Practice Tests Flashcards

1
Q

You’ve hired a third-party to gather information about your company’s servers and data. The third party will not have direct access to your internal network but can gather information from any other source. Which of the following would best describe this approach?

A. Backdoor Testing
B. Passive Reconnaissance
C. OS Fingerprinting
D. Grey box pen Testing

A

B. Passive Reconnaissance

2
Q

Which of these protocols use TLS to provide secure communication? (Select Two)

A. HTTPS
B. SSH
C. FTPS
D. SNMPv2
E. DNSSEC
F. SRTP

A

A. HTTPS
C. FTPS

HTTPS - Hypertext Transfer Protocol over TLS
FTPS - File Transfer Protocol over TLS

TLS (Transport Layer Security) is a cryptographic protocol used to encrypt network communication. TLS is a newer version of SSL.

3
Q

Which of these threat actors would be MOST likely to attack systems for direct financial gain?

A. Organized Crime
B. Hacktivist
C. Nation State
D. Competitor

A

A. Organized Crime

It's not Competitor because a competitor does not receive any DIRECT financial gain.

4
Q

A security incident has occurred on a file server. Which of the following data sources should be gathered to address file storage volatility? (Select TWO)

A. Partition data
B. Kernel statistics
C. ROM data
D. Temporary file systems
E. Process table

A

A. Partition data
D. Temporary file systems

Both temporary file system data and partition data are part of the file storage subsystem.

5
Q

An IPS at your company has found a sharp increase in traffic from all-in-one printers. After researching, your security team has found a vulnerability associated with these devices that allows the device to be remotely controlled by a third party. Which category would BEST describe these devices?

A. IoT
B. RTOS
C. MFD
D. SoC

A

C. MFD - Multifunction Device

6
Q

Which of the following would attempt to exploit a vulnerability associated with a specific application?

A. Vulnerability scan
B. Active reconnaissance
C. Penetration test
D. Port scan

A

C. Penetration Test

7
Q

Elizabeth, a security administrator, is concerned about
the potential for data exfiltration using external storage
drives. Which of the following would be the BEST way to
prevent this method of data exfiltration?

A. Create an operating system security policy to prevent the use of the removable media
B. Monitor removable media usage in host-based firewall logs
C. Only whitelist applications that do not use removable media
D. Define a removable media block rule in the UTM

A

A. Create an operating system security policy to prevent the use of the removable media.

Removable media uses hot-pluggable interfaces such as USB to connect storage devices. A security policy in the operating system can prevent any files from being written to a removable drive.

8
Q

Tayla is a help desk administrator for a major
transportation company. Her help desk has suddenly
been overwhelmed by phone calls from customers. The
customers are complaining that their browser is giving a
message that the company’s website is untrusted. Which
of the following would be the MOST likely reason for
this issue?

A. The web server is not running the latest version of software
B. The corporate firewall is misconfigured
C. A content filter is blocking web server traffic
D. The web server has a certificate issue

A

D. The web server has a certificate issue

Any web server issues relating to trust are generally associated with the status of the web server certificate. If a certificate has expired or the fully-qualified domain name on the certificate does not match the name of the web server, the end users will see errors in their browser.

9
Q

An insurance company has created a set of policies to
handle data breaches. The security team has been given
this set of requirements based on these policies:
• Access records from all devices must be
saved and archived
• Any data access outside of normal working hours
must be immediately reported
• Data access must only occur inside of the country
• Access logs and audit reports must be created from a
single database
Which of the following should be implemented by the
security team to meet these requirements?
(Select THREE)

A. Restrict login access by IP address and GPS location
B. Require government-issued identification during the onboarding process
C. Add additional password complexity for accounts that access data
D. Conduct monthly permissions auditing
E. Consolidate all logs on a SIEM
F. Archive the encryption keys of all disabled accounts
G. Enable time-of-day restrictions on the authentication server

A

A. Restrict login access by IP address and GPS location,
E. Consolidate all logs on a SIEM, and
G. Enable time-of-day restrictions on
the authentication server

Adding location-based policies will prevent direct data access from outside
of the country. Saving log information from all devices and creating audit
reports from a single database can be implemented through the use of a
SIEM (Security Information and Event Manager). Adding a check for the
time-of-day will report any access that occurs during non-working hours.

10
Q

Leslie is projecting timelines to complete various analysis reports. Which list presents the correct order in which each analysis should be performed?

A. Threat, risk
B. Risk, threat
C. Threat, vulnerability
D. Business impact, risk

A

A. Threat, risk

Because a risk assessment relies on organizing threats to maximize potential opportunity, it cannot be conducted before a threat assessment.

11
Q

Rodney, a security engineer, is viewing this record from the firewall logs:

UTC 04/05/2018 03:09:15809 AV Gateway Alert
136.127.92.171 80 -> 10.16.10.14 60818
Gateway Anti-Virus Alert:
XPACK.A_7854 (Trojan) blocked.

Which of the following can be observed from this log information?

A. The victim’s IP address is 136.127.92.171
B. A download was blocked from a web server
C. A botnet DDoS attack was blocked
D. The Trojan was blocked, but the file was not

A

B. A download was blocked from a web server

A traffic flow from a web server port number (80) to a device port (60818) indicates that this traffic flow originated on port 80 of the web server. A file download is one of the most common ways to deliver a Trojan, and this log entry shows that the file containing the XPACK.A_7854 Trojan was blocked.

12
Q

Richard, an engineer, has been posting pictures of a
not-yet-released company product on an online forum.
Richard believed the forum was limited to a small group,
but his pictures were actually posted on a publicly
accessible area of the site. Which of the following
company policies should be discussed with Richard?

A. Personal Email
B. Unauthorized software
C. Social media
D. Certificate issues

A

C. Social Media

13
Q

A group of universities sponsor a monthly speaking event
that is attended by faculty from many different schools.
Each month, a different university is selected to host
the event. The IT staff for the event would like to allow
access to the local wireless network using the faculty
member’s normal authentication credentials. These
credentials should properly authenticate, even when the
faculty member is not physically located at their home
campus. Which of the following authentication methods
would be the BEST choice for this requirement?

A. RADIUS federation
B. 802.1X
C. PEAP
D. EAP-FAST

A

A. RADIUS Federation

RADIUS (Remote Authentication Dial-In User Service) with federation would allow members of one organization to authenticate using the credentials of another organization.

802.1X is a useful authentication protocol, but it needs additional
functionality to authenticate across multiple user databases.

PEAP (Protected Extensible Authentication Protocol) provides a method of
authentication over a protected TLS (Transport Layer Security) tunnel, but
it doesn’t provide the federation needed for these requirements.

14
Q

A system administrator, Daniel, is working on a contract that will specify
a minimum required uptime for a set of Internet-facing firewalls. Daniel
needs to know how often the firewall hardware is expected to fail between
repairs. Which of the following would BEST describe this information?

A. MTBF
B. RTO
C. MTTR
D. MTTF

A

A. MTBF

The MTBF (Mean Time Between Failures) is a prediction of how often a repairable system will fail.

RTO (Recovery Time Objectives) define a set of objectives needed to restore a particular service level.

MTTR (Mean Time to Restore) is the amount of time it takes to repair a component.

MTTF (Mean Time to Failure) is the expected lifetime of a non-repairable product or system.

15
Q

An attacker calls into a company’s help desk and pretends to be the director of the company’s manufacturing department. The attacker states that they have forgotten their password and they need to have the password reset quickly for an important meeting. The help desk engineer requests the employee’s ID number and sends a password reset validation code to the user’s registered mobile device number. What kind of attack is the help desk engineer preventing by following these processes?

A. Social engineering
B. Tailgating
C. Vishing
D. Man-in-the-middle

A

A. Social Engineering

A social engineering attack takes advantage of authority and urgency principles in an effort to convince someone else to circumvent normal security controls.

Not Vishing: vishing attacks use the phone to obtain private information from others. In this question the attacker was not asking for confidential information.

16
Q

A security administrator has been using EAP-FAST wireless authentication since the migration from WEP to WPA2. The company’s network team now needs to support additional authentication protocols inside of an encrypted tunnel. Which of the following would meet the network team’s requirements?

A. EAP-TLS
B. PEAP
C. EAP-TTLS
D. EAP-MSCHAPv2

A

C. EAP-TTLS

EAP-TTLS (Extensible Authentication Protocol - Tunneled Transport Layer Security) allows the use of multiple authentication protocols transported inside of an encrypted TLS (Transport Layer Security) tunnel. This allows the use of any authentication method while maintaining confidentiality with TLS.

Not EAP-TLS: it does not provide a mechanism for using multiple authentication types within a TLS tunnel.

17
Q

Which of the following would be commonly provided by a CASB? (Select TWO)

A. List of all internal Windows devices that have not installed the latest security patches
B. List of applications in use
C. Centralized log storage facility
D. List of network outages for the previous month
E. Verification of encrypted data transfers
F. VPN connectivity for remote users

A

B. A list of applications in use
E. Verification of encrypted data transfers

A CASB (Cloud Access Security Broker) can be used to apply security policies to cloud-based implementations. Two common functions of a CASB are visibility into application use and data security policy use. Other common CASB functions are the verification of compliance with formal standards and the monitoring and identification of threats.

18
Q

The embedded OS in a company's time clock appliance is configured to reset the file system and reboot when a file system error occurs. On one of the time clocks, this file system error occurs during the startup process and causes the system to constantly reboot. This loop continues until the time clock is powered down. Which of the following BEST describes this issue?

A. DLL injection
B. Resource exhaustion
C. Race condition
D. Weak configuration

A

C. Race condition

A race condition occurs when two processes occur at similar times, usually with unexpected results. The file system problem is usually fixed before a reboot, but a reboot is occurring before the fix can be applied. This has created a race condition that results in constant reboots.

19
Q

A recent audit has found that existing password policies
do not include any restrictions on password attempts,
and users are not required to periodically change their
passwords. Which of the following would correct these
policy issues? (Select TWO)

A. Password complexity
B. Password expiration
C. Password history
D. Password lockout
E. Password recovery

A

B. Password expiration
D. Password lockout

Password expiration would require a new password after the expiration
date. Password lockout would disable an account after a predefined
number of unsuccessful login attempts.

20
Q

What kind of security control is associated
with a login banner?

A. Preventive
B. Deterrent
C. Corrective
D. Detective
E. Compensating
F. Physical

A

B. Deterrent

A deterrent control does not directly stop an attack, but it may discourage
an action.

21
Q

Your security team has been provided with an uncredentialed vulnerability
scan report created by a third-party. Which of the following would you
expect to see on this report?

A. A summary of all files with invalid group assignments
B. A list of all unpatched operating system files
C. The version of web server software in use
D. A list of local user accounts

A

C. The version of web server software in use

A scanner like Nmap can query services and determine version numbers
without any special rights or permissions, which makes it well suited for
non-credentialed scans.

22
Q

The security team of a small manufacturing company is investigating a
compromised server that resulted in a defaced internal website home
page. The web server had been running for a year, but no security patches
were ever applied. Logs from the web server show a large number of
attacks containing well-known exploits occurred just before the server was
defaced. Which of these would be the MOST likely source of this attack?

A. Hacktivist
B. Script kiddie
C. Insider
D. Nation state

A

B. Script kiddie

A script kiddie commonly runs pre-made scripts without any knowledge of
what the script is actually doing. The script kiddie is simply hoping that at
least one of the many exploit attempts will be successful.

23
Q

Which of these would be the MOST significant security concern for
an insider threat?

A. Passwords written on sticky notes
B. An unpatched file server
C. A VPN concentrator that uses an older encryption cipher
D. Limited bandwidth available on the Internet link

A

A. Passwords written on sticky notes

A password written down and left in an open area can be used by any
insider who happens to walk by.

24
Q

A security administrator would like to limit access from a user VLAN to
the server VLAN. All traffic to the server VLAN communicates through
the core router. Users should only be able to connect to servers using
standard protocols. Which of the following options would be the BEST
way to implement this security feature?

A. Configure a reverse proxy
B. Define an ACL on the core router
C. Replace the core router with a layer 3 firewall
D. Add a load balancer for each server cluster

A

B. Define an ACL on the core router

Configuring an ACL (Access Control List) is a feature already included with
the router. The ACL will allow the filtering of traffic by IP address and port
number.

25
Q

A file server has a full backup performed each Monday at 1 am. Incremental backups are performed at 1 am on Tuesday, Wednesday, Thursday, and Friday. The system administrator needs to perform a full recovery of the file server on Thursday afternoon. How many backup sets would be required to complete the recovery?

A. 2
B. 3
C. 4
D. 1

A

C. 4

Each incremental backup will archive all of the files that have changed since the last full or incremental backup. To complete this full restore, the administrator will need the full backup from Monday and the incremental backups from Tuesday, Wednesday, and Thursday.

26
Q

A company is creating a security policy that will protect all corporate mobile devices:
• All mobile devices must be automatically locked after a predefined time period.
• Some mobile devices will be used by the remote sales teams, so the location of each device needs to be traceable.
• The mobile devices should not be operable outside of the country.
• All of the user's information should be completely separated from company data.
Which of the following would be the BEST way to establish these security policy rules?

A. Containerization strategy
B. Biometrics
C. COPE
D. VDI
E. Geofencing
F. MDM

A

F. MDM

An MDM (Mobile Device Manager) provides a centralized management system for all mobile devices. From this central console, security administrators can set policies for many different types of mobile devices.

27
Q

Jack, a security engineer, runs a monthly vulnerability scan and creates a report with the results. The latest report doesn't list any vulnerabilities for Windows servers, but a significant vulnerability was announced last week and none of the servers are patched yet. The vulnerability scanner is running the latest set of signatures. Which of the following best describes this result?

A. Exploit
B. False positive
C. Zero-day attack
D. False negative

A

D. False negative

A false negative is a result that fails to detect an issue when one actually exists.

28
Q

A security administrator is reviewing a 30-day access report to determine if there are any unusual or unexpected authentications. After these reviews, the security administrator decides to add additional authentication controls to the existing infrastructure. Which of the following should be added by the security administrator? (Select TWO)

A. TOTP
B. Least privilege
C. Role-based awareness training
D. Separation of duties
E. Job rotation
F. Smart Card

A

A. TOTP (Time-based One-Time Password)
F. Smart Card

TOTP and smart cards are useful authentication controls when used in conjunction with other authentication factors.

29
Q

A network administrator would like to reconfigure the authentication process on the company's wireless network. Instead of using the same wireless password for all users, the administrator would like each user to authenticate with their personal username and password. Which of the following should the network administrator configure on the wireless access points?

A. WPA2-PSK
B. 802.1X
C. WPS
D. WPA2-AES

A

B. 802.1X

802.1X uses a centralized authentication server, and all users can use their normal credentials to authenticate to an 802.1X network.

30
Q

Which of the following technologies uses a challenge message during the authentication process?

A. TLS
B. TACACS+
C. Kerberos
D. CHAP

A

D. CHAP

CHAP (Challenge-Handshake Authentication Protocol) combines a server's challenge message with the client's password hashing during the authentication process.

31
Q

A user has saved a presentation file to a network drive, and the user has assigned individual rights and permissions to the file. Prior to the presentation date, the user adds three additional individuals to have read-only access to the file. Which of the following would describe this access control model?

A. DAC
B. MAC
C. ABAC
D. RBAC

A

A. DAC (Discretionary Access Control)

DAC (Discretionary Access Control) is used in many operating systems, and this model allows the owner of the resource to control who has access.

32
Q

The network administrator for an organization is building a security strategy that can continually monitor the network and systems for threats. This strategy focuses on protecting the automated creation of cloud-based services, the teardown process of cloud-based services, and the rollback of cloud-based services from one version to another. Which of the following BEST describes the environment that the network administrator will secure?

A. Redundant
B. Highly-available
C. Fault-tolerant
D. Non-persistent

A

D. Non-persistent

A non-persistent environment is always in motion, and application instances can be created, changed, or removed at any time.

33
Q

A department store offers gift certificates that can be used to purchase merchandise. The store policy requires that a floor manager approves each transaction when a gift certificate is used for payment. The security team has found that some of these transactions have been processed without the approval of a manager. Which of the following would provide a separation of duties to enforce this store policy?

A. Use a WAF to monitor all gift certificate transactions
B. Disable all gift certificate transactions for cashiers
C. Implement a discretionary access control policy
D. Require an approval PIN for the cashier and a separate approval PIN for the manager

A

D. Require an approval PIN for the cashier and a separate approval PIN for the manager

34
Q

Which of the following is true of a rainbow table? (Select TWO)

A. The rainbow table is built in real-time during the attack
B. Rainbow tables are the most effective online attack type
C. Rainbow tables require significant CPU cycles at attack time
D. Different tables are required for different hashing methods
E. A rainbow table won't be useful if the passwords are salted

A

D. Different tables are required for different hashing methods
E. A rainbow table won't be useful if the passwords are salted

A rainbow table is built prior to an attack to match a specific password hashing technique. If a different hashing technique is used, a completely different rainbow table must be built.

The use of a salt will modify the expected results of a hash. Since a salted hash will not be predictable, rainbow tables can't be built for these hashes.

35
Q

Before an application is moved into production, a company's development team runs a static code analyzer to identify any security vulnerabilities. In the latest scan, the analyzer has identified seven security issues. After reviewing the code, the development team finds that only five of the reported vulnerabilities are actual security problems. Which of the following would BEST describe the two incorrect vulnerability reports?

A. Normalization
B. Fuzzing
C. Obfuscation
D. False positive

A

D. False positive

A false positive is the report of an issue where no issue actually exists. In this example, two of the seven reported security issues were false positives.

36
Q

Which of these cloud deployment models would share resources between a private virtualized data center and externally available cloud services?

A. SaaS
B. Community
C. Hybrid
D. Containerization

A

C. Hybrid

A hybrid cloud model combines both private and public cloud infrastructures.

37
Q

A company hires a large number of seasonal employees, and those contracts commonly end after the beginning of the calendar year. All system access should be disabled when an employee leaves the company, and the security administrator would like to verify that their systems cannot be accessed by any of the former employee accounts. Which of the following would be the BEST way to provide this verification? (Select TWO)

A. Confirm that no unauthorized accounts have administrator access
B. Validate the account lockout policy
C. Audit and verify the operational status of all accounts
D. Create a report that shows all authentications for a 24-hour period
E. Validate the processes and procedures for all outgoing employees
F. Schedule a required password change for all accounts

A

C. Audit and verify the operational status of all accounts, and
E. Validate the processes and procedures for all outgoing employees

The disabling of an employee account is commonly part of the offboarding process. One way to validate an offboarding policy is to perform an audit of all accounts and compare active accounts with active employees.

38
Q

Sam has just replaced a broken wireless access point in a warehouse. With the new access point online, only a portion of the wireless devices are able to connect to the network. Other devices can see the access point, but they are not able to connect even when using the correct wireless settings. Which of the following security features did Sam MOST likely enable?

A. MAC filtering
B. SSID broadcast suppression
C. 802.1X authentication
D. Anti-spoofing
E. LWAPP management

A

A. MAC filtering

Filtering addresses by MAC (Media Access Control) address will limit which devices can connect to the wireless network. If a device is filtered by MAC address, it will be able to see an access point but it will not be able to connect.

39
Q

A security administrator has gathered this information:

Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp6 416 0 2601:4c3:4080:82.63976 yv-in-x5e.1e100..https CLOSE_WAIT
tcp6 0 0 2601:4c3:4080:82.63908 atl14s80-in-x0a..https ESTABLISHED
tcp6 0 0 fe80::4de1:1d4:8.36253 fe80::38b0:a2b1:.1025 ESTABLISHED
tcp6 0 0 fe80::4de1:1d4:8.1024 fe80::38b0:a2b1:.1024 ESTABLISHED

Which of the following is being used to create this information?

A. tracert
B. netstat
C. dig
D. nbtstat

A

B. netstat

The netstat command provides a list of network statistics, and the default view shows the traffic sessions between the local device and other devices on the network.

40
Q

An attacker has discovered a way to disable a server by sending a specially crafted packet to the operating system. When the packet is received, the system crashes and must be rebooted to restore normal operations. Which of the following would BEST describe this situation?

A. Privilege escalation
B. Spoofing
C. Replay
D. DoS

A

D. DoS

A DoS (Denial of Service) is an attack that overwhelms or disables a service to prevent the service from operating normally. A packet that disables a server would be an example of a DoS attack.

41
Q

A data breach has occurred in a large insurance company. A security administrator is building new servers and security systems to get all of the financial systems back online. Which part of the incident response process would BEST describe these actions?

A. Lessons learned
B. Isolation and containment
C. Reconstitution
D. Precursors

A

C. Reconstitution

The recovery after a breach can be a phased approach that may take months to complete.

42
Q

A service technician would like to protect some private information sent over email. This information should only be viewable by the recipient. Which of these cryptographic algorithms would be the BEST choice?

A. MD5
B. HMAC
C. SHA-2
D. RC4

A

D. RC4

RC4 (Rivest Cipher 4) is the only encryption cipher in the list. All of the other algorithms are used for hashing.

MD5 (Message Digest 5) is a hashing algorithm and does not provide a method of encrypting and decrypting information. HMAC (Hash-based Message Authentication Code) and SHA-2 (Secure Hash Algorithm 2) are likewise hashing algorithms, not encryption ciphers.

43
Q

Your CISO (Chief Information Security Officer) has contracted with a third party to identify security vulnerabilities associated with all Internet-facing systems. This organization has identified a significant vulnerability in the newly-released firewall used in your DMZ. When you contact the firewall company, you find there are no plans to create a patch for this specific vulnerability. Which of the following would BEST describe this issue?

A. Lack of vendor support
B. Improper input handling
C. Improper key management
D. End-of-life

A

A. Lack of vendor support

Security issues can be identified in a system or application at any time, so it's important to have a vendor that can support their software and correct issues as they are discovered. If a vendor won't provide security patches, then you may be susceptible to security vulnerabilities.

44
Q

A company has decided to perform a disaster recovery exercise during an annual meeting. This exercise will include the IT directors and senior directors. A simulated disaster will be presented, and the participants will discuss the logistics and processes required to resolve the disaster. Which of the following would BEST describe this exercise?

A. After-action report
B. Business impact analysis
C. Alternate business practice
D. Tabletop exercise

A

D. Tabletop exercise

A tabletop exercise allows a disaster recovery team to evaluate and plan disaster recovery processes without performing a full-scale drill.

45
Q

Which of the following would be the MOST secure hashing method?

A. RIPEMD
B. AES
C. SHA-2
D. MD5

A

C. SHA-2

Of the available options, SHA-2 (Secure Hash Algorithm 2) is the only hashing algorithm listed that does not currently have a collision attack vector.

Not AES (Advanced Encryption Standard), because it is an encryption standard and not a hashing algorithm.

46
Q

A system administrator uses an EV certificate for the corporate web server. Which of these would be the MOST likely reason for using this certificate type?

A. Adds additional encryption features over a non-EV certificate
B. Shows that additional checks have been made to validate the site owner
C. Allows the certificate to support many different domains
D. Shows that the owner of the certificate has control over a DNS domain

A

B. Shows that additional checks have been made to validate the site owner

An EV (Extended Validation) certificate is provided by a Certificate Authority after additional checks have been made to validate the certificate owner's identity. This may require additional documentation or validation requirements with the site owners.

47
Q

How can a company ensure that all data on a mobile device is unrecoverable if the device is lost or stolen?

A. Storage segmentation
B. Geofencing
C. Screen locks
D. Remote wipe

A

D. Remote wipe

Most organizations will use a mobile device manager (MDM) to manage mobile phones and tablets. Using the MDM, specific security policies can be created for each mobile device, including the ability to send a remote wipe command that will erase all data on a mobile device.

48
Q

A server team has just installed a new web service in the DMZ, and has added firewall rules to allow web browser access to the service from the Internet. After the server is active, the security team captures this network traffic between the Internet and the server:

Accept-Encoding: gzip, deflate\r\n
Accept-Language: en-US,en;q=0.8\r\n
Cookie: _fzvid=l=PM&rv=55f9b606bb547e235476e660; __VerificationToken=g4-iTGqsT5BA5zqYiR0FIRf29rtG8-M59Lq5Y
Cookie pair: _fzvid=l=9/16/2015 6:33:42 PM&rv=55f9b606bb547e235
Cookie pair: __VerificationToken=g4-iTGqsT69Qo87MjixNqTBDT-x8FA
Cookie pair: __fzg=g=5993ad10bb547e238cca3ff5&l
Cookie pair: _ga=GA1.2.924799034.1442428422
Cookie pair: _gid=GA1.2.110485488.1502030607
Cookie pair: __fz55facc21bb547f0ec82ad5a7=l

Which of these should the security team be MOST concerned about with this server implementation?

A. Unauthorized software
B. Data exfiltration
C. Unencrypted traffic
D. Access violations

A

C. Unencrypted traffic

Attackers can easily gather information sent across the network in the clear, and cookie information may contain valuable information that could be used in a replay attack.
49
Sam is a user in the accounting department, and she uses the corporate accounting software to perform her daily job duties. Sam’s organization uses a role-based access control model to assign permissions. Who is responsible for managing these roles and permissions? A. Data owners B. Administrators C. Users D. Application owners
B. Administrators With RBAC (Role-based Access Control), administrators define the access that a particular role will have. As users are added to a role, they will gain the rights and permissions that have been defined for members of that role.
50
Which of these best describes two-factor authentication? A. A printer that uses a password and a PIN B. The door to a building that requires a fingerprint scan C. An application that checks your GPS coordinates D. A Windows Domain that requires a username, password, and smart card
D. A Windows Domain that requires a username, password, and smart card The multiple factors of authentication used to log in to this Windows Domain are a password (something you know) and a smart card (something you have).
51
A company is deploying a new mobile application to all of its employees in the field. Some of the problems associated with this rollout include: * The company does not have a way to manage the mobile devices in the field * Company data on mobile devices in the field introduces additional risk * Team members have many different kinds of mobile devices Which of the following deployment models would address these concerns? A. Corporate-owned B. COPE C. VMI D. BYOD
C. VMI VMI (Virtual Mobile Infrastructure) would allow the field teams to access their applications from many different types of devices without requiring mobile device management or raising concerns about corporate data stored on the devices.
52
An organization is installing a UPS for their new data center. Which of the following would BEST describe this type of control? A. Compensating B. Preventive C. Administrative D. Detective
A. Compensating A compensating security control doesn't prevent an attack, but it does restore from an attack using other means. In this example, the UPS does not stop a power outage, but it does provide alternative power if an outage occurs. It is not Preventive because a preventive control physically limits access to a device or area.
53
Your security team has been tasked with completing a comprehensive study that will involve all devices in the corporate data center. Because of the sensitive nature of your business, all of the testing must be completed by internal team members. A requirement of the study is to identify any security weaknesses in the operating systems or applications running on data center hardware. There can be no downtime or data loss during the testing process. Which of the following would best describe this project? A. Threshold analysis B. Vulnerability scanning C. Fault tolerance D. Penetration testing
B. Vulnerability scanning A vulnerability scan will examine devices for potential security holes, but it will stop short of actively exploiting a vulnerability. This process will minimize the potential for any downtime or data loss.
54
Jack is a member of the incident response team at his company. Jack has been asked to respond to a potential security breach of the company's databases, and he needs to gather the most volatile data before powering down the database servers. In which order should Jack collect this information? A. CPU registers, temporary files, memory, remote monitoring data B. Memory, CPU registers, remote monitoring data, temporary C. Memory, CPU registers, temporary files, remote monitoring data D. CPU registers, memory, temporary files, remote monitoring data
D. CPU registers, memory, temporary files, remote monitoring data The most volatile data disappears quickly, so data such as the CPU registers and information in memory will be lost before temporary files and remote monitoring data are no longer available.
55
Samantha, a Linux administrator, is downloading an updated version of her Linux distribution. The download site shows a link to the ISO and a SHA256 hash value. Which of these would describe the use of this hash value? A. Verifies that the file was not corrupted during the file transfer B. Provides a key for decrypting the ISO after download C. Authenticates the site as an official ISO distribution site D. Confirms that the file does not contain any malware
A. Verifies that the file was not corrupted during the file transfer Once the file is downloaded, Samantha can calculate the file's SHA256 hash and confirm that it matches the value on the website.
56
The security policy at a company requires that login access should only be available if a person is physically within the same building as the server. Which of the following would be the BEST way to provide this requirement? A. TOTP B. Biometric scanner C. PIN D. SMS
B. Biometric scanner A biometric scanner would require a person to be physically present to verify authentication.
57
Your development team has installed a new application and database to a cloud service. After running a vulnerability scanner on the application instance, you find that the database is available for anyone to query without providing any authentication. Which of these vulnerabilities is MOST associated with this issue? A. Improper error handling B. Misconfiguration C. Race Condition D. Memory leak
B. Misconfiguration Just like your local systems, proper permissions and security controls are also required when information is added to a cloud-based system. If any of your systems leave an open door, your data may be accessible by anyone on the Internet.
58
One of the computers in the shipping department is showing signs of a malware infection. Which of the following would be the BEST next step to completely remove the malware? A. Run a virus scan B. Degauss the hard drive C. Format the system partition D. Reimage the computer
D. Reimage the computer Completely wiping the drive with a new image is an effective way to completely remove any malware from a computer.
59
Which of these would best describe the use of a nonce? A. Information encrypted with a public key is decrypted with a private key B. Prevents replay attacks during authentication C. Information is hidden inside of an image D. The sender of an email can be verified
B. Prevents replay attacks during authentication A nonce adds additional randomization to a cryptographic function. This means that an authentication hash sent across the network will be different for each authentication request.
60
Which of the following would be the BEST way to confirm the secure baseline of a deployed application instance? A. Compare the production application to the sandbox B. Perform an integrity measurement C. Compare the production application to the previous version D. Perform QA testing on the application instance
B. Perform an integrity measurement An integrity measurement is designed to check for the secure baseline of firewall settings, patch levels, operating system versions, and any other security components associated with the application. These secure baselines may vary between different application versions.
61
Which of the following would BEST describe a security feature based on administrative control diversity? A. Data center cameras B. Active Directory authentication C. Off-boarding process D. Laptop full disk encryption
C. Off-boarding process When a person leaves the organization, there needs to be a formal administrative policy on how to handle the hardware, software, and data associated with that person. These formal policies and procedures would be an important administrative control associated with defense-in-depth.
62
An analyst is examining the traffic logs to a server in the DMZ. The analyst has identified a number of sessions from a single IP address that appear to be received with a TTL equal to zero. One of the sessions has a destination of the Internet firewall, and a session immediately after has a destination of your DMZ server. Which of the following BEST describes this log information? A. Someone is performing a vulnerability scan against your firewall and DMZ server B. Your users are performing DNS lookups C. A remote user is grabbing banners of your firewall and DMZ server D. Someone is performing a traceroute to the DMZ server
D. Someone is performing a traceroute to the DMZ server A traceroute maps each hop by slowly incrementing a TTL (Time to Live) value during each request. When the TTL reaches zero, the receiving router drops the packet and sends an ICMP (Internet Control Message Protocol) TTL Exceeded message back to the original station.
63
Rodney is a security administrator for a large manufacturing company. His company has just acquired a transportation company, and Rodney has connected the two networks together with an IPsec VPN. Rodney needs to allow access to the manufacturing company network for anyone who authenticates to the transportation company network. Which of these authentication methods BEST meets Rodney’s requirements? A. One-way trust B. Mobile device location services C. Smartphone software tokens D. Two-factor authentication
A. One-way trust A one-way trust would allow the manufacturing company to trust the transportation company, but there would not be a trust in the other direction.
64
A company encourages users to encrypt all of their confidential materials on a central server. The organization would like to enable key escrow as a backup. Which of these keys should the organization place into escrow? A. Private B. CA C. Session D. Public
A. Private With asymmetric encryption, the private key is used to decrypt information that has been encrypted with the public key. To ensure continued access to the encrypted data, the company must have a copy of each private key.
65
Daniel, a security administrator, is designing an authentication process for a new remote site deployment. Daniel would like the users to provide their credentials when they authenticate in the morning, and he does not want any additional authentication requests to appear during the rest of the day. Which of the following should Daniel use to meet this requirement? A. TACACS+ B. LDAPS C. Kerberos D. 802.1X
C. Kerberos Kerberos uses a ticket-based system to provide SSO (Single Sign-On) functionality. You only need to authenticate once with Kerberos to gain access to multiple resources. TACACS+ (Terminal Access Controller Access-Control System) is a common authentication method, but it does not provide any single sign-on functionality.
66
A manufacturing company would like to use an existing router to separate a corporate network and the manufacturing floor. The corporate network and manufacturing floor currently operate on the same subnet and the same physical switch. The company does not want to install any additional hardware. Which of the following would be the BEST choice for this segmentation? A. Connect the corporate network and the manufacturing floor with a VPN B. Build an air gapped manufacturing floor network C. Use personal firewalls on each device D. Create separate VLANs for the corporate network and the manufacturing floor
D. Create separate VLANs for the corporate network and the manufacturing floor Creating VLANs (Virtual Local Area Networks) will segment a network without requiring additional switches.
67
Hank, a security administrator, has received an email from an employee regarding their VPN connection from home. When this user connects to the corporate VPN, they are no longer able to print to their network printer at home. Once the user disconnects from the VPN, the printer works normally. Which of the following would be the MOST likely reason for this issue? A. The VPN uses IPSec instead of SSL B. Printer traffic is filtered by the VPN client C. The VPN is stateful D. The VPN tunnel is configured for full tunnel
D. The VPN tunnel is configured for full tunnel A split tunnel is a VPN configuration that only sends a portion of the traffic through the encrypted tunnel. A split tunnel would allow work-related traffic to securely traverse the VPN, and all other traffic would use the non-tunneled option. In this example, the printer traffic is being redirected through the VPN instead of the local home network because of the non-split/full tunnel.
68
A data center manager has built a Faraday cage in the data center. A set of application servers has been placed into racks inside the Faraday cage. Which of the following would be the MOST likely reason for the data center manager to install this configuration of equipment? A. Protect the servers against any unwanted electromagnetic fields B. Prevent physical access to the servers without the proper credentials C. Provide additional cooling to all devices in the cage D. Adds additional fire protection for the application servers
A. Protect the servers against any unwanted electromagnetic fields A Faraday cage is a mesh of conductive material that will cancel electromagnetic fields.
69
A security administrator is evaluating a monthly vulnerability report associated with web servers in the data center. The report shows the return of a vulnerability that was previously patched four months ago. The report shows that the vulnerability has been active on the web servers for three weeks. After researching this issue, the security team has found that a recent patch has reintroduced this vulnerability on the servers. Which of the following should the security administrator implement to prevent this issue from occurring in the future? A. Templates B. Elasticity C. Master image D. Continuous monitoring
D. Continuous monitoring It’s common for organizations to continually monitor services for any changes or issues. A nightly vulnerability scan across important servers would identify issues like this one.
70
A critical security patch has been rolled out on short notice to a large number of servers in a data center. IT management is requiring verification that this patch has been properly installed on all applicable servers. Which of the following would be the BEST way to verify the installation of this patch? A. Use a vulnerability scanner B. Examine IPS logs C. Use a data sanitization tool D. Monitor real-time traffic with a protocol analyzer
A. Use a vulnerability scanner A vulnerability scanner can check the status of a vulnerability on a device and create a report of which devices may be susceptible to a particular vulnerability.
71
Which cryptographic method is used to add trust to a digital certificate? A. X.509 B. Hash C. Symmetric encryption D. Digital signature
D. Digital signature A certificate authority will digitally sign a certificate. The standard X.509 format makes it easy for everyone to view the contents of a certificate, and if you trust the certificate authority that signed it, you can then trust the certificate.
72
Which of these would be commonly used during the authentication phase of the AAA framework? A. Username B. Login time C. Password D. Access to the /home directory
C. Password The authentication portion of the AAA framework is used to prove that you are who you say you are. This would include passwords and other authentication factors.
73
An organization maintains a large database of customer information for sales tracking and customer support. Which person in the organization would be responsible for managing the access rights to this data? A. Data steward B. Data owner C. Privacy officer D. Data custodian
D. Data custodian The data custodian manages access rights and sets security controls to the data.
74
An organization’s content management system (CMS) currently labels files and documents as “Unclassified” and “Restricted.” In a recent update to the CMS, a new classification type of “PII” was added. Which of the following would be the MOST likely reason for this addition? A. Healthcare system integration B. Simplified categorization C. Expanded privacy compliance D. Decreased search time
C. Expanded privacy compliance The labeling of PII (Personally Identifiable Information) is often associated with privacy and compliance concerns.
75
A corporate security team has performed a data center audit and found that most web servers store their certificates on the server itself. The security team would like to consolidate and protect the certificates across all of their web servers. Which of these would be the BEST way to securely store these certificates? A. Use an HSM B. Implement full disk encryption on the web servers C. Use a TPM D. Upgrade the web servers to use a UEFI BIOS
A. Use an HSM An HSM (Hardware Security Module) is a high-end cryptographic hardware appliance that can securely store keys and certificates for all devices. It's not TPM because a TPM is used on an individual device to provide cryptographic functions and securely store encryption keys; individual TPMs would not provide any consolidation of web server certificates.
76
Jennifer is reviewing this security log from her IPS: ALERT 2018-06-01 13:07:29 [163bcf65118-179b547b] Cross-Site Scripting in JSON Data 222.43.112.74:3332 -> 64.235.145.35:80 URL/index.html - Method POST - Query String "-" User Agent: curl/7.21.3 (i386-redhat-linux-gnu) libcurl/7.21.3 NSS/3.13.1.0 zlib/1.2.5 libidn/1.19 libssh2/1.2.7 Detail: token="" key="key7" value="