Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

CompTIA Security+ SY0-301 Authorized Cert Guide By David L. Prowse - Pearson - Exams > Exam 1 > Flashcards

Exam 1 Flashcards

(100 cards)

Start Studying
1
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

What are the three main goals of information security? (Select the three best answers.)
A. Auditing
B. Integrity
C. Nonrepudiation
D. Confidentiality
E. Risk assessment
F. Availability
A

Answers: B, D, and F. Confidentiality, Integrity, and Availability
Explanation: Confidentiality, Integrity, and Availability (known as CIA or the CIA triad) are the three main goals of information security. Another goal within information security is Accountability. See the section titled “Security 101” in Chapter 1, “Introduction to Security,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

Which of the following describes an application that accepts more input than it was originally expecting?
A. Buffer overflow
B. Denial of service (DoS)
C. Sandbox
D. Brute force
A

Answer: A. Buffer overflow
Explanation: Buffer overflows occur when an application or an operating system accepts more input than it expects. This could cause a radical behavior in applications especially if the affected memory already has other data in it. A denial of service is a network attack perpetuated on servers to stop them from performing their proper functions for users. Sandbox is when a web script runs in its own environment so that it won’t interfere with other processes; this is often used in testing environments. Brute force is a type of password cracking attack. See the section titled “Securing Other Applications” in Chapter 4, “Application Security,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

A security assessment of an existing application has never been made. Which of the following is the best assessment technique to use to identify an application’s security posture?
A. Functional testing
B. Threat modeling
C. Baseline reporting
D. Protocol analysis
A

Answer: C. Baseline reporting
Explanation: Baseline reporting is the best answer for identifying the application’s security posture. A Security Posture Assessment (SPA) is used to find out the baseline security of an application, a system, or a network, as long as the application (or system or network) already exists. By checking past results and comparing them with current (and future) results, a security professional can see whether an application is secure, or has a “secure posture.” Some applications come with built-in baseline reporting tools, which allow you to tell whether a system is compliant and secure. The other three answers don’t (by definition) associate with the “security posture” of an application. Functional testing is a method of verifying a program by inputting information to the program and analyzing the output. Threat modeling defines a set of possible attacks that could exploit a vulnerability. Protocol analysis deals with examining packet streams with a sniffer or protocol analyzer. See the section titled “Using Tools to Monitor Systems and Networks” in Chapter 11, “Monitoring and Auditing,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

Why would a system administrator have both a user-level account and an administrator-level account?
A. To prevent privilege escalation
B. To prevent admin account lockout
C. To prevent password sharing
D. To prevent loss of access through implicit deny

A

Answer: A. To prevent privilege escalation
Explanation: Some organizations that use UAC might employ a policy where all administrators are expected to log on as their standard user account. With UAC enabled, the “administrator” will not be able to accomplish administrative tasks unless he types in his administrator-level account username and password at the UAC prompt. It’s really UAC that is used to prevent privilege escalation for all users. See the section titled “Securing Wired Networks and Devices” in Chapter 7, “Securing Network Media and Devices,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

What is the best reason why security researchers use virtual machines?
A. To offer a secure virtual environment where they can conduct online deployments
B. To offer an environment where they can discuss security research
C. To offer an environment where network applications can be tested
D. To offer an environment where malware might be executed but with minimal risk to equipment

A

Answer: D. To offer an environment where malware might be executed but with minimal risk to equipment.
Explanation: The best reason why security researchers use virtual machines is to offer an environment where malware might be executed but with minimal risk to the equipment. This is because the virtual machine is isolated from the actual operating system, and the virtual machine can simply be deleted if it is affected by viruses or other types of malware. Although the other answers are possible reasons why a security researcher would use a virtual machine, the best answer is that it offers the isolated environment where a malicious activity can occur but be easily controlled and monitored. See the section titled “Virtualization Technology” in Chapter 3, “OS Hardening and Virtualization,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

You need to monitor network devices on your network. Which of the following protocols will best help you complete this task?
A. ICMP
B. SNMP
C. SMTP
D. NetBIOS
A

Answer: B. SNMP
Explanation: The Simple Network Management Protocol (SNMP) is meant to be used within network monitoring programs, which are used to monitor the parameters of devices on your network. ICMP stands for Internet Control Message Protocol, which among other things is an integral part of the ping command. SMTP stands for Simple Mail Transfer Protocol, which is used to send mail. NetBIOS stands for Network Basic Input/Output System and provides name services. See the section titled “Using Tools to Monitor Systems and Networks” in Chapter 11, “Monitoring and Auditing,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

You are configuring an 802.11n wireless network. You need to have the best combination of encryption and authorization. Which of the following options should you select?
A. WPA2-PSK
B. WEP and 802.1x
C. WPA-Enterprise
D. WPA and TKIP
A

Answer: C. WPA-Enterprise
Explanation: WPA-Enterprise offers a decent level of encryption (WPA) as well as a powerful means of authorization (Enterprise). Enterprise usually means you are using a separate RADIUS server or something similar to handle the authorization side of things and are not relying on the wireless device itself. While WPA2-PSK offers a better level of encryption, it does not offer authorization the way an enterprise configuration does. WEP and 802.1x does offer a form of authorization, but WEP is deprecated and is not recommended in any scenario. WPA and TKIP offers the same level of encryption as WPA-Enterprise but does not offer authorization. See the section titled “Securing Wireless Networks and Devices” in Chapter 7, “Securing Network Media and Devices,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

Tim needs to collect data from users that utilize an Internet-based application. Which of the following should he reference before doing so?
A. Secure code review
B. SOX
C. Acceptable use policy
D. Privacy policy
A

Answer: D. Privacy policy
Explanation: Tim should refer to his organization’s privacy policy before collecting any data from users of the Internet-based application. This policy will dictate whether he is allowed to collect the information he requires. Secure code reviews check for incorrect and possibly risky coding techniques in applications. SOX stands for Sarbanes-Oxley Act, which sets standards for management and public accounting organizations. Acceptable use policies (AUP) state how a network or system may be used. See the section titled “Legislative and Organizational Policies” in Chapter 15, “Policies, Procedures, and People,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

You have been asked to set up a web server that will service regular HTTP requests as well as HTTP secure requests. Which of the following ports would you use by default? (Select the two best answers.)
A. 21
B. 25
C. 80
D. 135
E. 443
F. 445
A

Answers: C. 80 and E. 443
Explanation: The default port for HTTP requests is port 80. The default port for HTTP Secure (HTTPS) requests is port 443. Port 21 is FTP. Port 25 is SMTP. Port 135 is known as the DCE endpoint manager port or RPC (Remote Procedure Call); it is a DCOM related port that is used to remotely manage services and is generally considered insecure. Port 445 is the Server Message Block (SMB) port that deals with Microsoft directory services. See the section titled “Ports and Protocols” in Chapter 5, “Network Design Elements and Network Threats,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

Sandy is comparing six different computers on a network. She wants to know which of the systems is more susceptible to attack. Which is the best tool for her to use?
A. Vulnerability scanner
B. Port scanner
C. Ping scanner
D. Baseline reporting
A

Answer: A. Vulnerability scanner
Explanation: The vulnerability scanner will be able to scan for various vulnerabilities on multiple computers. A port scanner would be the next choice but will only tell Sandy which ports are open, not what vulnerabilities the computers have, and by default it will only work with one computer at a time (although this is configurable). Ping scanners can find out what computers exist on the network but won’t display any vulnerabilities. Baseline reporting is used to compare a system’s current configuration to an older configuration to find out its security posture. See the section titled “Assessing Vulnerability with Security Tools” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

Which of the following reduces the chances of a single point of failure on a server when it fails?
A. Virtualization
B. Clustering
C. RAID
D. Cold site
A

Answer: B. Clustering
Explanation: Clustering enables a technician to use two or more servers together. In a failover cluster, a failure on the working server will cause that server to be disabled, but the next server in the cluster will then become active; so most single points of failure can be overcome. Virtualization of a server creates an entirely new server in a virtual machine, but it will have the same possibility of a single point of failure as a physical server. RAID (Redundant Array of Inexpensive Disks) reduces the chances of a server’s single point of failure by allowing for fault tolerant disks—but only for disks, and only certain kinds of RAID. If any other points on the server fail, RAID will not be able to recover. A cold site does not have servers ready to go in the case there is a single point of failure on a particular server. However, hot sites could usually recover from these types of issues, though the users might have to physically go to the building depending on the configuration. See the section titled “Redundancy Planning” in Chapter 14, “Redundancy and Disaster Recovery,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

Which of the following statements is true about a certificate revocation list (CRL)?
A. It should be kept secret.
B. It must be encrypted.
C. It should be kept public.
D. It should be used to sign other keys.
A

Answer: C. It should be kept public.
Explanation: Certificate revocation lists (CRLs) should be published regularly so that users know whether an issuer’s certificate is valid. If the CRL was secret, it would defy its purpose. The CRL is not usually encrypted but will be digitally signed by the certificate authority (CA). The CRL does not sign any keys; instead the CA takes care of this. See the section titled “Public Key Infrastructure” in Chapter 13, “PKI and Encryption Protocols,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

HIDS and NIDS are similar intrusion detection systems. However, one is for individual computers, and the other is for networks. Which of the following would a HIDS be installed to monitor?
A. System files
B. CPU performance
C. Network adapter performance
D. Temporary Internet files
A

Answer: A. System files
Explanation: HIDS, or host-based intrusion detection system, is software installed to an individual computer to monitor important files and watch for intrusions. System files are some of the most important files that will be monitored by a HIDS. Temporary Internet files are not nearly as important and are usually removed automatically by way of a policy in many organizations. CPU and network adapter performance is usually monitored by some type of performance monitoring program; these are often built into the operating system. See the section titled “Implementing Security Applications” in Chapter 2, “Computer Systems Security,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

Thumb drives can be used to compromise systems and enable unauthorized access. What kind of malware was most likely installed to the thumb drive?
A.	Bot
B.	Logic bomb
C.	Virus
D.	Trojan
A

Answer: D. Trojan
Explanation: Trojans are used to access a system without authorization. They can be installed to USB flash drives, can be remote access programs, or could be unwittingly stumbled upon when accessing disreputable websites. The key phrase here is “unauthorized access”; that is what the Trojan is trying to do. A bot is a computer that performs actions without the user’s consent and is often controlled by a remote master computer. Though the bot doesn’t enable unauthorized access, a Trojan might carry a bot program as part of its payload. Logic bombs are generally a method of transferring malware and are meant to initiate a malicious function at a specific time. Viruses infect a computer but are not used for unauthorized access. See the section titled “Computer Systems Security Threats” in Chapter 2, “Computer Systems Security,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

You are the systems administrator for your organization. You have been tasked to block database ports at the firewall. Which port should you block?
A. 3389
B. 1433
C. 443
D. 53
A

Answer: B. 1433
Explanation: Port 1433 is used by Microsoft SQL Server databases and should be blocked at the firewall if you want to block SQL Server activity. Port 3389 is used by the Remote Desktop Protocol. Port 443 is used by HTTPS. Port 53 is used by DNS. See the section titled “Ports and Protocols” in Chapter 5, “Network Design Elements and Network Threats,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

Your boss speculates that an employee in a sensitive position is committing fraud. What is the best way to identify if this is true?
A. Mandatory vacations
B. Separation of duties
C. Due diligence
D. Acceptable usage policy
A

Answer: A. Mandatory vacations
Explanation: Mandatory vacations should be implemented to help detect (and possibly stop) fraud, sabotage, or other malicious activity on the part of a person working in a sensitive position in an organization. Separation of duties (and job rotation) are employed when more than one person is utilized to complete a task. While this might be a way to identify fraud, it does not take into account the possibility that one user is still committing fraud without the other user(s) noticing. It also doesn’t take into account the chance that all users involved in the job rotation system could be committing fraud together. Mandatory vacations are a better method of detecting ongoing fraud. Due diligence ensures that IT risks are known and managed. Acceptable usage policies define the rules that restrict how a system may be used. See the section titled “Legislative and Organizational Policies” in Chapter 15, “Policies, Procedures, and People,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

Your organization’s network has a main office and two remote sites that connect back to the main office solely. You have been tasked with blocking TELNET access into the entire network. Which would be the best way to go about this?
A. Block port 25 on the main office’s firewall
B. Block port 25 on each of the L2 switches at the remote sites
C. Block port 23 on each of the L2 switches at the remote sites
D. Block port 23 on the main office’s firewall

A

Answer: D. Block port 23 on the main office’s firewall
Explanation: You should block port 23 on the main office’s firewall because by default TELNET uses port 23. Port 25 is used by SMTP. By blocking port 23 on the main office’s firewall you will by default be blocking it for the entire network in the scenario. L2 (layer 2) switches deal with MAC addresses and other principles of the Data Link Layer of the OSI Model. They do not usually have the option to block particular TCP/IP ports. See the section titled “Ports and Protocols” in Chapter 5, “Network Design Elements and Network Threats,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

Tom is getting reports from several users that they are unable to download specific items from particular websites although they can access other pages of those websites. Also, they can download information from other websites just fine. Tom’s IDS is also sending him alarms about possible malicious traffic on the network. What is the most likely cause why the users cannot download the information they want?
A. The firewall is blocking web activity.
B. The NIDS is blocking web activity from those specific websites.
C. The NIPS is blocking web activity from those specific websites.
D. The router is blocking web activity.

A

Answer: C. The NIPS is blocking web activity from those specific websites.
Explanation: The most likely answer is that the network intrusion prevention system (NIPS) is blocking the specific traffic because it has detected that particular downloads could be malicious. A NIDS would only detect this and send alarms to Tom; it would not prevent the traffic. The firewall will usually block entire websites from being accessed, not just prevent specific downloads. The router will not block web activity, although it could block access to particular IP addresses. However, if this was the case, the users would not be able to access the website in question at all. See the section titled “NIDS Versus NIPS” in Chapter 6, “Network Perimeter Security,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

Users on your network are identified with tickets. Which of the following systems is being used?
A. Kerberos
B. RADIUS
C. TACACS+
D. LDAP
A

Answer: A. Kerberos
Explanation: Kerberos is the only authentication system listed that uses tickets to identify users—the ticketing system proves the identity of users. RADIUS uses authentication schemes such as CHAP and EAP. RADIUS and TACACS+ are normally used for remote authentication of users, whereas Kerberos is used in Domains. TACACS+ uses TCP, and RADIUS uses UDP for connections. LDAP is used for accessing and modifying directory services data. See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

Which of the following invalidates SQL injection attacks that were launched from a lookup field of a web server?
A. Input validation
B. Security template
C. NIDS
D. Buffer overflow protection
A

Answer: A. Input validation.
Explanation: Input validation is a process that ensures the correct usage of data. It is important when dealing with any types of forms on a web server. Because these forms can be compromised by various attacks, forms should be coded in such a way where any input from the user will be validated by the web page before it is accepted. For example, if you were to type in six digits in a ZIP code field when it expects only a maximum of five digits, input validation should deny that entry, and if coded properly will ask the user to re-enter the information. Security templates import many secure policies at one time. A NIDS protects an entire network from intrusion. Buffer overflow protection ensures that memory is storing data the way that the developer intended. Input validation also prevents buffer overflow attacks in addition to other types of attacks such as SQL injection attacks. See the section titled “Securing Other Applications” in Chapter 4, “Application Security,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

You want to curtail users from e-mailing confidential data outside your organization. Which of the following would be the best method?
A. Block port 110 on the firewall.
B. Prevent the usage of USB flash drives.
C. Install a network-based DLP device.
D. Implement PGP.

A

Answer: C. Install a network-based DLP device.
Explanation: A network-based data loss prevention (DLP) device is the best solution listed. This device normally sits on the perimeter of the network and can be configured to analyze traffic for confidential information and prevent it from going outside the network. DLP devices can also be storage-based and endpoint-based, but in this case the network-based DLP would be best. Blocking port 110 on the firewall might stop all outbound POP3 e-mails from leaving the network, and while that would probably stop confidential e-mails from going out, it would cause a whole slew of other problems—as you might imagine! Preventing the usage of flash drives probably wouldn’t affect the scenario either way. PGP is used to encrypt and digitally sign e-mails, which is a decent option when attempting to keep data confidential but won’t help when you want to keep that confidential data from leaving the network. See the section titled “Firewalls and Network Security” in Chapter 6, “Network Perimeter Security,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

What should be incorporated with annual awareness security training?
A. Signing of a user agreement
B. Implementation of security controls
C. User rights and permissions review
D. Succession planning
A

Answer: A. Signing of a user agreement
Explanation: Security awareness training should be coupled with the signing of a user agreement. This agreement states that the user acknowledges and accepts specific rules of behavior, conduct, and nondisclosure of the training. Some organizations might add other policies that the user must agree to as well. Security controls deal with the proper implementation of a security plan. User rights and permissions reviews are part of security audits. Succession planning is the process of developing and readying new servers and other equipment in the case that the current equipment fails, is compromised, or becomes outdated. See the section titled “Legislative and Organizational Policies” in Chapter 15, “Policies, Procedures, and People,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

A critical system in the server room was never connected to a UPS. The security administrator for your organization has initiated an authorized service interruption of the server to fix the problem. Which of the following best describes this scenario?
A. Succession planning
B. Fault tolerance
C. Continuity of operations
D. Disaster recovery
A

Answer: B. Fault tolerance
Explanation: Because the security administrator is deliberately interrupting service in a proactive effort to fix the problem, this scenario would be best described as fault tolerance. Also, the fact that a UPS is being installed to make the system tolerant of power loss lends to the fault tolerance answer. If the administrator was planning how a new server was to be implemented, then it would be succession of planning. Continuity of operations and disaster recovery deal with the scenario of an actual disaster and the planning for recovery from that disaster. See the section titled “Redundancy Planning” in Chapter 14, “Redundancy and Disaster Recovery,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further.

Which of the following devices is used to optimize and distribute data workloads across multiple computers or networks?
A. VPN concentrator
B. Protocol analyzer
C. Proxy server
D. Load balancer
A

Answer: D. Load balancer
Explanation: A load balancer is used to distribute workload across multiple computers or a computer cluster. It could be done by a dedicated hardware or software. VPN concentrators are devices used for remote access. Protocol analyzers are used to examine packets of information that are captured from a computer. Proxy servers act as go-betweens for client computers and the Internet and often cache information that comes from websites. See the section titled “Redundancy Planning” in Chapter 14, “Redundancy and Disaster Recovery,” for more information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Which of the following is used to cache content? A. Firewall B. Load balancer C. Proxies D. VPN concentrator ```
Answer: C. Proxies Explanation: A proxy is used to cache or store content for later use. An example of this would be an HTTP proxy that remembers the content of a web page that a client computer accessed. This information can then be accessed by other client computers without the computer having to access the Internet. Firewalls are used to protect a network and secure ports. Load balancers are used to distribute workload across two or more computers or networks. VPN concentrators allow for secure encrypted remote access. See the section titled “Firewalls and Network Security” in Chapter 6, “Network Perimeter Security,” for more information.
26
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Which of the following enables a person to view the IP headers on a data packet? A. Protocol analyzer B. NIDS C. Firewall D. L2 switch ```
Answer: A. Protocol analyzer Explanation: A protocol analyzer (or packet sniffer) allows a person to break down a packet and view its contents including IP headers. Network intrusion detection systems (NIDS) detect malicious activity on a network. Firewalls are used to protect the entire network from malicious activity by closing and securing ports. L2 switches are used as central connecting devices for computers on a LAN—they identify each computer by its MAC address. See the section titled “Assessing Vulnerability with Security Tools” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.
27
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. A programmer wants to prevent cross-site scripting. Which of the following should the programmer implement? A. Validation of input to remove bit code B. Validation of input to remove shell scripts C. Validation of input to remove batch files D. Validation of input to remove hypertext
Answer: D. Validation of input to remove hypertext Explanation: Cross-site scripting (XSS) is a vulnerability to web applications. For example, a malicious attacker might attempt to inject hypertext into a standard text-based web form. Shell scripts, batch files, and Java bit code are not associated with XSS attacks. See the section titled “Secure Programming” in Chapter 4, “Application Security,” for more information.
28
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` You have been asked by your boss to protect the confidentiality of sensitive data entered into a database table. What is the best method to use? A. Encryption B. Hashing C. Secure Copy D. Biometrics ```
Answer: B. Hashing Explanation: Hashing is used in databases for indexing and file retrieval and is used to protect the confidentiality of data in database tables. It is faster and easier to use than encryption methods. Secure Copy (SCP) is used to securely transfer files between two computers. Biometrics is the science of identifying humans from their physical characteristics. See the section titled “Hashing Basics” in Chapter 12, “Encryption and Hashing Concepts,” for more information.
29
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Jane is a systems administrator and must revoke the access of a user who has been terminated. Which policy must she implement? A. Password recovery B. Password expiration C. Account disablement D. Account lockout ```
Answer: C. Account disablement Explanation: If an employee is terminated, the employee’s account should be disabled. This way, the employee will not be able to log in to the system, but the history of the user account is still intact and can be viewed by administrators if necessary. There is no need to modify the password recovery or expiration settings. The password will no longer do the user any good, and the administrator should be able to access anything the employee did. Even if the user password is required, it can be reset by the administrator. It would be unwise to lock out the user, because many policies have a timeout on the lockout, thus allowing the user to log back in later on. See the section titled “Rights, Permissions, and Policies” in Chapter 9, “Access Control Methods and Models,” for more information.
30
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. What is one reason to implement security logging on a DNS server? A. To perform penetration testing on the server B. To prevent DNS DoS C. To watch for unauthorized zone transfers D. To measure server performance
Answer: C. To watch for unauthorized zone transfers. Explanation: It is important to log your DNS server to monitor for unauthorized zone transfers. This type of logging can only let you know if an unauthorized zone transfer has occurred; it will not prevent it, nor will it prevent any types of denial of service (DoS) attacks. Penetration testing is usually done with some type of vulnerability scanning software, and performance measuring is usually done with some type of performance monitoring software. See the section titled “Malicious Attacks” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
31
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` What is the best way to prevent ARP poisoning across a network? A. MAC flooding B. Log analysis C. Loop protection D. VLAN segregation ```
Answer: D. VLAN segregation Explanation: By segregating a network into multiple virtual LANs, ARP poisoning attacks will hopefully falter when trying to cross from one VLAN to the next. This isn’t always successful, but it is one smart way to try to avoid ARP poisoning attacks. A MAC flood is an attack where numerous packets are sent to a switch, each with a different MAC address. Log analysis is used to determine what happened at a specific time on a particular system. Loop protection can be enabled on some switches, which protects from a person connecting both ends of a patch cable to two different switch ports on a switch. See the section titled “Malicious Attacks” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
32
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Stephen has been instructed to update all three routers’ firmware for his organization. Where should he document his work? A. Change management system B. Router system log C. Event Viewer D. Chain of custody ```
Answer: A. Change management system Explanation: Change management is the structured way of making changes to systems and devices. It includes implementation, testing, monitoring, and documentation. Routers will have logs, not necessarily called a system log, which can be used to identify what has happened on the router in the past, but these aren’t used to document work done to the router. The Event Viewer contains the log files in Microsoft operating systems. A chain of custody is the chronological documentation of evidence but does not include work done on a regular basis to routers or other equipment. See the section titled “Legislative and Organizational Policies” in Chapter 15, “Policies, Procedures, and People,” for more information.
33
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Which of the following would be installed on a single computer to prevent intrusion? A. Network firewall B. Host-based firewall C. Host intrusion detection system D. VPN concentrator ```
Answer: B. Host-based firewall Explanation: Firewalls are designed to prevent intrusion. To prevent intrusion on a single computer, install a host-based firewall. Another viable option would be to install a host-based intrusion prevention system (HIPS) but not a host-based intrusion detection system (HIDS) since the HIDS will only detect the intrusion, not prevent it. A VPN concentrator is used to enable secure remote connections between hosts and networks. See the section titled “Implementing Security Applications” in Chapter 2, “Computer Systems Security,” for more information.
34
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. One of the users in your organization informs you that her 802.11n network adapter is connecting and disconnecting to and from an access point that was recently installed. The user has Bluetooth enabled on the laptop. A neighboring company had its wireless network compromised last week. Which of the following is the most likely cause of the disconnections? A. The attacker that compromised the neighboring company is running a wardriving attack. B. A Bluetooth device is interfering with the user’s laptop. C. An attacker in your organization is attempting a bluejacking attack. D. The new access point was not properly configured and is interfering with another access point.
Answer: D. The new access point was not properly configured and is interfering with another access point. Explanation: The most likely cause is that the new access point that the laptop is connecting to was not configured properly. Perhaps the antennae were not set to a high enough power level, or the placement of the AP is not close enough to the laptop. Less likely is the possibility that an attacker is running a wardriving attack against your network. It is possible that a Bluetooth device is causing interference (since both share the 2.4 GHz spectrum), but it is also less likely. A bluejacking attack (if successful) would probably not affect the ability for an 802.11n network adapter to connect with an access point. See the section titled “Securing Wireless Networks” in Chapter 7, “Securing Network Media and Devices,” for more information.
35
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. You have critical backups that are made at night and taken to an offsite location. Which of the following would allow for a minimal amount of downtime in the case of a disaster? A. Have a backup server at the offsite location B. Make the offsite location into a hot site C. Make the offsite location into a warm site D. Make the offsite location into a cold site
Answer: B. Make the offsite location into a hot site Explanation: A hot site would be the best option in the case of a disaster because it can be up and running faster than any of the other answers listed. A backup server is only a single facet of many organizations’ disaster recovery plans. Warm sites and cold sites do not offer as little downtime as a hot site does. See the section titled “Redundancy Planning” in Chapter 14, “Redundancy and Disaster Recovery,” for more information.
36
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. What is the purpose of LDAP authentication services? A. To prevent multifactor authentication B. To act as a single point of management C. To implement MAC D. To issue one-time passwords
Answer: B. To act as a single point of management Explanation: LDAP (Lightweight Directory Access Protocol) contains the directory for a network and allows for a single point of user management of that directory. Multifactor authentication is when more than one type of identification is required to gain access to a system, network or building. MAC (Mandatory Access Control) is a type of access control system not usually associated with LDAP. One-time passwords can be issued by several technologies including RSA tokens. See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.
37
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Where would you store a revoked certificate? A. Key escrow B. Recovery agent C. CRL D. PKI ```
Answer: C. CRL Explanation: The CRL (certificate revocation list) is where revoked certificates should be stored. Key escrow is when certificate keys are held in the case that third parties need to access information. The recovery agent is used to recover lost keys. PKI stands for Public Key Infrastructure, which is the entire system of parts that allows for certificates, certificate authorities, and so on. See the section titled “Public Key Infrastructure” in Chapter 13, “PKI and Encryption Protocols,” for more information.
38
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` An attacker uses a method that is meant to obtain information from a specific person. What type of attack is this? A. Spear phishing B. DNS poisoning C. Pharming D. Fraggle ```
Answer: A. Spear phishing Explanation: Spear phishing is the attempt at fraudulently obtaining information from specific individuals—usually done through e-mail. DNS poisoning is a compromise of a DNS server’s name cache database. Pharming is an attack that redirects a website’s traffic to another illegitimate website. A Fraggle attack contains UDP traffic sent to port 7 and 19—it is a type of DoS attack. See the section titled “Social Engineering” in Chapter 15, “Policies, Procedures, and People,” for more information.
39
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Which of the following is a type of photo ID that is used by government officials to gain access to secure locations? A. Biometrics B. DAC C. RSA tokens D. CAC ```
Answer: D. CAC Explanation: CAC (Common Access Card) is a smart card used by the DoD to identify military personnel, government employees, and so on. Biometrics is the science of using a human’s physical characteristics for identification. DAC is the Discretionary Access Control method. RSA tokens allow for rolling one-time passwords. See the section titled “Physical Security” in Chapter 8, “Physical Security and Authentication Models,” for more information.
40
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. Which of following best describes a NIDS? A. Used to attract and trap potential attackers B. Filters out various types of Internet activities such as websites accessed C. Detects malicious network activities such as port scans and DoS attacks D. Redirects malicious traffic
Answer: C. Detects malicious network activities such as port scans and DoS attacks Explanation: NIDS, or network intrusion detection system, detects malicious network activities such as port scans and DoS attacks. A honeypot or honeynet is used to attract and trap potential attackers. An Internet filter filters out various types of Internet activities such as websites accessed. A NIPS, or network intrusion prevention system, removes, detains, or redirects malicious traffic. See the section titled “NIDS Versus NIPS” in Chapter 6, “Network Perimeter Security,” for more information.
41
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` A co-worker’s laptop has been compromised. What is the best way to mitigate data loss? A. Common Access Card B. Strong password C. Biometric authentication D. Full disk encryption ```
Answer: D. Full disk encryption Explanation: Full disk encryption is the best way (listed) to mitigate data loss in the case of a stolen or otherwise compromised laptop because it will be difficult to decrypt the data on the laptop. A Common Access Card is a smart card/photo ID used by the DoD. Strong passwords are a good idea on portable devices but can be cracked or circumvented more easily than decrypting a full disk encryption solution. Biometric authentication can also be cracked given enough time. See the section titled “Securing Computer Hardware and Peripherals” in Chapter 2, “Computer Systems Security,” for more information.
42
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Your organization wants you to set up a wireless router so that only certain wireless clients can access the wireless network. Which of the following is the best solution? A. Disable the SSID broadcast B. Enable 802.11n only C. Configure AP isolation D. Implement MAC filtering ```
Answer: D. Implement MAC filtering Explanation: MAC filtering enables you to specify which MAC addresses will be allowed to access the wireless AP—and by extension the rest of the wireless network. Disabling the SSID will stop all new wireless clients from connecting (unless they know the SSID and do it manually). 802.11n will allow connections by 802.11n clients only, but won’t allow you to pick and choose particular wireless clients that you want to connect. AP isolation separates and isolates each wireless client connected to it. See the section titled “Securing Wireless Networks” in Chapter 7, “Securing Network Media and Devices,” for more information.
43
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` A user is required to have a password that is 14 characters or more. What is this an example of? A. Password length B. Password recovery C. Password complexity D. Password expiration ```
Answer: A. Password length Explanation: If a user is required to have a password that is longer than a set amount of characters, this is known as password length requirements. Password recovery deals with self-service resets and password recovery programs. Password complexity refers to passwords that require capital letters, numbers, and special characters. Password expiration is associated with a policy that a system administrator sets that defines how long a password is valid before it needs to be changed. See the section titled “Rights, Permissions, and Policies” in Chapter 9, “Access Control Methods and Models,” for more information.
44
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Which of the following only encrypts the password portion of a packet between the client and server? A. TACACS B. RADIUS C. TACACS+ D. XTACACS ```
Answer: B. RADIUS Explanation: RADIUS only encrypts the password portion of an access-request packet that is transmitted between the client and the server. TACACS, XTACACS, and TACACS+ encrypt the entire body of the packet. See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.
45
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Which is the most secure option when transferring files from one host to another? A. FTP B. TFTP C. SFTP D. TELNET ```
Answer: C. SFTP Explanation: SFTP (Secure File Transfer Program) is a secure version of regular FTP that is based on SSH, which enables it to run over a secure channel. TFTP (Trivial FTP) is a simplistic, insecure, and somewhat deprecated protocol. TELNET is also insecure and deprecated. See the section titled “Ports and Protocols” in Chapter 5, “Network Design Elements and Network changed. See the section titled “Rights, Permissions, and Policies” in Chapter 9, “Access Control Methods and Models,” for more information.
46
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Your boss has instructed you to shred some confidential documents. Which threat does this mitigate? A. Dumpster diving B. Tailgating C. Shoulder surfing D. Baiting ```
Answer: A. Dumpster diving Explanation: Dumpster diving is a type of social engineering where a person sifts through an organization’s paper recycling and garbage in the hopes of finding sensitive or confidential information. By shredding documents, it makes it near impossible for a dumpster diver to recreate the confidential information. Tailgating is when an unauthorized person follows an authorized person into a secured area. See the section titled “Social Engineering” in Chapter 15, “Policies, Procedures, and People,” for more information.
47
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` To be proactive, you use your vehicle to take several wardriving routes each month though your company’s campus. Recently you have found a large number of unauthorized devices. Which of the following security breaches have you most likely encountered? A. Bluejacking B. Interference C. IV attack D. Rogue access points ```
Answer: D. Rogue access points Explanation: Chances are that there are rogue APs that need to be named properly and added to a network, or disabled altogether. Bluejacking is the sending of unsolicited messages to Bluetooth devices. Interference happens when devices share channels, are too close to each other, or multiple technologies share the same frequency spectrum. Interference could be happening in the above scenario, but it is difficult to say exactly without more information. In addition, interference isn’t necessarily an attack. IV attacks are attacks on wireless stream ciphers. See the section titled “Securing Wireless Networks” in Chapter 7, “Securing Network Media and Devices,” for more information.
48
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Which of the following methods will identify which services are running on a computer? A. Calculate risk B. Determine open ports C. Review baseline reporting D. Review firewall logs ```
Answer: B. Determine open ports Explanation: By using a port scanner (and some vulnerability scanners) you can identify which ports are open on a computer (or other device), which in turn will tell you the corresponding services that are running on that computer. For example, if you see that port 80 is open, then you know that the HTTP service is running, and most likely the computer is also acting as a web server. All other answers are incorrect as they do not have to do with identifying services running on a computer. See the section titled “Assessing Vulnerability with Security Tools” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.
49
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` A user can enter improper input into a new computer program and is able to crash the program. What has your organization’s programmer most likely failed to implement? A. Error handling B. CRC C. SDLC D. Data formatting ```
Answer: A. Error handling Explanation: Error handling is the practice of anticipating, detecting, and resolving programming errors. Programs should be thoroughly tested with various user input before being implemented in a real environment. A CRC (cyclic redundancy check) is a hash function that produces a checksum that can detect errors in data to be sent across a network. SDLC is the Systems Development Life Cycle, a process for creating computing systems. Data formatting deals with the type of data in question and the organization of that data. See the section titled “Secure Programming” in Chapter 4, “Application Security,” for more information.
50
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` What would be an example of a device used to shield a server room from data emanation? A. Faraday cage B. TEMPEST C. EMI D. Crosstalk ```
Answer: A. Faraday cage. Explanation: A Faraday cage is used to shield a server room from data emanation or signal emanation. Data emanation is the electromagnetic (EM) field generated by a network cable or network device. These cables and devices can be affected by external EMI (electromagnetic interference), and cables can be affected by crosstalk. TEMPEST refers to a group of standards that investigate emissions conducted from electrical and mechanical devices. See the section titled “Securing Wired Networks and Devices” in Chapter 7, “Securing Network Media and Devices,” for more information.
51
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` The security company you work for has been contracted to discern the security level of a software application. The company building the application has given you the login details, production documentation, a test environment, and the source code. Which of the following testing types has been offered to you? A. Black box B. Red teaming C. Gray box D. White box ```
Answer: D. White box Explanation: White box testing is when you are given as many details as possible about the application you are about to test. White box testing tests the internal workings of an application. Black box testing tests the functionality of an application without any real specific knowledge of the application. Gray box testing is when the owners of the application give you the internal knowledge of white box testing, but when you actually test the functionality of the application. A red team is a group of penetration testers that assess the security of an organization as opposed to an individual application. See the section titled “Secure Programming” in Chapter 4, “Application Security,” for more information.
52
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Which of the following gives the user a one-time password? A. PIV B. Tokens C. Single sign-on D. Biometrics ```
Answer: B. Tokens Explanation: Tokens can incorporate a one-time password (OTP), which is a password that is only valid for one session. For example, RSA SecurID time synchronization tokens will utilize an OTP. PIV stands for Personal Identity Verification. Single sign-on means that a user can use a single username/password to access multiple systems. Biometrics is the science of authenticating humans by way of their physical characteristics. See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.
53
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Kate is allowed to perform a self-service password reset. What is this an example of? A. Password expiration B. Password length C. Password recovery D. Password complexity ```
Answer: C. Password recovery Explanation: If a user performs a self-service password reset, this would fall into the category of password recovery. For example, if Kate couldn’t log in to a shopping portal website, she could ask the website to reset her password and e-mail the new one to her. Password expiration entails a minimum and maximum expiration date and specifies how long a user can make use of a password before the user is required to change it. Password length is a policy that requires a user to type a password at least x characters long. Anything shorter than the policy dictates and the computer will request a new password from the user. Password complexity deals with capital letters, numerical characters, and special characters. See the section titled “Rights, Permissions, and Policies” in Chapter 9, “Access Control Methods and Models,” for more information.
54
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Which of the following are PII that are used in conjunction with each other? (Select the two best answers.) A. Birthday B. Full name C. Favorite food D. Marital status E. Pet’s name ```
Answers: A and B. Explanation: PII stands for personally identifiable information. Out of the answers listed, the two used in conjunction the most often to identify a person are the person’s full name and the person’s birthday. The other answers are secondary information that won’t identify the person nearly as well. See the section titled “Legislative and Organizational Policies” in Chapter 15, “Policies, Procedures, and People,” for more information.
55
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Your organization has a PKI. Data loss is unacceptable. What method should you implement? A. CRL B. Web of trust C. CA D. Key escrow ```
Answer: D. Key escrow Explanation: Key escrow should be implemented if data loss is unacceptable. This is when keys are held in case another party needs access to secured communications. The CRL is the certificate revocation list. A web of trust is a decentralized model used for the management of keys. A CA (certificate authority) is a centralized model used for the management of keys. See the section titled “Public Key Infrastructure” in Chapter 13, “PKI and Encryption Protocols,” for more information.
56
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Jake is in the process of running a bulk data update. However, the process writes incorrect data throughout the database. What has been compromised? A. Integrity B. Confidentiality C. Availability D. Accountability ```
Answer: A. Integrity Explanation: If incorrect data has been written throughout the database, then the integrity of the data has been compromised. It is still secret or as confidential as it is supposed to be. It is still available, though the data will now have errors. Someone (or something) needs to be held accountable for this problem, but accountability isn’t necessarily something that can be compromised in the way that the other three concepts of the CIA triad can be. See the section titled “Security 101” in Chapter 1, “Introduction to Security,” for more information.
57
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Which of the following should you install to stop unwanted and unsolicited e-mails? A. Spyware definitions B. Pop-up blockers C. Spam filters D. Virus definitions ```
Answer: C. Spam filters Explanation: Spam filters will help to filter out spam (unwanted e-mail). They can be configured in most e-mail programs or can be implemented as part of an antimalware package. Spyware definitions are used to update a spyware application making web browsing sessions more safe. Pop-up blockers remove a percentage of the pop-up windows common with many websites. Virus definitions should be updated often to prevent a virus from executing on a computer. See the section titled “Securing other Applications” in Chapter 4, “Application Security,” for more information.
58
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Your organization has implemented cloud computing. Which of the following security controls do you no longer possess? A. Logical control of data B. Physical control of data C. Administrative control of data D. Executive control of data ```
Answer: B. Physical control of data Explanation: Cloud computing relies on an external service provider. Your organization would still be able to logically manipulate data services and have administrative control over them similar to if the data and services were administered locally. But physical control would be lost and the organization would rely solely on the cloud computing service for hardware, servers, network devices, and so on. In security there is no “executive control” per se as part of a standard security plan, and even if there was, your organization, by definition, would still maintain that control. See the section titled “Network Design” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
59
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` One of the users in your organization is attempting to access a secure website. However, the certificate is not recognized by his web browser. Which of the following is the most likely reason? A. Weak certificate cipher B. No key escrow was implemented C. Intermittent Internet connection D. Self-signed certificate ```
Answer: D. Self-signed certificate Explanation: A self-signed certificate is one that the website creator has created and signed. Since the certificate did not come from a known third-party security company the web browser does not recognize it in this scenario. A weak certificate cipher is usually recognized, but the web browser will display a warning of some sort or perhaps block initial attempts to access the web page. Key escrow is when keys are held for third-party organizations in case they need access to data. Intermittent Internet connections would either allow access to the web page or not, and are otherwise not associated with certificates. Although a secure page with a certificate might take longer to access in a web browser than a standard page, this has nothing to do with the Internet connection—rather it has to do with the speed of the secure connection to the website. See the section titled “Public Key Infrastructure” in Chapter 13, “PKI and Encryption Protocols,” for more information.
60
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Which of the following might be used to start a DDoS attack? A. Spyware B. Worm C. Botnet D. Rootkit ```
Answer: C. Botnet Explanation: A botnet is often used to start a coordinated DDoS (distributed denial-of-service) attack. One master computer synchronizes many compromised zombie computers, which form the botnet, launching an all-out attack at the same time. Spyware is software that tracks a user’s actions on the Internet. A worm is malicious code that can self-replicate. A rootkit is software that subverts the operating system so that a person can gain access at the level of an administrator. See the section titled “Malicious Attacks” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
61
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. Jennifer has been tasked with configuring multiple computers on the WLAN to use RDP on the same wireless router. Which of the following might be necessary to implement? A. Enable a DMZ for each wireless computer B. Forward each computer to a different RDP port C. Turn off port forwarding for each computer D. Turn on AP isolation on the wireless router
Answer: B. Forward each computer to a different RDP port Explanation: If there are multiple computers allowing incoming Remote Desktop Protocol (RDP) sessions on the WLAN, you might have to configure the wireless router to forward each computer to a different RDP port. For example, the standard RDP port is 3389 (Also known as Terminal Services). If that is open on the router, then clients on the Internet will be able to initiate RDP sessions to your network. But usually, the port on the router can only be forwarded to one computer. It might be necessary to set up additional port numbers and have each one map to a separate computer on the WLAN. Of course, the users on the Internet would need to know the special port number that corresponds to the computer they want to connect to. Often this will be used for remote access by the employee who would otherwise be working at the computer in the office. You would not normally create a DMZ for each computer, and this would make it difficult to configure so that the computers could communicate with each other. Turning off port forwarding would make the situation worse and would stop any remote connections from flowing through the router. AP isolation would also separate the wireless clients and would not have any effect on the goal at hand. See the section titled “Securing Wireless Networks” in Chapter 7, “Securing Network Media and Devices,” for more information.
62
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` You scan the network and find a counterfeit access point that is using the same SSID as an already existing access point. What is this an example of? A. Evil twin B. Wardriving C. AP isolation D. Rogue access point ```
Answer: A. Evil twin Explanation: The evil twin is another access point or base station that uses the same SSID as an existing access point. It attempts to fool users into connecting to the wrong AP, compromising their wireless session. Wardriving is the act of using a vehicle and laptop to find open unsecured wireless networks. AP isolation compartmentalizes the wireless network and separates each client. Rogue access points are ones that are not part of your wireless network infrastructure. See the section titled “Securing Wireless Networks” in Chapter 7, “Securing Network Media and Devices,” for more information.
63
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Which of the following provides a user with a rolling password for one-time use? A. PIV card B. CAC card C. Multifactor authentication D. RSA tokens ```
Answer: D. RSA tokens Explanation: RSA tokens (and other tokens for that matter) can provide a user with an OTP (one-time password). PIV cards are Personal Identity Verification cards, which are special ID cards used by the NIST. CAC cards are Common Access Cards used by the DoD. Neither of these cards uses OTPs. Multifactor authentication is when a user must provide two types of identification before they are authenticated to a building, computer, or network—for example, a username/password and a smart card used in conjunction. See the section titled “Physical Security” in Chapter 8, “Physical Security and Authentication Models,” for more information.
64
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. What is the purpose of a chain of custody as it is applied to forensic image retention? A. To provide documentation as to who handled the evidence B. To provide a baseline reference C. To provide proof the evidence hasn’t been tampered with D. To provide data integrity
Answer: A. To provide documentation as to who handled the evidence Explanation: A chain of custody is the chronological documentation of evidence. A procedure is involved when creating the chain of custody that logically defines how the documentation will be entered. Baseline references and baseline reporting deal with checking the security posture of a system, as in a security posture assessment. To prove that the image hasn’t been tampered with (to prove its integrity), a security professional will hash the image. See the section titled “Legislative and Organizational Policies” in Chapter 15, “Policies, Procedures, and People,” for more information.
65
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Robert has been asked to make sure that a server is highly available. He must ensure that hard drive failure will not affect the server. Which of the following methods allows for this? (Select the two best answers.) A. True clustering B. Software RAID 1 C. Load balancing D. Hardware RAID 5 E. Software RAID 0 ```
Answers: B. Software RAID1 and D. Hardware RAID5 Explanation: RAID 1 (mirroring) and RAID 5 (striping with parity) are both fault tolerant methods that will allow for high availability ensuring that hard drive failure will not affect the server. True clustering is when multiple computers’ resources are used together to create a faster more efficient system—it often uses load balancing to accomplish this. However, it does not necessarily allow for fault tolerance of data. RAID 0 (striping) is not fault tolerant because there is no parity information. See the section titled “Redundancy Planning” in Chapter 14, “Redundancy and Disaster Recovery,” for more information.
66
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Sherry must prevent users from accessing the network after 6PM. She must also prevent them from accessing the accounting department’s shares at all times. Which of the following should Sherry implement? (Select the two best answers.) A. Single sign-on B. Access control lists C. MAC D. Job rotation E. Time of day restrictions ```
Answers: B. Access control lists and E. Time of day restrictions Explanation: To prevent users from accessing the network after 6PM Sherry should implement time of day restrictions. If configured properly, the users will not be able to log in accept for the times she allows. To prevent the users from accessing the accounting department shares, she should set up access control lists. In most operating systems this is known as rights or permissions. Single sign-on is when a user can supply one set of credentials but be able to access multiple systems or networks. MAC is mandatory access control, in which the system defines the rights and permissions, not a user or administrator. Job rotation is when multiple users work together to complete a task. See the section titled “Rights, Permissions, and Policies” in Chapter 9, “Access Control Methods and Models,” for more information.
67
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` You analyze the network and see that a lot of data is being transferred on port 22. Which of the following protocols are most likely being used? A. SSL and SFTP B. SCP and TELNET C. FTP and TFTP D. SCP and SFTP ```
Answer: D. SCP and SFTP Explanation: SCP (Secure Copy) and SFTP (Secure FTP) both rely on SSH, which uses port 22. SSL uses port 443. Telnet uses port 23. FTP uses port 21, and TFTP uses port 69. See the section titled “Ports and Protocols” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
68
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` You want to stop malicious eavesdroppers from capturing network traffic. What should you implement? A. Hot and cold aisles B. Video surveillance C. EMI shielding D. HVAC shielding ```
Answer: C. EMI shielding Explanation: EMI shielding can be implemented as shielded network cable or as something that protects network devices or even entire server rooms. If a malicious user cannot access the data emanation from EMI then they cannot capture network traffic. Hot and cold aisles are used for heating and cooling in data centers and server rooms. Video surveillance is used to find out when a person entered or left a building or secure area. HVAC shielding is used to prevent interference with network cables and network devices. See the section titled “Environmental Controls” in Chapter 15, “Policies, Procedures, and People,” for more information.
69
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` What are the best reasons to use an HSM? (Select the two best answers.) A. To recover keys B. To store keys C. For a CRL D. To generate keys E. To transfer keys to the hard drive ```
Answers: B. To store keys and D. To generate keys Explanation: An HSM (hardware security module) is a device that manages digital keys for cryptography. It allows for onboard secure storage of data. It is used to generate and store keys. Key recovery and the transferring of keys is done by other methods. Although an HSM can be used in conjunction with PKI, it does not have the option of storing a CRL. See the section titled “Securing Computer Hardware and Peripherals” in Chapter 2, “Computer Systems Security,” for more information.
70
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` If you were to deploy your wireless devices inside a TEMPEST-certified building, what could you prevent? A. Bluesnarfing B. Weak encryption C. Bluejacking D. Wardriving ```
Answer: D. Wardriving Explanation: If a building is TEMPEST-certified, it can prevent wardriving, the act of accessing organizations’ wireless networks in a malicious manner. This would require various shielding, Faraday cages, shielded cabling, and so on. Bluesnarfing and bluejacking are attacks on devices equipped with Bluetooth. Weak encryption invites wardriving; for example, if an organization used WEP, the wireless access point would be much easier to hack. See the section titled “Securing Wireless Networks” in Chapter 7, “Securing Networked Media and Devices,” for more information.
71
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. Why is fiber-optic cable considered to be more secure than category 5 twisted-pair cable? (Select the two best answers.) A. It is made of glass instead of copper. B. It is hard to tap. C. It is not susceptible to interference. D. It is more difficult to install.
Answers: B and C. It is hard to tap, and it is not susceptible to interference. Explanation: Fiber-optic cable is difficult to tap into because it does not emanate signal the way a twisted-pair cable would. More advanced tools are necessary to tap a fiber-optic cable as compared to a twisted-pair cable. Fiber-optic cable is not susceptible to interference because it does not run on electricity and is not copper-based. Fiber-optic cable does indeed have a glass core, but because it does not use electricity and is not susceptible to interference, it is safer than twisted-pair cable. Fiber-optic cable generally is more difficult to install than twisted-pair cable, but that does not make it more secure. See the section titled “Securing Wired Networks and Devices” in Chapter 7, “Securing Network Media and Devices,” for more information.
72
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` What would a password be characterized as? A. Something a user has B. Something a user is C. Something a user does D. Something a user knows ```
Answer: D. Something a user knows Explanation: Passwords, pin numbers, and other types of passphrases and codes are characterized as something a user knows. Examples of something a user has include smart cards or other ID cards. Examples of something a user is include thumbprints, retina scans, and other biometric information. An example of something a user does could be a signature or voice-recognition. See the section titled “Physical Security” in Chapter 8, “Physical Security and Authentication Models,” for more information.
73
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` James wants to set up a VPN connection between his main office and a satellite office. Which protocol should he use? A. 802.1X B. IPSec C. RDP D. TELNET ```
Answer: B. IPSec Explanation: IPSec is used to secure VPN connections (such as L2TP tunnels). 802.1X specifies port-based network access control (NAC). RDP is the remote desktop protocol. TELNET is used to remotely connect to other computers and routers, but it is insecure and deprecated, and is not used in VPNs. See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.
74
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Your boss asks you to purchase additional insurance in an effort to reduce risk. What is this an example of? A. Risk transference B. Risk elimination C. Risk acceptance D. Risk avoidance ```
Answer: A. Risk transference Explanation: Risk transference is when risk is passed on to an external agency, for example, an insurance company. While in reality some insurance companies will have a clause that states the risk is still the responsibility of the organization in question, the definition is still the best one listed. There is no such thing as risk elimination; it is impossible to remove all risk. Risk acceptance is when a company is okay with a certain amount of risk and considers it the cost of doing business if a risk does manifest itself. An example of risk avoidance would be if a company decided to shut down a server that was being attacked by botnets sending DDoS attacks every day. See the section titled “Conducting Risk Assessments” in Chapter 10, “Vulnerability and Risk Assessments,” for more information.
75
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` What type of cloud service is webmail known as? A. Software as a Service B. Remote Desktop C. Platform as a Service D. Infrastructure as a Service ```
Answer: A. Software as a Service Explanation: Webmail can be classified as Software as a Service (SaaS). This is when an external provider (in the cloud) offers e-mail services that a user can access with a web browser. Examples include Gmail and Hotmail. Remote desktop or RDP allows a person to remotely control another computer. Platform as a Service (PaaS) is when a cloud-based service provider offers an entire application development platform that can be accessed via a web browser or other third-party application. Infrastructure as a Service (IaaS) is when a cloud-based service provider offers an entire network located on the Internet. See the section titled “Network Design” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
76
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Your boss asks you to implement multifactor authentication. Which of the following should you use? A. Username and password B. Common Access Card C. Pin number and smart card D. ACL entry and password ```
Answer: C. Pin number and smart card Explanation: The only answer listed that has two factors of authentication is pin number and smart card. Username and password is a single type of authentication. Common Access Card (CAC) is a type of photo ID/authentication card used by the DoD. An ACL entry is not a type of authentication but is a way of defining whether a person can be authorized to network resources. See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.
77
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Ann has been asked by her boss to periodically ensure that a domain controller/DNS server maintains the proper security configuration. Which of the following should she review? A. Firewall logs B. NIPS logs C. WINS configuration D. User rights ```
Answer: D. User rights Explanation: The best answer is user rights. A domain controller is in charge of user accounts and the permissions (rights) associated with those users. The domain controller might have a host-based firewall, but it is doubtful. Chances are that the firewall is network-based, or less commonly, is running on a separate server. The NIPS is the network intrusion prevention system, which is external from the server and usually resides on the perimeter of the network. The WINS configuration can be reviewed to verify the security of the WINS database and service but does not allow for review of the security configuration of the server as described, which is a domain controller/DNS server. Also, if the server is running the DNS server, it is doubtful that it is also running the WINS service. See the section titled “Rights, Permissions and Policies” in Chapter 9, “Access Control Methods and Models,” for more information.
78
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Which of the following asymmetric keys is used to encrypt data to be decrypted by an intended recipient only? A. Secret key B. Public key C. Private key D. Session key ```
Answer: B. Public key Explanation: In an asymmetric key system the public key is used to encrypt data while the intended recipient utilizes a private key to decrypt the data. Secret keys are another name for private keys. Session keys are also sometimes used synonymously with private keys and are used to encrypt all messages in a particular communications session. See the section titled “Cryptography Concepts” in Chapter 12, “Encryption and Hashing Concepts,” for more information.
79
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Your organization uses a type of cryptography that provides good security but uses smaller key sizes and utilizes logarithms that are calculated against a finite field. Which type of cryptography does your organization use? A. Quantum cryptography B. Diffie-Hellman C. RSA D. Elliptic curve ```
Answer: D. Elliptic curve Explanation: Elliptic curve cryptography (ECC) is based on the difficulty to solve certain math problems and is calculated against a finite field. It uses smaller key sizes than most other encryption methods. Quantum cryptography (as of 2011) is a newer type of encryption method based on quantum mechanics. The Diffie-Hellman method of key exchange relies on a secure key exchange based on each computer’s equation; however it can be adapted for use with ECC. RSA is an asymmetric algorithm that uses much larger size keys. See the section titled “Encryption Algorithms” in Chapter 12, “Encryption and Hashing Concepts,” for more information.
80
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` You and several others in the IT team are deciding on an access control model. The IT director wants to implement the strictest access control model available, ensuring that data is kept as secure as possible. Which of the following access control models should you and your IT team implement? A. Discretionary access control B. Mandatory access control C. Role-based access control D. Rule-based access control ```
Answer: B. Mandatory access control Explanation: Mandatory access control (MAC) is the strictest access control model listed in the answers. It is a well-defined model used primarily by the government. It uses security labels to define resources. In the discretionary access control (DAC) model, the owner decides what users are allowed to have access to objects; it is not as strict as MAC. Role-based access control (RBAC) is an access model that, like MAC, is controlled by the system but differs from MAC in how permissions are configured; it is not as strict as MAC. See the section titled “Access Control Models Defined” in Chapter 9, “Access Control Methods and Models,” for more information.
81
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` You have been hired by an organization to design the security for its banking software. You need to implement a system where tasks regarding the transfer of money require action by more than one user. Activities should be logged and audited often. What access control methods should you implement? A. Job rotation B. Separation of duties C. Implicit deny D. Least privilege ```
Answer: B. Separation of duties Explanation: Separation of duties is when more than one person is required to complete a task. If one person has too much control and completes too many portions of a task, it can become a security risk. Checks and balances are employed to make sure that the proper equilibrium of users is maintained. Job rotation is one of the checks and balances that might be employed to enforce the proper separation of duties. Job rotation might be incorporated to increase user insight as to overall operations or increase operation security in general. Implicit deny denies access to resources by default unless the user is specifically granted access to that resource. Least privilege is when a user or a program is given only the amount of privileges needed to do the job and not one bit more. See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.
82
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Which of the following security actions should be completed before a user is given access to the network? A. Identification and authentication B. Authentication and authorization C. Identification and authorization D. Authentication and biometrics ```
Answer: A. Identification and authentication. Explanation: Before users are given access to a network, they need to identify themselves in one or more ways and be authenticated via whatever system is in place. After they are given access to the network, they can later be authorized to individual resources. The authentication step cannot be skipped. See the section titled “Physical Security” in Chapter 8, “Physical Security and Authentication Models,” for more information.
83
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. Which of the following is the best reason to perform a penetration test? A. To identify all vulnerabilities and weaknesses within your network B. To passively test security controls C. To determine the impact of a threat against your network D. To find the security posture of the network
Answer: C. To determine the impact of a threat against your network Explanation: Penetration tests are usually designed to simulate a particular attack, allowing the administrator to determine the impact of that threat to the network. They are not designed to identify all vulnerabilities and weaknesses—to do that we would use a vulnerability scanner among other things. Penetration tests are not passive; they are active tests that should be done off hours and with much preparation beforehand. The security posture of the network is usually discerned by security assessments and baseline reporting. See the section titled “Conducting Risk Assessments” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.
84
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` You are tasked with implementing an access point to gain more wireless coverage area. What should you look at first? A. SSID B. Radio frequency C. Encryption type D. Power levels ```
Answer: D. Power levels Explanation: The power levels will dictate how far an access point can transmit its signal. For more coverage, increase the power levels, but be careful not to go beyond your organization’s work area, or other neighboring entities might try to compromise your network. The SSID is the name of the wireless network. The radio frequency used could possibly increase coverage (for example, if you change from 802.11b to 802.11n) but is not the first thing you should look at. The encryption type will not have an effect on the coverage area. See the section titled “Securing Wireless Networks” in Chapter 7, “Securing Network Media and Devices,” for more information.
85
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` What are two reasons to use a digital signature? (Select the two best answers.) A. Nonrepudiation B. Availability C. Confidentiality D. Integrity E. Encryption ```
Answers: A. Nonrepudiation and D. Integrity Explanation: A valid digital signature ensures to the recipient that the message was created by the sender, and thereby validating the integrity of the message. Also, a sender cannot claim that they didn’t send the message; this is an example of nonrepudiation. Digital signatures do not affect the confidentiality or availability of a message. However, encryption will increase the confidentiality of a message. See the section titled “Cryptography Concepts” in Chapter 12, “Encryption and Hashing Concepts,” for more information.
86
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Your web server’s private key has been compromised by a malicious intruder. What, as the security administrator, should you do? A. Issue a new CA B. Submit the public key to the CRL C. Submit the private key to the CRL D. Use key escrow ```
Answer: B. Submit the public key to the CRL Explanation: in a PKI, an asymmetric key pair is created. The private key is kept secret, but the public key is distributed as needed. It is this public key that should be submitted to the CRL so that no other entities utilize it. A new key pair will then be created at the CA, but a new CA is not necessary. That would only be necessary if the entire CA was compromised, which was not part of the scenario. The private key is not seen by other entities so only the public key should be submitted to the CRL. Key escrow is when copies of keys are kept in the case a third party needs access to data. See the section titled “Public Key Infrastructure” in Chapter 13, “PKI and Encryption Protocols,” for more information.
87
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` You need to access a network router. Which of the following authentication services should you use? A. TACACS+ B. SSH C. TELNET D. SNMP ```
Answer: A. TACACS+ Explanation: Network devices (specifically Cisco devices) can be administered by a person with TACACS+ authentication. SSH is used primarily to remotely configure Linux/Unix hosts. TELNET was used to administer network devices, but it is not the best answer because it is insecure and outdated. SNMP is used to monitor network devices and hosts. See the section titled “Authentication Models and Components” in Chapter 8, “Physical Security and Authentication Models,” for more information.
88
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` You have identified a security threat on a server, but you have decided not to exploit it. What method have you implemented? A. Penetration test B. Risk mitigation C. NIDS D. Vulnerability scan ```
Answer: D. Vulnerability scan Explanation: Vulnerability scans will identify threats but not exploit them the way a penetration test might. Nothing has been mitigated in this scenario, only identified. NIDS (network intrusion detection system) will detect malicious traffic on the network, but will not find security threats on a server. See the section titled “Conducting Risk Assessments” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.
89
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` RAID is most concerned with what? A. Availability B. Baselining C. Confidentiality D. Integrity ```
Answer: A. Availability Explanation: RAID is most concerned with availability—the uptime of hard drives and the accessibility of data regardless of faults. Baselining can be accomplished with various tools such as Performance Monitor. Confidentiality can be achieved with encryption. Integrity can be brought about by way of hashing. See the section titled “Redundancy Planning” in Chapter 14, “Redundancy and Disaster Recovery,” for more information.
90
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Which of the following makes use of three components: a managed device, an agent, and a network management system? A. SNMP B. Wireshark C. Performance Monitor D. Security log file ```
Answer: A. SNMP Explanation: SNMP, which is the Simple Network Management Protocol, aids in monitoring a network attached to devices and computers. It can be broken down into three components: managed devices, agents, and a network management system (NMS). Wireshark is a protocol analyzer; Performance Monitor is a Windows program that analyzes the performance of the resources on a computer, and a Security log file is a log file within the event viewer used to audit systems. See the section titled “Using Tools to Monitor Systems and Networks” in Chapter 11, “Monitoring and Auditing,” for more information.
91
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Which of the following is not a record of the tracked actions of users? A. Previous logon notification B. Audit trails C. Application log D. Security log ```
Answer: C. Application log Explanation: The application log is not a record of the tracked actions of users. The application log does show events that have occurred concerning built-in Windows applications or third-party applications. Previous logon notation, audit trails, and security logs are all records of the tracked actions of users. See the section titled “Conducting Audits” in Chapter 11, “Monitoring and Auditing,” for more information.
92
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` NOP sleds are an indication of what kind of attack? A. Buffer overflow B. SQL injection C. XSS D. Smurf attack ```
Answer: A. Buffer overflow Explanation: NOP slide is a technique used to exploit a buffer overflow. This is done by corrupting the stack with no-op machine instructions. Because of this, NOP sleds are sometimes referred to as NOOP sleds. SQL injections exploit databases. XSS (cross-site scripting) attacks exploit web servers and web pages. Smurf attacks are DoS attacks. See the section titled “Secure Programming” in Chapter 4, “Application Security,” for more information.
93
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Eliot just finished taking a forensic image of a server’s memory. What should he employ to ensure image integrity? A. Compress the image B. Run the image though SHA256 C. Run the image through AES128 D. Make a duplicate of the image ```
Answer: B. Run the image though SHA256 Explanation: SHA256 is one of four algorithms in the SHA-2 hash function family. Hashes are used to prove integrity of data and images. Compressing the image would only decrease the storage space needed for the image; it would not ensure integrity. Running the image through AES128 would encrypt it, ensuring confidentiality but not integrity. Making a duplicate would allow for availability but not integrity; in fact, integrity might be compromised if this is done, but that will depend on several factors. See the section titled “Hashing Basics” in Chapter 12, “Encryption and Hashing Concepts,” for more information.
94
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Which of the following describes hiding data within other files? A. Steganography B. PKI C. Encryption D. Digital signatures ```
Answer: A. Steganography Explanation: Steganography is the art and science of hiding messages within other messages or elsewhere. It is a form of security through obscurity. PKI is the public key infrastructure that deals with encryption—the modification of data so that it cannot be read. Digital signatures are used for integrity and nonrepudiation. See the section titled “Cryptography Concepts” in Chapter 12, “Encryption and Hashing Concepts,” for more information.
95
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` You surmise that a user’s session was interrupted by an attacker who inserted malicious code into the network traffic. What attack has occurred? A. DoS B. Spoofing C. Phishing D. Man-in-the-middle ```
Answer: D. Man-in-the-middle Explanation: Man-in-the-middle attacks (MITM) are when an attacker intercepts data between a client and a server and modifies the data in transit. DoS attacks are Denial of Service attacks meant to disrupt a server. Spoofing is when an attacker masquerades as another person. Phishing is when a person attempts to obtain information from a person via e-mail. See the section titled “Malicious Attacks” in Chapter 5, “Network Design Elements and Network Threats,” for more information.
96
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Which of the following can prevent tailgating? A. Video cameras B. Biometrics C. Mantraps D. Proximity cards ```
Answer: C. Mantraps Explanation: Tailgating is when an unauthorized user follows an authorized user into a secured area (usually without the person’s consent). The mantrap is meant to allow only one person to pass through a secure area at a time. Locking doors surround the area so that a tailgater cannot exit. Video cameras and video surveillance are used to report when a person entered or exited a building or other area. Biometrics are used to authenticate people according to their physical attributes. Proximity cards are used in electronic door systems. See the section titled “Social Engineering” in Chapter 15, “Policies, Procedures, and People,” for more information.
97
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` A proximity card is an example of what? A. Something a user has B. Something a user is C. Something a user knows D. Something a user does ```
Answer: A. Something a user has Explanation: Proximity cards are something that a person has; it is a tangible item that a person carries with them. In the world of authentication, an example of something the user is would be a thumbprint. An example of something a user knows is a password. An example of something a user does would be a written signature. See the section titled “Physical Security” in Chapter 8, “Physical Security and Authentication Models,” for more information.
98
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` What are recovery point objectives and recovery time objectives related to? A. Risk management B. Succession planning C. Business impact analysis D. Single points of failure ```
Answer: C. Business impact analysis Explanation: Business impact analysis is the examination of critical versus noncritical functions. These functions are assigned two different values: recovery point objectives (RPO), which is the acceptable latency of data, and recovery time objectives (RTO), which is the acceptable amount of time to restore a function. Risk management is identification, assessment, and prioritization of risks. Succession planning is a method for replacing servers and other equipment when they become outdated or if they fail permanently. A single point of failure is any hardware on a server or other device that will cause the device to shut down or otherwise stop serving users. See the section titled “Conducting Risk Assessments” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.
99
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. Which of the following descriptions is true concerning external security testing? A. External security testing is conducted from outside the building where an organization’s servers are hosted. B. External security testing is conducted from outside the perimeter switch but inside the border router. C. External security testing is conducted from outside the organization’s security perimeter. D. External security testing is conducted from outside the perimeter switch but inside the organization’s firewall.
Answer: C. External security testing is conducted from outside the organization’s security perimeter. Explanation: Proper external security testing should be conducted from outside the organization’s security perimeter, wherever that might be. It is generally outside devices such as switches, routers, firewalls, and so on. This may incorporate more than one building; a proper external security test in this case can test an entire campus area network. See the section titled “Conducting Risk Assessments” in Chapter 10, “Vulnerability and Risk Assessment,” for more information.
100
# The 100 multiple-choice questions provided here help you to determine how prepared you are for the actual exam and which topics you need to review further. ``` Which of the following is the most complicated centralized key management scheme? A. Asymmetric B. Symmetric C. Whole disk encryption D. Steganography ```
Answer: A. Asymmetric Explanation: Asymmetric systems such as PKI (public key infrastructure) have a complicated centralized key management scheme. A system such as PKI creates asymmetric key pairs including a public key and a private key. The private key is kept secret, whereas the public key can be distributed. Symmetric systems use two keys, but they are the same type of key, usually identical, thus the name symmetric. Whole disk encryption schemes such as BitLocker use trusted platform modules (TPMs) that store the symmetric encrypted keys; these keys are often based on the Advanced Encryption Standard (AES). Steganography is the science of hiding messages within files and doesn’t use keys. See the section titled “Cryptography Concepts” in Chapter 12, “Encryption and Hashing Concepts,” for more information.

CompTIA Security+ SY0-301 Authorized Cert Guide By David L. Prowse - Pearson - Exams (2 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions