B.3.3 Security+ SY0-601 Domain 3: Implementation Flashcards
338 questions (plus some of my own)
1
Q
For Milestone 4 (Reach Your Network), which of the following would be considered a secure protocol to use to reach your network?
A
SSH
2
Q
Which of the following file transfer protocols use SSH to provide confidentiality during the transfer? (Select two.)
A
SSH File Transfer Protocol (SFTP)
Secure Copy Protocol (SCP)
3
Q
You’ve just deployed a new Cisco router that connects several network segments in your organization.
The router is physically located in a server room that requires an ID for access. You’ve backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer using a Telnet client with a username of admin and a password of P@ssW0rd. You have used the MD5 hashing algorithm to protect the password.
What should you do to increase the security of this device? (Select two.)
A
Use an SSH client to access the router configuration
Change the default administrative username and password
4
Q
You’ve just deployed a new Cisco router that connects several network segments in your organization.
The router is physically located in a locked server closet. You use an FTP client to regularly back up the router configuration to a remote server in an encrypted file. You access the router configuration interface from a notebook computer that is connected to the router’s console port. You’ve configured the device with the username admin01 and the password P@ssW0rd. You have used the MD5 hashing algorithm to protect the password.
What should you do to increase the security of this device?
A
Use SCP to back up the router configuration to a remote location
5
Q
Which of the following protocols can be used to securely manage a network device from a remote connection?
A
SSH
6
Q
SFTP uses which mechanism to provide security for authentication and data transfer?
A
SSH
7
Q
Telnet is inherently insecure because its communications is in plaintext and easily intercepted. Which of the following is an acceptable alternative to Telnet?
A
SSH
8
Q
What is the default encryption algorithm used by SSH (Secure Shell) to protect data traffic between a client and the controlled server?
A
International Data Encryption Algorithm (IDEA)
9
Q
What is IDEA?
A
It’s designed to securely encrypt digital data and is used in various applications, including secure communications, financial transactions, and electronic voting systems
10
Q
Which of the following mechanisms can you use to add encryption to email? (Select two.)
A
S/MIME
PGP
11
Q
Which ports does LDAP use by default? (Select two.)
A
636
389
12
Q
You want to deploy SSL to protect authentication traffic with your LDAP-based directory service. Which port does this action use?
A
636
13
Q
Your LDAP directory-services solution uses simple authentication. What should you always do when using simple authentication?
A
Use SSL
14
Q
To transfer files to your company’s internal network from home, you use FTP. The administrator has recently implemented a firewall at the network perimeter and disabled as many ports as possible.
Now, you can no longer make the FTP connection. You suspect the firewall is causing the issue. Which ports need to remain open so you can still transfer the files? (Select two.)
A
20
21
15
Q
FTPS uses which mechanism to provide security for authentication and data transfer?
A
SSL
16
Q
Which of the following is a secure alternative to FTP that uses SSL for encryption?
A
FTPS
17
Q
As a network administrator, you are asked to recommend a secure method for transferring data between hosts on a network. Which of the following protocols would you recommend? (Select two.)
A
SFTP
SCP
18
Q
To increase security on your company’s internal network, the administrator has disabled as many ports as possible. However, now you can browse the internet, but you are unable to perform secure credit card transactions.
Which port needs to be enabled to allow secure transactions?
A
443
19
Q
Which of the following protocols uses port 443?
A
HTTPS
20
Q
Which TCP/IP protocol is a secure form of HTTP that uses SSL as a sub-layer for security?
A
HTTPS
21
Q
Which protocol is used to securely browse a website?
A
HTTPS
22
Q
Which utility would you MOST likely use on OS X to encrypt and decrypt data and messages?
A
GNU Privacy Guard (GPG)
23
Q
IPsec is implemented through two separate protocols. What are these protocols called? (Select two.)
A
Encapsulating Security Payload (ESP)
Authentication Header (AH)
24
Q
Which of the following network layer protocols provides authentication and encryption services for IP-based network traffic?
A
IPsec
25
What is the primary function of the IKE Protocol used with IPsec?
Create a security association between communicating partners
26
As you browse the internet, you notice that when you go to some sites, multiple additional windows are opened automatically. Many of these windows contain advertisements for products that are inappropriate for your family to view.
Which tool can you implement to prevent these windows from showing?
Pop-up blocker
27
While using a web-based order form, an attacker enters an unusually large value in the Quantity field.
The value he or she entered is so large that it exceeds the maximum value supported by the variable type used to store the quantity in the web application. This causes the value of the quantity variable to wrap around to the minimum possible value, which is a negative number.
As a result, the web application processes the order as a return instead of a purchase, and the attacker's account is credited with a large sum of money.
Which practices would have prevented this exploit? (Select two.)
Implementing server-side validation
Implementing client-side validation
28
You install a new Linux distribution on a server in your network. The distribution includes a Simple Mail Transfer Protocol (SMTP) daemon that is enabled by default when the system boots. The SMTP daemon does not require authentication to send email messages.
Which type of email attack is this server susceptible to?
Open SMTP relay
29
Which of the following BEST describes an email security gateway?
It monitors emails that originate from an organization
30
You often travel away from the office. While traveling, you would like to use your laptop computer to connect directly to a server in your office and access files.
You want the connection to be as secure as possible. Which type of connection do you need?
Remote access
31
What does a remote access server use for authorization?
Remote access policies
32
Which of the following app deployment and update methods allows updates to be uploaded onto Intune where they can be pushed out to users within 24 hours?
Remote management
33
Which of the following app deployment and update methods allows an administrator to remove apps and clear all data from a device without affecting the device itself?
Remote management
34
Which of the following tools allow remote management of servers? (Select two.)
Telnet
SSH
35
You want to set up a collector-initiated environment for event subscriptions. Which commands would you run? (Select two.)
Run winrm qc -q on the source computer
Run wecutil qc on the collector computer
36
You set up Event Subscription, but you are getting an overwhelming amount of events recorded. What should you do?
Define a filter
37
You wish to configure collector-initiated event subscriptions. On the collector computer, in which program do you configure a subscription?
Event Viewer
38
Which two types of service accounts must you use to set up event subscriptions?
Specific user service account
Default machine account
39
For some reason, your source computers are not communicating properly with the collector. Which tool would you use to verify communications?
Runtime Status
40
Which of the following are required to configure Event Subscription for event forwarding? (Select three.)
Create a Windows firewall exception for HTTP or HTTPS on all source computers
Start Windows Event Collector service on collector computer
Start Windows Remote Management service on both the source and collector computers
41
For source-initiated subscriptions, which tool do you use to configure event forwarding?
Group Policy
42
You are configuring a source-initiated subscription on the collector computer in Event Viewer. Which of the following do you need to specify?
Computer group
43
You have a large number of source computers in your IT environment. Which subscription type would be most efficient to employ?
Source-initiated
44
Which of the following DLP implementations can be used to monitor and control access to physical devices on workstations or servers?
Endpoint DLP
45
As a security precaution, you have implemented IPsec that is used between any two devices on your network. IPsec provides encryption for traffic between devices.
You would like to implement a solution that can scan the contents of the encrypted traffic to prevent any malicious attacks.
Which solution should you implement?
Host-based IDS
46
What do host-based intrusion detection systems often rely upon to perform detection activities?
Auditing capabilities
47
What is the most common form of host-based IDS that employs signature or pattern-matching detection methods?
Antivirus software
48
You have been given a laptop to use for work. You connect the laptop to your company network, use it from home, and use it while traveling.
You want to protect the laptop from internet-based attacks. Which solution should you use?
Host-based firewall
49
Which of the following is specifically meant to ensure that a program operates on clean, correct, and useful data?
Input validation
50
You are implementing a new application control solution.
Prior to enforcing your application whitelist, you want to monitor user traffic for a period of time to discover user behaviors and log violations for later review.
How should you configure the application control software to handle applications not contained in the whitelist?
Flag
51
This application endpoint-protection rule implicitly denies unless added to the rule. Which of the following processes describes this?
Whitelisting
52
You have been receiving a lot of phishing emails sent from the domain kenyan.msn.pl. Links within these emails open new browser windows at youneedit.com.pl.
You want to make sure that these emails never reach your inbox, but you also want to make sure that emails from other senders are not affected.
What should you do?
Add kenyan.msn.pl to the email blacklist
53
Which of the following enters random data to the inputs of an application?
Fuzzing
54
Which fuzz testing program type defines new test data based on models of the input?
Generation-based
55
The Application layer of the security model includes which of the following? (Select two.)
Web application security
User management
56
Which common design feature among instant messaging clients make them less secure than other means of communicating over the internet?
Peer-to-peer networking
57
Which type of application allows users to share and access content without using a centralized server?
Peer-to-peer software
58
Which of the following methods did Microsoft introduce in Windows 10 to help distribute OS updates?
Peer-to-peer software
59
Which of the following is a benefit of P2P applications?
Shared resources
60
Which of the following actions should you take to reduce the attack surface of a server?
Disable unused services
61
Which action would you use in a rule to disallow a connection silently?
Drop
62
You have configured the following rules. What is the effect?
sudo iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow SMTP traffic
63
Which type of packet would the sender receive if they sent a connection request to TCP port 25 on a server with the following command applied?
sudo iptables -A OUTPUT -p tcp --dport 25 -j REJECT
RST
64
When designing a firewall, what is the recommended approach for opening and closing ports?
Close all ports; open only ports required by applications inside the DMZ
65
You want a security solution that protects the entire hard drive and prevents access even if the drive is moved to another system. Which solution should you choose?
BitLocker
66
Which of the following is defined as an operating system that comes hardened and validated to a specific security level as defined in the Common Criteria for Information Technology Security Evaluation (CC)?
TOS
67
You have just purchased a new network device and are getting ready to connect it to your network. Which of the following actions should you take to increase its security? (Select two.)
Apply all patches and updates
Change default account passwords
68
Windows Server Update Services (WSUS) is used to accomplish which part of a manageable network?
Patch management
69
Which type of update should be prioritized even outside of a normal patching window?
Critical updates
70
You have recently experienced a security incident with one of your servers. After some research, you determine that a new hotfix has recently been released, which would have protected the server.
Which of the following recommendations would be the BEST solution for you to follow when applying the hotfix?
Test the hotfix and then apply it to all servers
71
Which of the following tools can you use on a Windows network to automatically distribute and install software and operating system patches on workstations? (Select two.)
WSUS
Group Policy
72
By definition, what is the process of reducing security exposure and tightening security controls?
Hardening
73
What is the main function of a TPM hardware chip?
Generate and store cryptographic keys
74
Which of the following functions are performed by a TPM?
Create a hash of system components
75
You would like to implement BitLocker to encrypt data on a hard disk, even if it is moved to another system. You want the system to boot automatically without providing a startup key on an external USB device.
What should you do?
Use a PIN instead of a startup key
76
You want to protect data on hard drives for users with laptops. You want the drive to be encrypted, and you want to prevent the laptops from booting unless a special USB drive is inserted. In addition, the system should not boot if a change is detected in any of the boot files.
What should you do?
Implement BitLocker without a TPM
77
What is isolating a virtual machine from the physical network to allow testing to be performed without impacting the production environment called?
Sandboxing
78
Which load balancing method distributes a workload across multiple computers?
Workload balancing
79
Which of the following is a technique that disperses a workload between two or more computers or resources to achieve optimal resource utilization, throughput, or response time?
Load balancing
80
As you go through the process of making your network more manageable, you discover that employees in the sales department are on the same network segment as the human resources department.
Which of the following steps can be used to isolate these departments?
Create a separate VLAN for each department
81
Which of the following is commonly created to segment a network into different zones?
VLANs
82
When configuring VLANs on a switch, which type of switch ports are members of all VLANs defined on the switch?
Trunk ports
83
Which of the following is an appropriate definition of a VLAN?
A logical grouping of devices based on service need, protocol, or other criteria
84
A virtual LAN can be created using which of the following?
Switch
85
When configuring VLANs on a switch, what is used to identify which VLAN a device belongs to?
Switch port
86
You manage a network that uses a single switch. All ports within your building connect through the single switch.
In the lobby of your building are three RJ-45 ports connected to the switch. You want to allow visitors to plug into these ports to gain internet access, but they should not have access to any other devices on your private network. Employees connected throughout the rest of your building should have both private and internet access.
Which feature should you implement?
VLANs
87
You run a small network for your business that has a single router connected to the internet and a single switch. You keep sensitive documents on a computer that you would like to keep isolated from other computers on the network. Other hosts on the network should not be able to communicate with this computer through the switch, but you still need to access the network through the computer.
What should you use for this situation?
VLAN
88
Which of the following is an example of protocol-based network virtualization?
VLAN
89
What is a virtual LAN that runs on top of a physical LAN called?
Virtual Area Network (VAN)
90
You have placed a File Transfer Protocol (FTP) server in your DMZ behind your firewall. The FTP server is to be used to distribute software updates and demonstration versions of your products. However, users report that they are unable to access the FTP server.
What should you do to enable access?
Open ports 20 and 21 for outbound connections.
91
You have used firewalls to create a demilitarized zone. You have a web server that needs to be accessible to internet users. The web server must communicate with a database server for retrieving product, customer, and order information.
How should you place devices on the network to best protect the servers? (Select two.)
Put the database server on the private network
Put the web server inside the DMZ
92
Of the following security zones, which one can serve as a buffer network between a private secured network and the untrusted internet?
DMZ
93
In which of the following situations would you most likely implement a demilitarized zone (DMZ)?
You want to protect a public web server from attack
94
Which of the following terms describes a network device that is exposed to attacks and has been hardened against those attacks?
Bastion or sacrificial host
95
Which of the following is another name for a firewall that performs router functions?
Screening router
96
How many network interfaces does a dual-homed gateway typically have?
3
97
In which of the following zones would a web server most likely be placed?
Low-trust zone
98
Which of the following BEST describes zero-trust security?
Only devices that pass both authentication and authorization are trusted
99
Your network devices are categorized into the following zone types:
- No-trust zone
- Low-trust zone
- Medium-trust zone
- High-trust zone
Your network architecture employs multiple VLANs for each of these network zones. Each zone is separated by a firewall that ensures only specific traffic is allowed.
Which of the following is the secure architecture concept that is being used on this network?
Network segmentation
100
Which of the following is a privately controlled portion of a network that is accessible to some specific external entities?
Extranet
101
Which of the following best describes the concept of a virtual LAN?
Devices on the same network logically grouped as if they were on separate networks
102
Which of the following provides the network virtualization solution called XenServer?
Citrix
103
Which VPN tunnel style routes only certain types of traffic?
Split
104
Which of the following VPN protocols is no longer considered secure?
Point-to-Point Tunneling Protocol (PPTP)
105
A group of salesmen would like to remotely access your private network through the internet while they are traveling. You want to control access to the private network through a single server.
Which solution should you implement?
VPN concentrator
106
Which VPN implementation uses routers on the edge of each site?
Site-to-site VPN
107
A salesperson in your organization spends most of her time traveling between customer sites. After a customer visit, she must complete various managerial tasks, such as updating your organization's order database.
Because she rarely comes back to your home office, she usually accesses the network from her notebook computer using Wi-Fi access provided by hotels, restaurants, and airports.
Many of these locations provide unencrypted public Wi-Fi access, and you are concerned that sensitive data could be exposed. To remedy this situation, you decide to configure her notebook to use a VPN when accessing the home network over an open wireless connection.
Which key steps should you take when implementing this configuration? (Select two.)
Configure the browser to send HTTPS requests through the VPN connection
Configure the VPN connection to use IPsec
108
Which statement BEST describes IPsec when used in tunnel mode?
The entire data packet, including headers, is encapsulated
109
Which IPSec subprotocol provides data encryption?
ESP
110
In addition to Authentication Header (AH), IPsec is comprised of what other service?
Encapsulating Security Payload (ESP)
111
Which VPN protocol typically employs IPsec as its data encryption mechanism?
Layer 2 Tunneling Protocol (L2TP)
112
A VPN is primarily used for which of the following purposes?
Support secured communications over an untrusted network
113
Which of the following is the BEST solution to allow access to private resources from the internet?
VPN
114
The IT manager has asked you to create four new VLANs for a new department. As you are going through the VLAN configurations, you find some VLANs numbered 1002-1005. However, they are not in use.
What should you do with these VLANs?
Nothing. They are reserved and cannot be used or deleted
115
Which of the following is used as a secure tunnel to connect two networks?
VPN
116
The IT manager has asked you to create a separate VLAN to be used exclusively for wireless guest devices to connect to.
Which of the following is the primary benefit of creating this VLAN?
You can control security by isolating wireless guest devices within this VLAN
117
Which of the following NAC agent types is the most convenient agent type?
Permanent
118
Which of the following NAC agent types creates a temporary connection?
Dissolvable
119
Which of the following NAC agent types would be used for IoT devices?
Agentless
120
Members of the sales team use laptops to connect to the company network. While traveling, they connect their laptops to the internet through airport and hotel networks.
You are concerned that these computers could pick up viruses that could spread to your private network. You would like to implement a solution that prevents the laptops from connecting to your network unless antivirus software and the latest operating system patches are installed.
Which solution should you use?
Network Access Control (NAC)
121
What is Cisco's Network Access Control (NAC) solution called?
Identity Services Engine (ISE)
122
You are configuring the security settings for your network. You have decided to configure a policy that requires any computer connecting to the network to run at least Windows 10 version 2004.
Which of the following have you configured?
NAC
123
Which of the steps in the Network Access Control (NAC) implementation process occurs once the policies have been defined?
Apply
124
You are part of a committee that is meeting to define how Network Access Control (NAC) should be implemented in the organization.
Which step in the NAC process is this?
Plan
125
What are the steps in the NAC implementation process in order?
Planning
Define
Implementing
Review
126
The IT manager has tasked you with implementing a solution that ensures that mobile devices are up to date, have anti-malware installed, and have the latest definition updates before being allowed to connect to the network.
Which of the following should you implement?
NAC
127
Which of the following do switches and wireless access points use to control access through a device?
MAC address filtering
128
In which of the following situations would you use port security?
You want to restrict the devices that could connect through a switch port
129
You are the network administrator for a city library. Throughout the library are several groups of computers that provide public access to the internet. Supervision of these computers has been difficult. You've had problems with patrons bringing personal laptops into the library and disconnecting the network cables from the library computers to connect their laptops to the internet.
The library computers are in groups of four. Each group of four computers is connected to a hub that is connected to the library network through an access port on a switch. You want to restrict access to the network so that only library computers are permitted connectivity to the internet.
What can you do?
Configure port security on the switch
130
Which protocol should you disable on the user access ports of a switch?
Dynamic Trunking Protocol (DTP)
131
Which of the following types of proxies would you use to remain anonymous when surfing the internet?
Forward
132
Which security mechanism can be used to detect attacks that originate on the internet or from within an internal trusted subnet?
Intrusion Detection System (IDS)
133
Which of the following is a security service that monitors network traffic in real time or reviews the audit logs on servers looking for security violations?
IDS
134
An active IDS system often performs which of the following actions? (Select two.)
Updates filters to block suspect traffic
Performs reverse lookups to identify an intruder
135
Which of the following devices can monitor a network and detect potential security attacks?
IDS
136
Which of the following devices is capable of detecting and responding to security threats?
Intrusion Prevention System (IPS)
137
You are concerned about attacks directed at your network firewall. You want to be able to identify and be notified of any attacks. In addition, you want the system to take immediate action to stop or prevent the attack, if possible.
Which tool should you use?
IPS
138
Your organization uses a web server to host an e-commerce site.
Because this web server handles financial transactions, you are concerned that it could become a prime target for exploits. You want to implement a network security control that analyzes the contents of each packet going to or from the web server. The security control must be able to identify malicious payloads and block them.
What should you do?
Implement an application-aware IPS in front of the web server
139
Which IDS method searches for intrusion or attack attempts by recognizing patterns or identifying entities listed in a database?
Signature-based IDS
140
What does a signature-based IDS use to identify attacks?
Comparisons to known attack patterns
141
You have just installed a new network-based IDS system that uses signature recognition. What should you do on a regular basis?
Update the signature files
142
You are concerned about protecting your network from network-based attacks on the internet. Specifically, you are concerned about attacks that have not yet been identified or that do not have prescribed protections.
Which type of device should you use?
Anomaly-based IDS
143
Which of the following best describes a stateful inspection?
Determines the legitimacy of traffic based on the state of the connection from which the traffic originated
144
You want to install a firewall that can reject packets that are not part of an active session. Which type of firewall should you use?
Circuit-level gateway
145
Which of the following are true of a circuit proxy-filter firewall? (Select two.)
Operates at the Session layer
Verifies sequencing of session packets
146
Which of the following are characteristics of a circuit-level gateway? (Select two.)
Filters based on sessions
Stateful
147
Which of the following are characteristics of a packet-filtering firewall? (Select two.)
Filters IP address and port
Stateless
148
You have just installed a packet-filtering firewall on your network. Which options are you able to set on your firewall? (Select all that apply.)
Destination address of a packet
Port number
Source address of a packet
149
You want to connect your small company network to the internet. Your ISP provides you with a single IP address that is to be shared between all hosts on your private network. You do not want external hosts to be able to initiate connection to internal hosts.
Which type of Network Address Translation (NAT) should you implement?
Dynamic
150
Which NAT implementation assigns two IP addresses to the public NAT interface, allowing traffic to flow in both directions?
Dynamic and static
151
Which device is NAT typically implemented on?
Gateway router
152
Which problem does NAT help address?
The shortage of IPv4 addresses
153
At which layer of the OSI model do NAT routers operate?
Layer 3 (Network layer)
154
How many concurrent connections does NAT support?
5,000
155
Which of the following does a NAT router use to associate a port number with a request from a private host?
Port Address Translation (PAT)
156
A network device is given an IP address of 172.16.0.55. Which type of network is this device on?
Class B private network
157
You have a small network at home that is connected to the internet. On your home network, you have a server with the IP address of 192.168.55.199/16. You have a single public address that is shared by all hosts on your private network.
You want to configure the server as a web server and allow internet hosts to contact the server to browse a personal website.
What should you use to allow access?
Static NAT
158
You are the network administrator for a small company that implements NAT to access the internet. However, you recently acquired five servers that must be accessible from outside your network. Your ISP has provided you with five additional registered IP addresses to support these new servers, but you don't want the public to access these servers directly. You want to place these servers behind your firewall on the inside network, yet still allow them to be accessible to the public from the outside.
Which method of NAT translation should you implement for these servers?
Static
159
Which of the following is a firewall function?
Packet filtering
160
Which of the following is the best device to deploy to protect your private network from a public untrusted network?
Firewall
161
You are configuring web threat protection on the network and want to block emails coming from a specific sender. Which of the following should be configured?
Spam filter
162
You would like to make sure users are not accessing inappropriate content online at work. Which endpoint security strategy would you employ?
Content filtering
163
Jessica needs to set up a firewall to protect her internal network from the internet. Which of the following would be the BEST type of firewall for her to use?
Hardware
164
You provide internet access for a local school. You want to control internet access based on the user and prevent access to specific URLs.
Which type of firewall should you install?
Application-level gateway
165
You connect your computer to a wireless network available at the local library. You find that you can access all of the websites you want on the internet except for two.
What might be causing the problem?
A proxy server is blocking access to the websites
166
Which of the following functions are performed by proxies? (Select two.)
Block employees from accessing certain websites
Cache web pages
167
Which of the following solutions would you implement to track which websites network users are accessing?
Proxy
168
Which of the following are features of an application-level gateway? (Select two.)
Stops each packet at the firewall for inspection
Reassembles entire messages
169
Which of the following best describes a proxy server?
Operates at Layer 7 (Application layer) of the OSI model
170
You are the office manager of a small financial credit business. Your company handles personal financial information for clients seeking small loans over the internet. You are aware of your obligation to secure clients records, but the budget is an issue for your company.
Which item would provide the BEST security for this situation?
All-in-one security appliance
171
A proxy server can be configured to do which of the following?
Restrict users on the inside of a network from getting out to the internet
172
You want to give all managers the ability to view and edit a certain file. To do so, you need to edit the discretionary access control list (DACL) associated with the file. You want to be able to easily add and remove managers as their job positions change.
What is the BEST way to accomplish this?
Create a security group for the managers. Add all users as members of the group. Add the group to the file's DACL
173
You have a shared folder named Reports. Members of the Managers group have been given Write access to the shared folder.
Mark Mangum is a member of the Managers group. He needs access to the files in the Reports folder, but he should not have any access to the Confidential.xls file.
What should you do?
Add Mark Mangum to the ACL for the Confidential.xls file with Deny permissions
174
Which of the following does a router acting as a firewall use to control which packets are forwarded or dropped?
ACL
175
Which security mechanism uses a unique list that meets the following specifications:
- The list is embedded directly in the object itself.
- The list defines which subjects have access to certain objects.
- The list specifies the level or type of access allowed to certain objects.
User ACL
176
Which of the following should be configured on the router to filter traffic at the router level?
Access control list
177
Which of the following is used by Microsoft for auditing in order to identify past actions performed by users on an object?
System Access Control List (SACL)
178
Which of the following describes how access control lists can be used to improve network security?
An access control list filters traffic based on the IP header information, such as source or destination IP address, protocol, or socket number
179
Which of the following does a router use to determine where packets are forwarded to?
Routing table
180
Which of the following happens by default when you create and apply a new ACL on a router?
All traffic is blocked
181
You have configured your ACL to block outgoing traffic from a device with the IP address 192.168.1.52. Which type of ACL have you configured?
Standard
182
Which type of ACL should be placed as close to the source as possible?
Extended
183
Which command would you use to list all of the currently defined iptables rules?
sudo iptables -L
184
Which of the following devices can apply quality of service and traffic-shaping rules based on what created the network traffic?
Application-aware devices
185
You decide to use a packet sniffer to identify the type of traffic sent to a router. You run the packet sniffing software on a device that is connected to a hub with three other computers. The hub is connected to a switch that is connected to the router.
When you run the software, you see frames addressed to the four workstations, but not to the router.
Which feature should you configure on the switch?
Port mirroring
186
Which of the following features are supplied by WPA2 on a wireless network?
Encryption
187
You need to secure your wireless network. Which security protocol would be the best choice?
WPA2
188
You need to add security for your wireless network, and you would like to use the most secure method.
Which method should you implement?
WPA2
189
Which of the following items would be implemented at the Data layer of the security model?
Cryptography
190
You need to configure a wireless network using WPA2-Enterprise. Which of the following components should be part of your design? (Select two.)
802.1x
AES encryption
191
Which EAP implementation is MOST secure?
EAP-TLS
192
You want to increase the security of your network by allowing only authenticated users to access network devices through a switch.
Which of the following should you implement?
802.1x authentication
193
What is 802.1x Authentication?
An authentication method used on a LAN to allow or deny access based on a port or connection to the network
194
An authentication method used on a LAN to allow or deny access based on a port or connection to the network
Controlling access through a switch
195
You are adding switches to your network to support additional VLANs. Unfortunately, the new switches are from a different vendor than the current switches.
Which standard do you need to ensure that the switches are supported?
802.1Q
196
Which 802.1Q priority is IP phone traffic on a voice VLAN tagged with by default?
5
197
You want to implement 802.1x authentication on your wireless network. Where would you configure passwords that are used for authentication?
On a RADIUS server
198
You are the wireless network administrator for your organization. As the size of the organization has grown, you've decide to upgrade your wireless network to use 802.1x authentication instead of pre-shared keys.
To do this, you need to configure a RADIUS server and RADIUS clients. You want the server and the clients to mutually authenticate with each other.
What should you do? (Select two. Each response is a part of the complete solution.)
Configure all wireless access points with client certificates
Configure the RADIUS server with a server certificate
199
You want to connect a laptop computer running Windows to a wireless network.
The wireless network uses multiple access points and WPA2-Personal. You want to use the strongest authentication and encryption possible. SSID broadcast has been disabled.
What should you do?
Configure the connection with a pre-shared key and AES encryption
200
Which of the following devices would you use to perform a site survey?
Wi-Fi analyzer
201
Which of the following types of site surveys should be performed first?
Passive
202
You are concerned that wireless access points may have been deployed within your organization without authorization.
What should you do? (Select two. Each response is a complete solution.)
Check the MAC addresses of devices connected to your wired switch
Conduct a site survey
203
Which of the following is generated after a site survey and shows the Wi-Fi signal strength throughout the building?
Heat map
204
When setting up a new wireless access point, what is the first configuration change that should be made?
Default login
205
Which of the following is used on a wireless network to identify the network name?
Service Set Identifier (SSID)
206
Which of the following is responsible for broadcasting information and data over radio waves?
Wireless access point
207
Which class of wireless access point (WAP) has everything necessary to manage clients and broadcast a network already built into its functionality?
Fat
208
Which of the following wireless network protection methods prevents the wireless network name from being broadcast?
SSID broadcast
209
You have physically added a wireless access point to your network and installed a wireless networking card in two laptops that run Windows. Neither laptop can find the network. You have come to the conclusion that you must manually configure the access point (AP).
Which of the following values uniquely identifies the network AP?
SSID
210
You need to implement a wireless network link between two buildings on a college campus. A wired network has already been implemented within each building. The buildings are 100 meters apart.
Which type of wireless antenna should you use on each side of the link? (Select two.)
Parabolic
High-gain
211
The IT manager has tasked you with installing the new wireless LAN controller (WLC).
Where should you install the controller?
Network closet
212
Which type of wireless access point is generally used in a residential setting?
Small Office Home Office (SOHO) Router
213
You need to implement a solution to manage multiple access points in your organization. Which of the following would you most likely use?
Wireless LAN Controller (WLC)
214
You've just finished installing a wireless access point for a client. What should you do to prevent unauthorized users from using the access point (AP) configuration utility?
Change the administrative password on the AP
215
Users in the sales department perform many of their daily tasks, such as emailing and creating sales presentations, on their personal tablets.
The chief information officer worries that one of these users might also use their tablet to steal sensitive information from the organization's network. Your job is to implement a solution that prevents insiders from accessing sensitive information stored on the organization's network from their personal devices while still giving them access to the internet.
Which of the following should you implement?
A guest wireless network that is isolated from your organization's production network
216
Your organization recently purchased a mixture of iOS and Android devices for use by the organization's management team.
What is the BEST approach to defined and enforced app whitelists for these devices?
Enroll the devices in a mobile device management (MDM) system
217
Which of the following app deployment and update methods can be configured to make available to specific users and groups only the apps that they have rights to access?
App catalog
218
Users in the sales department perform many of their daily tasks, such as emailing and creating sales presentations, on company-owned tablets. These tablets contain sensitive information. If one of these tablets is lost or stolen, this information could end up in the wrong hands.
The chief information officer wants you to implement a solution that can be used to keep sensitive information from getting into the wrong hands if a device is lost or stolen.
Which of the following should you implement?
A mobile device management (MDM) infrastructure
219
A smartphone was lost at the airport. There is no way to recover the device. Which of the following ensures data confidentiality on the device?
Remote wipe
220
Which of the following mobile device security considerations disables the ability to use the device after a short period of inactivity?
Screen lock
221
Which of the following is a solution that pushes security policies directly to mobile devices over a network connection?
Mobile device management (MDM)
222
Mobile device management (MDM) provides the ability to do which of the following?
Track the device
223
Which of the following mobile device management (MDM) solutions is hardware-agnostic and supports many different brands of mobile devices?
Enterprise Mobility Management (EMM)
224
Which of the following mobile device management (MDM) solutions allows an organization to manage all devices, including printers, workstations, and even IoT devices?
Unified Endpoint Management (UEM)
225
Mobile application management (MAM) provides the ability to do which of the following?
Remotely install and uninstall apps
226
Your organization recently purchased 20 Android tablets for use by the organization's management team.
You are using a Windows domain. Which of the following should you use to push security settings to the devices?
Intune
227
Which of the following is the recommend Intune configuration?
Intune Standalone
228
Which of the following Intune portals is used by end users to manage their own account and enroll devices?
Company portal
229
The IT manager has tasked you with configuring Intune. You have enrolled the devices and now need to set up the Intune policies.
Where would you go to set up the Intune policies?
In the Admin portal, select Policy > Add Policy
230
What is the minimum number of users needed in a Windows Enterprise agreement for Intune to be included?
500
231
Which of the following is the first phase of the Microsoft Intune application life cycle?
Add
232
What are the Microsoft Intune phases in order?
Add
Deploy
Configure
Protect
233
In which phase of the Microsoft Intune application life cycle would you assign an app to users and/or devices you manage and monitor them on the Azure portal?
Deploy
234
If a user's BYOD device (such as a tablet or phone) is infected with malware, that malware can be spread if that user connects to your organization's network. One way to prevent this event is to use a Network Access Control (NAC) system.
How does an NAC protect your network from being infected by a BYOD device?
The NAC remediates devices before allowing them to connect to your network
235
Which of the following could be an example of a malicious insider attack?
A user uses the built-in microphone to record conversations
236
Which device deployment model gives businesses significant control over device security while allowing employees to use their devices to access both corporate and personal data?
Corporate-Owned, Personally Enables (COPE)
237
Which of the following are true concerning virtual desktop infrastructure (VDI)? (Select two.)
User desktop environments are centrally hosted on servers instead of on individual desktop systems
In the event of a widespread malware infection, the administrator can quickly reimage all user desktops on a few central servers
238
Which of the following BEST describes a virtual desktop infrastructure (VDI)?
Provides enhanced security and better data protection because most of the data processing is provided by servers in the data center rather than on the local device
239
Which of the following is a collection of recorded data that may include details about logons, object access, and other activities deemed important by your security policy and is often used to detect unwanted and unauthorized user activity?
Audit trail
240
A recreation of historical events is made possible through which of the following?
Audit trails
241
Which of the following is true concerning internal audits?
They are generally nonobjective
242
Which component of an IT security audit evaluates defense in depth and IT-related fraud?
Risk evaluation
243
Which type of audit is performed by either a consultant or an auditing firm employee?
External audit
244
Which of the following methods can cloud providers implement to provide high availability?
Replication
245
Google Cloud, Amazon Web Services (AWS), and Microsoft Azure are some of the most widely used cloud storage solutions for enterprises. Which of the following factors prompt companies to take advantage of cloud storage? (Select two.)
Growing demand for storage
Need to bring costs down
246
Which area of focus do public-facing servers, workstations, Wi-Fi networks, and personal devices fall under?
Entry points
247
Which of the following objects identifies a set of users with similar access needs?
Group
248
Which type of group can be used for controlling access to objects?
Security
249
Which of the following tools allows the user to set security rules for an instance of an application that interacts with one organization and different security rules for an instance of the application when interacting with another organization?
Instance awareness
250
Cloud storage is a virtual service, so the infrastructure is the responsibility of the storage provider. Access control should be set as a local file system would be, with no need for the provider to have access to the stored data.
- You are implementing the following measures to secure your cloud storage:
- Verify that security controls are the same as in a physical data center.
- Use data classification policies.
- Assign information into categories that determine storage, handling, and access requirements.
- Assign information classification based on information sensitivity and criticality.
Which of the following is another security measure you can implement?
Configure redundancy and distribution of data
251
Which of the following is a network security service that filters malware from user-side internet connections using different techniques?
Secure web gateway
252
Which of the following is a network device that is deployed in the cloud to protect against unwanted access to a private network?
Cloud-based firewall
253
Which type of firewall protects against packets coming from certain IP addresses?
Packet-filtering
254
Which type of firewall operates at Layer 7 of the OSI model?
Application layer
255
Your browser has blocked you from accessing your crucial secure intranet sites. What could be the problem?
Your SSL certificate status has been revoked
256
Which of the following identification and authentication factors are often well known or easily discovered by others on the same network or system?
Username
257
What should you do to a user account if the user goes on an extended vacation?
Disable the account
258
Tom Plask's user account has been locked because he entered too many incorrect passwords. You need to unlock the account.
Click the tab in the properties of the Tom Plask user object you would use to unlock his account.
Account
259
Tom Plask was recently transferred to the Technical Support Department. He now needs access to the network resources used by tech support employees.
To grant him access, you need to add Tom Plask's user account to the Support group in the Active Directory domain.
Click the tab in the properties of the Tom Plask user object you would use to accomplish this.
Member Of
260
You are creating a new Active Directory domain user account for the Rachel McGaffey user account. During the account setup process, you assigned a password to the new account.
However, you know that the system administrator should not know any user's password for security reasons. Only the user should know his or her own password.
Click the option you would use in the New Object - User dialog to remedy this situation.
User must change password at next logon
261
One of your users, Karen Scott, has recently married and is now Karen Jones. She has requested that her username be changed from kscott to kjones with no other values changed.
Which of the following commands would accomplish this?
usermod -l kjones kscott
262
An employee named Bob Smith, whose username is bsmith, has left the company. You have been instructed to delete his user account and home directory.
Which of the following commands would produce the required outcome? (Select two.)
userdel bsmith;rm -rf /home/bsmith
userdel -r bsmith
263
Upon running a security audit in your organization, you discover that several sales employees are using the same domain user account to log in and update the company's customer database.
Which action should you take? (Select two. Each response is part of a complete solution.)
Delete the account that the sales employees are currently using
Train sales employees to use their own user accounts to update the customer database
264
Mary, a user, is attempting to access her OneDrive from within Windows and is unable to.
Which of the following would be the MOST likely cause?
Mary needs to log in with a Microsoft account
265
Which of the following account types uses a single sign-on system that lets you access Windows, Office 365, Xbox Live, and more?
Microsoft
266
John, a user, is attempting to install an application but receives an error that he has insufficient privileges. Which of the following is the MOST likely cause?
John has a local standard user account
267
Which of the following account types is a cloud-based identity and access management service that provides access to both internal and external resources?
Azure AD
268
You've just deployed a new Cisco router that connects several network segments in your organization.
The router is physically located in a server room that requires an ID card to gain access. You've backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer by connecting it to the console port on the router. You've configured the management interface with a username of admin and a password of password.
What should you do to increase the security of this device?
Use a stronger administrative password
269
Which of the following are characteristics of a complex password? (Select two.)
Has a minimum of eight characters
Consists of letters, numbers, and symbols
270
You want to make sure that all users have passwords over eight characters in length and that passwords must be changed every 30 days.
What should you do?
Configure account policies in Group Policy
271
You are configuring the Local Security Policy of a Windows system. You want to require users to create passwords that are at least ten characters in length. You also want to prevent login after three unsuccessful login attempts.
Which policies should you configure? (Select two.)
Account lockout threshold
Minimum password length
272
You are teaching new users about security and passwords.
Which of the following is the BEST example of a secure password?
T1a73gZ9!
273
John, a network administrator, is looking to implement a new authentication method for his company's secure server room. He wants a solution that does not require physical contact with the reader device and uses Radio Frequency Identification (RFID) technology.
Which type of smart card should John implement?
Contactless smart cards
274
Sarah, a cybersecurity analyst, is conducting a risk assessment on the use of smart cards in her organization. She is particularly concerned about a type of attack that deliberately induces malfunctions in the card.
Which of the following weaknesses of smart cards is Sarah worried about?
Fault generation
275
A user named Bob Smith has been assigned a new desktop workstation to complete his day-to-day work.
When provisioning Bob's user account in your organization's domain, you assigned an account name of BSmith with an initial password of bw2Fs3d.
On first login, Bob is prompted to change his password. He changes it to the name of his dog, Fido.
What should you do to increase the security of Bob's account? (Select two.)
Use Group Policy to require strong passwords on user accounts
Train users not to use passwords that are easy to guess
276
You are configuring the Local Security Policy of a Windows system. You want to prevent users from reusing old passwords. You also want to force them to use a new password for at least five days before changing it again.
Which policies should you configure? (Select two.)
Minimum password age
Enforce password history
277
What is the effect of the following command?
chage -M 60 -W 10 jsmith
Sets the password for jsmith to expire after 60 days and gives a warning 10 days before expiration
278
You have just configured the password policy and set the minimum password age to 10.
What is the effect of this configuration?
Users cannot change the password for 10 days
279
Which chage option keeps a user from changing their password every two weeks?
-m 33
280
You have hired ten new temporary employees to be with the company for three months.
How can you make sure that these users can only log on during regular business hours?
Configure day/time restrictions in user accounts
281
Recently, a serious security breach occurred in your organization. An attacker was able to log in to the internal network and steal data through a VPN connection using the credentials assigned to a vice president in your organization.
For security reasons, all individuals in upper management in your organization have unlisted home phone numbers and addresses. However, security camera footage from the vice president's home recorded someone rummaging through her garbage cans prior to the attack. The vice president admitted to writing her VPN login credentials on a sticky note that she subsequently threw away in her household trash. You suspect the attacker found the sticky note in the trash and used the credentials to log in to the network.
You've reviewed the vice president's social media pages. You found pictures of her home posted, but you didn't notice anything in the photos that would give away her home address. She assured you that her smartphone was never misplaced prior to the attack.
Which security weakness is the MOST likely cause of the security breach?
Geotagging was enabled on her smartphone
282
You have hired 10 new temporary workers who will be with the company for three months. You want to make sure that the user accounts cannot be used for login after that time period. What should you do?
Configure account expiration in the user accounts
283
There are registry-based settings that can be configured within a GPO to control the computer and the overall user experience, such as:
- Use Windows features such as BitLocker, Offline Files, and Parental Controls
- Customize the Start menu, taskbar, or desktop environment
- Control notifications
- Restrict access to Control Panel features
- Configure Internet Explorer features and options
What are these settings known as?
Administrative templates
284
You want to ensure that all users in the Development OU have a common set of network communication security settings applied.
Which action should you take?
Create a GPO computer policy for the computers in the Development OU
285
You have several computers running Windows 10. The computers are members of a domain.
For all computers, you want to remove access to administrative tools from the Start menu and hide notifications from the system tray. What should you do?
Use Group Policy
286
A user has complained about not being able to remove a program that is no longer needed on a computer. The Programs and Features page is not available in Control Panel.
You suspect that a policy is enabled that hides this page from the user. But after opening the Local Group Policy Editor, you see that the Hide Programs and Features page is set to Not configured. You know that other users in this domain can access the Programs and Features page.
To determine whether the policy is enabled, where should you look next?
GPOs linked to organizational units that contain this user's object
287
The Hide Programs and Features page setting is configured for a specific user as follows:
Policy Setting
Local Group Policy Enabled
Default Domain Policy GPO Not configured
GPO linked to the user's
organizational unit Disabled
After logging in, the user is able to see the Programs and Features page. Why does this happen?
The GPO linked to the user's organizational unit is applied last, so this setting takes precedence
288
Which statement is true regarding the application of GPO settings?
If a setting is defined in the Local Group Policy on the computer and not defined in the GPO linked to the OU, the setting is applied
289
Group Policy Objects (GPOs) are applied in which of the following orders?
Local Group Policy, GPO linked to site, GPO linked to domain, GPO linked to organizational unit (highest to lowest)
290
Which of the following identifies the type of access that is allowed or denied for an object?
Permissions
291
You manage an Active Directory domain. All users in the domain have a standard set of internet options configured by a GPO linked to the domain, but you want users in the Administrators OU to have a different set of internet options.
What should you do?
Create a GPO user policy for the Administrators OU
292
You have performed an audit and found an active account for an employee with the username joer. This user no longer works for the company.
Which command can you use to disable this account?
usermod -L joer
293
Which of the following terms identifies the process of reviewing log files for suspicious activity and threshold compliance?
Auditing
294
For users on your network, you want to automatically lock user accounts if four incorrect passwords are used within ten minutes.
What should you do?
Configure account lockout policies in Group Policy
295
Which of the following utilities could you use to lock a user account? (Select two.)
usermod
passwd
296
In the /etc/shadow file, which character in the password field indicates that a standard user account is locked?
!
297
You suspect that the gshant user account is locked.
Enter the command you would use in a shell to show the status of the user account.
passwd -S gshant
298
A manager has told you she is concerned about her employees writing their passwords for websites, network files, and database resources on sticky notes. Your office runs exclusively in a Windows environment.
Which tool could you use to prevent this behavior?
Credential Manager
299
KWalletManager is a Linux-based credential management system that stores encrypted account credentials for network resources.
Which encryption methods can KWalletManager use to secure account credentials? (Select two.)
Blowfish
GPG
300
You want to protect the authentication credentials you use to connect to the LAB server in your network by copying them to a USB drive.
Click the option you use in Credential Manager to protect your credentials.
Back Up Credentials
301
Which remote access authentication protocol allows for the use of smart cards for authentication?
EAP
302
Which of the following is a feature of MS-CHAP v2 that is not included in CHAP?
Mutual authentication
303
CHAP performs which of the following security functions?
Periodically verifies the identity of a peer using a three-way handshake
304
RADIUS is primarily used for what purpose?
Authenticating remote clients before access to the network is granted
305
You want to implement 802.1x authentication on your wireless network. Which of the following is required?
RADIUS
306
You are replacing a wired business network with an 802.11g wireless network. You currently use Active Directory on the company network as your directory service. The new wireless network has multiple wireless access points, and you want to use WPA2 on the network. What should you do to configure the wireless network? (Select two.)
Configure devices to run in infrastructure mode
Install a RADIUS server and use 802.1x authentication
307
Which of the following are characteristics of TACACS+? (Select two.)
Allows three different servers (one each for authentication, authorization, and accounting)
Uses TCP
308
Which of the following are differences between RADIUS and TACACS+?
RADIUS combines authentication and authorization into a single function; TACACS+ allows these services to be split between different servers
309
Which of the following is a characteristic of TACACS+?
Encrypts the entire packet, not just authentication packets
310
Which of the following ports are used with TACACS?
49
311
When using Kerberos authentication, which of the following terms is used to describe the token that verifies the user's identity to the target system?
Ticket
312
You want to use Kerberos to protect LDAP authentication. Which authentication mode should you choose?
Simple Authentication and Security Layer (SASL)
313
A user has just authenticated using Kerberos. Which object is issued to the user immediately following login?
Ticket-granting ticket
314
Which access control model is based on assigning attributes to objects and using Boolean logic to grant access based on the attributes of the subject?
Attribute-Based Access Control (ABAC)
315
Which form of access control is based on job descriptions?
Role-Based Access Control (RBAC)
316
You have implemented an access control method that only allows users who are managers to access specific data. Which type of access control model is being used?
Role-Based Access Control (RBAC)
317
Which of the following is an example of rule-based access control?
Router access control lists that allow or deny traffic based on the characteristics of an IP packet
318
Which type of access control focuses on assigning privileges based on security clearance and data sensitivity?
Mandatory Access Control (MAC)
319
In which form of access control environment is access controlled by rules rather than identity?
MAC
320
Which form of access control enforces security based on user identities and allows individual users to define access controls over owned resources?
Discretionary Access Control (DAC)
321
You have a system that allows the owner of a file to identify users and their permissions to the file. Which type of access control model is implemented?
DAC
322
Which of the following is a privilege or action that can be taken on a system?
User rights
323
You have a file server named Srv3 that holds files used by the development department. You want to allow users to access the files over the network and control access to files accessed through the network or through a local logon.
Which solution should you implement?
NTFS permissions and share permissions
324
If Mark has a read-write permission to the share \\fileserver\securefiles and a read-only permission to the file coolstuff.docx on the NTFS file system shared by the file share, he is able to perform which action?
Read the file
325
Which of the following items are contained in a digital certificate? (Select two.)
Public key
Validity period
326
Which aspect of a certificate makes it a reliable and useful mechanism for proving the identity of a person, system, or service on the internet?
It is a trusted third party
327
An SSL client has determined that the certificate authority (CA) issuing a server's certificate is on its list of trusted CAs. What is the next step in verifying the server's identity?
The CA's public key must validate the CA's digital signature on the server certificate
328
Which of the following is an entity that accepts and validates information contained within a request for a certificate?
Registration authority
329
Certificates can be invalidated by the trusted third party that originally issued the certificate. What is the name of the mechanism that is used to distribute information about invalid certificates?
Certificate Revocation List (CRL)
330
Which of the following best describes the contents of the CRL?
A list of all revoked certificates
331
Which of the following would require that a certificate be placed on the CRL?
The private key is compromised
332
To obtain a digital certificate and participate in a public key infrastructure (PKI), what must be submitted and where?
Identifying data and a certification request to the registration authority (RA)
333
A private key has been stolen. Which action should you take to deal with this crisis?
Add the digital certificate to the CRL
334
Which action is taken when the private key associated with a digital certificate becomes compromised?
The certificate is revoked and added to the Certificate Revocation List
335
Which technology was developed to help improve the efficiency and reliability of checking the validity status of certificates in large, complex environments?
Online Certificate Status Protocol
336
A PKI is an implementation for managing which type of encryption?
Asymmetric
337
Which of the following is a mechanism for granting and validating certificates?
PKI
338
You have just finished developing a new application. Before putting it on the website for users to download, you want to provide a checksum to verify that the object has not been modified.
Which of the following would you implement?
Code signing
339
In the certificate authority trust model known as a hierarchy, where does trust start?
Root CA
340
Which standard is most widely used for certificates?
X.509
341
What is the purpose of key escrow?
To provide a means for legal authorities to access confidential data
342
You are concerned that if a private key is lost, all documents encrypted with your private key will be inaccessible. Which service should you use to solve this problem?
Key escrow
