Test #1 Flashcards

Question 1

Q

You want to ensure that data can only be viewed by authorized users. What provides this assurance?  
    
A. Confidentiality      
B. Integrity      
C. Availability      
D. Authentication

Answer

A

A. Confidentiality prevents unauthorized disclosure and is enforced with access controls and encryption. Integrity provides assurances that data has not been modified and is enforced with hashing. Availability ensures systems are up and operational when needed and uses fault tolerance and redundancy methods. Authentication provides proof that users are who they claim to be.

Question 2

Q

A database administrator has just completed an update to a database using a script. Unfortunately, the script had an error and wrote incorrect data throughout the database. What has been lost?     
A. Confidentiality      
B. Integrity      
C. Availability      
D. Authentication

Answer

A

B. If an unauthorized or unintended change occurs to data, the data has lost integrity. Confidentiality prevents unauthorized disclosure and is enforced with access controls and encryption. Availability ensures systems are up and operational when needed and uses fault tolerance and redundancy methods. Authentication provides proof that users are who they claim to

Question 3

Q

What does RAID-1 support?  
    
A. Authentication      
B. Availability      
C. Confidentiality      
D. Integrity

Answer

A

B. Redundant Array of Inexpensive Disks 1 (RAID-1) uses two disks to create a mirror of each, and it provides availability through fault tolerance. If a single drive fails, the system can tolerate the fault and continue to operate. Authentication provides proof of a user’s identity. Confidentiality ensures that data is only viewable by authorized users. Integrity provides assurances that data has not been modified.

Question 4

Q

A user enters a username and a password and logs onto a system. What does this describe?      
A. Identification      
B. Authentication      
C. Authorization      
D. Availability

Answer

A

B. Authentication occurs when an identity is verified. An entity claims an identity by presenting something like a username and proves the identity with an authentication mechanism such as a password. Authorization provides access to resources and occurs after authentication. Availability indicates that the system is up and operational when needed.

Question 5

Q

Your organization has configured an account policy that locks out a user accounts for thirty minutes if they enter the wrong password five times. What is this policy?

A. Account lockout policy
B. Account disablement policy
C. Account continuance policy
D. Password policy

Answer

A

A. An account lockout policy will force an account to be locked out after the wrong password is entered a set number of times (such as after five failed attempts). An account disablement policy specifies that accounts are disabled when no longer needed, such as after an employee leaves the company. There is no such thing as an account continuance policy. A password policy ensures strong passwords are used and users change their password regularly.

Question 6

Q

Which of the following supports the use of one-time passwords?

A. Proximity card
B. Tokens
C. CAC
D. PIV

Answer

A

B. A token (such as an RSA token) provides a rolling password for one-time use. A proximity card is something you have (or something a user has) as a factor of authentication, but it doesn’t use one-time passwords. A CAC and a PIV are both specialized types of smart cards that include photo identification.

Question 7

Q

A user must swipe his finger on a fingerprint scanner to gain access to his laptop. What is being used for authentication?

A. Something the user knows
B. Something the user has
C. Something the user wants
D. Biometrics

Answer

A

D. A fingerprint scanner is using biometrics (in the something the user is factor of authentication). Biometrics are the most difficult for an attacker to falsify or forge since it represents a user based on personal characteristics. A password or PIN is an example of something the user knows. A token or smart card is an example of something the user has. Something the user wants is not a valid factor of authentication.

Question 8

Q

Of the following choices, what qualifies as two-factor authentication?

A. Fingerprints from both of a user’s hands B. Two passwords
C. A smart card and a PIN
D. A token and a smart card

Answer

A

C. Two-factor authentication includes authentication from two of three factors (something you know, something you have, and something you are) and only a smart card (something you have) and a PIN (something you know) meet this requirement. Fingerprints from two hands use only biometrics (something you are), two passwords are two instances of something you know, and a token and smart card represent two instances of something you have.

Question 9

Q

Which of the following choices is an example of authentication based on something you have and something you are?

A. A username, password, and PIN
B. A token and a fingerprint scan
C. A token and a password
D. A PIN and a fingerprint scan

Answer

A

B. Token-based authentication is based on something you have, and a fingerprint scan is based on something you are. A username, password, and PIN all fall in under the something you know factor of authentication. A token and password are something you have and something you know. A PIN and a fingerprint scan are something you know and something you are.

Question 10

Q

Which of the following authentication protocols uses tickets?  
    
A. LDAP      
B. MD5      
C. SHA1      
D. Kerberos

Answer

A

D. Kerberos is a network authentication protocol using tickets. The Lightweight Directory Access Protocol (LDAP) specifies formats and methods to query directories and is used to manage objects (such as users and computers) in an Active Directory domain. MD5 and SHA1 are hashing algorithms, not authentication protocols.

Question 11

Q

Dawn logged on using her work account at 6: 45 a.m. into a Kerberos realm. She was able to access network resources throughout the day with no problem. A crisis kept her at work late. However, she found that at about 7: 30 p.m., she was no longer able to access a server she accessed earlier. Another worker working on the evening shift accessed the server without any problem. What is the likely problem?

A. The server is down
B. Her certificate has expired
C. Her ticket has expired
D. The server’s certificate has expired

Answer

A

C. Kerberos uses time-stamped tickets, and they often have a lifetime of ten or twelve hours. If the ticket is expired, the user won’t be able to use it anymore without logging off and back on. Since another user is accessing the server, it is not down. A Kerberos realm uses tickets, not certificates, and there is no indication that certificates are being used.

Question 12

Q

What is a primary difference between TACACS and TACACS +?

A. TACACS can use either TCP or UDP ports 514 while TACACS + uses only TCP port 514
B. TACACS can use either TCP or UDP ports 49 while TACACS + uses only TCP port 49
C. TACACS + can use either TCP or UDP ports 49 while TACACS uses only TCP port 49
D. TACACS + can use either TCP or UDP ports 514 while TACACS uses only TCP port 514

Answer

A

B. TACACS can use either TCP or UDP ports 49, while TACACS + uses only TCP port 49. Port 514 is used for the UNIX-based syslog.

Question 13

Q

Sally is required to review security logs and maintain three servers within a network. Instead of giving her full access to all network resources, she is granted access only to the security logs and the three servers. Which of the following choices best identifies what is being used?

A. MAC
B. DAC
C. RBAC
D. Least privilege

Answer

A

D. The principle of least privilege is a technical control and ensures that users have only the rights and permissions needed to perform the job, and no more. MAC, DAC, and RBAC are access control models that include much more than just a single access control such as least privilege.

Question 14

Q

An administrator wants to use user templates as a method of complying with the principle of least privilege. What access control model supports this process?

A. Discretionary access control (DAC)
B. Mandatory access control (MAC)
C. Role-based access control (RBAC)
D. Rule-based access control (RBAC)

Answer

A

C. Role-based access control (RBAC) allows an administrator to create a user template, add the user template to one or more groups based on roles, and then assign rights and permissions to the groups. Any user accounts created with this template will automatically have these permissions. The DAC model specifies that every object has an owner, and Windows systems use the DAC model by default for NTFS files and folders. The MAC model uses sensitivity labels.

Question 15

Q

What is the difference between rule-based and role-based access control?

A. Rule-based access control is based on a set of approved instructions while role-based is based on job function
B. Rule-based access control is based on job function while role-based is based on a set of approved instructions
C. Rule-based access control uses labels to identify subjects and objects while role-based requires every object to have an owner
D. They are both the same, and known as RBAC

Answer

A

A. Rule-based access control (RBAC) is based on a set of approved instructions configured as rules, while role-based uses roles (or groups) based on job functions. MAC uses labels to identify subjects and objects and DAC requires every object to have an owner. While both rule-based and role-based access controls share the same acronym (RBAC), they are not the same.

Question 16

Q

You want to increase physical security for your server room. Which of the following provides the best protection?

A. Limit access to only a single well-protected entrance
B. Ensure that the server room has one door for entrance and one door for exit
C. Ensure that access to the server is limited to only management
D. Remove all physical access to the server room

Answer

A

A. One of the best examples of physical security for a server room is to ensure that access is limited to only a single well-protected entrance. Two doors (one for entrance and one for exit) requires security at both doors, and it is difficult to ensure that each is only used for an entrance or exit. More than one entrance and exit makes it harder to monitor access.

Question 17

Q

Users in an organization are issued proximity cards that they use to access secure areas. Lately, users have begun trading their proximity cards so co-workers can access resources with someone else’s card. What permits this misuse?

A. A lack of authorization controls
B. A lack of access controls
C. Authentication verification without authorization D. Authorization verification without authentication

Answer

A

D. The proximity card is being used without any type of authentication other than holding the proximity badge, which is granting authorization to resources without authenticating users; a solution would be to require authentication though a method other than the proximity badge prior to authorizing access, such as matching a PIN to the card. Authorization is being granted based on possession of the proximity cards so there are authorization and access controls; however, there isn’t any authentication verification.

Question 18

Q

A security professional observes employees regularly tailgating others into a secure datacenter. What can prevent this?

A. CCTV
B. Mantrap
C. Proximity card
D. Cipher lock

Answer

A

B. A mantrap is highly effective at preventing unauthorized entry and can also be used to prevent tailgating. CCTV provides video surveillance and it can record unauthorized entry, but it can’t prevent it. A proximity card is useful as an access control mechanism, but it won’t prevent tailgating, so it isn’t as useful as a mantrap. A cipher lock is a door access control, but it can’t prevent tailgating.

Question 19

Q

An employee found a USB flash drive in the parking lot. What should the employee do with this?

A. Look at the contents to determine the owner B. Destroy it
C. Turn it into a security professional
D. Take it home and insert it into a home computer

Answer

A

C. The USB flash drive should be turned in to a security professional. It’s risky to plug it in to look at the contents or take it home, since it could have malware. While it may be safe to destroy it, a security professional can plug it into an isolated system to determine its contents and the owner.

Question 20

Q

An employee has left the company to go back to school. Which of the following is considered a security best practice in this situation?

A. Disable the account
B. Set the account to expire in sixty days
C. Set the password to expire
D. Since the employee left on good terms, nothing needs to be done

Answer

A

A. An account disablement policy would ensure that a terminated employee’s account is disabled to revoke the employee’s access. Setting an account to expire is useful for a temporary account, but in this situation, it would leave the account available for anyone to use for the next sixty days instead of immediately disabling it. Expiring the password forces the user to change the password at the next logon. It doesn’t matter why employees leave a company; if they are no longer employed, the account should be disabled.

Question 21

Q

You want to ensure that data remains in an encrypted format while it is transmitted over the Internet. Of the following choices, what can you use? (Choose all that apply.)

A. SFTP, FTPS, TFTP, HTTPS, SSL, TLS
B. SSH, SFTP, SSL, HTTP
C. TLS, SSL, SSH, FTPS, SFTP,
D. HTTPS, FTP, SSH, SSL

Answer

A

C. Transport Layer Security (TLS), Secure Sockets Layer (SSL), Secure Shell (SSH), File Transfer Protocol Secure (FTPS), and Secure File Transfer Protocol (SFTP) can all encrypt data transmitted over the Internet. (Notice they all have an “S” in them.) TFTP, HTTP, and FTP are all unencrypted.

Question 22

Q

You want to configure traps on devices in your network. What would you use?

A. A load balancer
B. SNMP
C. Default gateways
D. SCP

Answer

A

B. The Simple Network Management Protocol (SNMP) uses device traps to send notifications, and it can monitor and manage network devices, such as routers or switches. A load balancer can optimize and distribute data workloads across multiple computers. A default gateway is an IP address on a router, and it provides a path to another network. SCP is based on SSH and copies files over a network in an encrypted format.

Question 23

Q

What port does SCP use? 
     
A. 22      
B. 23      
C. 25      
D. 80

Answer

A

A. Secure Copy (SCP) uses port 22, as do other protocols encrypted with Secure Shell (SSH), such as Secure File Transfer Protocol (SFTP). Telnet uses port 23. SMTP uses port 25. HTTP uses port 80.

Question 24

Q

Of the following choices, what is the best choice to indicate the protocol( s) that use( s) port 22?

A. SCP
B. SCP and SSH
C. SCP, TFTP, SQL, and SSH
D. SCP, SFTP, and SSH

Answer

A

D. Secure Copy (SCP), Secure File Transfer Protocol (SFTP), and Secure Shell (SSH) all use port 22. While SCP alone, and SCP and SSH, both use port 22, answer D is the best choice since it shows more of the protocols using this port. TFTP uses port 69 and Microsoft’s SQL server uses port 1433.

Question 25

Q

An administrator wants to determine what services and protocols are running on a remote system. Of the following choices, what is the best choice to achieve this goal?

A. Go to the datacenter, log on, and inspect the system
B. Perform a vulnerability assessment
C. Perform an ICMP sweep
D. Identify open ports on the system

Answer

A

D. Since many services and protocols use open ports, an administrator can identify running services on a system by determining what ports are open. Since the system is remote, it could be in another building or even another city, so going to the datacenter is not the best choice. While a vulnerability assessment will often include a port scan, it will do much more. An ICMP sweep (also called a host enumeration sweep) will identify servers on a network, but not individual services, protocols,

Question 26

Q

You are examining open ports on a firewall and you see that port 500 is open. What is the likely reason?

A. To support an L2TP VPN connection
B. To support a PPTP VPN connection
C. To support a TACACS + VPN connection D. To support an IPsec VPN connection

Answer

A

D. Internet Protocol security (IPsec) virtual private network (VPN) connections use port 500 (often combined with protocol IDs 50 and/ or 51 to identify IPsec) with the Internet Key Exchange (IKE) protocol. L2TP uses port 1701. PPTP uses port 1723. TACACS + uses port 49.

Question 27

Q

Your organization has configured switches so that only devices with specific MAC addresses can connect to specific ports on the switches. The switch prevents any other devices from connecting. What is this?

A. Content filtering
B. Port security
C. Load balancing
D. Proxy caching

Answer

A

B. A version of port security maps specific end-device MAC addresses to specific ports on the switch and prevents any other devices from connecting. Web security gateways and all-in-one security appliances provide content filtering. A load balancer optimizes and distributes data loads across multiple computers or multiple networks. A proxy server provides content filtering and caching.

Question 28

Q

You are reviewing a firewall’s ACL and see the following statement: drop all. What security principle does this enforce?

A. Least privilege
B. Integrity
C. Availability
D. Implicit deny

Answer

A

D. A drop all or deny any any statement is placed at the end of an access control list (ACL) and enforces an implement deny strategy. Least privilege ensures users have only the access they need to perform their jobs and no more. Integrity provides assurances that data has not been modified, and availability ensures systems and data are up and operational when needed, but the drop all statement doesn’t address either of these as directly as implicit deny.

Question 29

Q

Firewalls include rules in an ACL. Which of the following would block network traffic that isn’t in any of the previously defined rules?

A. Explicit allow
B. Implicit allow
C. Explicit deny
D. Implicit deny

Answer

A

D. Most firewalls have an implicit deny statement (such as drop all or deny any any) at the end of an access control list (ACL) to block all traffic not previously allowed. An allow rule would not block traffic. An explicit deny rule explicitly blocks traffic defined in the rule only, not all other traffic.

Question 30

Q

An organization wants to hide addresses it uses on its internal network. What can assist with this goal?

A. MAC filtering
B. NAC
C. NAT
D. DMZ

Answer

A

C. Network Address Translation (NAT) translates public IP addresses to private, private IP addresses back to public, and hides addresses on the internal network. Port security and network access control use MAC filtering to limit access. Network access control can inspect clients for health prior to allowing network access. A DMZ provides access to services (hosted on servers) from the Internet while providing a layer of protection for the internal network.

Question 31

Q

Your network includes a device that examines network traffic and determines when the traffic is outside expected boundaries. What is this device?      
A. Anomaly-based HIDS      
B. Signature-based HIDS      
C. Anomaly-based NIDS      
D. Signature-based NIDS

Answer

A

C. An anomaly-based, network-based intrusion detection system (NIDS) compares current activity with a previously created baseline to detect abnormal activity. HIDS systems only monitor individual systems, not the network. Signature-based IDSs use signatures similar to antivirus software.

Question 32

Q

Attackers frequently attack your organization, and administrators want to learn more about zero day attacks on the network. What can they use?

A. Anomaly-based HIDS
B. Signature-based HIDS
C. Honeypot
D. Signature-based NIDS

Answer

A

C. A honeypot is a server designed to look valuable to an attacker and can help administrators learn about zero day exploits, or previously unknown attacks. HIDS protects host-based attacks and wouldn’t help with network-based attacks. Signature-based tools would not have a signature for zero day attack since the attack method is unknown by definition.

Question 33

Q

Users in your network are complaining that they are unable to download content from a specific website. Additionally, your IDS is recording multiple events on the network. What is a likely reason why users are unable to download this content?

A. A load balancer is blocking content from the website
B. The firewall is in failopen mode
C. An evil twin is on the network
D. NIPS is blocking content from the website

Answer

A

D. A network-based intrusion prevention system (NIPS) can detect and block malicious content, and both a NIPS and an intrusion detection system (IDS) can record the events. A load balancer can optimize and distribute data loads across multiple computers. Firewalls would normally fail in failsafe/ failsecure (or closed) mode, blocking all traffic, but if it failed in failopen mode, it would allow all traffic. An evil twin is a rogue wireless access point with the same SSID as a live wireless access point.

Question 34

Q

Attackers have launched multiple attacks against your network in recent weeks. While administrators have taken action to reduce the impact of the attacks, management wants to prevent these attacks. What can prevent ongoing network-based attacks?

A. NIDS
B. NIPS
C. HIDS
D. HIPS

Answer

A

B. A network-based intrusion prevention system (NIPS) can detect and prevent ongoing network-based attacks. In contrast, a NIDS would only detect the activity, and this is likely what is alerting administrators to the attacks now. Host-based IDSs and IPSs detect malicious activity only on a host, not a network.

Question 35

Q

Users that are further away from the WAP installed in your company’s network are having trouble connecting. What can you check to increase the coverage of the WAP?

A. SSID broadcasting
B. Encryption method
C. Verify Enterprise mode is used
D. Power levels

Answer

A

D. You can increase coverage of a wireless access point (WAP) by increasing the power level and by adjusting the antenna placement. SSID broadcasting and encryption method does not affect the wireless coverage. Enterprise mode uses an 802.1X server for authentication and stronger security but does not affect the coverage of the WAP.

Question 36

Q

You are configuring a secure wireless network that will use WPA2. Management wants to use a more secure method than PSKs. Of the following choices, what will you need?

A. 802.11n
B. CCMP
C. AES
D. RADIUS

Answer

A

D. WPA2 needs RADIUS to support WPA2 Enterprise mode. WPA2 personal mode uses a preshared key (PSK), and since management does not want to use PSKs, the solution requires Enterprise mode. 802.11n is a wireless standard. CCMP and AES provide strong encryption. However, using 802.11n, CCMP, or AES does not prevent the use of PSKs.

Question 37

Q

You have discovered a counterfeit wireless station using the same SSID as your wireless network. What best describes this?    
  
A. Evil twin      
B. IV attack      
C. War driving      
D. Rogue access point

Answer

A

A. An evil twin is a rogue (or counterfeit) access point with the same SSID as an authorized access point. An IV attack attempts to discover encryption keys to crack WEP. War driving is the practice of driving around looking for access points. A rogue access point is an unauthorized wireless station, but if it has the same SSID, it’s best described as an evil twin.

Question 38

Q

You are planning to complete a wireless audit. What should you check? (Choose all that apply.)      
A. Antenna placement      
B. Power levels      
C. Footprint      
D. Encryption      
E. Flood guards

Answer

A

A, B, C, D. A wireless audit can check antenna placement, WAP power levels, WAP footprint, and encryption techniques. It also looks for rogue access points and unauthorized users, which are not listed in the answers. Flood guards can help prevent SYN flood attacks.

Question 39

Q

Your organization wants to provide secure remote access to the internal network to over two hundred employees that are regularly on the road. What would they use?

A. VPN concentrator
B. Health agents
C. Web application firewall
D. Honeypot

Answer

A

A. VPN concentrators provide strong security and support large numbers of VPN clients. Health agents are required for network access control (NAC) solutions, but not required for all remote access solutions. A web application firewall (WAF) is a firewall specifically designed to protect a web application, such as a web server, and not required for remote access. A honeypot is a server designed to look valuable to an attacker, can divert attacks, and can help organizations identify the latest unknown attacks.

Question 40

Q

What type of control is MAC filtering?

A. Network access control
B. Physical control
C. Detective control
D. Management control

Answer

A

A. MAC filtering is a form of network access control (NAC). A physical control restricts physical access to buildings and hardware devices. A detective control such as a security audit detects when a vulnerability has been exploited. Management controls are primarily administrative in function, such as risk assessments or vulnerability assessments.

Question 41

Q

Of the following choices, what can you do to protect a system from malicious software? (Choose two.)

A. Disable unused services
B. Disable the host-based firewall
C. Keep a system up-to-date with current patches D. Install malware

Answer

A

A, C. You can protect a system from malicious software by disabling unused services and keeping a system up-to-date. Enabling the firewall, not disabling it, provides protection against attacks. Installing antivirus or anti-malware software, not installing malware, protects a system.

Question 42

Q

An administrator is upgrading an application on a server. What would the administrator update when complete?

A. Baseline
B. The IaaS plan
C. The HVAC system
D. The hard drive hash

Answer

A

A. A configuration baseline documents the configuration of a system and should be updated after modifying a system, such as after upgrading new software or installing a service pack. IaaS is a cloud-based technology that allows an organization to reduce its hardware footprint by outsourcing equipment requirements. HVAC provides heating and cooling, but doesn’t need to be updated after upgrading an application. Incident response procedures use a hard drive hash to identify evidence tampering.

Question 43

Q

An administrator is deploying a service pack to several database servers. What would the administrator update when complete?

A. The SaaS plan
B. The patch management policy
C. A chain of custody
D. Configuration baseline

Answer

A

D. A configuration baseline documents the configuration of a system and is updated after modifying a system, such as through a service pack or upgrading new software. SaaS is a cloud-based technology that provides applications such as web-based e-mail to users. A patch management policy defines how patches are tested and applied, including a timeline for deployment. A chain of custody validates the control of forensic evidence, such as a disk drive, during transport.

Question 44

Q

A virtual machine includes data on employees, including folders and files with payroll data. Management is concerned that an attacker can copy the virtual machine and access the data. What would you suggest to protect against this?
A. Enable VM escape
B. Disable VM escape
C. Encrypt the files and folders
D. Add a network-based DLP device

Answer

A

C. You can encrypt files and folders on virtual machines to protect against loss of confidentiality just as you can on physical systems. VM escape is an attack run on virtual machines, allowing the attacker to access and control the physical host. You can’t enable or disable VM escape, but you can keep a system patched and up to date to help protect against VM escape attacks. A DLP is a device that reduces the risk of employees e-mailing confidential information outside the organization.

Question 45

Q

Of the following choices, what indicates the best choice to verify software changes on a system?      
A. Patch management     
B. A patch management policy      
C. Standardized images      
D. Performance baseline

Answer

A

A. Patch management includes testing and deploying patches and verifying the software changes made by the patches. A patch management policy defines the patch management process, including a timeline for installing patches. Standardized images provide a secure baseline and include mandatory security configurations, and a performance baseline documents a system’s performance. You can compare current systems with standardized images and performance baselines to identify differences, but just an image or a baseline will not verify the changes.

Question 46

Q

A software vendor recently released several patches that apply to several of your servers. When should you apply these patches to the production servers?

A. Immediately
B. On the second Tuesday of each month C. Annually
D. After testing

Answer

A

D. You should apply patches to production servers after performing regression testing, and testing should be performed in a test environment that mirrors the production environment. Patches applied immediately may adversely affect production systems. Microsoft releases patches on the second Tuesday of each month, but patches still need to be tested. Applying patches annually leaves systems vulnerable to known threats between the updates.

Question 47

Q

Sally stores a list of her passwords in a file on her computer’s local hard drive. What can protect this data if her computer is lost or stolen?   
   
A. File level encryption      
B. DLP      
C. GPS      
D. Permissions

Answer

A

A. File level encryption can protect a single file against loss of confidentiality if a computer is lost or stolen. A DLP system can examine and analyze data to detect sensitive or confidential data. A GPS can help locate a lost or stolen computer but won’t protect the individual file. Permissions provide a level of protection but can be bypassed if a computer is lost or stolen.

Question 48

Q

Of the following choices, what will store RSA keys?

A. TPM and SSL
B. TPM and HSM
C. SSL and HSM
D. CCMP and TKIP

Answer

A

B. A Trusted Platform Module (TPM) and a hardware security module (HSM) are hardware devices that store RSA keys, provide encryption and decryption services, and can assist with user authentication. SSL uses RSA keys, also called asymmetric keys, but it is a protocol and does not store RSA keys. CCMP is an improved wireless encryption protocol used with WPA2, while TKIP is an older wireless protocol used with WPA, but neither store RSA keys.

Question 49

Q

Your organization has an existing server and you want to add a hardware device to provide encryption capabilities. What is the easiest way to accomplish this?

A. TPM
B. HSM
C. DLP
D. IaaS

Answer

A

B. A hardware security module (HSM) is a hardware device you can add to a server to provide encryption capabilities. A TPM is a chip embedded into a motherboard that also provides hardware encryption, but you can’t easily add a TPM to an existing server. A DLP can reduce the risk of employees e-mailing confidential information outside the organization. Organizations use IaaS to rent access to hardware such as servers via the cloud to limit their hardware footprint and personnel costs.

Question 50

Q

Your organization issues laptop computers to employees. Employees use them while traveling, and frequently store sensitive data on these systems. What can you use to recover a laptop if an employee loses it?

A. Encryption
B. Remote wipe
C. Remote lock
D. GPS tracking

Answer

A

D. The goal in the question is to recover the laptop, and the only answer that helps recover it is Global Positioning System (GPS) tracking. If you want to protect the data in the event that the employee loses the laptop, full disk encryption is a good choice. If you want to erase all the data so that an attacker can’t read it after the laptop is lost, you can use remote wipe. If you want to make it more difficult for an attacker to use the device, you can use remote lock to lock it with a different passcode.

Question 51

Q

Your organization is considering using different cloud-based technologies. What security control is lost with these technologies?

A. Backup capabilities
B. Physical control of the data
C. Operating system choice
D. Access to the data

Answer

A

B. Since cloud computing stores data in unknown locations accessible via the Internet, you lose physical control of the data. Cloud computing providers often include backup services and customers can back up their data. Cloud computing does not limit operating system choices, and it does not result in a loss of data access.

Question 52

Q

While surfing the Internet, a user sees a message indicating a malware infection and offering free antivirus software. The user downloads and installs the free antivirus software but then realizes it infected the system. Which of the following choices best explains what happened to the user’s system?   
   
A. Social engineering      
B. Trojan      
C. Vishing      
D. Spim

Answer

A

B. The user’s system was infected with a Trojan commonly known as rogueware. The website tricked the user into installing the malware using a form of social engineering, and this would be the best answer if the question asked what happened to the user. Vishing is a form of phishing that uses recorded voice over the telephone. Spim is a form of spam using instant messaging (IM).

Question 53

Q

What malware can hide its running processes to avoid detection?

A. Worm
B. Virus
C. Rootkit
D. Integrity checker

Answer

A

C. Rootkits can hide their internal processes so that users can’t easily detect them, and they are more difficult for antivirus software to detect. Worms and viruses do not hide their processes to avoid detection. A file integrity checker can detect files modified by rootkits, but it is not malware.

Question 54

Q

After browsing the Internet, a user notices the computer is running slowly. An antivirus scan with updated signatures doesn’t report any problems. What is a likely cause?

A. Known virus
B. LDAP injection
C. Zero day attack
D. Spyware

Answer

A

D. Spyware can be installed without the user’s knowledge; it can add processes and change settings, which can cause a system to run slower. A known virus would be detected by an antivirus scan with updated signatures, but not all antivirus software detects spyware. LDAP injection attempts to access Active Directory data in a domain. A zero day attack is an attack on an undisclosed vulnerability.

Question 55

Q

Of the following choices, what can prevent malicious code from running on a computer?

A. Antivirus software
B. Host-based firewall
C. Input validation
D. Fuzzing

Answer

A

A. Antivirus software can detect malware and prevent it from running on a computer. Firewalls can prevent intrusions but won’t block software from running. Input validation checks input data and can help mitigate buffer overflow, SQL injection, and cross-site scripting attacks. Fuzzing sends pseudo-random data as input to an application in an attempt to crash or confuse it.

Question 56

Q

A security newsletter describes an attack where e-mails that look like they are from reputable companies are actually from attackers trying to get personal and financial information. What type of attack is this?

A. Arrow phishing
B. Phishing
C. Bear phishing
D. VoIPing

Answer

A

B. Phishing is the practice of sending e-mail to users with the purpose of tricking them into revealing personal information, such as bank account information. There’s no such thing as arrow phishing, but a spear phishing attack targets a specific person or specific groups of people, such as employees of a company. There’s no such thing as bear phishing, but whaling is a phishing attack that targets high-level executives. There’s no such thing as VoIPing, but vishing is a form of phishing that uses recorded voice over the telephone.

Question 57

Q

An organization has purchased privacy screens for all users. What threat is it trying to mitigate?

A. Password masking
B. Vishing
C. Shoulder surfing
D. Dumpster diving

Answer

A

C. Shoulder surfing can be mitigated with the use of privacy screens and password-protected screen savers. A password mask displays another character, such as an asterisk (*), to prevent shoulder surfing. Vishing is a form of phishing that uses recorded voice over the telephone and is not related to shoulder surfing. Dumpster divers search through trash looking for information, and shredding mitigates the threat.

Question 58

Q

An investigation revealed that multiple computers within your network connected to an unknown server after business hours. These computers then launched an attack. What is the best explanation for this behavior?

A. Botnet
B. Malware
C. Kiting
D. Fuzzing

Answer

A

A. Computers within a botnet regularly check in with command and control servers for instructions and then follow instructions, which often include launching DDoS attacks. Some malware infects systems and joins them to a botnet, but not all malware follows this behavior. Kiting is the practice of repeatedly reserving domain names without paying for them. Fuzzing, or fuzz testing, sends invalid, unexpected, or random data to a system looking for vulnerabilities.

Question 59

Q

A user entered improper data into an application and the application crashed. What is missing in this application?

A. Error handling
B. Cross-site scripting
C. Shredding
D. Password masking

Answer

A

A. Error handling routines are a part of input validation and can prevent application failures and many application attacks. Cross-site scripting is a type of attack that can be prevented with input validation. Organizations shred paper documents instead of throwing them away to mitigate dumpster diving attacks. Password masking helps prevent shoulder surfing attacks by displaying a character such as an asterisk instead of the password.

Question 60

Q

Which of the following is related to a buffer overflow attack?

A. Flood guard
B. Memory addressing
C. HTML tags
D. Whaling

Answer

A

B. A buffer overflow attack occurs when an attacker sends more data to an application than it can handle and overwrites memory locations. A flood guard is a security control that protects against SYN flood attacks. Cross-site scripting attacks use HTML or JavaScript tags. Whaling is a targeted phishing e-mail against a company executive, such as a CEO or president.

Question 61

Q

A web developer wants to avoid data loss from SQL injection attacks. What should the developer include in web applications?

A. Buffer overflows
B. Input validation
C. Output validation
D. Fuzzing

Answer

A

B. Input validation checks the validity of data before using it can help prevent SQL injection, buffer overflow, and cross-site scripting attacks. Buffer overflows are a vulnerability that attackers can exploit. Only inputted data needs to be validated, not outputted data. Fuzzing, or fuzz testing, sends invalid, unexpected, or random data to a system to detect buffer overflow vulnerabilities.

Question 62

Q

An organization evaluated a marketing application and discovered that it required opening several ports on firewalls. They decided on purchasing a different marketing application. What risk management strategy did they use?

A. Risk acceptance
B. Risk avoidance
C. Risk deterrence
D. Risk transference

Answer

A

B. An organization can avoid a risk by not providing a service, using an application, or participating in a risky activity, and in this case, it used a different application to avoid the risk of the open ports. Organizations often accept a risk when the cost of the control exceeds the cost of the risk. Risk deterrence attempts to discourage attacks with preventative controls such as a security guard. Organizations can transfer a risk by purchasing insurance.

Question 63

Q

A security professional is performing a quantitative risk analysis. Of the following choices, what is most likely to be used in the assessment? 
     
A. Judgment      
B. Expert opinions      
C. Asset value      
D. Fuzzing

Answer

A

C. A quantitative risk analysis uses cost and asset values. A qualitative risk assessment uses judgment based on expert opinions to categorize risks based on probability and impact. Fuzzing sends random data to an application and is sometimes used in black box testing, but it is not specific to any type of risk analysis.

Question 64

Q

Management is deciding which controls to implement to reduce specific risks. They are basing their decisions on the result of an assessment that used cost. What type of assessment was completed?

A. Quantitative
B. Qualitative
C. Vulnerability scan
D. Penetration test

Answer

A

A. A quantitative risk analysis uses cost and asset values. A qualitative risk assessment uses judgment to categorize risks based on probability and impact. A vulnerability scan passively checks systems for vulnerabilities, and a penetration test will actively assess security controls to identify what can be exploited, but neither is an assessment based on cost.

Answer 65

A

B. A vulnerability scanner checks systems for known security issues. A port scanner will identify open ports but won’t identify security issues. An intrusion prevention system (IPS) is a preventative control used to detect and stop attacks. A firewall can prevent intrusions on a system but cannot identify security issues.

Answer 66

A

D. Vulnerability scanning will passively test security controls to identify vulnerabilities and identify a lack of security controls. A penetration test will attempt to exploit weaknesses. Vulnerability scans look for common misconfigurations of security controls and can compare current configuration against a baseline, but they do not identify baseline configurations. A scan will not identify threats, only vulnerabilities.

Answer 67

A

A. A penetration test demonstrates how security vulnerabilities can be exploited. A vulnerability test identifies security vulnerabilities but doesn’t demonstrate how they can be exploited. A penetration test is not used to demonstrate or identify system capabilities.

Answer 68

A

C. In gray box testing, the testers have some knowledge of the environment. In white box testing, testers have access to all of the system details. In a black box test, testers have zero knowledge of system details. Both internal testers and external testers can start with some inside knowledge of the tested system.

Answer 69

A

A. Black hat identifies a malicious attacker performing criminal activities. Black box testers have zero knowledge of system details. A fuzzer sends random data to an application, and black box testing (not black hat) is sometimes referred to as fuzzing.

Answer 70

A

A. Reviewing user rights and permissions is a form of a system audit, and it can help ensure a server’s security configuration. An evil twin is a counterfeit wireless access point using the same SSID as a legitimate access point. Platform as a Service (PaaS) provides an easy-to-configure operating system as a cloud computing service. A hard drive hash is useful in forensics as part of an incident response and verifies that a hard drive has not been modified.

Answer 71

A

C. A password cracker can verify users are creating strong passwords for their login account in compliance with a company policy (though it is more effective to use a password policy to require strong passwords). You can use a protocol analyzer (sniffer) to view headers and clear-text contents in IP packets, but login passwords wouldn’t be passed across the network in clear text. Reviewing user rights and permissions is a form of a system audit, but it doesn’t examine the password used for login.

Answer 72

A

C. You can protect logs from compromise with centralized logging. If the logs are read only, the system will not be able to write log entries. Archiving is a good practice, but it won’t protect the logs from compromise during the attack. If logging is disabled, logs won’t have any data.

Answer 73

A

B. RAID-1 (mirroring) includes two drives and will continue to operate if one of the drives (half the total) fail, and this is the same for both hardware RAID-1 and software RAID-1. RAID-0 does not provide fault tolerance. RAID-5 uses three or more drives.

Answer 74

A

B. Generators can provide an alternate power source for extended power outages. An uninterruptible power supply (UPS) is a battery that provides temporary power for short-term outages or power fluctuations. An HVAC system provides heating and cooling. Hot and cold aisles regulate cooling to reduce cooling costs while also increasing availability.

Answer 75

A

D. A business impact analysis identifies critical functions and services and helps an organization make decisions related to business continuity, including alternate sites. A vulnerability assessment identifies and prioritizes weaknesses, but it doesn’t identify critical functions. A penetration test is an active test that attempts to exploit vulnerabilities. Business continuity plans are often tested to validate them, but they would not identify critical functions.

Answer 76

A

B. Between the choices, a hot site provides the minimum downtime if a disaster occurs. Storing a copy of the backups at the hot site helps ensure that the hot site servers can become operational with minimal downtime after a disaster at the primary location. Warm sites and cold sites will take longer to become operational.

Answer 77

A

C. A warm site provides the capability to bring services back online within a day. A hot site brings services back online within minutes or possibly an hour. A cold site brings services back online as long as a few days after the outage. Backups will not provide an alternate location that can be used after a disaster.

Answer 78

A

C. A disaster recovery plan (DRP) includes a testing element to validate the plan. A DRP will include a hierarchical list of critical systems but not a list of all systems. A chain of custody verifies forensic data is handled properly. Digital signatures provide authentication, integrity, and non-repudiation but are unrelated to a DRP.

Answer 79

A

A. Hot and cold aisles regulate cooling to reduce cooling costs while also increasing availability. A mantrap can counter the social engineering tactic of tailgating, but it doesn’t increase availability. Cameras and guards can provide access control, but do not directly increase availability.

Answer 80

A

A. If availability is more important than security, it should fail in an open state. If security is more important than availability, it should fail in a closed state. Different systems can achieve a closed state using different methods and they don’t necessarily have to be shut down or rebooted.

Answer 81

A

B. Message Digest 5 (MD5) is a hashing algorithm that can ensure the integrity of data, including files. Triple Data Encryption Standard (3DES) and Blowfish are symmetric encryption (not hashing) algorithms. RSA is an asymmetric encryption algorithm.

Answer 82

A

A. The older LANMAN protocol stores passwords using a LM hash of the password by first dividing the password into two seven-character blocks, and then converting all lower case letters to upper case. AES is used for symmetric encryption, and RSA is used for asymmetric encryption. Kerberos is a network authentication protocol using tickets.

Answer 83

A

C. Diffie-Hellman addresses key management and provides a method to privately share a symmetric key between two parties. Secure/ Multipurpose Internet Mail Extensions (S/ MIME) and Pretty Good Privacy (PGP) provide methods of digitally signing and encrypting e-mail. RC4 is a strong symmetric stream cipher used for encryption, not key management.

Answer 84

A

C. Diffie-Hellman addresses key management and provides a method to privately share a symmetric key between two parties. Secure/ Multipurpose Internet Mail Extensions (S/ MIME) and Pretty Good Privacy (PGP) provide methods of digitally signing and encrypting e-mail. RC4 is a strong symmetric stream cipher used for encryption, not key management.

Answer 85

A

A. SSL uses symmetric encryption to encrypt data in a browser session, so it uses a symmetric key. Asymmetric encryption using public and private keys is used to privately share the symmetric key. RSA uses prime numbers to create asymmetric keys, but there is no such thing as a prime number key.

Answer 86

A

C, D. The sender’s private key (Sally’s private key) signs the e-mail and the recipient’s public key (Joe’s public key) encrypts the e-mail. In this case, Sally sent the e-mail so her private key signs it, and it is encrypted with Joe’s public key. The sender’s public key (not the private key) verifies the digital signature. The recipient’s private key (not the public key) decrypts the e-mail.

Answer 87

A

A. The sender’s private key encrypts the e-mail hash in a digital signature. The sender’s public key decrypts the e-mail hash in a digital signature. If data is encrypted with a private key, anyone with the public key (which is publically available) can decrypt it. Message Digest 5 (MD5) is a hashing algorithm that can ensure the integrity of data, but it doesn’t use keys. While not included in the answers, a recipient’s private key is used to decrypt data (not the digital signature) encrypted with the recipient’s public key.

Answer 88

A

D. Pretty Good Privacy (PGP) uses public and private keys for asymmetric encryption and decryption of e-mail. A certificate revocation list (CRL) identifies revoked certificates. A certificate authority (CA) publishes the CRL, but the CRL and CA do not encrypt or decrypt e-mail. LANMAN is an older protocol that stores passwords as a hash after converting all lower case letters to upper case and dividing the password into two seven-character blocks.

Answer 89

A

A, B, C. A certificate revocation list (CRL) identifies revoked certificates and is publically available. Certificates include public keys and are publically available (though the matching private key is always kept private). Websites use certificates for authentication and encryption of HTTPS sessions, and they freely share the certificates. A user’s passphrase (or password) should be kept private.

Answer 90

A

C. A key escrow stores copies of user’s private keys to ensure that the loss of the original key does not result in data loss. A certificate revocation list (CRL) identifies revoked certificates, and a certificate authority (CA) publishes the CRL, but neither address data loss. The trusted root certification authority store is a collection of certificates from trusted

Answer 91

A

C. A clean desk policy requires users to organize their areas to reduce the risk of possible data theft and password compromise. Physical health issues are not security issues related to a clean desk policy. Not all employees necessarily interact with customers, but a clean desk policy still applies, requiring them to protect data. Integrity ensures data is not modified, but a clean desk policy helps ensure confidentiality by preventing unauthorized disclosure.

Answer 92

A

C. A user privilege policy mandates that users only have the rights and permissions needed to perform their job and no more. A user privilege review will audit assigned rights and permissions to discover these types of violations. A chain of custody provides assurances that evidence collected after an incident has been controlled and handled properly after collection. Storage and retention policies identify how long it is retained.

Answer 93

A

C. Mandatory vacation policies require employees to take time away from their job and help detect malicious activities. Dual accounts for administrators help prevent privilege escalation attacks but are unrelated to vacations. Regular security awareness training helps reinforce compliance with security policies. While vacations are valuable for recreation, this is not the goal.

Answer 94

A

B. A separation of duties policy separates individual tasks of an overall function between different people. In this case, the administrator was likely promoted into a job that required separation from the access of the previous job. Mandatory vacation policies require employees to take time away from their job and help detect malicious activities. Job rotation policies require employees to change roles on a regular basis. Single sign-on (SSO) allows users to access multiple systems by providing credentials only once, so this wouldn’t prevent access.

Answer 95

A

A. Organizations provide security awareness training to minimize the risk posed by users. Training helps reinforce user compliance with security policies, not reduce compliance. It is not possible to eliminate risk and not desirable to increase the risk.

Answer 96

A

D. Revealing personally identifiable information (PII) represents a significant threat, and organizations provide training to employees not to do so. It’s acceptable to provide any type of publically available information, such as that on a website or in sales brochure. Salespeople want to be contacted, so giving out their contact information is acceptable, as long as its professional and not personal contract information.

Answer 97

A

C. A port scanner can detect open ports used by peer-to-peer (P2P) software. A protocol analyzer can capture packets and view the contents, but it isn’t the easiest way to detect P2P software. A user rights review audits assigned rights and permissions and will discover accounts with too many permissions and enabled accounts of previous employees. A penetration test will actively assess or test security controls, and while it may include a port scan, it does much more.

Answer 98

A

D. The media access control (MAC) address is a hexadecimal number permanently assigned to a computer’s network interface card. The user logon name identifies the user, but the question asks how to identify the computer. The user can change the name and IP address of the personal computer.

Answer 99

A

A. The forensic hash of the drive verifies that the imaging process did not modify the drive and is performed before and after creating the image. Forensic hashing of an image provides assurances of image integrity, but this is different than creating a forensic image of the drive. A chain of custody provides assurances that evidence has been controlled and handled properly after collection, but is not directly related to creating the hash. You can isolate a computer from an attack by disconnecting the computer from the network, but this is unrelated to a forensic hash of a drive.

Answer 100

A

A. A chain of custody provides assurances that evidence has been controlled and handled properly after collection, but if the drive was left on a desk, it was not controlled. A clean desk policy (not a cleanliness policy) would dictate keeping a desk clean of sensitive data, but this is not an incidence response procedure. A separation of duties policy separates individual tasks of an overall function between different people. The first response after identifying an incident is to isolate the problem, and removing the thumb drive may have isolated the problem, but leaving it uncontrolled is unrelated to containment.

Brainscape's Knowledge GenomeTM

Test #1 Flashcards

Brainscape's Knowledge Genome^TM