CompTIA Security+ Questions (Lesson 11-21) Flashcards
(152 cards)
1
Q
An attacker modifies the HOSTS file on a workstation to redirect traffic. Consider the types of attacks and deduce which type of attack has likely occurred.
DNS server cache poisoning
DNS spoofing
DNS client cache poisoning
Typosquatting
A
DNS client cache poisoning
The HOSTS file is checked before using Domain Name System (DNS). Its contents are loaded into a cache of known names and the client only contacts a DNS server if the name is not cached. If an attacker can place a false name, then the attacker will be able to direct traffic.
2
Q
A system administrator is configuring a new Dynamic Host Configuration Protocol (DHCP) server. Consider the various types of attacks specific to DHCP and determine which steps the system administrator should take to protect the server. (Select all that apply.)
Use scanning and intrusion detection to pick up suspicious activity.
Disable DHCP snooping on switch access ports to block unauthorized servers.
Enable logging and review the logs for suspicious events.
Disable unused ports and perform regular physical inspections to look for unauthorized devices.
A
Use scanning and intrusion detection to pick up suspicious activity.
Enable logging and review the logs for suspicious events.
Disable unused ports and perform regular physical inspections to look for unauthorized devices.
3
Q
An organization routinely communicates directly to a partner company via a domain name. The domain name now leads to a fraudulent site for all users. Systems administrators for the organization find incorrect host records in DNS. What do the administrators believe to be the root cause?
A server host has a poisoned arp cache.
Some user systems have invalid hosts file entries.
An attacker masquerades as an authoritative name server.
The domain servers have been hijacked.
A
An attacker masquerades as an authoritative name server.
DNS server cache poisoning aims to corrupt the records held by the DNS server itself. A DNS server queries an authoritative server for domain information. An attacker can masquerade as an authoritative name server and respond with fraudulent information.
4
Q
An authoritative server for a zone creates an RRset signed with a Zone Signing Key. Another server requests a secure record exchange and the authoritative server returns the package along with the public key. Evaluate the scenario to determine what the authoritative server is demonstrating in this situation.
Domain Name System (DNS)
DNS Security Extension
DNS Footprinting
Dynamic Host Configuration Protocol (DHCP)
A
DNS Security Extension
5
Q
When a company attempts to re-register their domain name, they find that an attacker has supplied false credentials to the domain registrar and redirected their host records to a different IP address. What type of attack has occurred?
Domain hijacking
Domain name system client cache (DNS) poisoning
Rogue dynamic host configuration protocol (DHCP)
Domain name system server cache (DNS) poisoning
A
Domain hijacking
6
Q
A system administrator is setting up a new Simple Mail Transfer Protocol (SMTP) configuration. Make recommendations for how the administrator should configure the ports. (Select all that apply.)
Port 110 should be used by mail clients to submit messages for delivery.
Port 143 should be used to connect clients.
Port 25 should be used for message relay.
Port 465 should be used for message submission over implicit TLS.
A
Port 25 should be used for message relay.
Port 465 should be used for message submission over implicit TLS.
Port 25 is used for message relay between Simple Mail Transfer Protocol (SMTP) servers or Message Transfer Agents (MTA). If security is required and supported by both servers, the STARTTLS command can be used to set up the secure connection.
Port 465 is used by providers and mail clients for message submission over implicit Transport Layer Security (TLS).
7
Q
A security engineer encrypted traffic between a client and a server. Which security protocol is the best for the engineer to configure if an ephemeral key agreement is used?
AES 256
TLS 1.2
TLS 1.3
SHA 384
A
TLS 1.3
Only ephemeral key agreement is supported in TLS 1.3. The signature type is supplied in the certificate, so the cipher suite only lists the bulk encryption key strength and mode of operation (AES_256_GCM), plus the cryptographic hash algorithm (SHA384).
8
Q
Transport layer security (TLS) version 1.3 improves upon a vulnerability in TLS1.2. Which statement correctly describes a remedy for this vulnerability?
TLS version 1.3 is backward compatible with earlier versions of transport layer security.
TLS version 1.3 removes the ability to downgrade to weaker encryption ciphers and earlier versions of transport layer security.
TLS version 1.3 creates a secure link between the client and server using Secure Shell (SSH) over TCP port 22.
TLS1.3 can use more secure authentication and authorization methods, such as security assertion markup language (SAML) and open authorization (OAuth).
A
TLS version 1.3 removes the ability to downgrade to weaker encryption ciphers and earlier versions of transport layer security.
9
Q
If an administrator in an exchange server needs to send digitally signed and encrypted messages, what messaging implementation will best suit the administrator’s needs?
Secure/Multipurpose Internet Mail Extensions (S/MIME)
Secure Post Office Protocol v3 (POP3S)
Internet Message Access Protocol v4 (IMAP4)
Simple Mail Transfer Protocol (SMTP)
A
Secure/Multipurpose Internet Mail Extensions (S/MIME)
One means of applying authentication and confidentiality on a per-message basis is an email encryption standard called Secure/Multipurpose Internet Mail Extensions (S/MIME). S/MIME adds digital signatures and public key cryptography to mail communications. To use S/MIME, a sender and receiver exchange digital certificates signed by a certification authority (CA).
10
Q
A technician is configuring Internet Protocol Security (IPSec) for communications over a Virtual Private Network (VPN). Evaluate the features of available modes and recommend the best option for implementation.
Tunnel mode because the whole IP packet is encrypted, and a new IP header is added.
Transport mode because the whole IP packet is encrypted, and a new IP header is added.
Tunnel mode because the payload is encrypted.
Transport mode because the payload is encrypted.
A
Tunnel mode because the whole IP packet is encrypted, and a new IP header is added.
11
Q
A system administrator uses a Graphical User Interface (GUI) remote administration tool over TCP port 3389 to manage a server operating Windows 2016. Evaluate the types of remote administration tools to conclude which protocol the administrator is using.
Secure Shell
Telnet
Dynamic Host Configuration Protocol
Remote Desktop
A
Remote Desktop
12
Q
A security administrator employs a security method that can operate at layer 3 of the OSI model. Which of the following secure communication methods could the security administrator be using?
(Select all that apply.)
ESP
AH
TLS
IKE
A
ESP
AH
Encapsulation Security Payload (ESP) provides confidentiality and/or authentication and integrity. ESP is one of the two core protocols of IPsec.
AH is another core protocol of IPsec. The Authentication Header (AH) protocol performs a cryptographic hash on the whole packet, including the IP header, plus a shared secret key (known only to the communicating hosts), and adds this HMAC in its header as an Integrity Check Value (ICV).
13
Q
A system administrator needs secure remote access into a Linux server. Evaluate the types of remote administration to recommend which protocol should be used in this situation.
Telnet
Secure Shell (SSH)
Remote Desktop Protocol (RDP)
Kerberos
A
Secure Shell (SSH)
14
Q
Analyze the methods for authentication to a Secure Shell (SSH) and determine which statement best summarizes the host-based authentication method.
The user’s private key is configured with a passphrase that must be input to access the key.
The client submits credentials that are verified by the SSH server using RADIUS.
The client submits a Ticket Granting Ticket (TGT) that is obtained when the user logged onto the workstation.
The client sends a request for authentication and the server generates a challenge with the public key.
A
The client sends a request for authentication and the server generates a challenge with the public key.
In host-based authentication, the server is configured with a list of authorized client public keys. The client requests authentication using one of these keys and the server generates a challenge with the public key.
15
Q
Analyze the features of a Full Disk Encryption (FDE) to select the statements that accurately reflect this type of security. (Select all that apply.)
FDE encrypts the files that are listed as critical with one encryption key.
The encryption key that is used for FDE can only be stored in a TPM on the disk for security.
A drawback of FDE is the cryptographic operations performed by the OS reduces performance.
FDE requires the secure storage of the key used to encrypt the drive contents.
A
A drawback of FDE is the cryptographic operations performed by the OS reduces performance.
FDE requires the secure storage of the key used to encrypt the drive contents.
16
Q
Compare and evaluate the various levels and types of security found within a Trusted OS (TOS) to deduce which scenario is an example of a hardware Root of Trust (RoT).
A security system is designed to prevent a computer from being hijacked by a malicious operating system
The boot metrics and operating system files are checked, and signatures verified at logon.
Digital certificates, keys, and hashed passwords are maintained in hardware-based storage.
The industry standard program code that is designed to operate the essential components of a system.
A
The boot metrics and operating system files are checked, and signatures verified at logon.
17
Q
Compare and evaluate the various levels and types of platform security to conclude which option applies to a hardware Trusted Platform Module (TPM).
A specification for a suite of high-level communication protocols used for network communication.
The boot metrics and operating system files are checked and signatures verified at logon.
Digital certificates, keys, and hashed passwords are maintained in hardware-based storage.
The industry standard program code that is designed to operate the essential components of a system.
A
Digital certificates, keys, and hashed passwords are maintained in hardware-based storage.
18
Q
Given knowledge of secure firmware implementation, select the statement that describes the difference between secure boot and measured boot.
Secure boot requires a unified extensible firmware interface (UEFI) and trusted platform module (TPM), but measured boot requires only a unified extensible firmware interface (UEFI).
Secure boot provisions certificates for trusted operating systems (OSes) and blocks unauthorized OSes. Measured boot stores and compares hashes of critical boot files to detect the presence of unauthorized processes.
Secure boot is the process of sending a signed boot log or report to a remote server, while measured boot provisions certificates for trusted operating systems (OSes) and blocks unauthorized OSes.
Secure boot requires a unified extensible firmware interface (UEFI) but does not require a trusted platform module (TPM). Measured boot is the mechanism by which a system sends signed boot log or report to a remote server.
A
Secure boot provisions certificates for trusted operating systems (OSes) and blocks unauthorized OSes. Measured boot stores and compares hashes of critical boot files to detect the presence of unauthorized processes.
19
Q
Contrast vendor support for products and services at the end of their life cycle. Which of the following statements describes the difference between support available during the end of life (EOL) phase and end of service life (EOSL) phase?
During the end of life (EOL) phase, manufacturers provide limited support, updates, and spare parts. In the end of service life (EOSL), developers or vendors no longer support the product and no longer push security updates.
During the end of service life (EOSL) phase, manufacturers provide limited support, updates, and spare parts. In the end of life (EOL), developers or vendors no longer support the product and no longer push security updates.
All vendors adhere to a policy of providing five years of mainstream support (end of life support) and five years of extended support (end of service life support), during which vendors only ship security updates.
A well-maintained piece of software is in its end of service life (EOSL) stage. Abandonware refers to a product during the end of life (EOL) stage, which no longer receives updates.
A
During the end of life (EOL) phase, manufacturers provide limited support, updates, and spare parts. In the end of service life (EOSL), developers or vendors no longer support the product and no longer push security updates.
20
Q
A network manager is installing a new switch on the network. Which option does the manager use to harden network security after installation?
A Group Policy Object (GPO) should be configured to deploy custom settings.
The Server Core option should be used to limit the device to only using Hyper-V and DHCP.
Microsoft Baseline Security Analyzer (MBSA) is used on Windows networks and validates the security configuration of a Windows system.
The network manager should ensure all patches are applied and it is appropriately configured.
A
The network manager should ensure all patches are applied and it is appropriately configured.
21
Q
Evaluate approaches to applying patch management updates to select the accurate statement.
Operating System major release updates can cause problems with software application compatibility.
Applying all patches as released is more time consuming than only applying patches as needed.
It is more costly to apply all patches, so most companies choose to apply patches on an as-needed basis.
It is best practice to install patches immediately to provide the highest level of security for workstations.
A
Operating System major release updates can cause problems with software application compatibility.
22
Q
A system administrator has received new systems to deploy within a work center. Which of the following should the system administrator implement to ensure proper hardening without impacting functionality? (Select all that apply.)
Remove all third-party software.
Disable ports that allow client software to connect to applications.
Disable any network interfaces that are not required.
Disable all unused services.
A
Disable ports that allow client software to connect to applications.
Disable any network interfaces that are not required.
Disable all unused services.
23
Q
Select the options that can be configured by Group Policy Objects (GPOs). (Select all that apply.)
Registry settings
Code signing
Access policies
Baseline deviation
A
Registry settings
Access policies
24
Q
During a training event, an executive at a large company asks the security manager trainer why pushing automatic updates as a patch management solution is not ideal for their Enterprise network. How will the security manager most likely respond?
The security manager pushes updates individually, based on office hours.
Automatic updates can cause performance and availability issues.
A patch management suite is impractical for Enterprise networks.
Next-generation endpoint protection suites perform patch management.
A
Automatic updates can cause performance and availability issues.
25
You are asked to help design a security system. What are some methods that can be used to mitigate risks to embedded systems in security environments? (Select all that apply.)
Faraday cage
Firmware patching
Network Segmentation
Wrappers
Firmware patching
Network Segmentation
Wrappers
26
Evaluate the threats and vulnerabilities regarding medical devices and then select accurate statements. (Select all that apply.)
Medical devices are only those devices located outside of the hospital setting, including defibrillators and insulin pumps.
Attackers may attempt to gain access in order to kill or injure patients, or hold medical units ransom.
Medical devices are updated regularly to secure them against vulnerabilities and protect patient safety.
Many portable devices, such as cardiac monitors and insulin pumps, run on unsupported operating systems.
Attackers may attempt to gain access in order to kill or injure patients, or hold medical units ransom.
Many portable devices, such as cardiac monitors and insulin pumps, run on unsupported operating systems.
27
Compare the features of static and dynamic computing environments and then select the accurate statements. (Select all that apply.)
Embedded systems are typically static computing environments, while most personal computers are dynamic computing environments.
Dynamic computing environments are easier to update than static computing environments.
Dynamic computing environments give less control to users than static computing environments.
Dynamic computing environments are easier to secure than static computing environments.
Embedded systems are typically static computing environments, while most personal computers are dynamic computing environments.
Dynamic computing environments are easier to update than static computing environments.
28
Examine the differences between general purpose personal computer hosts and embedded systems and select the true statements regarding embedded system constraints. (Select all that apply.)
Many embedded systems work on battery power, so they cannot require significant processing overhead.
Many embedded systems rely on a root of trust established at the hardware level by a trusted platform module (TPM).
Embedded systems often use the system on chip (SoC) design to save space and increase power efficiency.
Most embedded systems are based on a common but customizable design, such as FPGA.
Many embedded systems work on battery power, so they cannot require significant processing overhead.
Embedded systems often use the system on chip (SoC) design to save space and increase power efficiency.
29
A company security manager takes steps to increase security on Internet of Things (IoT) devices and embedded systems throughout a company’s network and office spaces. What measures can the security manager use to implement secure configurations for these systems? (Select all that apply.)
Isolate hosts that are using legacy versions of operating systems (OSes) from other network devices through network segmentation.
Use wrappers, such as Internet Protocol Security (IPSec) for embedded systems’ data in transit.
Increase network connectivity for embedded systems so they receive regular updates.
Maintain vendor-specific software configuration on Internet of Things (IoT) devices that users operate at home and in the office.
Isolate hosts that are using legacy versions of operating systems (OSes) from other network devices through network segmentation.
Use wrappers, such as Internet Protocol Security (IPSec) for embedded systems’ data in transit.
30
A system administrator is deploying a new web server. Which hardening procedures should the administrator consider? (Select all that apply.)
The administrator should use SFTP to transfer files to and from the server remotely.
Any guest web access that exist on the webserver should be disabled or removed.
The administrator should assign a digital certificate and enable the use of TLS 1.3.
The configuration templates contain vulnerabilities, and the administrator should not utilize them.
The administrator should use SFTP to transfer files to and from the server remotely.
The administrator should assign a digital certificate and enable the use of TLS 1.3.
31
A system administrator needs to implement a secure remote administration protocol and would like more information on Telnet. Evaluate and select the features of Telnet that the administrator should consider to accomplish this task. (Select all that apply.)
Question 1 options:
Telnet uses encryption to send passwords.
Telnet does not support direct file transfer.
FTP supports both direct file transfer and encryption
Telnet uses TCP port 23.
Telnet is a secure option.
Telnet does not support direct file transfer.
Telnet uses TCP port 23.
32
The owner of a company asks a network manager to recommend a mobile device deployment model for implementation across the company. The owner states security is the number one priority. Which deployment model should the network manager recommend for implementation?
BYOD since the company can restrict the usage to business only applications.
CYOD because even though the employee picks the device, the employee only conducts official business on it.
COPE because the device is chosen and supplied by the company, retaining ownership, but allows employee usage for personal email, public web browsing, and social media.
COBO because the device is the property of the company and can only be used for company business.
COBO because the device is the property of the company and can only be used for company business.
Corporate Owned, Business Only (COBO) devices provide the greatest security of the four mobile device deployment models. The device is the property of the company and may only be used for company business.
33
A user would like to install an application on a mobile device that is not authorized by the vendor. The user decides the best way to accomplish the install is to perform rooting on the device. Compare methods for obtaining access to conclude which type of device the user has, and what actions the user has taken.
The user has an iOS device and has used custom firmware to gain access to the administrator account.
The user has an Android device and has used custom firmware to gain access to the administrator account.
The user has an iOS device and has booted the device with a patched kernel.
The user has an Android device and has booted the device with a patched kernel.
The user has an Android device and has used custom firmware to gain access to the administrator account.
34
Analyze mobile device deployment models to select the best explanation of the Corporate Owned, Personally-Enabled (COPE) deployment model.
The employee may use the mobile device to access personal email and social media accounts. The device is chosen and supplied by the company.
The employee may use the mobile device to access personal email and social media accounts. The device is chosen and supplied by the employee.
The device is the property of the company and may only be used for company business.
The employee may use the mobile device to access personal email and social media accounts. The device is chosen by the employee and supplied by the company.
The employee may use the mobile device to access personal email and social media accounts. The device is chosen and supplied by the company.
35
Analyze and compare iOS and Android operating systems (OS) to accurately differentiate between the two. (Select all that apply.)
Android releases updates often, while iOS is more sporadically released.
iOS is limited to Apple products, while Android has multiple hardware vendors.
Android is an open source OS based on Linux, unlike iOS, which is a closed and proprietary system.
iOS is more vulnerable to attack due to being a closed source, while Android is more secure with multiple partners working to secure the OS.
iOS is limited to Apple products, while Android has multiple hardware vendors.
Android is an open source OS based on Linux, unlike iOS, which is a closed and proprietary system.
36
Pilots in an Air Force unit utilize government-issued tablet devices loaded with navigational charts and aviation publications, with all other applications disabled. This illustrates which type of mobile device deployment?
BYOD
COBO
COPE
CYOD
COBO
37
An attacker uses spoofed GPS coordinates on a stolen mobile device, attempting to gain access to an enterprise network. Which statement best describes the attack vector?
The attacker uses the spoofed coordinates to defeat containerization on the target network.
The attacker uses spoofed coordinates to perform a bluesnarfing attack.
The attacker uses spoofed coordinates to establish a rogue wireless access point.
The attacker uses spoofed coordinates to defeat geofencing on the target network.
The attacker uses spoofed coordinates to defeat geofencing on the target network.
38
Analyze the following scenarios and determine which accurately describes the use of an ad hoc Wi-Fi network.
Two or more wireless devices connect to each other on a temporary basis.
A smartphone shares its Internet connection with a PC.
Mobile device connects with a wireless speaker and keyboard.
A smartphone connects to a PC via Bluetooth.
Two or more wireless devices connect to each other on a temporary basis.
39
A user facing a tight deadline at work experiences difficulties logging in to a network workstation, so the user activates a smartphone hotspot and connects a company laptop to save time. Which of the following vulnerabilities has the user potentially created for the enterprise environment?
A device in “discoverable” mode can exploit outdated software patches.
The device may be vulnerable to a skimming attack.
The device may be able to defeat geofencing mechanisms.
The device may circumvent data loss prevention and web content filtering policies.
The device may circumvent data loss prevention and web content filtering policies.
40
An attacker steals personal data from a user device with an outdated Bluetooth authentication mechanism. What type of attack has occurred?
Bluejacking
Bluesnarfing
Bluetooth jamming
Jailbreaking
Bluesnarfing
41
Which microwave connection mode is most appropriate for forming a strong connection between two sites?
P2P
P2M
OTA
OTG
P2P
A point-to-point topology occurs when two nodes have a dedicated connection to one another. In a point-to-multipoint topology, a central node mediates links between remote nodes.
Point-to-multipoint (P2M) microwave uses smaller sectoral antennas, each covering a separate quadrant. Where P2P is between two sites, P2M links multiple sites or subscriber nodes to a single hub.
Over-the-air (OTA) firmware updates are delivered to radio devices via a cellular data connection.
The USB on the go (OTG) specification allows a mobile device to act as a host when a device, such as an external drive or keyboard, is attached. USB OTG allows a port to function either as a host or as a device.
42
Identify the type of attack that occurs when the outcome from execution process are directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.
Stack overflow
Race conditions
Dynamic Link Library (DLL) injection
Integer overflow
Race conditions
43
Analyze types of vulnerabilities and summarize a zero-day exploit.
A design flaw that can cause the application security system to be circumvented.
A vulnerability that is capitalized on before the developer knows about it.
An attack that passes invalid data to an application.
An attack that passes data to deliberately overflow the buffer, that the application reserves to store the expected data.
A vulnerability that is capitalized on before the developer knows about it.
44
Which of the following is a common solution that protects an application from behaving in an unexpected way when passing invalid data through an attack?
Buffer overflow
Race conditions
Zero-day exploit
Input Validation
Input Validation
45
A system administrator is working to restore a system affected by a stack overflow. Analyze the given choices and determine which overflow vulnerability the attacker exploited.
An attacker changes the return address of an area of memory used by a program subroutine.
An attacker overwrites an area of memory allocated by an application to store variables.
An attacker exploits unsecure code with more values than an array expects.
An attacker causes the target software to calculate a value that exceeds the set bounds.
An attacker changes the return address of an area of memory used by a program subroutine.
A stack is an area of memory used by a program subroutine. It includes a return address, which is the location of the program that is called the subroutine. An attacker could use a buffer overflow to change the return address, which is called a stack overflow.
46
A threat actor programs an attack designed to invalidate memory locations to crash target systems. Which statement best describes the nature of this attack?
The attacker created a null pointer file to conduct a dereferencing attack.
The attacker programmed a dereferencing attack.
The attacker programmed a null pointer dereferencing exception.
The attacker created a race condition to perform a null pointer dereferencing attack.
The attacker programmed a null pointer dereferencing exception.
Dereferencing occurs when a pointer variable stores a memory location, which is attempting to read or write that memory address via the pointer. If the memory location is invalid or null, this creates a null pointer dereference type of exception and the process may crash.
Dereferencing does not mean deleting or removing; it means read or resolve.
47
Which method might an attacker use to redirect login via information gained by implementing JavaScript on a webpage the user believes is legitimate?
Man-in-the-Browser (MitB)
Confused deputy
Reflected
Clickjacking
Clickjacking
48
A security analyst is assessing the security of their company’s web application. They have determined multiple occurrences of XSS attacks and need to identify what type of XSS attacks occurred in order to apply the proper remediation. Which of the following accurately distinguishes between Reflected XSS, Stored XSS, and DOM XSS attacks?
Reflected XSS attacks exploit client-side scripts by capturing user input and reflecting it back to the client, while Stored XSS attacks exploit vulnerabilities in client-side scripts by storing malicious code in a database. DOM XSS attacks exploit vulnerabilities in server-side scripts by manipulating the Document Object Model (DOM).
Reflected XSS attacks exploit server-side scripts by capturing user input and reflecting it back to the client, while Stored XSS attacks exploit vulnerabilities in server-side scripts by storing malicious code in a database. DOM XSS attacks exploit vulnerabilities in client-side scripts by manipulating the Document Object Model (DOM).
Reflected XSS attacks exploit client-side scripts by capturing user input and reflecting it back to the client, while Stored XSS attacks exploit vulnerabilities in server-side scripts by storing malicious code in a database. DOM XSS attacks exploit vulnerabilities in server-side scripts by manipulating the Document Object Model (DOM).
Nonpersistent XSS and Persistent XSS attacks exploit client-side scripts, while the DOM is used to exploit vulnerabilities in server-side scripts by manipulating the Document Object Model
Reflected XSS attacks exploit server-side scripts by capturing user input and reflecting it back to the client, while Stored XSS attacks exploit vulnerabilities in server-side scripts by storing malicious code in a database. DOM XSS attacks exploit vulnerabilities in client-side scripts by manipulating the Document Object Model (DOM).
49
An attacker finds a way to exploit a vulnerability in a target application that allows the attacker to bypass a password requirement. Which method did the attacker most likely use?
The attacker added LDAP filters as unsanitized input by creating a condition that is always true.
The attacker inserted code into a back-end database by submitting a post to a bulletin board with a malicious script embedded in the message.
The attacker embedded a request for a local resource via XML with no encryption.
The attacker modified a basic SQL function, adding code to some input that an app accepts, causing it to execute the attacker’s query.
The attacker added LDAP filters as unsanitized input by creating a condition that is always true.
50
Analyze the following statements and select the statement which correctly explains the difference between cross-site scripting (XSS) and cross-site request forgery (XSRF).
XSRF spoofs a specific request against the web application, while XSS is a means of running any arbitrary code.
XSS is not an attack vector, but the means by which an attacker can perform XSRF, the attack vector.
XSRF requires a user to click an embedded malicious link, whereas the attacker embeds an XSS attack in the document object module (DOM) script.
XSRF is a server-side exploit, while XSS is a client-side exploit.
XSRF spoofs a specific request against the web application, while XSS is a means of running any arbitrary code.
51
Which type of attack disguises the nature of malicious input, preventing normalization from stripping illegal characters?
Fuzzing
Canonicalization
Code reuse
Code signing
Canonicalization
The threat actor might use a canonicalization attack to disguise the nature of the malicious input. Canonicalization refers to the way the server converts between the different methods by which a resource (such as a file path or URL) may be represented and submitted to the simplest (or canonical) method used by the server to process the input.
52
Which scenario best describes provisioning?
A developer removes an application from packages or instances.
A developer deploys an application to the target environment.
A developer sets up ID system for each iteration of a software product.
A developer commits and tests updates.
A developer deploys an application to the target environment.
53
Which of the following statements differentiates between input validation and output encoding?
Input validation ensures that data input into an application is in a compatible format for the application, while output encoding re-encodes data that transfers between scripts.
Input validation is a server-side validation method, while output encoding is a client-side validation method.
Output encoding is a server-side validation method, while input validation encoding is a client-side validation method.
Input validation forces the browser to connect using HTTPS only, while output encoding sets whether the browser can cache responses.
Input validation ensures that data input into an application is in a compatible format for the application, while output encoding re-encodes data that transfers between scripts.
54
Which cookie attribute can a security admin configure to help mitigate a request forgery attack?
Secure
HttpOnly
SameSite
Cache-Control
SameSite
Cookies can be a vector for session hijacking and data exposure if not configured correctly. Use the SameSite attribute to control where a cookie may be sent, mitigating request forgery attacks.
55
A network user calls the help desk after receiving an error message. The caller complains that the error message does not indicate whether the username or password input was incorrect but simply states there was an authentication error. What does this situation illustrate?
Effective exception handling
Dynamic code analysis
Minimizing data exposure
Web application validation
Effective exception handling
56
An employee is attempting to install new software they believe will help them perform their duties faster. When the employee tries to install the software, an error message is received, stating they are not authorized to install the software. The employee calls the help desk for assistance. Evaluate the principles of execution control to conclude what has most likely occurred in this scenario.
The company is utilizing allow list control, and the software is included in the list.
The software is malicious, and execution control has identified the virus and is blocking the installation.
The company is utilizing allow list control, and the software is not included in the list.
The company is utilizing block list control, and the software is not included in the list.
The company is utilizing allow list control, and the software is not included in the list.
57
Which of the following is NOT a scripting language?
regex
PowerShell
JavaScript
Python
regex
58
Examine each of the following statements and determine which most accurately compares an allow and block list control practices.
An allow list depends on security clearance levels, while a block list depends on the primacy of the resource owner.
A block list operates on a default-deny policy, while an allow list is a default-allow policy.
A block list depends on the primacy of the resource owner, while an allow list depends on security clearance levels.
An allow list operates on a default-deny policy, while a block list is a default-allow policy.
An allow list operates on a default-deny policy, while a block list is a default-allow policy.
Execution control is the process of determining what additional software or scripts a host can run or install beyond its baseline. An allow list is a default-deny policy that means only running authorized processes and scripts. An allow list may impede accessibility and increase support time and costs.
59
A hacker compromises a web browser and uses access to harvest credentials users input when logging in to banking websites. What type of attack has occurred?
Evil twin
Man-in-the-Browser
Session hijacking
Clickjacking
Man-in-the-Browser
60
An attacker compromises a Linux host, installing a web shell as a backdoor. If the attacker gained access to the host through a connection the host established, what type of attack has occurred?
Man-in-the-Browser (MitB)
Reverse shell
Rootkit
Session hijacking
Reverse shell
A reverse shell is a common attack vector against a Linux host, where a victim host opens a connection to the attacking host through a maliciously spawned remote command shell.
61
Which scripting language is the preferred method of performing Windows administration tasks?
Javascript
Python
Ruby
Powershell
Powershell
62
A threat analyst is asked about malicious code indicators. Which indicator allows the threat actor's backdoor to restart if the host reboots or the user logs off?
Persistence
Credential dumping
Shellcode
Lateral movement/inside attacker
Persistence
63
Evaluate the Agile paradigm within a Software Development Lifecycle (SDLC) to determine which statement demonstrates the idea of continuous tasks.
Devising an application's initial scope and vision for the project
Prioritizing the requirements and work through the cycles of designing, developing, and testing
Releasing well-tested code in smaller blocks
Perform the final integration and testing of the solution
Releasing well-tested code in smaller blocks
64
Which malicious code indicator is a minimal program designed to exploit a buffer overflow?
Credential dumping
Persistence
Lateral movement/insider attack
Shellcode
Shellcode
Shellcode is a minimal program designed to exploit a buffer overflow or similar vulnerability to gain privileges, or to drop a backdoor on the host if run as a Trojan.
65
Code developers de-conflict coding with one another during which phase of the software development life cycle (SDLC)?
Continuous integration
Continuous delivery
Continuous validation
Continuous monitoring
Continuous integration
Continuous integration (CI) is the principle that developers should commit and test updates often. CI aims to detect and resolve coding conflicts early.
Continuous delivery is about testing all of the infrastructures that support an app, including networking, database functionality, client software, and so on.
Verification is a compliance testing process to ensure that the product or system meets its design goals. Validation is the process of determining whether the application is fit-for-purpose. These processes ensure the application conforms to the secure configuration baseline.
An automation solution will have a system of continuous monitoring to detect service failures, security incidents, and failover mechanisms.
66
A system administrator suspects a memory leak is occurring on a client. Determine which scenario would justify this finding.
A rapid decrease in disk space has been logged.
High page file utilization has been logged.
High memory utilization during scheduled backups after-hours.
Software does not release allocated memory when it is done with it.
Software does not release allocated memory when it is done with it.
67
Identify the type of attack that occurs when the outcome from execution process are directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.
Stack overflow
Integer overflow
Race conditions
Dynamic Link Library (DLL) injection
Race conditions
68
A company conducts file sharing via a hosted private cloud deployment model. Which scenario accurately depicts this type of file sharing?
A cloud hosted by a third party for the exclusive use of the organization.
A cloud hosted by a third party and shared with other subscribers.
A cloud that is completely private to and owned by the company that utilizes it.
A cloud where several organizations share the costs of a cloud in order to pool resources for a common concern.
A cloud hosted by a third party for the exclusive use of the organization.
69
A company has recently started using a Platform as a Service (PaaS). Compare cloud service types to determine what is being deployed.
The company has leased storage on an as-needed basis.
The company has leased a suite of applications that were outside of the budget to purchase outright.
The company has outsourced the responsibility for information assurance.
The company has leased both software and infrastructure resources.
The company has leased both software and infrastructure resources.
70
An engineer creates a new virtualized cloud server with no security settings. What actions are typically recommended to secure such a resource? (Select all that apply.)
Ensure virtual machines are logging all events for auditing.
Enforce the principle of most privilege for access to VMs.
Ensure software and hosts are patched regularly.
Configure devices to support isolated communications.
Ensure software and hosts are patched regularly.
Configure devices to support isolated communications.
71
A company has many employees that work from home. The employees obtain data and post data to a shared file they access through a link on the Internet. Consider the types of virtualization and conclude which the company is most likely utilizing.
Rapid elasticity
Measured service
Cloud computing
Resource pooling
Cloud computing
72
Analyze and select the accurate statements about threats associated with virtualization. (Select all that apply.)
Virtualizing switches and routers with hypervisors make virtualization more secure.
VM escaping occurs as a result of malware jumping from one guest OS to the host OS.
A timing attack occurs by sending multiple usernames to an authentication server to measure the server response times.
VMs providing front-end, middleware, and back-end servers should remain together to reduce security implications of a VM escaping attack on a host located in the DMZ.
VM escaping occurs as a result of malware jumping from one guest OS to the host OS.
A timing attack occurs by sending multiple usernames to an authentication server to measure the server response times.
73
An organization plans a move of systems to the cloud. In order to identify and assign areas of risk, which solution does the organization establish to contractually specify cloud service provider responsibilities?
Service level agreement
Trust relationship
Responsibilities matrix
High availability
Service level agreement
74
A large sales organization uses a cloud solution to store large amounts of data. One afternoon, the data becomes inaccessible due to an outage at a data center. Which replication service level is currently in use?
Regional
Local
Geo-redundant
Zone
Local
75
A systems administrator configures several subnets within a virtual private cloud (VPC). The VPC has an Internet gateway attached to it, however, the subnets remain private. What does the administrator do to make the subnets accessible by the public?
Configure any VPC endpoints.
Create a VPN between VPCs.
Configure a default route for each subnet.
Create a VPC for each subnet.
Configure a default route for each subnet.
76
A systems administrator deploys a cloud access security broker (CASB) solution for user access to cloud services. Evaluate the options and determine which solution may be configured at the network edge and without modifying a user's system.
Single sign-on
Application programming interface
Forward proxy
Reverse proxy
Reverse proxy
77
A security team suspects the unauthorized use of an application programming interface (API) to a private web-based service. Which metrics do the team analyze and compare to a baseline for response times and usage rates, while investigating suspected DDoS attacks? (Select all that apply.)
Number of requests
Error rates
Latency
Endpoint connections
Number of requests
Latency
78
When provisioning application services in network architecture, an engineer uses a microservices approach as a solution. Which principle best fits the engineer's implementation?
Components working together to perform a workflow
Being closely mapped to business workflows
The performing of a sequence of automated tasks
Each program or tool should do one thing well
Each program or tool should do one thing well
79
An engineer uses an abstract model that represents network functionality. Using infrastructure as code to deploy and manage a network, how does the engineer make control decisions?
By managing compatible physical appliances
By prioritizing and securing traffic
By monitoring traffic conditions
By using security access controls
By prioritizing and securing traffic
80
A security professional is looking to harden systems at an industrial facility. In particular, the security specialist needs to secure an HVAC system that is part of an IoT network. Which areas does the specialist look to secure from data exfiltration exploits? (Select all that apply.)
Edge devices
Data center
Fog node
Edge gateway
Fog node
Edge gateway
81
A developer considers using an API for service integration and automation. If choosing Representational State Transfer (REST) as the API, which features can the developer expect? (Select all that apply.)
The ability to submit a request as an HTTP operation/verb
It is a looser architectural framework
It uses XML format messaging
It has built-in error handling
The ability to submit a request as an HTTP operation/verb
It is a looser architectural framework
82
A startup designs a new online service and uses a serverless approach for some business functions. With this approach, how does the startup accomplish these functions? (Select all that apply.)
Virtual machines
Containers
Single service
Orchestration
Containers
Orchestration
83
Analyze and determine the role responsible for managing the system where data assets are stored, and is responsible for enforcing access control, encryption, and backup measures.
Data owner
Data steward
Data custodian
Privacy officer
Data custodian
84
A company utilizing formal data governance assigns the role of data steward to an employee. Evaluate the roles within data governance and conclude which tasks the employee in this role performs.
The employee ensures the processing and disclosure of Personally Identifiable Information (PII) complies within legal frameworks.
The employee ensures data is labeled and identified with appropriate metadata.
The employee enforces access control, encryption, and recovery measures.
The employee ensures the data is protected with appropriate controls and determines who should have access.
The employee ensures data is labeled and identified with appropriate metadata.
85
A document contains information about a company that is too valuable to permit any risks, and viewing is severely restricted. Analyze levels of classification and determine the appropriate classification for the document.
Critical
Confidential
Classified
Unclassified
Critical
86
Choose which of the following items classify as Personally Identifiable Information. (Select all that apply.)
Job position
Gender
Full name
Date of birth
Full name
Date of birth
87
A new cloud-based application will replicate its data on a global scale, but will exclude residents of the European Union. Which concerns should the organization that provides the data to consumers take into consideration? (Select all that apply.)
General Data Protection Regulations (GDPR)
Sovereignty
Data Location
Roles
Sovereignty
Data Location
88
Data exists in several states, each requiring different security considerations. Evaluate the following items and select which data state presents the greatest risk due to decryption.
Data in use
Data in transit
Data in motion
Data at rest
Data in use
89
A network manager assists with developing a policy to protect the company from data exfiltration. The employee devises a list of focus points to include. Which plans, when consolidated, provide the best protection for the company? (Select all that apply.)
Store backups of critical data, that may be targeted for destruction or ransom, on-site within a secure space.
Creating a training program for all employees that reiterates the importance of knowing how to use encryption to secure data.
Only allow removable media if it is company property, if it is required to perform a task, and if it has been cleared through the proper channels
Encrypt all sensitive data at rest and disconnect systems that are storing archived data from the network
Creating a training program for all employees that reiterates the importance of knowing how to use encryption to secure data.
Only allow removable media if it is company property, if it is required to perform a task, and if it has been cleared through the proper channels
Encrypt all sensitive data at rest and disconnect systems that are storing archived data from the network
90
Analyze the features of Microsoft's Information Rights Management (IRM) and choose the scenarios that accurately depict IRM. (Select all that apply.)
File permissions are assigned based on the roles within a document.
A document is emailed as an attachment, but cannot be printed by the receiver.
A document does not allow screen capture in a web browser view.
An email message cannot be forwarded to another employee.
File permissions are assigned based on the roles within a document.
A document is emailed as an attachment, but cannot be printed by the receiver.
An email message cannot be forwarded to another employee.
91
An employee is working on a project that contains critical data for the company. In order to meet deadlines, the employee decides to email the document containing the data to their personal email to work on at home. Consider the traits of Data Loss Prevention (DLP) and evaluate the scenario to select the DLP remediation the company should utilize.
The company should allow the employee to email the document to their personal email and trust that the employee will take proper security precautions.
Employee should be notified of the policy violation, and the incident should be recorded for future reference.
The company should utilize network DLP remediation to block all email traffic containing sensitive data.
The company should not take any remediation actions as the employee is just working from home and there is no risk of data loss.
Employee should be notified of the policy violation, and the incident should be recorded for future reference.
92
An organization suspects that a visitor is performing data exfiltration while on the premises. The organization knows that the visitor does not have any type of access to computer systems. Which of the following methods does the organization suspect the visitor of using? (Select all that apply.)
Phone
USB
Remote access
Camera
Phone
Camera
93
The first responder to a security incident decides the issue requires escalation. Consider the following and select the scenario that best describes escalation in this issue.
The first responder calls the company's legal team.
The first responder shuts down the affected system.
The first responder calls senior staff to get them involved.
The first responder reviews user privileges to look for users who may have gained unauthorized privileges.
The first responder calls senior staff to get them involved.
94
A systems administrator suspects that a virus has infected a critical server. In which step of the incident response process does the administrator notify stakeholders of the issue?
Recovery
Identification
Containment
Eradication
Identification
95
Arrange the following stages of the incident response life cycle in the correct order.
Preparation; Identification; Containment, Eradication, and Recovery; Lessons Learned
Identification; Preparation; Containment, Eradication, and Recovery; Lessons Learned
Containment, Eradication, and Recovery; Identification; Preparation; Lessons Learned
Identification; Containment, Eradication, and Recovery; Preparation; Lessons Learned
Preparation; Identification; Containment, Eradication, and Recovery; Lessons Learned
96
Incident management relies heavily on the efficient allocation of resources. Which of the following factors should an IT manager consider regarding the overall scope of dealing with incidents in general? (Select all that apply.)
Planning time
Downtime
Detection time
Recovery time
Downtime
Detection time
Recovery time
97
The IT team at a company discovers that a Windows server is infected with malware. As a result, the server is not functioning properly. Which event log does the team review to find errors from failing services related to newly installed software?
Setup
Security
System
Application
Application
98
During weekly scans, a system administrator identifies a system that has software installed that goes against security policy. The system administrator removes the system from the network in an attempt to limit the effect of the incident on the remainder of the network. Apply the Computer Security Incident Handling Guide principles to determine which stage of the incident response life cycle the administrator has entered.
Preparation
Identification
Containment, eradication and recovery
Lessons learned
Containment, eradication and recovery
99
A user calls the help desk to report that Microsoft Excel continues to crash when used. The technician would like to review the logs in an attempt to determine the cause. Analyze the types of logs to determine which would contain the information the technician needs.
Event log
Audit log
Security log
Access log
Event log
100
An administrator uses data from a Security Information and Event Management (SIEM) system to identify potential malicious activity. Which feature does the administrator utilize when implementing rules to interpret relationships between datapoints to diagnose incidents?
Retention
Trend Analysis
Baseline
Correlation
Correlation
101
A security team desires to modify event logging for several network devices. One team member suggests using the configuration files from the current logging system with another open format that uses TCP with a secure connection. Which format does the team member suggest?
Syslog-ng
Rsyslog
Syslog
NXlog
Rsyslog
Rsyslog can work over TCP and use a secure connection. It uses the same configuration file syntax as Syslog. Rsyslog can use more types of filter expressions in its configuration file to customize message handling.
102
An engineer needs to review systems metadata to conclude what may have occurred during a breach. The first step the engineer takes in the investigation is to review MTA information in an Internet header. Which data type does the engineer review?
Web
Email
File
Cell
Email
103
A security expert needs to review systems information to conclude what may have occurred during a breach. The expert reviews NetFlow data. What samples does the expert review?
Protocol usage and endpoint activity
Traffic statistics at any layer of the OSI model
Statistics about network traffic
Bandwidth usage and comparative baselines.
Statistics about network traffic
104
When endpoint security experiences a breach, there are several classes of vector to consider for mitigation. Which type relates to exploiting an unauthorized service port change?
Configuration drift
Weak configuration
Lack of controls
Social Engineering
Configuration drift
105
Successful adversarial attacks mostly depend on knowledge of the algorithms used by the target AI. In an attempt to keep an algorithm secret, which method does an engineer use when hiding the secret?
AI training
Obscurity
Filtering
Analytics
Obscurity
106
An engineer creates a set of tasks that queries information and runs some PowerShell commands to automate several stages of the process, including the identification of threats and other malicious activity on multiple servers. The engineer defines these tasks using which of the following?
Runbook
Playbook
Orchestration
Automation
Runbook
Playbook
??? Confirm which it is?
107
A security analyst needs to contain a compromised system. The analyst would be most successful using which containment approach?
Black hole
VLAN
ACL
Air gap
Air gap
108
A system compromise prompts the IT department to harden all systems. The technicians look to block communications to potential command and control servers. Which solutions apply to working with egress filtering? (Select all that apply.)
Mediate the copying of tagged data
Restrict DNS lookups
Remove compromised root certificates
Allow only authorized application ports
Restrict DNS lookups
Allow only authorized application ports
109
Which term defines the practice of collecting evidence from computer systems to an accepted standard in a court of law?
Forensics
Due process
eDiscovery
Legal hold
Forensics
110
Which of the following is an example of the process of identifying and de-duplicating files and metadata to be stored for evidence in a trial?
Legal hold
Forensics
eDiscovery
Due process
eDiscovery
eDiscovery is a means of filtering the relevant evidence produced from all the data gathered by a forensic examination and storing it in a database in a format to use as evidence in a trial.
111
A security expert archives sensitive data that is crucial to a legal case involving a data breach. The court is holding this data due to its relevance. The expert fully complies with any procedures as part of what legal process?
Chain of custody
Due process
Forensics
Legal hold
Legal hold
Legal hold refers to information that the security expert must preserve, which may be relevant to a court case. Regulators or the industry's best practice may define the information that is subject to legal hold.
112
An engineer retrieves data for a legal investigation related to an internal fraud case. The data in question is from an NTFS volume. What will the engineer have to consider with NTFS when documenting a data timeline?
UTC time
NTP Server
Time server
DHCP server
UTC time
NTFS uses UTC "internally." When collecting evidence, it is vital to establish the procedure to calculate a timestamp and note the difference between the local system time and UTC.
113
An engineer utilizes digital forensics for information gathering. While doing so, the first focus is counterintelligence. Which concepts does the engineer pursue? (Select all that apply.)
Identification and analysis of specific adversary tactics
Retrospective network analysis
Configure and audit active logging systems
Inform risk management provisioning
Identification and analysis of specific adversary tactics
Configure and audit active logging systems
114
A systems breach occurs at a manufacturer. The system in question contains highly valuable data. An engineer plans a live acquisition, but ultimately, is not successful. What reason may be stopping the engineer?
There is no hibernation file present
The tools are not preinstalled or running
The crash dump file is missing
The pagefile is corrupt
The tools are not preinstalled or running
115
An engineer plans to acquire data from a disk. The disk is connected to the forensics workstation and is ready for the engineer. Which steps indicate a correct order of acquisition as they relate to integrity and non-repudiation?
1. A hash of the disk is made 2. A bit-by-bit copy is made 3. A second hash is made 4. A copy is made of the reference image
1. A hash of the disk is made 2. A copy is made of the reference image 3. A second hash is made 4. A bit-by-bit copy is made
1. A copy is made of the reference image 2. A hash of the disk is made 3. A bit-by-bit copy is made 4. A second hash is made
1. A copy is made of the reference image 2. A bit-by-bit copy is made 3. A hash of the disk is made 4. A second hash is made
1. A hash of the disk is made 2. A bit-by-bit copy is made 3. A second hash is made 4. A copy is made of the reference image
116
A cloud server has been breached. The organization realizes that data acquisition differs in the cloud when compared to on-premises. What roadblocks may the organization have to consider when considering data? (Select all that apply.)
On-demand services
Jurisdiction
Chain of custody
Notification laws
On-demand services
Jurisdiction
Chain of custody
117
A systems breach occurs at a financial organization. The system in question contains highly valuable data. When performing data acquisition for an investigation, which component does an engineer acquire first?
RAM
Browser cache
SSD data
Disk controller cache
Memory dump
SSD data
CPU cache
Disk controller cache
CPU cache
118
A system breach occurs at a retail distribution center. Data from a persistent disk is required as evidence. No write blocker technology is available. Which approach does a security analyst use to acquire the disk?
Carving
Cache
Snapshot
Artifact
Snapshot
119
A company performs risk management. Which action identifies a risk response approach?
A company develops a list of processes necessary for the company to operate.
A company develops a countermeasure for an identified risk.
A company conducts penetration testing to search for vulnerabilities.
A company determines how the company will be affected in the event a vulnerability is exploited.
A company develops a countermeasure for an identified risk.
120
Select the phase of risk management a company has performed if they analyzed workflows and identified critical tasks that could cause their business to fail, if not performed.
Identify mission essential functions
Identify vulnerabilities
Identify threats
Analyze business impacts
Identify mission essential functions
121
Select the example that provides an accurate simulation of a company engaging in the identifying threats phase of risk management.
A company develops a list of processes that are necessary for the company to operate.
A company conducts research to determine which vulnerabilities may be exploited.
A company conducts penetration testing to search for vulnerabilities.
A company determines how the company will be affected in the event a vulnerability is exploited.
A company conducts research to determine which vulnerabilities may be exploited.
122
Management of a company practices qualitative risk when assessing a move of systems to the cloud. How does the company indicate any identified risk factors?
With an exposure factor (EF)
With an annualized loss expectancy (ALE)
With a classification system
With transference
With a classification system
123
Management of a company identifies priorities during a risk management exercise. By doing so, which risk management approach does management use?
Inherent risk
Risk posture
Risk transference
Risk avoidance
Risk posture
124
Analyze the metrics governing Mission Essential Functions (MEF) and determine which example demonstrates Maximum Tolerable Downtime (MTD).
It takes two hours to identify an outage and restore the system from backup.
It takes three hours to restore a system from backup and the restore point is two hours prior to the outage.
A business function relies on five hours for restoration; otherwise, there is an irrecoverable business failure.
It takes three hours to restore a system from backup, reintegrate the system, and to test functionality.
A business function relies on five hours for restoration; otherwise, there is an irrecoverable business failure.
125
A company has thirty servers that run for 125 hours, with three servers that fail. Rounding to the nearest whole number, calculate the Mean Time Between Failures (MTBF) for this scenario.
125
41
3,750
1,250
1,250
The calculation for Mean Time Between Failures (MTBF) is the total time divided by the number of total failures. In this scenario, the company has 30 servers that run for 125 hours (30x125), with the resulting product of 3,750. This result is then divided by the number of failures (3,750/3), which equals an MTBF of 1,250.
126
Evaluate the metrics associated with Mission Essential Functions (MEF) to determine which example is demonstrating Work Recovery Time (WRT).
A business function takes five hours to restore, resulting in an irrecoverable business failure.
It takes two hours to identify an outage and restore the system from backup.
It takes three hours to restore a system from backup, and the restore point is two hours prior to the outage.
It takes three hours to restore a system from backup, reintegrate the system, and test functionality.
It takes three hours to restore a system from backup, reintegrate the system, and test functionality.
127
A company determines the mean amount of time to replace or recover a system. What has the company calculated?
MTBF
KPI
MTTR
MTTF
MTTR
128
A critical server has a high availability requirement of 99.99%. Solve the Maximum Tolerable Downtime (MTD) in hh:mm:ss to conclude which option will meet the requirement.
Question 2 options:
1:24:19 annual downtime
0:49:23 annual downtime
1:01.49 annual downtime
2:48:42 annual downtime
0:53:56 annual downtime
0:49:23 annual downtime
The Maximum Tolerable Downtime (MTD) metric states the requirement for a particular business function. High availability is usually described as 24x7. For a critical system, availability will be described from 99% to 99.9999%. In this scenario, the requirement is 99.99%, resulting in the maximum downtime of 00:52:34. Since 00:49:23 is less downtime than the maximum requirement, this results in the system meeting the requirement.
129
Analyze automation strategies to differentiate between elasticity and scalability. Which scenarios demonstrate scalability? (Select all that apply.)
A company is hired to provide data processing for 10 additional clients and has a linear increase in costs for the support.
A company is hired to provide data processing for 10 additional clients and is able to utilize the same servers to complete the tasks without performance reduction.
A company has a 10% increase in clients and a 5% increase in costs.
A company has a 10% increase in clients and a 10% decrease in server performance.
A company is hired to provide data processing for 10 additional clients and has a linear increase in costs for the support.
A company has a 10% increase in clients and a 5% increase in costs.
130
A Redundant Array of Independent Disks (RAID) is installed with data written to two disks with 50% storage efficiency. Which RAID level has been utilized?
Level 0
Level 1
Level 5
Level 6
Level 1
Redundant Array of Independent Disks (RAID) Level 1 uses mirroring where data is written to two disks simultaneously, which provides redundancy. The main drawback is its storage efficiency is only 50%.
131
IT staff looks to provide a high level of fault tolerance while implementing a new server. With which systems configuration approach does the staff achieve this goal?
Adapting to demand in real time
Adding more resources for power
Duplicating critical components
Increasing the power of resources
Duplicating critical components
Focusing on critical components
132
A systems engineer configures a disk volume with a Redundant Array of Independent Disks (RAID) solution. Which solution does the engineer utilize when allowing for the failure of two disks?
Level 1
Level 0
Level 5
Level 6
Level 6
Redundant Array of Independent Disks (RAID) Level 6 has double parity or Level 5 with an additional parity stripe. This allows the volume to continue when two disks have been lost.
Level 1 uses mirroring where data is written to two disks simultaneously, which provides redundancy. The main drawback is its storage efficiency is only 50%.
RAID Level 0 is striping without parity resulting in no fault tolerance. Data is written in blocks across several disks.
RAID Level 5 has striping with parity. Data is written across three or more disks but calculates additional information. This allows the volume to continue if one disk is lost. This solution has better storage efficiency than RAID 1.
133
Security specialists create a sinkhole to disrupt any adversarial attack attempts on a private network. Which solution do the specialists configure?
Routing traffic to a different network
Using fake telemetry in response to port scanning
Configuring multiple decoy directories on a system
Staging fake IP addresses as active
Routing traffic to a different network
134
A hurricane has affected a company in Florida. What is the first step in the order of restoration?
Enable and test switch infrastructure
Enable and test power delivery systems
Enable and test network security appliances
Enable and test critical network servers
Enable and test switch infrastructure
The first step in the order of restoration is to enable and test power delivery systems such as grid power, Power Distribution Units (PDUs), and secondary generators.
135
A company is working to restore operations after a blizzard stopped all operations. Evaluate the order of restoration and determine the correct order of restoring devices from first to last.
Routers, firewalls, Domain Name System (DNS), client workstations
Domain Name System (DNS), routers, firewalls, client workstations
Firewalls, routers, Domain Name System (DNS), client workstations
Routers, client workstations, firewalls, Domain Name System (DNS)
Routers, firewalls, Domain Name System (DNS), client workstations
The order of restoration states that switch infrastructure, then routing appliances, followed by firewalls, and then Domain Name System (DNS) should be enabled in that order. The final step is to enable client workstations and devices.
136
A systems engineer reviews recent backups for a production server. While doing so, the engineer discovers that archive bits on files are clearing and incorrect backup types have been occurring. Which backup type did the engineer intend to use if the bit should not be cleared?
Snapshot
Full
Differential
Incremental
Differential
With a differential backup, all new and modified files since the last full backup are part of the backup set. With a differential backup type, the archive bit on a file is set to not cleared.
A full backup includes all selected data regardless of when the previous backup occurred. With a full backup type, the archive bit on a file is set to cleared.
Snapshots are a means of getting around the problem of open files when performing a backup. Snapshots use a copy of the data rather than the live data.
With an incremental type backup, new files, as well as files modified since the last backup are part of the backup set. With an incremental backup type, the archive bit on a file is set to cleared.
137
A recent systems crash prompts an IT administrator to perform recovery steps. Which mechanism does the administrator use to achieve nonpersistence?
Configuration validation
Data replication
Restoration automation
Revert to known state
Revert to known state
138
Management has reason to believe that someone internal to the organization is committing fraud. To confirm their suspicion, and to collect evidence, they need to set up a system to capture the events taking place. Evaluate which option will best fit the organization's needs.
Honeynet
Honeypot
Exploitation framework
Metasploit
Honeypot
A system that is placed on the network with the intent of attracting attackers or to detect internal fraud, snooping and malpractice is called a honeypot. This system will be placed within the current network.
An entire decoy network is called a honeynet. A honeynet can be an actual network or simulated.
139
A natural disaster has resulted in a company moving to an alternate processing site. The company has operations moved almost immediately as a result of having a building with all of the equipment and data needed to resume services. The alternative site was actively running prior to the natural disaster. Evaluate the types of recovery sites to determine which processing site the company is utilizing.
Replication site
Cold site
Warm site
Hot site
Hot site
The company is utilizing a hot site for recovery. A hot site can failover almost immediately. The site is already within the organization's ownership and is ready to deploy.
A cold site takes longer to set up (up to a week) and does not have the equipment or data needed to set up immediately.
A warm site contains features of both hot and cold sites. An example of a warm site is a building with the computer equipment available, but the company must supply the latest data set to be operational.
140
A system has a slight misconfiguration which could be exploited. A manufacturing workflow relies on this system. The admin recommends a trial of the proposed settings under which process?
Change management
Change control
Asset management
Configuration management
Change management
141
An organization configures both a warm site and a hot site for disaster preparedness. Doing so poses which challenges for the organization? (Select all that apply.)
Resiliency
Diversity
Complexity
Budgetary
Complexity
Budgetary
142
A systems engineer decides that security mechanisms should differ for various systems in the organization. In some cases, systems will have multiple mechanisms from multiple sources. Which types of diversity does the engineer practice? (Select all that apply.)
Control
Vendor
Change
Resiliency
Control
Vendor
Control diversity means that the layers of controls should combine different classes of technical and administrative controls with the range of control functions.
Vendor diversity means that security controls are sourced from multiple sources. A vulnerability in solutions from a single vendor approach is a security weakness.
143
A secure data center has multiple alarms installed for security. Compare the features of the types of alarms that may be installed, and determine which is an example of a circuit alarm.
Windows and emergency exits along the perimeter will sound an alarm when opened.
An alarm alerts authorities if movement occurs within the building after hours.
Security has a panic button under the desk in case of attack.
Employees wear a pendant they can push to alert authorities if needed.
Windows and emergency exits along the perimeter will sound an alarm when opened.
144
Compare physical access controls with network security to identify the statements that accurately connect the similarities between them. (Select all that apply.)
Authentication provides users access through the barriers, while authorization determines the barriers around a resource.
An example of authentication in networking is a user logging into the network with a smart card. Similarly, authentication in physical security is demonstrated by an employee using a badge to enter a building.
Authorization provides users access through barriers, while authentication creates barriers around a resource.
An example of authorization in networking is a user logging into the network with a smart card. Similarly, authorization in physical security is demonstrated by an employee using a badge to enter a building.
Authentication provides users access through the barriers, while authorization determines the barriers around a resource.
An example of authentication in networking is a user logging into the network with a smart card. Similarly, authentication in physical security is demonstrated by an employee using a badge to enter a building.
145
A project manager is developing a site layout for a new facility. Consider the principles of site layout design to recommend the best plan for the project.
Locate secure zones near the front of the building and next to the security desk, for monitoring entry and exit.
Do not make the building a target by placing signs and warnings of the security within the building.
Minimize traffic passing between zones so that the flow of people are in and out, instead of across and between.
Place windows in rooms within secure zones to deter unauthorized people or actions due to the higher visibility.
Minimize traffic passing between zones so that the flow of people are in and out, instead of across and between.
146
A project manager has designed a new secure data center and has decided to use multifactor locks on each door to prevent unauthorized access. Compare the following types of locks that the project manager may use to determine which example the facility is utilizing.
A lock that requires an employee to use a smart card and pin to enter
A lock that requires an employee to use a magnetic swipe card to enter
A cipher lock on a door
A bolt on the door frame
A lock that requires an employee to use a smart card and pin to enter
147
An engineer receives an alert from a mobile system equipped with an RFID tag. Upon investigating, the mobile system is missing from its assigned station. Which alarm type prompted the engineer to investigate?
Duress
Proximity
Motion
Circuit
Proximity
148
Which of the following are appropriate methods of media sanitization? (Select all that apply.)
Use random data to overwrite data on each location of a hard drive.
Reset a hard disk to its factory condition utilizing tools provided by the vendor.
Degauss a hard drive using a machine with a powerful electromagnet.
Degauss Compact Disks (CDs) using a machine with a powerful electromagnet
Use random data to overwrite data on each location of a hard drive.
Reset a hard disk to its factory condition utilizing tools provided by the vendor.
Degauss a hard drive using a machine with a powerful electromagnet.
149
The security team at an organization looks to protect highly confidential servers. Which method does the team propose when protecting the servers against explosives?
Air gap
Faraday cage
Colocation cage
Vault
Vault
A vault is a room that is hardened against unauthorized entry by physical means, such as drilling or explosives.
150
A security team is setting up a secure room for sensitive systems which may have active wireless connections that are prone to eavesdropping. Which solution does the team secure the systems with to remedy the situation?
Vault
Colocation cage
Faraday cage
DMZ
Faraday cage
A faraday cage is an enclosure that features a charged conductive mesh that blocks signals from entering or leaving the area.
151
An organization plans the destruction of old HDDs. In an effort to save money, the organization decides that the technicians will hit the drives with hammers. Which method is the being used?
Degaussing
Pulping
Shredding
Pulverizing
Pulverizing
Pulverizing involves destroying media by impact. It is important to note that hitting a hard drive with a hammer can actually leave a surprising amount of recoverable data. Industrial machinery should perform this type of destruction.
152
An organization plans the destruction of old flash drives. In an attempt to erase the media, an employee uses an electromagnet, only to discover that it did not destroy the data. Which method has the employee tried?
Pulping
Degaussing
Pulverizing
Burning
Degaussing
Degaussing involves exposing a magnetic hard disk to a powerful electromagnet. This disrupts the magnetic pattern that stores the data on the disk surface. Degaussing cannot erase non-magnetic disks, such as flash drives.
