  1. A. An evil twin is a rogue (or counterfeit) access point with the same SSID as an authorized access point. An IV attack attempts to discover encryption keys to crack WEP. War driving is the practice of driving around looking for access points. A rogue access point is an unauthorized wireless station, but if it has the same SSID, it’s best described as an evil twin.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
38
Q
You are planning to complete a wireless audit. What should you check? (Choose all that apply.)      
A. Antenna placement      
B. Power levels      
C. Footprint      
D. Encryption      
E. Flood guards
A

A, B, C, D. A wireless audit can check antenna placement, WAP power levels, WAP footprint, and encryption techniques. It also looks for rogue access points and unauthorized users, which are not listed in the answers. Flood guards can help prevent SYN flood attacks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
39
Q

Your organization wants to provide secure remote access to the internal network to over two hundred employees that are regularly on the road. What would they use?

A. VPN concentrator
B. Health agents
C. Web application firewall
D. Honeypot

A

A. VPN concentrators provide strong security and support large numbers of VPN clients. Health agents are required for network access control (NAC) solutions, but not required for all remote access solutions. A web application firewall (WAF) is a firewall specifically designed to protect a web application, such as a web server, and not required for remote access. A honeypot is a server designed to look valuable to an attacker, can divert attacks, and can help organizations identify the latest unknown attacks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
40
Q

What type of control is MAC filtering?

A. Network access control
B. Physical control
C. Detective control
D. Management control

A

A. MAC filtering is a form of network access control (NAC). A physical control restricts physical access to buildings and hardware devices. A detective control such as a security audit detects when a vulnerability has been exploited. Management controls are primarily administrative in function, such as risk assessments or vulnerability assessments.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
41
Q

Of the following choices, what can you do to protect a system from malicious software? (Choose two.)

A. Disable unused services
B. Disable the host-based firewall
C. Keep a system up-to-date with current patches D. Install malware

A

A, C. You can protect a system from malicious software by disabling unused services and keeping a system up-to-date. Enabling the firewall, not disabling it, provides protection against attacks. Installing antivirus or anti-malware software, not installing malware, protects a system.

42
Q

An administrator is upgrading an application on a server. What would the administrator update when complete?

A. Baseline
B. The IaaS plan
C. The HVAC system
D. The hard drive hash

A

A. A configuration baseline documents the configuration of a system and should be updated after modifying a system, such as after upgrading new software or installing a service pack. IaaS is a cloud-based technology that allows an organization to reduce its hardware footprint by outsourcing equipment requirements. HVAC provides heating and cooling, but doesn’t need to be updated after upgrading an application. Incident response procedures use a hard drive hash to identify evidence tampering.

43
Q

An administrator is deploying a service pack to several database servers. What would the administrator update when complete?

A. The SaaS plan
B. The patch management policy
C. A chain of custody
D. Configuration baseline

A

D. A configuration baseline documents the configuration of a system and is updated after modifying a system, such as through a service pack or upgrading new software. SaaS is a cloud-based technology that provides applications such as web-based e-mail to users. A patch management policy defines how patches are tested and applied, including a timeline for deployment. A chain of custody validates the control of forensic evidence, such as a disk drive, during transport.

44
Q

A virtual machine includes data on employees, including folders and files with payroll data. Management is concerned that an attacker can copy the virtual machine and access the data. What would you suggest to protect against this?
A. Enable VM escape
B. Disable VM escape
C. Encrypt the files and folders
D. Add a network-based DLP device

A

C. You can encrypt files and folders on virtual machines to protect against loss of confidentiality just as you can on physical systems. VM escape is an attack run on virtual machines, allowing the attacker to access and control the physical host. You can’t enable or disable VM escape, but you can keep a system patched and up to date to help protect against VM escape attacks. A DLP is a device that reduces the risk of employees e-mailing confidential information outside the organization.

45
Q
Of the following choices, what indicates the best choice to verify software changes on a system?      
A. Patch management     
B. A patch management policy      
C. Standardized images      
D. Performance baseline
A

A. Patch management includes testing and deploying patches and verifying the software changes made by the patches. A patch management policy defines the patch management process, including a timeline for installing patches. Standardized images provide a secure baseline and include mandatory security configurations, and a performance baseline documents a system’s performance. You can compare current systems with standardized images and performance baselines to identify differences, but just an image or a baseline will not verify the changes.

46
Q

A software vendor recently released several patches that apply to several of your servers. When should you apply these patches to the production servers?

A. Immediately
B. On the second Tuesday of each month C. Annually
D. After testing

A

D. You should apply patches to production servers after performing regression testing, and testing should be performed in a test environment that mirrors the production environment. Patches applied immediately may adversely affect production systems. Microsoft releases patches on the second Tuesday of each month, but patches still need to be tested. Applying patches annually leaves systems vulnerable to known threats between the updates.

47
Q
Sally stores a list of her passwords in a file on her computer’s local hard drive. What can protect this data if her computer is lost or stolen?   
   
A. File level encryption      
B. DLP      
C. GPS      
D. Permissions
A

A. File level encryption can protect a single file against loss of confidentiality if a computer is lost or stolen. A DLP system can examine and analyze data to detect sensitive or confidential data. A GPS can help locate a lost or stolen computer but won’t protect the individual file. Permissions provide a level of protection but can be bypassed if a computer is lost or stolen.

48
Q

Of the following choices, what will store RSA keys?

A. TPM and SSL
B. TPM and HSM
C. SSL and HSM
D. CCMP and TKIP

A

B. A Trusted Platform Module (TPM) and a hardware security module (HSM) are hardware devices that store RSA keys, provide encryption and decryption services, and can assist with user authentication. SSL uses RSA keys, also called asymmetric keys, but it is a protocol and does not store RSA keys. CCMP is an improved wireless encryption protocol used with WPA2, while TKIP is an older wireless protocol used with WPA, but neither store RSA keys.

49
Q

Your organization has an existing server and you want to add a hardware device to provide encryption capabilities. What is the easiest way to accomplish this?

A. TPM
B. HSM
C. DLP
D. IaaS

A

B. A hardware security module (HSM) is a hardware device you can add to a server to provide encryption capabilities. A TPM is a chip embedded into a motherboard that also provides hardware encryption, but you can’t easily add a TPM to an existing server. A DLP can reduce the risk of employees e-mailing confidential information outside the organization. Organizations use IaaS to rent access to hardware such as servers via the cloud to limit their hardware footprint and personnel costs.

50
Q

Your organization issues laptop computers to employees. Employees use them while traveling, and frequently store sensitive data on these systems. What can you use to recover a laptop if an employee loses it?

A. Encryption
B. Remote wipe
C. Remote lock
D. GPS tracking

A

D. The goal in the question is to recover the laptop, and the only answer that helps recover it is Global Positioning System (GPS) tracking. If you want to protect the data in the event that the employee loses the laptop, full disk encryption is a good choice. If you want to erase all the data so that an attacker can’t read it after the laptop is lost, you can use remote wipe. If you want to make it more difficult for an attacker to use the device, you can use remote lock to lock it with a different passcode.

51
Q

Your organization is considering using different cloud-based technologies. What security control is lost with these technologies?

A. Backup capabilities
B. Physical control of the data
C. Operating system choice
D. Access to the data

A

B. Since cloud computing stores data in unknown locations accessible via the Internet, you lose physical control of the data. Cloud computing providers often include backup services and customers can back up their data. Cloud computing does not limit operating system choices, and it does not result in a loss of data access.

52
Q
While surfing the Internet, a user sees a message indicating a malware infection and offering free antivirus software. The user downloads and installs the free antivirus software but then realizes it infected the system. Which of the following choices best explains what happened to the user’s system?   
   
A. Social engineering      
B. Trojan      
C. Vishing      
D. Spim
A

B. The user’s system was infected with a Trojan commonly known as rogueware. The website tricked the user into installing the malware using a form of social engineering, and this would be the best answer if the question asked what happened to the user. Vishing is a form of phishing that uses recorded voice over the telephone. Spim is a form of spam using instant messaging (IM).

53
Q

What malware can hide its running processes to avoid detection?

A. Worm
B. Virus
C. Rootkit
D. Integrity checker

A

C. Rootkits can hide their internal processes so that users can’t easily detect them, and they are more difficult for antivirus software to detect. Worms and viruses do not hide their processes to avoid detection. A file integrity checker can detect files modified by rootkits, but it is not malware.

54
Q

After browsing the Internet, a user notices the computer is running slowly. An antivirus scan with updated signatures doesn’t report any problems. What is a likely cause?

A. Known virus
B. LDAP injection
C. Zero day attack
D. Spyware

A

D. Spyware can be installed without the user’s knowledge; it can add processes and change settings, which can cause a system to run slower. A known virus would be detected by an antivirus scan with updated signatures, but not all antivirus software detects spyware. LDAP injection attempts to access Active Directory data in a domain. A zero day attack is an attack on an undisclosed vulnerability.

55
Q

Of the following choices, what can prevent malicious code from running on a computer?

A. Antivirus software
B. Host-based firewall
C. Input validation
D. Fuzzing

A

A. Antivirus software can detect malware and prevent it from running on a computer. Firewalls can prevent intrusions but won’t block software from running. Input validation checks input data and can help mitigate buffer overflow, SQL injection, and cross-site scripting attacks. Fuzzing sends pseudo-random data as input to an application in an attempt to crash or confuse it.

56
Q

A security newsletter describes an attack where e-mails that look like they are from reputable companies are actually from attackers trying to get personal and financial information. What type of attack is this?

A. Arrow phishing
B. Phishing
C. Bear phishing
D. VoIPing

A

B. Phishing is the practice of sending e-mail to users with the purpose of tricking them into revealing personal information, such as bank account information. There’s no such thing as arrow phishing, but a spear phishing attack targets a specific person or specific groups of people, such as employees of a company. There’s no such thing as bear phishing, but whaling is a phishing attack that targets high-level executives. There’s no such thing as VoIPing, but vishing is a form of phishing that uses recorded voice over the telephone.

57
Q

An organization has purchased privacy screens for all users. What threat is it trying to mitigate?

A. Password masking
B. Vishing
C. Shoulder surfing
D. Dumpster diving

A

C. Shoulder surfing can be mitigated with the use of privacy screens and password-protected screen savers. A password mask displays another character, such as an asterisk (*), to prevent shoulder surfing. Vishing is a form of phishing that uses recorded voice over the telephone and is not related to shoulder surfing. Dumpster divers search through trash looking for information, and shredding mitigates the threat.

58
Q

An investigation revealed that multiple computers within your network connected to an unknown server after business hours. These computers then launched an attack. What is the best explanation for this behavior?

A. Botnet
B. Malware
C. Kiting
D. Fuzzing

A

A. Computers within a botnet regularly check in with command and control servers for instructions and then follow instructions, which often include launching DDoS attacks. Some malware infects systems and joins them to a botnet, but not all malware follows this behavior. Kiting is the practice of repeatedly reserving domain names without paying for them. Fuzzing, or fuzz testing, sends invalid, unexpected, or random data to a system looking for vulnerabilities.

59
Q

A user entered improper data into an application and the application crashed. What is missing in this application?

A. Error handling
B. Cross-site scripting
C. Shredding
D. Password masking

A

A. Error handling routines are a part of input validation and can prevent application failures and many application attacks. Cross-site scripting is a type of attack that can be prevented with input validation. Organizations shred paper documents instead of throwing them away to mitigate dumpster diving attacks. Password masking helps prevent shoulder surfing attacks by displaying a character such as an asterisk instead of the password.

60
Q

Which of the following is related to a buffer overflow attack?

A. Flood guard
B. Memory addressing
C. HTML tags
D. Whaling

A

B. A buffer overflow attack occurs when an attacker sends more data to an application than it can handle and overwrites memory locations. A flood guard is a security control that protects against SYN flood attacks. Cross-site scripting attacks use HTML or JavaScript tags. Whaling is a targeted phishing e-mail against a company executive, such as a CEO or president.

61
Q

A web developer wants to avoid data loss from SQL injection attacks. What should the developer include in web applications?

A. Buffer overflows
B. Input validation
C. Output validation
D. Fuzzing

A

B. Input validation checks the validity of data before using it can help prevent SQL injection, buffer overflow, and cross-site scripting attacks. Buffer overflows are a vulnerability that attackers can exploit. Only inputted data needs to be validated, not outputted data. Fuzzing, or fuzz testing, sends invalid, unexpected, or random data to a system to detect buffer overflow vulnerabilities.

62
Q

An organization evaluated a marketing application and discovered that it required opening several ports on firewalls. They decided on purchasing a different marketing application. What risk management strategy did they use?

A. Risk acceptance
B. Risk avoidance
C. Risk deterrence
D. Risk transference

A

B. An organization can avoid a risk by not providing a service, using an application, or participating in a risky activity, and in this case, it used a different application to avoid the risk of the open ports. Organizations often accept a risk when the cost of the control exceeds the cost of the risk. Risk deterrence attempts to discourage attacks with preventative controls such as a security guard. Organizations can transfer a risk by purchasing insurance.

63
Q
A security professional is performing a quantitative risk analysis. Of the following choices, what is most likely to be used in the assessment? 
     
A. Judgment      
B. Expert opinions      
C. Asset value      
D. Fuzzing
A

C. A quantitative risk analysis uses cost and asset values. A qualitative risk assessment uses judgment based on expert opinions to categorize risks based on probability and impact. Fuzzing sends random data to an application and is sometimes used in black box testing, but it is not specific to any type of risk analysis.

64
Q

Management is deciding which controls to implement to reduce specific risks. They are basing their decisions on the result of an assessment that used cost. What type of assessment was completed?

A. Quantitative
B. Qualitative
C. Vulnerability scan
D. Penetration test

A

A. A quantitative risk analysis uses cost and asset values. A qualitative risk assessment uses judgment to categorize risks based on probability and impact. A vulnerability scan passively checks systems for vulnerabilities, and a penetration test will actively assess security controls to identify what can be exploited, but neither is an assessment based on cost.

65
Q

Your organization recently installed a new server hosting a database application. You want to test the server to determine if it has any known security issues. What would you use?

A. Port scanner
B. Vulnerability scanner
C. IPS
D. Firewall

A

B. A vulnerability scanner checks systems for known security issues. A port scanner will identify open ports but won’t identify security issues. An intrusion prevention system (IPS) is a preventative control used to detect and stop attacks. A firewall can prevent intrusions on a system but cannot identify security issues.

66
Q
  1. Of the following choices, what best describes a goal of a vulnerability scan?

A. Exploit weaknesses in security controls B. Identify baseline configuration of security controls
C. Identify security control threats
D. Identify lack of security controls

A

D. Vulnerability scanning will passively test security controls to identify vulnerabilities and identify a lack of security controls. A penetration test will attempt to exploit weaknesses. Vulnerability scans look for common misconfigurations of security controls and can compare current configuration against a baseline, but they do not identify baseline configurations. A scan will not identify threats, only vulnerabilities.

67
Q

Of the following choices, what provides the best explanation for what a penetration test provides?
A. Demonstration of security vulnerabilities B. Identification of security vulnerabilities
C. Demonstration of system capabilities
D. Identification of system capabilities

A

A. A penetration test demonstrates how security vulnerabilities can be exploited. A vulnerability test identifies security vulnerabilities but doesn’t demonstrate how they can be exploited. A penetration test is not used to demonstrate or identify system capabilities.

68
Q

Security testers are performing a penetration test with some inside knowledge of the system. What type of test is this?

A. Black box test
B. White box test
C. Gray box test
D. Internal test

A

C. In gray box testing, the testers have some knowledge of the environment. In white box testing, testers have access to all of the system details. In a black box test, testers have zero knowledge of system details. Both internal testers and external testers can start with some inside knowledge of the tested system.

69
Q

What does black hat indicate?

A. A malicious attacker
B. A tester working with zero knowledge of the tested system
C. An application sending random data to an application
D. Fuzzing

A

A. Black hat identifies a malicious attacker performing criminal activities. Black box testers have zero knowledge of system details. A fuzzer sends random data to an application, and black box testing (not black hat) is sometimes referred to as fuzzing.

70
Q

You are tasked with maintaining a file server. Which of the following should you periodically review to ensure the server’s security configuration?

A. User rights and permissions
B. Evil twin capabilities
C. PaaS capabilities
D. Hard drive hash

A

A. Reviewing user rights and permissions is a form of a system audit, and it can help ensure a server’s security configuration. An evil twin is a counterfeit wireless access point using the same SSID as a legitimate access point. Platform as a Service (PaaS) provides an easy-to-configure operating system as a cloud computing service. A hard drive hash is useful in forensics as part of an incident response and verifies that a hard drive has not been modified.

71
Q

A security administrator wants to verify that all users are following company policies for login. What can they use?

A. Protocol analyzer
B. Sniffer
C. Password cracker
D. User rights review

A

C. A password cracker can verify users are creating strong passwords for their login account in compliance with a company policy (though it is more effective to use a password policy to require strong passwords). You can use a protocol analyzer (sniffer) to view headers and clear-text contents in IP packets, but login passwords wouldn’t be passed across the network in clear text. Reviewing user rights and permissions is a form of a system audit, but it doesn’t examine the password used for login.

72
Q

A recent attack modified logs on a server. In the future, you want to protect logs from compromise. What can you use?

A. Change the logs to read only
B. Archive the logs at least weekly
C. Centralized log management
D. Disable logging

A

C. You can protect logs from compromise with centralized logging. If the logs are read only, the system will not be able to write log entries. Archiving is a good practice, but it won’t protect the logs from compromise during the attack. If logging is disabled, logs won’t have any data.

73
Q
Of the following choices, what can ensure availability of a server if half of its drives fail?      
A. Hardware RAID-0      
B. Hardware RAID-1      
C. Software RAID-0      
D. Software RAID-5
A

B. RAID-1 (mirroring) includes two drives and will continue to operate if one of the drives (half the total) fail, and this is the same for both hardware RAID-1 and software RAID-1. RAID-0 does not provide fault tolerance. RAID-5 uses three or more drives.

74
Q

An organization is in a location at risk of hurricanes, which can cause extended power outages. What can the organization use to prepare for these power outages?

A. UPS
B. Generators
C. HVAC system
D. Hot and cold aisles

A

B. Generators can provide an alternate power source for extended power outages. An uninterruptible power supply (UPS) is a battery that provides temporary power for short-term outages or power fluctuations. An HVAC system provides heating and cooling. Hot and cold aisles regulate cooling to reduce cooling costs while also increasing availability.

75
Q

An organization has decided to create a warm site to house a redundant datacenter. What likely drove this decision?

A. Vulnerability assessment
B. Penetration test
C. Annual test
D. Business impact analysis

A

D. A business impact analysis identifies critical functions and services and helps an organization make decisions related to business continuity, including alternate sites. A vulnerability assessment identifies and prioritizes weaknesses, but it doesn’t identify critical functions. A penetration test is an active test that attempts to exploit vulnerabilities. Business continuity plans are often tested to validate them, but they would not identify critical functions.

76
Q

An organization completes backups for critical servers daily. The organization wants to minimize downtime if a disaster occurs. Where should a copy of the backups be stored?

A. At any off-site location
B. At a designated hot site
C. At a designated warm site
D. At a designated cold site

A

B. Between the choices, a hot site provides the minimum downtime if a disaster occurs. Storing a copy of the backups at the hot site helps ensure that the hot site servers can become operational with minimal downtime after a disaster at the primary location. Warm sites and cold sites will take longer to become operational.

77
Q

An organization is completing a business continuity plan for its datacenter. It determines that half of these servers must be operational within a day after a disaster. What would it use?

A. Hot site
B. Cold site
C. Warm site
D. Full backups

A

C. A warm site provides the capability to bring services back online within a day. A hot site brings services back online within minutes or possibly an hour. A cold site brings services back online as long as a few days after the outage. Backups will not provide an alternate location that can be used after a disaster.

78
Q

Of the following choices, what is included in a DRP?

A. List of all computers
B. Chain of custody
C. Regular testing
D. Digital signatures

A

C. A disaster recovery plan (DRP) includes a testing element to validate the plan. A DRP will include a hierarchical list of critical systems but not a list of all systems. A chain of custody verifies forensic data is handled properly. Digital signatures provide authentication, integrity, and non-repudiation but are unrelated to a DRP.

79
Q

Your organization is designing a large datacenter that will host several bays of servers. Which of the following choices will increase availability of the datacenter?

A. Hot and cold aisles
B. Mantrap
C. Cameras
D. Guards

A

A. Hot and cold aisles regulate cooling to reduce cooling costs while also increasing availability. A mantrap can counter the social engineering tactic of tailgating, but it doesn’t increase availability. Cameras and guards can provide access control, but do not directly increase availability.

80
Q
You are evaluating the security and availability of a system. Availability is more important than security in the system. If it fails, what state should it fail in?      
A. It should fail open      
B. It should fail closed      
C. It should shut down      
D. It should be rebooted
A

A. If availability is more important than security, it should fail in an open state. If security is more important than availability, it should fail in a closed state. Different systems can achieve a closed state using different methods and they don’t necessarily have to be shut down or rebooted.

81
Q

An administrator wants to verify that a file has not been altered. What technology provides this capability?

A. 3DES
B. MD5
C. RSA
D. Blowfish

A

B. Message Digest 5 (MD5) is a hashing algorithm that can ensure the integrity of data, including files. Triple Data Encryption Standard (3DES) and Blowfish are symmetric encryption (not hashing) algorithms. RSA is an asymmetric encryption algorithm.

82
Q

Which of the following converts passwords to all upper case and divides them into two seven-character strings?

A. LANMAN
B. AES
C. RSA
D. Kerberos

A

A. The older LANMAN protocol stores passwords using a LM hash of the password by first dividing the password into two seven-character blocks, and then converting all lower case letters to upper case. AES is used for symmetric encryption, and RSA is used for asymmetric encryption. Kerberos is a network authentication protocol using tickets.

83
Q

What type of encryption uses hard-copy printouts of keys?

A. AES
B. One-time pads
C. RSA
D. Diffie-Hellman

A

C. Diffie-Hellman addresses key management and provides a method to privately share a symmetric key between two parties. Secure/ Multipurpose Internet Mail Extensions (S/ MIME) and Pretty Good Privacy (PGP) provide methods of digitally signing and encrypting e-mail. RC4 is a strong symmetric stream cipher used for encryption, not key management.

84
Q

Of the following choices, what addresses key management?

A. S/ MIME
B. PGP
C. Diffie-Hellman
D. RC4

A

C. Diffie-Hellman addresses key management and provides a method to privately share a symmetric key between two parties. Secure/ Multipurpose Internet Mail Extensions (S/ MIME) and Pretty Good Privacy (PGP) provide methods of digitally signing and encrypting e-mail. RC4 is a strong symmetric stream cipher used for encryption, not key management.

85
Q
What key encrypts the data sent between a web browser and a web server in an SSL session?      
A. Symmetric key      
B. Private key      
C. Public key      
D. Prime number key
A

A. SSL uses symmetric encryption to encrypt data in a browser session, so it uses a symmetric key. Asymmetric encryption using public and private keys is used to privately share the symmetric key. RSA uses prime numbers to create asymmetric keys, but there is no such thing as a prime number key.

86
Q

Sally sent an encrypted e-mail with a digital signature to Joe. Of the following choices, what is involved in this process? (Choose all that apply.)
A. Sally’s private key verifies the digital signature B. Joe’s public key decrypts the e-mail
C. Sally’s private key signs the e-mail
D. Joe’s public key encrypts the e-mail

A

C, D. The sender’s private key (Sally’s private key) signs the e-mail and the recipient’s public key (Joe’s public key) encrypts the e-mail. In this case, Sally sent the e-mail so her private key signs it, and it is encrypted with Joe’s public key. The sender’s public key (not the private key) verifies the digital signature. The recipient’s private key (not the public key) decrypts the e-mail.

87
Q

What is a private key used for in a PKI?

A. Encrypt the hash in a digital signature
B. Decrypt the hash in a digital signature
C. Encrypt data before sending it
D. MD5

A

A. The sender’s private key encrypts the e-mail hash in a digital signature. The sender’s public key decrypts the e-mail hash in a digital signature. If data is encrypted with a private key, anyone with the public key (which is publically available) can decrypt it. Message Digest 5 (MD5) is a hashing algorithm that can ensure the integrity of data, but it doesn’t use keys. While not included in the answers, a recipient’s private key is used to decrypt data (not the digital signature) encrypted with the recipient’s public key.

88
Q

Of the following choices, what uses public and private keys for encryption and decryption of e-mail?

A. CRL
B. CA
C. LANMAN
D. PGP

A

D. Pretty Good Privacy (PGP) uses public and private keys for asymmetric encryption and decryption of e-mail. A certificate revocation list (CRL) identifies revoked certificates. A certificate authority (CA) publishes the CRL, but the CRL and CA do not encrypt or decrypt e-mail. LANMAN is an older protocol that stores passwords as a hash after converting all lower case letters to upper case and dividing the password into two seven-character blocks.

89
Q

Of the following choices, which are publically available? (Choose all that apply.)

A. Certificate revocation list
B. Certificate holding a public key matched to a private key
C. Website certificate
D. User passphrase

A

A, B, C. A certificate revocation list (CRL) identifies revoked certificates and is publically available. Certificates include public keys and are publically available (though the matching private key is always kept private). Websites use certificates for authentication and encryption of HTTPS sessions, and they freely share the certificates. A user’s passphrase (or password) should be kept private.

90
Q

An organization has determined that data loss is unacceptable within its PKI. What can it implement?

A. CRL
B. CA
C. Key escrow
D. Trusted root certification authority store

A

C. A key escrow stores copies of user’s private keys to ensure that the loss of the original key does not result in data loss. A certificate revocation list (CRL) identifies revoked certificates, and a certificate authority (CA) publishes the CRL, but neither address data loss. The trusted root certification authority store is a collection of certificates from trusted

91
Q

Of the following choices, what is the most important security benefit of a clean desk policy?
A. Prevents illnesses due to viruses and bacteria B. Presents a positive image to customers C. Ensures sensitive data and passwords are secured
D. Increases integrity of data

A

C. A clean desk policy requires users to organize their areas to reduce the risk of possible data theft and password compromise. Physical health issues are not security issues related to a clean desk policy. Not all employees necessarily interact with customers, but a clean desk policy still applies, requiring them to protect data. Integrity ensures data is not modified, but a clean desk policy helps ensure confidentiality by preventing unauthorized disclosure.

92
Q

A user requires read access to a business application. However, an administrator discovers the user can read, write, and delete data in the application. What policy is this violating?

A. User privilege review
B. Chain of custody
C. User privilege policy
D. Retention policy

A

C. A user privilege policy mandates that users only have the rights and permissions needed to perform their job and no more. A user privilege review will audit assigned rights and permissions to discover these types of violations. A chain of custody provides assurances that evidence collected after an incident has been controlled and handled properly after collection. Storage and retention policies identify how long it is retained.

93
Q

An organization has implemented a mandatory vacation policy for security administrators. What is the organization’s most likely goal?

A. Reduce potential for privilege escalation B. Reinforce compliance with security policies C. Detect malicious actions by security administrators
D. Ensure administrators have time for recreation

A

C. Mandatory vacation policies require employees to take time away from their job and help detect malicious activities. Dual accounts for administrators help prevent privilege escalation attacks but are unrelated to vacations. Regular security awareness training helps reinforce compliance with security policies. While vacations are valuable for recreation, this is not the goal.

94
Q

After a promotion, an administrator is not able to access some servers. However, the administrator was able to access the servers in the previous job. What policy is most likely causing this?

A. Mandatory vacations policy
B. Separation of duties policy
C. Job rotation policy
D. Single sign-on policy

A

B. A separation of duties policy separates individual tasks of an overall function between different people. In this case, the administrator was likely promoted into a job that required separation from the access of the previous job. Mandatory vacation policies require employees to take time away from their job and help detect malicious activities. Job rotation policies require employees to change roles on a regular basis. Single sign-on (SSO) allows users to access multiple systems by providing credentials only once, so this wouldn’t prevent access.

95
Q

A company provides employees with annual security awareness training. Of the following choices, what is the most likely reason the company is doing this?

A. To minimize risk posed by users
B. To reduce user compliance with security policies
C. To eliminate risk posed by users
D. To increase risk posed by users

A

A. Organizations provide security awareness training to minimize the risk posed by users. Training helps reinforce user compliance with security policies, not reduce compliance. It is not possible to eliminate risk and not desirable to increase the risk.

96
Q

A receptionist regularly answers the phone and answers queries for the company. Of the following choices, what identifies the biggest threat from this receptionist?

A. Providing information on the website
B. Providing information from a company sales brochure
C. Providing contact information for a sales person D. Providing personal contact information

A

D. Revealing personally identifiable information (PII) represents a significant threat, and organizations provide training to employees not to do so. It’s acceptable to provide any type of publically available information, such as that on a website or in sales brochure. Salespeople want to be contacted, so giving out their contact information is acceptable, as long as its professional and not personal contract information.

97
Q

A security policy restricts the use of P2P software on any company system. Of the following choices, what is the easiest way an administrator can verify systems are not running this software?

A. Protocol analyzer
B. Penetration test
C. Port scanner
D. User rights review

A

C. A port scanner can detect open ports used by peer-to-peer (P2P) software. A protocol analyzer can capture packets and view the contents, but it isn’t the easiest way to detect P2P software. A user rights review audits assigned rights and permissions and will discover accounts with too many permissions and enabled accounts of previous employees. A penetration test will actively assess or test security controls, and while it may include a port scan, it does much more.

98
Q

An employee has been accused of stealing data using a personal laptop. A forensics investigation into the theft includes logs and protocol analyzer captures. What information will most accurately identify the computer used by the attacker?

A. User logon name
B. Computer name
C. IP address
D. MAC address

A

D. The media access control (MAC) address is a hexadecimal number permanently assigned to a computer’s network interface card. The user logon name identifies the user, but the question asks how to identify the computer. The user can change the name and IP address of the personal computer.

99
Q

When would a security professional create a forensic hash of a drive?

A. Before and after creating an image
B. Before creating an image, after creating an image, and on the image
C. Immediately before creating the chain of custody
D. Immediately after disconnecting the computer from the network

A

A. The forensic hash of the drive verifies that the imaging process did not modify the drive and is performed before and after creating the image. Forensic hashing of an image provides assurances of image integrity, but this is different than creating a forensic image of the drive. A chain of custody provides assurances that evidence has been controlled and handled properly after collection, but is not directly related to creating the hash. You can isolate a computer from an attack by disconnecting the computer from the network, but this is unrelated to a forensic hash of a drive.

100
Q

An administrator collected a thumb drive as evidence and stored the drive on his desk for analysis the next day. Of the following choices, what incident response procedure did the forensic expert violate?

A. Chain of custody
B. Cleanliness policy
C. Separation of duties
D. Containment

A

A. A chain of custody provides assurances that evidence has been controlled and handled properly after collection, but if the drive was left on a desk, it was not controlled. A clean desk policy (not a cleanliness policy) would dictate keeping a desk clean of sensitive data, but this is not an incidence response procedure. A separation of duties policy separates individual tasks of an overall function between different people. The first response after identifying an incident is to isolate the problem, and removing the thumb drive may have isolated the problem, but leaving it uncontrolled is unrelated to containment.