Chapter 1-6 Practice Questions Flashcards

1
Q

You need to transmit PII via email and you want to maintain its confidentiality. Which of the following choices is your BEST solution?

A. Use hashes
B. Encrypt it before sending
C. Protect it with digital signature
D. Use RAID

A

B. Encrypt it before sending

Using hashes is for checking whether data has been modified.
Protecting it with a digital signature ensures that it came from you.
RAID does not do anything to protect confidentiality.

Book:
B. You can maintain confidentiality of any data, including Personally Identifiable Information (PII), with encryption. Hashes provide integrity, not confidentiality. A digital signature provides authentication, nonrepudiation, and integrity. A redundant array of inexpensive disks (RAID) provides higher availability for a disk subsystem.

2
Q

Apu manages network devices in his store and maintains copies of the configuration files for all the managed routers and switches. On a weekly basis, he creates hashes for these files and compares them with hashes he created on the same files the previous week. Which of the following use cases is most likely being used?

A. Supporting confidentiality
B. Supporting integrity
C. Supporting encryption
D. Supporting availability

A

B. Supporting integrity

Using a hash does not support confidentiality; the files can still be viewed. Encryption is not hashing, nor is hashing a method of encryption. Hashing does not promote availability either. Hashing supports integrity because it will identify whether or not a file has been modified.

Book:
B. He is most likely using a use case of supporting integrity. By verifying that the hashes are the same on the configuration files, he is verifying that the files have not changed. Confidentiality is enforced with encryption, access controls, and steganography. Encryption is a method of enforcing confidentiality and it doesn’t use hashes. Availability ensures systems are up and operational when needed.

3
Q

Louie hid several plaintext documents within an image file. He then sent the image file to Tony. Which of the following BEST describes the purpose of his actions?

A. to support steganography
B. to support integrity
C. to support availability
D. to support obfuscation

A

Book:
D. Hiding data within data is one way to support a use case of supporting obfuscation. In this scenario, Louie is using steganography to hide the files within the image, but that is the method, not the purpose. Hashing methods and digital signatures support integrity. Redundancy and fault-tolerance methods increase availability.

4
Q

Management has mandated the use of digital signatures by all personnel within your organization. Which of the following use cases does this primarily support?

A. Supporting confidentiality
B. Supporting availability
C. Supporting obfuscation
D. Supporting non-repudiation

A

D. Supporting non-repudiation

Non-repudiation is the assurance that one cannot deny something, and it is achieved by using digital signatures, just like using a handwritten signature.

Book:
D. Digital signatures will support a use case of supporting nonrepudiation. Digital signatures don’t encrypt data, so they do not support a use case of supporting confidentiality. Redundancy and fault-tolerance solutions will increase availability. Steganography is one way of supporting obfuscation.

5
Q

As the CTO, Marge is implementing a security program. She has included security controls to address confidentiality and availability. Of the following choices, what else should she include?

A. Ensure critical systems provide uninterruptible service.
B. Protect data-in-transit from unauthorized disclosure.
C. Ensure data systems are not susceptible to unauthorized changes.
D. Secure data to prevent unauthorized disclosure.

A

C. Ensure data systems are not susceptible to unauthorized changes

This answer supports integrity. She already has measures for confidentiality and availability.

Book:
C. The chief technology officer (CTO) should ensure systems are not susceptible to unauthorized changes, which is an element of integrity. A security program should address the three core security principles of confidentiality, integrity, and availability (CIA). The system in the example is already addressing confidentiality and availability. Ensuring critical systems provide uninterrupted service addresses availability. Protecting data and securing

6
Q

Your organization wants to reduce the amount of money it is losing due to thefts. Which of the following is the BEST example of an equipment theft deterrent?

A. Snapshots
B. Cable locks
C. Strong passwords
D. Persistent VDI

A

B. Cable locks

This is a physical means of security to prevent theft.

Book:
B. Cable locks are effective equipment theft deterrents for laptops and other systems. Snapshots refer to digital snapshots that capture the state of a virtual machine at a moment in time. Passwords prevent unauthorized access to systems, but don’t provide physical security. A virtual desktop infrastructure (VDI) allows users to access a desktop on a remote server. A persistent VDI saves

7
Q

Your organization is considering virtualization solutions. Management wants to ensure that any solution provides the best ROI. Which of the following situations indicates that virtualization would provide the best ROI?

A. Most physical servers within the organization are currently utilized at close to 100 percent.
B. The organization has many servers that do not require failover services.
C. Most desktop PCs require fast processors and a high amount of memory.
D. Most physical servers within the organization are currently underutilized.

A

D. Most physical servers within the organization are currently underutilized

Since they are underutilized, utilizing them more increases efficiency at lower cost, thus a better ROI.

Book:
D. If most physical servers within the organization are currently underutilized, virtualization will provide a high return on investment (ROI). If the servers are currently utilized close to 100 percent, new servers will need to be purchased to virtualize them. It is possible to implement failover services on virtualized servers so there is little cost difference between physical and virtualized servers. The amount of processing power or memory requirements isn’t relevant unless you know how much systems are currently utilizing.

8
Q

You are preparing to deploy a new application on a virtual server. The virtual server hosts another server application that employees routinely access. Which of the following is the BEST method to use when deploying the new application?

A. Take a snapshot of the VM before deploying the new application.
B. Take a snapshot of the VM after deploying the new application.
C. Ensure the server is configured for non-persistence.
D. Back up the server after installing the new application.

A

A. Take a snapshot of the VM before deploying the new application

This method serves as a backup in case the new application interferes with the operation of the server.

Book:
A. Taking a snapshot of the virtual machine (VM) before deploying it ensures that the VM can be reverted to the original configuration if the new application causes problems. Taking a snapshot after the installation doesn’t allow you to revert the image. Non-persistence is used in a virtual desktop infrastructure (VDI), where user changes to the desktop are not changed. It isn’t appropriate to use non-persistence on a virtual server. Backing up the server might be

9
Q

Ned is not able to access any network resources from his Linux-based computer. Which of the following commands would he use to view the network configuration of his system?

A. ifconfig
B. ipconfig
C. netstat
D. tracert

A

A. ifconfig

Book:
A. The ifconfig command displays network settings on a Linux computer. This includes the IP address, subnet mask, and default gateway assigned to the network interface card (NIC). The ipconfig command performs similar checks on Windows computers, but not on Linux systems. Netstat shows network statistics and active connections but not the network settings. The tracert command traces the route of data and can help determine which network devices are failing.

10
Q

Administrators frequently create VMs for testing. They sometimes leave these running without using them again after they complete their tests. Which of the following does this describe?

A. VM escape
B. VDI snapshot
C. VM sprawl
D. Type II hypervisor

A

C. VM sprawl

This is a phenomenon where the number of VMs has reached a point where admins can no longer manage them effectively, because many test VMs are kept running.

Book:
C. VM sprawl occurs when an organization has many VMs that aren’t managed properly. Unmonitored VMs typically won’t get updated and can be vulnerable to attacks. VM escape is an attack that allows an attacker to access the host system from within the virtual system. A virtual desktop infrastructure (VDI) provides users with virtual desktops hosted on a server. A VDI snapshot is commonly used to provide users with the same non-persistent desktop that doesn’t save changes. The VMs might be Type II hypervisors (running as software within a host operating system), but that isn’t relevant to leaving them running and unmonitored.

11
Q

Users within your organization access virtual desktops hosted on remote servers. This describes which of the following?

A. VDE
B. Snapshots for non-persistence
C. Type I hypervisors
D. VM sprawl

A

A. VDE

By process of elimination: not B, C or D.
What is VDE?

Book:
A. In a virtual desktop environment (VDE), users access virtual desktops hosted on remote servers. VDE desktops can use snapshots for non-persistence, but it is also possible to allow users to have persistent unique desktops in a VDE. Type I hypervisors (bare-metal hypervisors) run directly on the system without an operating system and are not used for a VDE. VM sprawl describes a problem of many unmanaged VMs, but the scenario doesn’t mention that the virtual desktops are not managed.

12
Q

Your organization has implemented a VDI for most users. When a user logs off, the desktop reverts to its original state without saving any changes made by the user. Which of the following BEST describes this behavior?

A. Container virtualization
B. VM escape
C. Non-persistence
D. Elasticity

A

C. Non-persistence

Nothing is saved; it reverts back to its original state after logoff.

Book:
C. Non-persistence in a virtual desktop infrastructure (VDI) indicates that the desktop is the same for most (or all) users and when the user logs off, the desktop reverts to a known state or rolls back to a known configuration. With container virtualization, application cells run isolated services or applications within the host, using the host’s kernel. Virtual machine (VM) escape is an attack where the attacker accesses the host system from within the VM. Elasticity refers to the ability to resize a VM in response to increased or decreased load.

13
Q

Which type of virtualization allows a computer’s operating system kernel to run multiple isolated instances of a guest virtual machine, with each guest sharing the same kernel?

A. Container virtualization
B. Type I hypervisor virtualization
C. Type II hypervisor virtualization
D. VDE

A

Book:
A. Container-based virtualization (also called application cell virtualization) uses the same operating system kernel of the host computer. It is often used to run isolated applications or services within a virtual environment. Type I hypervisor virtualization runs directly on the system hardware. Type II hypervisor virtualization runs VMs that all include their own operating system, including their own kernel. A virtual desktop

14
Q

You are considering rebooting a database server and want to identify if it has any active network connections. Which of the following commands will list active network connections?

A. arp
B. ipconfig
C. ping
D. netstat

A

D. netstat

Book:
D. The netstat command displays active connections on a system. Arp displays information related to media access control (MAC) addresses. Ipconfig displays TCP/IP configuration information for wired and wireless network

15
Q

You have configured a firewall in your network to block ICMP traffic. You want to verify that it is blocking this traffic. Which of the following commands would you use?

A. arp
B. ipconfig
C. netstat
D. ping

A

D. ping

Book:
D. The ping command sends Internet Control Message Protocol (ICMP) echo requests and checks for ICMP echo replies. Arp resolves IP addresses to media access control (MAC) addresses and does not use echo commands. Ipconfig checks the configuration of a NIC. Netstat shows active connections and network statistics.

16
Q

Developers in your organization have created an application designed for the sales team. Salespeople can log on to the application using a simple password of 1234. However, this password does not meet the organization’s password policy. Which of the following is the BEST response by the security administrator after learning about this?

A. Nothing. Strong passwords aren’t required in applications
B. Modify the security policy to accept this password.
C. Document this as an exception in the application’s documentation.
D. Direct the application team manager to ensure the application adheres to the organization’s password policy.

A

D. The application must adhere to the password policy

Book:
D. The application should be recoded to adhere to the company’s password policy, so the best response is to direct the application team manager to do so. Application passwords should be strong and should adhere to an organization’s security policy. It is not appropriate to weaken a security policy to match a weakness in an application. Nor is it appropriate to simply document that the application uses a weak password.

17
Q

Ned is reviewing password security for employees of The Leftorium. The password policy has the following settings:

  • the password maximum age is 30 days
  • the password minimum length is 14 characters
  • passwords cannot be reused until five other passwords have been used
  • passwords must include at least one of each of the following four character types: uppercase letters, lowercase letters, numbers, and special characters.

Ned discovers that despite having this password policy in place, users are still using the same password that they were using more than a month ago. Which of the following actions will resolve this issue?

A. Create a rule in the password policy for the password minimum age to be 7 days.
B. Change the password history to 10
C. Require the use of complex passwords.
D. Change the maximum age setting to 60 days.

A

A. A minimum age for passwords must be set; otherwise users can change the password five times over and will be able to reuse their old password on the 6th change.

Book:
A. The best solution is to create a rule in the password policy for the password minimum age. Currently, users can change their passwords five more times in just a couple of minutes, changing it back to their original password on the sixth change. None of the other settings prevents the users from doing this. A password history of 10 forces the users to take a couple more minutes to get back to the original password. The password policy currently requires complex passwords. Maximum age of 60 days increases how long a user can keep the same password.

18
Q

Your organization is planning to implement remote access capabilities. Management wants strong authentication and wants to ensure that passwords expire after a predefined time interval. Which of the following choices BEST meets this requirement?

A. HOTP
B. TOTP
C. CAC
D. Kerberos

A

B. Time-based one-time password

Because it's temporary.

Book:
B. A Time-based One-Time Password (TOTP) meets this requirement. Passwords created with TOTP expire after 30 seconds. An HMAC-based One-Time Password (HOTP) creates passwords that do not expire. A Common Access Card (CAC) is a type of smart card, but it does not create passwords. Kerberos uses tickets instead of passwords.

19
Q

Your organization has decided to implement a biometric solution for authentication. One of the goals is to ensure that the biometric system is highly accurate. Which of the following provides the BEST indication of accuracy with the biometric system?

A. The lowest possible FRR
B. The highest possible FAR
C. The lowest possible CER
D. The highest possible CER

A

C. lowest CER?

FRR - false rejection rate
FAR - false acceptance rate
CER - crossover error rate
Ideal to be below the CER - can tune to a smaller FRR and FAR

Book:
C. A lower crossover error rate (CER) indicates a more accurate biometric system. The false acceptance rate (FAR) and the false rejection rate (FRR) vary based on the sensitivity of the biometric system and don’t indicate accuracy by themselves. A higher CER indicates a less accurate biometric system.

20
Q

Your organization recently updated an online application that employees use to log on when working from home. Employees enter their username and password into the application from their smartphone and the application logs their location using GPS. Which type of authentication is being used?

A. One-factor
B. Dual-factor
C. Something you are
D. Somewhere you are

A

A. One-factor

Something you know - username and password
Logs location using GPS - so?

Book:
A. This is using one-factor authentication—something you know. The application uses the username for identification and the password for authentication. Note that even though the application is logging the location using Global Positioning System (GPS), there isn’t any indication that it is using this information for authentication. Dual-factor authentication requires another factor of authentication. If the application verified you were logging on from a specific GPS location as part of the authentication, it would be dual-factor authentication (something you know and somewhere you are). Something-you-are refers to biometric authentication methods. The somewhere-you-are authentication method verifies you are somewhere, such as in a specific GPS location, but this isn’t being used for authentication in this scenario.

21
Q

A network includes a ticket-granting ticket server used for authentication. Which authentication service does this network use?

A. Shibboleth
B. SAML
C. LDAP
D. Kerberos

A

D. Kerberos

Ticket-granting ticket server

D. Kerberos uses a ticket-granting ticket (TGT) server, which creates tickets for authentication. Shibboleth is a federated identity solution used in some single sign-on (SSO) solutions. Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) used for some SSO solutions. Lightweight Directory Access Protocol (LDAP) is an X.500-based authentication service used to identify objects.

22
Q

Lisa is a training instructor and she maintains a training lab with 18 computers. She has enough rights and permissions on these machines so that she can configure them as needed for classes. However, she does not have the rights to add them to the organization’s domain. Which of the following BEST describes this example?

A. Least privilege
B. Need to know
C. Group-based privileges
D. Location-based privileges

A

A. Least privilege

She has only enough rights to perform her function.

Book:
A. When following the principle of least privilege, individuals have only enough rights and permissions to perform their job, and this is exactly what is described in this scenario. Need to know typically refers to data and information rather than the privileges required to perform an action, such as adding computers to a domain. Group-based privileges refer to giving permissions to groups and then adding the users to the groups to give them appropriate privileges. A location-based policy allows or blocks access based on location, but the scenario doesn’t indicate the location is being checked.

23
Q

Marge is reviewing an organization’s account management processes. She wants to ensure that security log entries accurately report the identity of personnel taking specific actions. Which of the following steps would BEST meet this requirement?

A. Update ACLs for all files and folders
B. Implement role-based privileges
C. Use an SSO solution.
D. Remove all shared accounts

A

D. Remove all shared accounts

So she can identify who accesses what.

Book:
D. Removing all shared accounts is the best answer to the available choices. If two employees are using the same account, and one employee maliciously deletes data in a database, it isn’t possible to identify which employee deleted the data. File and folder access control lists (ACLs) identify permissions for users, but don’t control the user identity. Role-based (or group-based) privileges assign the same permissions to all members of a group, which simplifies administration. A single sign-on (SSO) solution allows a user to log on once and access multiple resources.

24
Q

A recent security audit discovered several apparently dormant user accounts. Although users could log on to the accounts, no one had logged on to them for more than 60 days. You later discovered that these accounts are for contractors who work approximately one week every quarter. Which of the following is the BEST response to this situation?

A. Remove the account expiration from the accounts.
B. Delete the accounts.
C. Reset the accounts.
D. Disable the accounts.

A

D. Disable the accounts

Book:
D. The best response is to disable the accounts and then enable them when needed by the contractors. Ideally, the accounts would include an expiration date so that they would automatically expire when no longer needed, but the scenario doesn’t indicate the accounts have an expiration date. Because the contractors need to access the accounts periodically, it’s better to disable them rather than delete them. Reset the accounts implies you are changing the password, but this isn’t needed.

25
Q

Members of a project team chose to meet at a local library to complete some work on a key project. All of them are authorized to work from home using a VPN connection and have connected from home successfully. However, they found that they were unable to connect to the network using the VPN from the library and they could not access any of the project data. Which of the following choices is the MOST likely reason why they can’t access this data?

A. Role-based access control
B. Time-of-day access control
C. Location-based policy
D. Discretionary access control

A

C. Location-based policy

Book:
C. A location-based policy restricts access based on location, such as with an IP address, and this is the best possible answer to those given. The scenario indicates they could use the virtual private network (VPN) connection from home, but it was blocked when they tried to access it from the library. Time-of-day access control restricts access based on the time of day, but the scenario doesn’t indicate the time. Neither a discretionary access control model nor a role-based access control model restricts access based on location.

26
Q

You need to create an account for a contractor who will be working at your company for 60 days. Which of the following is the BEST security step to take when creating this account?

A. Configure history on the account.
B. Configure a password expiration date on the account.
C. Configure an expiration date on the account.
D. Configure complexity.

A

C. Expiration date for the account

Book:
C. When creating temporary accounts, it’s best to configure expiration dates so that the system will automatically disable the accounts on the specified date. History, password expiration, and complexity all refer to password policy settings. However, it’s rare to configure a specific password policy on a single account.

27
Q

A company recently hired you as a security administrator. You notice that some former accounts used by temporary employees are currently enabled. Which of the following choices is the BEST response?

A. Disable all the temporary accounts.
B. Disable the temporary accounts you’ve noticed are enabled.
C. Craft a script to identify inactive accounts based on the last time they logged on.
D. Set account expiration dates for all accounts when creating them.

A

C. Craft a script to identify inactive accounts

Identify the former accounts to disable.

Book:
C. Running a last logon script allows you to identify inactive accounts, such as accounts that haven’t been logged on to in the last 30 days. It’s appropriate to disable unused accounts, but it isn’t necessarily appropriate to disable all temporary accounts, because some might still be in use. If you disable the accounts you notice, you might disable accounts that some employees are still using, and you might miss some accounts that should be disabled. Setting expiration dates for newly created accounts is a good step, but it doesn’t address previously created accounts.

28
Q

Developers are planning to develop an application using role-based access control. Which of the following would they MOST likely include in their planning?

A. A listing of labels reflecting classification levels
B. A requirements list identifying need to know
C. A listing of owners
D. A matrix of functions matched with their required privileges

A

D. Matrix with required privileges

Book:
D. A matrix of functions, roles, or job titles matched with the required access privileges for each of the functions, roles, or job titles is a common planning document for the role-based access control (role-BAC) model. The mandatory access control (MAC) model uses sensitivity labels and classification levels. MAC is effective at restricting access based on a need to know. The discretionary access control (DAC) model specifies that every object has an owner and it might identify owners in a list.

29
Q

Security administrators need to implement an access control system that will protect data based on the following matrix.

Document Type | Security Level | Security Label
Employment documents | Private | Employee
Salary & Compensation documents | Private | Payroll

(Note that this matrix only represents a subset of the overall requirements.) Which of the following models is the administrator implementing?

A. DAC
B. MAC
C. Role-BAC
D. ABAC

A

B. MAC

“levels”

Book:
B. This is a mandatory access control (MAC) model. You can tell because it is using security labels. None of the other models listed use labels. A discretionary access control (DAC) model has an owner, and the owner establishes access for the objects. A role-based access control (role-BAC) model uses roles or groups to assign rights and permissions. An attribute-based access control (ABAC) model uses attributes assigned to subjects and objects within a policy to grant access.

30
Q

Your organization is implementing an SDN. Management wants to use an access control model that controls access based on attributes. Which of the following is the BEST solution?

A. DAC
B. MAC
C. Role-BAC
D. ABAC

A

D. ABAC

Attribute-based

D. A software-defined network (SDN) typically uses an attribute-based access control (ABAC) model, which is based on attributes that identify subjects and objects within a policy. A discretionary access control (DAC) model has an owner, and the owner establishes access for the objects. A mandatory access control (MAC) model uses labels assigned to subjects and objects. A role-based access control (role-BAC) model uses roles or groups to assign rights and permissions.

31
Q

Your organization’s security policy requires that PII data-in-transit must be encrypted. Which of the following protocols would BEST meet this requirement?

A. FTP
B. SSH
C. SMTP
D. HTTP

A

B. SSH

Not file transfer, not mail.

Book:
B. You can use Secure Shell (SSH) to encrypt Personally Identifiable Information (PII) data when transmitting it over the network (data-in-transit). Secure File Transfer Protocol (SFTP) uses SSH to encrypt File Transfer Protocol (FTP) traffic. FTP, Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP) transmit data in cleartext unless they are combined with an encryption protocol.

32
Q

Marge needs to collect network device configuration information and network statistics from devices on the network. She wants to protect the confidentiality of credentials used to connect to these devices. Which of the following protocols would BEST meet this need?

A. SSH
B. FTPS
C. SNMPv3
D. TLS

A

Book:
C. Simple Network Management Protocol version 3 (SNMPv3) is a secure protocol that can monitor and collect information from network devices. It includes strong authentication mechanisms to protect the confidentiality of credentials. None of the other protocols listed are used to monitor network devices. Secure Shell (SSH) provides a secure method of connecting to devices but does not monitor them. File Transfer Protocol Secure (FTPS) is useful for encrypting large files in transit, using Transport Layer Security (TLS). TLS is commonly used to secure transmissions but doesn’t include methods to monitor devices.

33
Q

Lisa is enabling NTP on some servers within the DMZ. Which of the following use cases is she MOST likely supporting with this action?

A. Support voice and video transmissions
B. Provide time synchronization
C. Enable email usage
D. Encrypt data-in-transit

A

B. Time synchronization

NTP - Network Time Protocol

Book:
B. The Network Time Protocol (NTP) provides time synchronization services, so enabling NTP on servers would meet this use case. The Real-time Transport Protocol (RTP) delivers audio and video over IP networks and Secure RTP (SRTP) provides encryption, message authentication, and integrity for RTP. Protocols such as Simple Mail Transfer Protocol (SMTP), Post Office Protocol v3 (POP3), and Internet Message Access Protocol version 4 (IMAP4) are used for email. Encrypting data isn’t relevant to time synchronization services provided by NTP.

34
Q

Your organization wants to increase security for VoIP and video teleconferencing applications used within the network. Which of the following protocols will BEST support this goal?

A. SMTP
B. TLS
C. SFTP
D. SRTP

A

Book:
D. The Secure Real-time Transport Protocol (SRTP) provides encryption, message authentication, and integrity for Voice over Internet Protocol (VoIP), video teleconferencing, and other streaming media applications. None of the other answers are directly related to VoIP or video teleconferencing. Simple Mail Transfer Protocol (SMTP) transfers email. The Transport Layer Security (TLS) protocol is used to encrypt data-in-transit but isn’t the best choice for streaming media. Secure File Transfer Protocol (SFTP) is a secure implementation of FTP to transfer files.

35
Q

Your organization wants to ensure that switches are not susceptible to switching loop problems. Which of the following protocols is the BEST choice to meet this need?

A. Flood guard
B. SNMPv3
C. SRTP
D. RSTP

A

D. RSTP

Rapid Spanning Tree Protocol ensures a loop-free topology for Ethernet networks
Flood guard - tools to prevent DoS attacks
SNMPv3 - security model
SRTP - Secure Real-time Transport protocol

Book:
D. Rapid STP (RSTP) prevents switching loop problems and should be enabled on the switches to meet this need. A flood guard on a switch helps prevent a media access control (MAC) flood attack. Simple Network Management Protocol version 3 (SNMPv3) is used to manage and monitor network devices. The Secure Real-time Transport Protocol (SRTP) provides encryption, message authentication, and integrity for video and voice data.

36
Q

A network technician incorrectly wired the switch connections in your organization’s network. It effectively disabled the switch as though it was a victim of a denial-of-service attack. Which of the following should be done to prevent this situation in the future?

A. Install an IDS
B. Only use Layer 2 switches
C. Install SNMPv3 on the switches
D. Implement STP or RSTP

A

Book:
D. Spanning Tree Protocol (STP) and Rapid STP (RSTP) both prevent switching loop problems. It’s rare for a wiring error to take down a switch. However, if two ports on a switch are connected to each other, it creates a switching loop and effectively disables the switch. An intrusion detection system (IDS) will not prevent a switching loop. Layer 2 switches are susceptible to this problem. Administrators use Simple Network Management Protocol version 3 (SNMPv3) to manage and monitor devices, but it doesn’t prevent switching loops.

37
Q

Developers recently configured a new service on Server A. Server A is in the DMZ and is accessed by internal users and via the Internet. Network administrators modified firewall rules to access the service. Testing shows the service works when accessed from the Internet. Which of the following is MOST likely configured incorrectly?

A. The new service
B. An ACL
C. Server A
D. The VLAN

A

Book:
B. The most likely problem of the available choices is that an access control list (ACL) is configured incorrectly. The server is in a demilitarized zone (DMZ) and the most likely problem is an incorrectly configured ACL on the border firewall. The service is operating when accessed from internal clients, so it isn’t likely that it is the problem. Also, the server works for internal systems indicating it is working correctly. There isn’t any indication a virtual local area network (VLAN) is in use.

38
Q

You manage a Linux computer used for security within your network. You plan to use it to inspect and handle network-based traffic using iptables. Which of the following network devices can this replace?

A. Wireless Access Point
B. Firewall
C. Layer 2 switch
D. Bridge

A

Book:
B. Iptables include settings used by the Linux kernel firewall and can be used to replace a firewall. While it’s possible to implement iptables on a wireless access point (assuming it is Linux-based), iptables still function as a firewall, not a wireless access point. A Layer 2 switch routes traffic based on the destination media access control (MAC) address, but iptables focus on IP addresses. A network bridge connects multiple networks together.

39
Q

You need to implement antispoofing on a border router. Which one of the following choices will BEST meet this goal?

A. Create rules to block all outgoing traffic from a private IP address.
B. Implement a flood guard on switches.
C. Add a web application firewall.
D. Create rules to block all incoming traffic from a private IP address.

A

Book:
D. You would create rules to block all incoming traffic from private IP addresses. The border router is between the internal network and the Internet and any traffic coming from the Internet with a private IP address is a spoofed source IP address. All outgoing traffic will typically use a private IP address, so you shouldn’t block this outgoing traffic. A flood guard on a switch protects against media access control (MAC) flood attacks and is unrelated to this question. A web application firewall protects a web application and is unrelated to antispoofing.

40
Q

An organization has recently had several attacks against servers within a DMZ. Security administrators discovered that many of these attacks are using TCP, but they did not start with a three-way handshake. Which of the following devices provides the BEST solution?

A. Stateless firewall
B. Stateful firewall
C. Network firewall
D. Application-based firewall

A

Book:
B. A stateful firewall filters traffic based on the state of the packet within a session. It would filter a packet that isn’t part of a TCP three-way handshake. A stateless firewall filters traffic based on the IP address, port, or protocol ID. While it’s appropriate to place a network firewall in a demilitarized zone (DMZ), a network firewall could be either a stateless firewall or a stateful firewall. An application-based firewall is typically only protecting a host, not a network.

41
Q

Which type of device would have the following entries used to define its operation?
permit IP any any eq 80
permit IP any any eq 443
deny IP any any

A. Firewall
B. Layer 2 switch
C. Proxy server
D. Web server

A

Book:
A. These are rules in an access control list (ACL) for a firewall. The first two rules indicate that traffic from any IP address, to any IP address, using ports 80 or 443 is permitted or allowed. The final rule is also known as an implicit deny rule and is placed last in the ACL. It ensures that all traffic that hasn’t been previously allowed is denied. Layer 2 switches do not use ACLs. A proxy server would not use an ACL, although it would use ports 80 and 443 for Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS), respectively. A web server wouldn’t use an ACL, although it would also use ports 80 and 443.

42
Q

Your organization hosts a web server and wants to increase its security. You need to separate all web-facing traffic from internal network traffic. Which of the following provides the BEST solution?

A. DMZ
B. VLAN
C. Firewall
D. WAF

A

Book:
A. A demilitarized zone (DMZ) is a buffered zone between a private network and the Internet, and it will separate the web server’s web-facing traffic from the internal network. You can use a virtual local area network (VLAN) to group computers together based on job function or some other administrative need, but it is created on switches in the internal network. A firewall does provide protection for the web server but doesn’t necessarily separate the web-facing traffic from the internal network. A web application firewall (WAF) protects a web server from incoming attacks, but it does not necessarily separate Internet and internal network traffic.

43
Q

Management at your organization wants to prevent employees from accessing social media sites using company-owned computers. Which of the following devices would you implement?

A. Transparent proxy
B. Reverse proxy
C. Nontransparent proxy
D. Caching proxy

A

Book:
C. A nontransparent proxy includes the ability to filter traffic based on the URL and is the best choice. A transparent proxy doesn’t modify or filter requests. A reverse proxy is used for incoming traffic to an internal firewall, not traffic going out of the network. Proxy servers are caching proxy servers, but won’t block outgoing traffic.

44
Q

You need to configure a UTM security appliance to restrict traffic going to social media sites. Which of the following are you MOST likely to configure?

A. Content inspection
B. Malware inspection
C. URL filter
D. DDoS mitigator

A

Book:
C. You would most likely configure the Uniform Resource Locator (URL) filter on the unified threat management (UTM) security appliance. This would block access to the peer-to-peer sites based on their URL. Content inspection and malware inspection focus on inspecting the data as it passes through the UTM, but they do not block access to sites. A distributed denial-of-service (DDoS) mitigator will attempt to block incoming DDoS attack traffic.

45
Q

Your organization recently purchased a sophisticated security appliance that includes a DDoS mitigator. Where should you place this device?

A. Within the DMZ
B. At the border of the network, between the intranet and the DMZ
C. At the border of the network, between the private network and the Internet
D. In the internal network

A

Book:
C. A distributed denial-of-service (DDoS) mitigator attempts to block DDoS attacks and should be placed at the border of the network, between the private network and the Internet. If the network includes a demilitarized zone (DMZ), the appliance should be placed at the border of the DMZ and the Internet. Placing it in the DMZ or the internal network doesn’t ensure it will block incoming traffic.

46
Q

You are preparing to deploy a heuristic-based detection system to monitor network activity. Which of the following would you create first?

A. Flood guards
B. Signatures
C. Baseline
D. Honeypot

A

Book:
C. A heuristic-based (also called anomaly-based or behavior-based) detection system compares current activity with a previously created baseline to detect any anomalies or changes. Flood guards help protect against flood attacks (such as a SYN flood attack). Signature-based systems (also called definition-based) use signatures of known attack patterns to detect attacks. A honeypot is a server designed to look valuable to an attacker and can divert attacks.

47
Q

Attackers have recently launched several attacks against servers in your organization’s DMZ. You are tasked with identifying a solution that will have the best chance of preventing these attacks in the future. Which of the following is the BEST choice?

A. An out-of-band IPS
B. An in-band IPS
C. A passive IDS
D. An out-of-band IDS

A

B. An in-band IPS

Book:
B. The best solution from the given choices is an in-band intrusion prevention system (IPS). Traffic goes through the IPS and the IPS has the best chance of preventing attacks from reaching internal systems. An IPS is in-band, not out-of-band. An intrusion detection system (IDS) is passive and not in-band, so it can only detect and react to the attacks, not block them.

48
Q

Lisa oversees and monitors processes at a water treatment plant using SCADA systems. Administrators recently discovered malware on her system that was connecting to the SCADA systems. Although they removed the malware, management is still concerned. Lisa needs to continue using her system and it’s not possible to update the SCADA systems. Which of the following can mitigate this risk?

A. Install HIPS on the SCADA systems.
B. Install a firewall on the border of the SCADA network.
C. Install a NIPS on the border of the SCADA network.
D. Install a honeypot on the SCADA network.

A

Book:
C. A network intrusion prevention system (NIPS) installed on the supervisory control and data acquisition (SCADA) network can intercept malicious traffic coming into the network and is the best choice of those given. The scenario states you cannot update the SCADA systems, so you cannot install a host-based IPS (HIPS) on any of them. A firewall provides a level of protection. However, it wouldn’t be able to differentiate between valid traffic sent by Lisa and malicious traffic sent by malware from Lisa’s system. A honeypot might be useful to observe malicious traffic but wouldn’t prevent it.

49
Q

Which of the following BEST describes a false negative?

A. An IDS falsely indicates a buffer overflow attack occurred.
B. Antivirus software reports that a valid application is malware.
C. A heuristic-based IDS detects a previously unknown attack.
D. An IDS does not detect a buffer overflow attack.

A

Book:
D. If an intrusion detection system (IDS) does not detect and report a buffer overflow attack, it is a false negative. It is a false positive if the IDS falsely (incorrectly) indicates an attack occurred. If antivirus software indicates a valid application is malware, it is also a false positive. If a heuristic-based IDS accurately detects a previously unknown attack, it is working correctly.

50
Q

Your wireless network includes one centralized AP that you configure. This AP forwards the configuration to other APs in your wireless network. Which of the following BEST describes these APs?

A. The centralized AP is a stand-alone AP and it configures fat APs in your network.
B. The centralized AP is a thin AP and it configures fat APs in your network.
C. The centralized AP is a controller-based AP and it configures stand-alone APs in your network.
D. The centralized AP is a fat AP and it configures thin APs in your network.

A

Book:
D. The centralized access point (AP) is a fat AP and it configures thin APs in the network. The fat AP could also be called a stand-alone, intelligent, or autonomous AP and it is used to configure thin APs, not fat APs. Thin APs do not configure other APs. Stand-alone APs are not configured by other APs.

51
Q

You need to provide connectivity between two buildings without running any cables. You decide to use two 802.11ac APs to provide wireless connectivity between the buildings. Which of the following is the BEST choice to support this need?

A. Use omnidirectional antennas on both APs.
B. Use wide channels.
C. Use the 2.4 GHz frequency band.
D. Use directional antennas on both APs.

A

Book:
D. Using directional antennas on both access points (APs) is the best choice to meet this need because they have high gain with a very narrow radiation pattern. Omnidirectional antennas transmit the signal in all directions at the same time and are not a good choice when connecting networks between two buildings. Wider channels reduce the range of wireless transmissions and aren’t a good choice here. Because 802.11ac uses only the 5 GHz frequency band, you can’t use 2.4 GHz.

52
Q

You want to implement the STRONGEST level of security on a wireless network. Which of the following supports this goal?

A. Implementing WPA with TKIP
B. Disabling SSID broadcast
C. Enabling MAC filtering
D. Implementing WPA2 with CCMP

A

Book:
D. Wi-Fi Protected Access II (WPA2) with Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) provides the strongest level of security of the given choices. Temporal Key Integrity Protocol (TKIP) is an older encryption protocol used with WPA and it isn’t as strong as CCMP. Disabling service set identifier (SSID) broadcast hides the network from casual users, but attackers can still discover it because the SSID is still included in some packets in plaintext. Attackers can bypass media access control (MAC) address filtering by spoofing authorized MAC addresses.

53
Q

Your organization is planning to implement a wireless network using WPA2 Enterprise. Of the following choices, what is required?

A. An authentication server with a digital certificate installed on the authentication server
B. An authentication server with DHCP installed on the authentication server
C. An authentication server with DNS installed on the authentication server
D. An authentication server with WEP running on the access point

A

A

Book:
A. WPA2 Enterprise requires an 802.1x authentication server and most implementations require a digital certificate installed on the server. The network will likely have Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) services, but it isn’t necessary to install them on the authentication server. Wired Equivalent Privacy (WEP) provides poor security and is not compatible with WPA2 Enterprise.

54
Q

A security administrator is testing the security of an AP. The AP is using WPA2. She ran an automated program for several hours and discovered the AP’s passphrase. Which of the following methods was she MOST likely using?

A. IV attack
B. Disassociation attack
C. WPS attack
D. Evil twin attack

A

C

Book:
C. This is most likely a Wi-Fi Protected Setup (WPS) attack. Reaver is an automated program that will discover the WPS PIN and after it discovers the PIN, it can discover the passphrase or secret key used by the access point (AP). While an initialization vector (IV) attack can discover the passphrase in legacy wireless security protocols, Wi-Fi Protected Access II (WPA2) isn’t susceptible to an IV attack. A disassociation attack effectively removes a wireless client from a wireless network, but it doesn’t discover the passphrase. An evil twin attack uses a separate AP with the same name as an existing AP with the goal of tricking users into connecting to it.

55
Q

Your wireless network name is myoffice. You disabled the SSID broadcast several days ago. Today, you notice that a wireless network named myoffice is available to wireless users. You verified that SSID broadcast is still disabled. Which of the following is the MOST likely reason for this behavior?

A. Evil twin attack
B. Disassociation attack
C. WPS attack
D. Jamming attack

A

A

Book:
A. The scenario indicates an evil twin attack is in progress. An attacker can easily discover the service set identifier (SSID) even with SSID broadcast disabled and can then create another access point with the same SSID. A disassociation attack disconnects wireless clients from the wireless network. A Wi-Fi Protected Setup (WPS) attack discovers the eight-digit PIN and then uses it to discover the passphrase. A jamming attack floods the frequency channel with noise to prevent connections.

56
Q

Mobile users in your network report that they frequently lose connectivity with the wireless network on some days, but on other days they don’t have any problems. You suspect this is due to an attack. Which of the following attacks is MOST likely causing this problem?

A. Wireless jamming
B. IV
C. Replay
D. Bluesnarfing

A

A

Book:
A. A wireless jamming attack is a type of denial-of-service (DoS) attack that can cause wireless devices to lose their association with access points and disconnect them from the network. None of the other attacks are DoS attacks. An initialization vector (IV) attack attempts to discover the passphrase. A replay attack captures traffic with the goal of replaying it later to impersonate one of the parties in the original transmission. Bluesnarfing is a Bluetooth attack that attempts to access information on Bluetooth devices.

57
Q

Management within your organization wants some users to be able to access internal network resources from remote locations. Which of the following is the BEST choice to meet this need?

A. NAC
B. VPN
C. IDS
D. IPS

A

B

Book:
B. A virtual private network (VPN) provides access to a private network over a public network such as the Internet via remote locations and is the best choice. Network access control (NAC) methods can check VPN clients for health before allowing them access to the network, but it doesn’t directly provide access. Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) protect networks, but do not control remote access.

58
Q

Your organization is planning to implement a VPN. They want to ensure that after a VPN client connects to the VPN server, all traffic from the VPN client is encrypted. Which of the following would BEST meet this goal?

A. Split tunnel
B. Full tunnel
C. IPsec using Tunnel mode
D. IPsec using Transport mode

A

Book:
B. A full tunnel encrypts all traffic after a user has connected to a VPN using a tunnel. A split tunnel only encrypts traffic destined for the VPN’s private network. Traffic from the client directly to another Internet site is not encrypted. Internet Protocol security (IPsec) Tunnel mode encrypts the entire IP packet used in the internal network. It encrypts all traffic used within the VPN’s private network, but not all traffic from the VPN client. IPsec Transport mode only encrypts the payload and is used within private networks, not for VPN traffic.

59
Q

You are tasked with configuring authentication services settings on computers in your network. You are entering shared secrets on different servers. Which of the following services are you MOST likely configuring? (Select TWO.)

A. RADIUS
B. Kerberos
C. LDAP
D. EAP-TLS

A

Book:
A, C. Remote Authentication Dial-in User Service (RADIUS) servers use shared secrets. You can configure them to interact with Lightweight Directory Access Protocol (LDAP)–based systems by entering the same shared secret on both a RADIUS server and an LDAP server. A shared secret is basically just an identical password on both systems. Kerberos uses tickets for authentication, not shared secrets. Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) is an authentication protocol that requires the use of certificates on both clients and servers, not shared secrets.

60
Q

Your organization recently implemented a BYOD policy. However, management wants to ensure that mobile devices meet minimum standards for security before they can access any network resources. Which of the following agents would the NAC MOST likely have?

A. Permanent
B. Health
C. RADIUS
D. Dissolvable

A

D

Book:
D. A dissolvable agent is often used on employee-owned devices and would be appropriate if an organization implemented a bring your own device (BYOD) policy. A permanent network access control (NAC) agent is installed on the device permanently, but this might cause problems for employee-owned devices. Any NAC agent is a health agent. Remote Authentication Dial-In User Service (RADIUS) is used for authentication, not to inspect clients.

61
Q

Attackers recently attacked a web server hosted by your organization. Management has tasked administrators with configuring the servers following the principle of least functionality. Which of the following will meet this goal?

A. Disabling unnecessary services
B. Installing and updating antivirus software
C. Identifying the baseline
D. Installing a NIDS

A

A

Book:
A. Disabling unnecessary services is one of the elements of the principle of least functionality. Other elements include deploying the server with only the applications and protocols they need to meet their purpose. Installing up-to-date antivirus software is a valid preventive control, but it isn’t related to the least functionality. Identifying the baseline should be done after disabling unnecessary services. A network-based intrusion detection system (NIDS) helps protect the server, but it doesn’t implement least functionality.

62
Q

Network administrators have identified what appears to be malicious traffic coming from an internal computer, but only when no one is logged on to the computer. You suspect the system is infected with malware. It periodically runs an application that attempts to connect to web sites over port 80 with Telnet. After comparing the computer with a list of applications from the master image, you verify this application is very likely the problem. What allowed you to make this determination?

A. Least functionality
B. Sandbox
C. Blacklist
D. Integrity measurements

A

Book:
D. The master image is the baseline and the administrators performed integrity measurements to identify baseline deviations. By comparing the list of applications in the baseline with the applications running on the suspect computer, you can identify unauthorized applications. None of the other answers include the troubleshooting steps necessary to discover the problem. The master image would include only the applications, services, and protocols needed to meet the principle of least functionality. A sandbox is an isolated area of a system, typically used to test applications. A blacklist is a list of prohibited applications.

63
Q

Security experts want to reduce risks associated with updating critical operating systems. Which of the following will BEST meet this goal?

A. Implement patches when they are released.
B. Implement a change management policy.
C. Use only trusted operating systems.
D. Implement operating systems with secure configurations.

A

B

Book:
B. A change management policy helps reduce risk associated with making any changes to systems, including updating them. Patches should be tested and evaluated before implementing them and implementing them when they are released sometimes causes unintended consequences. The use of a trusted operating system or operating systems with secure configurations doesn’t address how they are updated.

64
Q

Your organization wants to ensure that employees do not install any unauthorized software on their computers. Which of the following is the BEST choice to prevent this?

A. Master image
B. Application whitelisting
C. Anti-malware software
D. Antivirus software

A

B

Book:
B. Application whitelisting identifies authorized applications and prevents users from installing unauthorized software. Alternately, you can use a blacklist to identify specific applications that cannot be installed or run on a system. A master image provides a secure baseline, but it doesn’t prevent users from installing additional applications. Antimalware software and antivirus software can detect and block malware, but they don’t prevent users from installing unauthorized software.

65
Q

A software vendor recently developed a patch for one of its applications. Before releasing the patch to customers, the vendor needs to test it in different environments. Which of the following solutions provides the BEST method to test the patch in different environments?

A. Baseline image
B. BYOD
C. Sandbox
D. Change management

A

C

Book:
C. A sandbox provides a simple method of testing patches and would be used with snapshots so that the virtual machine (VM) can easily be reverted to the original state. A baseline image is a starting point of a single environment. Bring your own device (BYOD) refers to allowing employee-owned mobile devices in a network and is not related to this question. Change management practices ensure changes are not applied until they are approved and documented.

66
Q

Managers within your organization want to implement a secure boot process for some key computers. During the boot process, each computer should send data to a remote system to check the computer’s configuration. Which of the following will meet this goal?

A. Trusted Platform Module
B. Hardware root of trust
C. Remote attestation
D. Trusted operating system

A

C

Book:
C. A remote attestation process checks a computer during the boot cycle and sends a report to a remote system. The remote system attests, or confirms, that the computer is secure. None of the other answers sends data to a remote system. A Trusted Platform Module (TPM) is a hardware chip on a motherboard and provides a local secure boot process. A TPM includes an encryption key burned into the CPU, which provides a hardware root of trust. A trusted operating system meets a set of predetermined requirements typically enforced with the mandatory access control (MAC) model.

67
Q

The Springfield Nuclear Power Plant has created an online application teaching nuclear physics. Only students and teachers in the Springfield Elementary school can access this application via the cloud. What type of cloud service model is this?

A. IaaS
B. PaaS
C. SaaS
D. Public

A

Book:
C. This is a Software as a Service (SaaS) model. The software is the online application and the cloud provider (the Springfield Nuclear Power Plant in this example) maintains it. Infrastructure as a Service (IaaS) provides customers with the hardware via the cloud. Customers are responsible for installing the operating system and any applications. Platform as a Service (PaaS) is a computing platform. For example, a cloud provider can provide a server with a preconfigured operating system. Anyone can access a public cloud. However, the question states that only students and teachers can access it.

68
Q

An organization has a critical SCADA network it is using to manage a water treatment plant for a large city. The availability of this system is important. Which of the following security controls would be MOST relevant to protect this system?

A. DLP
B. TPM
C. EMP
D. NIPS

A

D

Book:
D. A network intrusion prevention system (NIPS) is the most relevant security control of those listed to ensure the availability of the supervisory control and data acquisition (SCADA) system. A data loss prevention (DLP) system helps prevent loss of data, but wouldn’t protect a SCADA system from potential attacks. A Trusted Platform Module (TPM) is a hardware chip on a computer’s motherboard that stores cryptographic keys used for encryption. An electromagnetic pulse (EMP) is a short burst of electromagnetic energy and unrelated to a SCADA system.

69
Q

Bizzfad is planning to implement a CYOD deployment model. You’re asked to provide input for the new policy. Which of the following concepts are appropriate for this policy?

A. SCADA access
B. Storage segmentation
C. Database security
D. Embedded RTOS

A

Book:
B. Storage segmentation creates separate storage areas in mobile devices and can be used with a choose your own device (CYOD) mobile device deployment model. None of the other answers are directly related to mobile devices. A supervisory control and data acquisition (SCADA) system controls an industrial control system (ICS), such as those used in nuclear power plants or water treatment facilities, and it should be isolated. Database security includes the use of permissions and encryption to protect data in a database. Some embedded systems use a real-time operating system (RTOS) when the system must react within a specific time.

70
Q

A new mobile device security policy has authorized the use of employee-owned devices but mandates additional security controls to protect them if they are lost or stolen. Which of the following meets this goal?

A. Screen locks and GPS tagging
B. Patch management and change management
C. Screen locks and device encryption
D. Full device encryption and IaaS

A

C

Book:
C. Screen locks provide protection for lost devices by making it more difficult for someone to access the device. Device encryption protects the confidentiality of the data. Global Positioning System (GPS) tagging includes location information on pictures and other files but won’t help protect a lost or stolen device. Patch management keeps devices up to date and change management helps prevent outages from unauthorized changes. Infrastructure as a Service (IaaS) is a cloud computing option.

71
Q

Management within your company wants to restrict access to the Bizz app from mobile devices. If users are within the company’s property, they should be granted access. If they are not within the company’s property, their access should be blocked. Which of the following answers provides the BEST solution to meet this goal?

A. Geofencing
B. Geolocation
C. GPS tagging
D. Containerization

A

A

Book:
A. Geofencing can be used to create a virtual fence or geographic boundary, outlining the company’s property. Geofencing will use geolocation to identify the mobile device’s location, but geolocation without geofencing won’t detect if a user is on the company’s property. Global Positioning System (GPS) tagging adds geographic data (such as latitude and longitude data) to files and is unrelated to this question. Containerization runs applications in a container to isolate them.

72
Q

Management within your company wants to implement a method that will authorize employees based on several elements, including the employee’s identity, location, time of day, and type of device used by the employee. Which of the following will meet this need?

A. Geofence
B. Containerization
C. Tethering
D. Context-aware authentication

A

D

Book:
D. Context-aware authentication can authenticate a user and a mobile device using multiple elements, including identity, geolocation, time of day, and type of device. None of the other answers meets all the requirements of the question. A geofence creates a virtual fence, or geographic boundary, and can be used with context-aware authentication. Containerization isolates an application, protecting it and its data. Tethering allows one device to share its Internet connection with other devices.

73
Q

Lisa does not have access to the project.doc file, but she needs access to this file for her job. Homer is the system administrator and he has identified the following permissions for the file:

rwx rw- ---

What should Homer use to grant Lisa read access to the file?

A. The chmod command
B. A remote wipe
C. Push notification
D. The chroot command

A

A

Book:
A. The system administrator should modify permissions with the chmod (short for change mode) command. Remote wipe sends a remote signal to a mobile device to wipe or erase all the data and is unrelated to this question. Push notification services send messages to users but don’t change permissions. The chroot command is used to create a sandbox for testing an application.

74
Q

Management within your organization wants to prevent users from copying documents to USB flash drives. Which of the following can be used to meet this goal?

A. DLP
B. HSM
C. COPE
D. SED

A

Book:
A. A data loss prevention (DLP) solution can prevent users from copying documents to a USB drive. None of the other answers control USB drives. A hardware security module (HSM) is an external security device used to manage, generate, and securely store cryptographic keys. COPE (corporate-owned, personally enabled) is a mobile device deployment model. A self-encrypting drive (SED) includes the hardware and software to encrypt all data on the drive and securely store the encryption keys.

75
Q

Your organization hosts a web site with a back-end database. The database stores customer data, including credit card numbers. Which of the following is the BEST way to protect the credit card data?

A. Full database encryption
B. Whole disk encryption
C. Database column encryption
D. File-level encryption

A

Book:
C. Database column (or field) encryption is the best choice because it can be used to encrypt the fields holding credit card data, but not fields that don’t need to be encrypted. Full database encryption and whole disk encryption aren’t appropriate because everything doesn’t need to be encrypted to protect the credit card data. File-level encryption isn’t appropriate on a database and will often make it inaccessible to the database application.

76
Q

The Marvin Monroe Memorial Hospital recently suffered a serious attack. The attackers notified management personnel that they encrypted a significant amount of data on the hospital’s servers and it would remain encrypted until the management paid a hefty sum to the attackers. Which of the following identifies the MOST likely threat actor in this attack?

A. Organized crime
B. Ransomware
C. Competitors
D. Hacktivist

A

A

Book:
A. This attack was most likely launched by an organized crime group because their motivation is primarily money. While the scenario describes ransomware, ransomware is the malware, not the threat actor. Competitors often want to obtain proprietary information and it would be very rare for a hospital competitor to extort money from another hospital. A hacktivist typically launches attacks to further a cause, not to extort money.

77
Q

Dr. Terwilliger installed code designed to enable his account automatically if he ever lost his job as a sidekick on a television show. The code was designed to reenable his account three days after it is disabled. Which of the following does this describe?

A. Logic bomb
B. Rootkit
C. Spyware
D. Ransomware

A

A

Book:
A. A logic bomb is code that executes in response to an event. In this scenario, the logic bomb executes when it discovers the account is disabled (indicating Dr. Bob Terwilliger is no longer employed at the company). In this scenario, the logic bomb is creating a backdoor. A rootkit includes hidden processes, but it does not activate in response to an event. Spyware is software installed on user systems without their awareness or consent. Its purpose is often to monitor the user’s computer and the user’s activity. Ransomware demands payment as ransom.

78
Q

Lisa recently developed an application for the Human Resources department. Personnel use this application to store and manage employee data, including PII. She programmed in the ability to access this application with a username and password that only she knows, so that she can perform remote maintenance on the application if necessary. Which of the following does this describe?

A. Virus
B. Worm
C. Backdoor
D. Trojan

A

C

Book:
C. A backdoor provides someone an alternative way of accessing a system or application, which is exactly what Lisa created in this scenario. It might seem as though she’s doing so with good intentions, but if attackers discover a backdoor, they can exploit it. A virus is malicious code that attaches itself to an application and executes when the application runs, not code that is purposely written into the application. A worm is self-replicating malware that travels throughout a network without the assistance of a host application or user interaction. A Trojan is software that looks like it has a beneficial purpose but includes a malicious component.

79
Q

Dr. Terwilliger installed code designed to run if he ever lost his job as a sidekick on a television show. The code will create a new account with credentials that only he knows three days after his original account is deleted. Which type of account does this code create?

A. Backdoor
B. Logic bomb
C. Rootkit
D. Ransomware

A

Book:
A. The code is creating a new account that Dr. Terwilliger can use to access the system as a backdoor. He is creating this with a logic bomb, but a logic bomb is the malware type, not the type of account that he created. Rootkits include hidden processes, but they do not activate in response to events. Ransomware demands payment to release a user’s computer or data.

80
Q

Security administrators recently discovered suspicious activity within your network. After investigating the activity, they discovered malicious traffic from outside your network connecting to a server within your network. They determined that a malicious threat actor used this connection to install malware on the server and the malware is collecting data and sending it out of the network. Which of the following BEST describes the type of malware used by the threat actor?

A. APT
B. Organized crime
C. RAT
D. Crypto-malware

A

C

Book:
C. The scenario describes a remote access Trojan (RAT), which is a type of malware that allows attackers to take control of systems from remote locations. While the threat actor may be a member of an advanced persistent threat (APT) or an organized crime group, these are threat actor types, not types of malware. Crypto-malware is a type of ransomware that encrypts data, but there isn’t an indication that the data is being encrypted in this scenario.

81
Q

A security administrator recently noticed abnormal activity on a workstation. It is connecting to systems outside the organization’s internal network using uncommon ports. The administrator discovered the computer is also running several hidden processes. Which of the following choices BEST describes this activity?

A. Rootkit
B. Backdoor
C. Spam
D. Trojan

A

A

Book:
A. A rootkit typically runs processes that are hidden and it also attempts to connect to computers via the Internet. Although an attacker might have used a backdoor to gain access to the user’s computer and install the rootkit, backdoors don’t run hidden processes. Spam is unwanted email and is unrelated to this question. A Trojan is malware that looks like it’s beneficial but is malicious.

82
Q

Lisa is a database administrator and received a phone call from someone identifying himself as a technician working with a known hardware vendor. The technician said he’s aware of a problem with database servers they’ve sold, but it only affects certain operating system versions. He asks Lisa what operating system the company is running on their database servers. Which of the following choices is the BEST response from Lisa?

A. Let the caller know what operating system and versions are running on the database servers to determine if any further action is needed.
B. Thank the caller and end the call, report the call to her supervisor, and independently check the vendor for issues.
C. Ask the caller for his phone number so that she can call him back after checking the servers.
D. Contact law enforcement personnel.

A

B

Book:
B. This sounds like a social engineering attack where the caller is attempting to get information on the servers, so it’s appropriate to end the call, report the call to a supervisor, and independently check the vendor for potential issues. It is not appropriate to give external personnel information on internal systems from a single phone call. It isn’t necessary to ask for a phone number because you wouldn’t call back and give information on the servers. The caller has not committed a crime by asking questions, so it is not appropriate to contact law enforcement personnel.

83
Q

Bart is in a break area outside the office. He told Lisa that he forgot his badge inside and asked Lisa to let him follow her when she goes back inside. Which of the following does this describe?

A. Spear phishing
B. Whaling
C. Mantrap
D. Tailgating

A

D

Book:
D. Tailgating is the practice of following closely behind someone else without using credentials. In this scenario, Bart might be an employee who forgot his badge, or he might be a social engineer trying to get in by tailgating. Spear phishing and whaling are two types of phishing with email. Mantraps prevent tailgating.

84
Q

While cleaning out his desk, Bart threw several papers containing PII into the recycle bin. Which type of attack can exploit this action?

A. Vishing
B. Dumpster diving
C. Shoulder surfing
D. Tailgating

A

B

Book:
B. Dumpster divers look through trash or recycling containers for valuable paperwork, such as documents that include Personally Identifiable Information (PII). Instead, paperwork should be shredded or incinerated. Vishing is a form of phishing that uses the phone. Shoulder surfers attempt to view monitors or screens, not papers thrown into the trash or recycling containers. Tailgating is the practice of following closely behind someone else, without using proper credentials.

85
Q
Your organization recently suffered a loss from malware that wasn’t previously known by any trusted sources. Which of the following BEST describes this attack?

A. Phishing
B. Zero-day
C. Open-source intelligence
D. Hoax

A

B

Book:
B. A zero-day exploit is one that isn’t known by trusted sources such as antivirus vendors or operating system vendors. Phishing is malicious spam and it can include malware, but there isn’t an indication this loss was from an email. Attackers use open-source intelligence to identify a target. Some typical sources are social media sites and news outlets. A hoax is not a specific attack. It is a message, often circulated through email, that tells of impending doom from a virus or other security threat that simply doesn’t exist.

86
Q
A recent change in an organization’s security policy states that monitors need to be positioned so that they cannot be viewed from outside any windows. Additionally, users are directed to place screen filters over the monitor. What is the purpose of this policy?

A. Reduce the success of phishing
B. Reduce the success of shoulder surfing
C. Reduce the success of dumpster diving
D. Reduce the success of impersonation

A

B

Book:
B. Shoulder surfing is the practice of viewing data by looking over someone’s shoulder and it includes looking at computer monitors. Positioning monitors so that they cannot be viewed through a window and/or placing screen filters over the monitors reduces this threat. Phishing is an email attack. Dumpster diving is the practice of looking through dumpsters. Social engineers often try to impersonate others to trick them.

87
Q

Attackers recently sent some malicious emails to the CFO within your organization. These emails have forged From blocks and look like they are coming from the CEO of the organization. They include a PDF file that is described as a funding document for an upcoming project. However, the PDF is infected with malware. Which of the following BEST describes the attack type in this scenario?

A. Phishing
B. Spam
C. Trojan
D. Whaling

A

D

Book:
D. Whaling is a type of phishing that targets high-level executives, such as chief financial officers (CFOs) or chief executive officers (CEOs) and this scenario describes an attack targeting the CFO. Because whaling is more specific than phishing, phishing isn’t the best answer. Spam is unwanted email, but spam isn’t necessarily malicious. While the infected Portable Document File (PDF) might include a Trojan, the scenario doesn’t describe the type of malware within the PDF.

88
Q

A recent spear phishing attack that appeared to come from your organization’s CEO resulted in several employees revealing their passwords to attackers. Management wants to implement a security control to provide assurances to employees that email that appears to come from the CEO actually came from the CEO. Which of the following should be implemented?

A. Digital signatures
B. Spam filter
C. Training
D. Heuristic-based detection

A

A

Book:
A. A digital signature provides assurances of who sent an email and meets the goal of this scenario. Although a spam filter might filter a spear phishing attack, it does not provide assurances about who sent an email. A training program would help educate employees about attacks and would help prevent the success of these attacks, but it doesn’t provide assurances about who sent an email. Some antivirus software includes heuristic-based detection. Heuristic-based detection attempts to detect viruses that were previously unknown and do not have virus signatures.

89
Q

A recent attack on your organization’s network resulted in the encryption of a significant amount of data. Later, an attacker demanded that your organization pay a large sum of money to decrypt the data. Security investigators later determined that this was the result of a new employee within your company clicking on a malicious link he received in an email. Which of the following BEST describes the vulnerability in this scenario?

A. Ransomware
B. Untrained user
C. Resource exhaustion
D. Insider threat

A

B

Book:
B. Of the given choices, an untrained user is the most likely vulnerability in this scenario. A trained user would be less likely to click on a malicious link received in an email. While the attack describes ransomware, ransomware isn’t a vulnerability. A denial-of-service (DoS) or distributed denial-of-service (DDoS) attack often results in resource exhaustion, but that is the result of an attack, not a vulnerability. An insider threat implies a malicious insider, but there isn’t any indication that the new employee was malicious.

90
Q

The CEO of a company recently received an email. The email indicates that her company is being sued and names her specifically as a defendant in the lawsuit. It includes an attachment and the email describes the attachment as a subpoena. Which of the following BEST describes the social engineering principle used by the sender in this scenario?

A. Whaling
B. Phishing
C. Consensus
D. Authority

A

D

Book:
D. The sender is using the social engineering principle of authority in this scenario. A chief executive officer (CEO) would respect legal authorities and might be more inclined to open an attachment from such an authority. While the scenario describes whaling, a specific type of phishing attack, whaling and phishing are attacks, not social engineering principles. The social engineering principle of consensus attempts to show that other people like a product, but this is unrelated to this scenario.