SEC - Six - U Flashcards

(45 cards)

1
Q

Question 1:

During what stage of the account management lifecycle should a user receive his or her first exposure to security awareness training?

Privilege assignment

Deprovisioning

Onboarding

Renewal

A

Privilege assignment

Deprovisioning

Correct answer

Onboarding

Your answer is incorrect

Renewal

Overall explanation

Security awareness training should begin at the earliest possible stage of the account management lifecycle, which is during onboarding. This ensures that new users understand the organization’s security policies and practices from the start. Deprovisioning, renewal, and privilege assignment occur later in the lifecycle and are not the first opportunities for introducing security awareness training.

This question comes from Security+ exam objective 5.1 Summarize elements of effective security governance.

For more information, see Sybex Security+ Study Guide Chapter 16.

Domain

5.0 Security Program Management and Oversight

2
Q

Question 2:

Which one of the following attacks exploits a race condition in a software implementation?

TOC/TOU

Buffer overflow

Integer overflow

SQL injection

A

Correct answer

TOC/TOU

Buffer overflow

Integer overflow

Your answer is incorrect

SQL injection

Overall explanation

A time-of-check/time-of-use (TOC/TOU) attack exploits a race condition by taking advantage of the time lag between when a system checks access permissions and when it uses those permissions. This delay allows an attacker to alter conditions or data between the check and the use, thereby gaining unauthorized access or causing unintended actions.

An integer overflow attack involves manipulating a program to exceed its numerical limits, causing unexpected behavior or errors, but it does not involve timing issues.

A buffer overflow attack occurs when more data is written to a buffer than it can hold, which can overwrite adjacent memory and potentially lead to arbitrary code execution or crashes, but it does not exploit race conditions.

SQL injection is an attack that inserts or manipulates SQL queries to interfere with the execution of database operations, typically used to gain unauthorized access or manipulate data, and it does not rely on timing or race conditions.

This question comes from Security+ exam objective 2.3 Explain various types of vulnerabilities.

For more information, see Sybex Security+ Study Guide Chapter 6.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

3
Q

Question 3:

Ryan is reviewing logs for his wireless network controller and discovers that a single system attempted to connect to the wireless network once every minute with incorrect credentials until finally logging in successfully after several hours. In reviewing the logs, Ryan noticed that the system had been used by the same user on the network several days ago. What is the most likely explanation of these log entries?

The user’s device was stolen.

The user changed his or her password.

The user’s password was compromised via a brute force attack.

The user fell victim to a social engineering attack.

A

The user’s device was stolen.

Correct answer

The user changed his or her password.

Your answer is incorrect

The user’s password was compromised via a brute force attack.

The user fell victim to a social engineering attack.

Overall explanation

While any of these explanations is plausible, this pattern of activity is indicative of a password change. After the user changed their password, the device continued attempting to connect with the old, incorrect credentials. The repeated failed attempts reflect the device’s automated retries, which persisted until the user updated the password on the device, allowing it to connect successfully again.

A brute force attack would likely show a much higher frequency of attempts and would not necessarily come from a device previously recognized on the network.

A social engineering attack could lead to compromised credentials, but it would not typically result in the observed pattern of repeated, automated connection attempts with the old password.

If the user’s device was stolen, it would not explain the previous legitimate use of the same system on the network several days ago and the pattern of automated retries seen in the logs.

This question comes from Security+ exam objective 4.9 Given a scenario, use data sources to support an investigation.

For more information, see Sybex Security+ Study Guide Chapter 14.

Domain

4.0 Security Operations

4
Q

Question 4:

Tom is investigating a report from his organization’s intrusion detection system. After an exhaustive investigation, he determines that the activity detected by the system was actually not an attack. What type of report took place?

False positive

True negative

False negative

True positive

A

Correct answer

False positive

True negative

False negative

Your answer is incorrect

True positive

Overall explanation

In a true positive report, the system reports an attack when an attack actually exists. A false positive report occurs when the system reports an attack that did not take place. A true negative report occurs when the system reports no attack and no attack took place. A false negative report occurs when the system does not report an attack that did take place.

This question comes from Security+ exam objective 4.3 Explain various activities associated with vulnerability management.

For more information, see Sybex Security+ Study Guide Chapter 5.

Domain

4.0 Security Operations

5
Q

Question 5:

Darlene is concerned about the level of security at a cloud service provider that her organization is considering using and would like to review the results of an independent audit that verifies that the cloud provider has appropriate controls in place and that they are operating efficiently and effectively. What type of audit report would provide this assurance?

SOC 2 Type 2

SOC 2 Type 1

SOC 1 Type 1

SOC 1 Type 2

A

Correct answer

SOC 2 Type 2

SOC 2 Type 1

Your answer is incorrect

SOC 1 Type 1

SOC 1 Type 2

Overall explanation

System and Organization Control (SOC) reports provide the results of an independent audit of a service provider. SOC 1 reports are done to verify controls that could impact a client’s financial reporting. SOC 2 reports are done to verify controls that could impact security and privacy of data. Type 1 reports simply verify that controls are in place. Type 2 reports verify that the controls are operating efficiently and effectively. Therefore, Darlene should choose a SOC 2 Type 2 report.

This question comes from Security+ exam objective 5.4 Summarize elements of effective security compliance.

For more information, see Sybex Security+ Study Guide Chapter 5.

Domain

5.0 Security Program Management and Oversight

6
Q

Question 6:

Harold is designing an access control system that will require the concurrence of two system administrators to gain emergency access to a root password. What security principle is he most directly enforcing?

Least privilege

Two-person control

Security through obscurity

Separation of duties

A

Least privilege

Correct answer

Two-person control

Security through obscurity

Your answer is incorrect

Separation of duties

Overall explanation

Systems that require two individuals to concur before performing a single action follow the principle of two-person control. This principle ensures that no single person has complete control, reducing the risk of misuse or unauthorized access.

Least privilege involves granting users the minimum level of access necessary to perform their duties, but it is not directly related to requiring two people for a single action.

Separation of duties is about dividing tasks and responsibilities among multiple people to prevent fraud or error, but it does not specifically require two-person control for a single action.

Security through obscurity relies on secrecy for security, which is not relevant to requiring the concurrence of two administrators.

This question comes from Security+ exam objective 4.6 Given a scenario, implement and maintain identity and access management.

For more information, see Sybex Security+ Study Guide Chapter 8.

Domain

4.0 Security Operations

7
Q

Question 7:

Which one of the following categories of account should normally exist on a secured server?

Guest account

Shared account

Service account

Generic account

A

Guest account

Shared account

Correct answer

Service account

Your answer is incorrect

Generic account

Overall explanation

Generic, shared, and guest accounts should not be used on secure servers due to their lack of accountability to an individual user. Service accounts normally exist on all servers and are required for routine operation of services.

This question comes from Security+ exam objective 4.6 Given a scenario, implement and maintain identity and access management.

For more information, see Sybex Security+ Study Guide Chapter 8.

Domain

4.0 Security Operations

8
Q

Question 8:

Don would like to ensure that traveling users are provided with encryption services for all of their network connections while on the road. Which one of the following cryptographic technologies would best meet this need?

SSH

Web browser supporting HTTPS

Encrypted web proxy

VPN

A

SSH

Web browser supporting HTTPS

Encrypted web proxy

Your answer is correct

VPN

Overall explanation

All of these techniques will provide some degree of cryptographic security. However, the best approach is to use a VPN that will tunnel all communications to the main office over a secure encrypted tunnel. A proxy using HTTPS will only support the specific applications that are proxied. The HTTPS web browser will only encrypt web communications. SSH will only provide encrypted terminal sessions between systems.

This question comes from Security+ exam objective 3.2 Given a scenario, apply security principles to secure enterprise infrastructure.

For more information, see Sybex Security+ Study Guide Chapter 12.

Domain

3.0 Security Architecture

9
Q

Question 9:

Brian is the physical security official for a data center hosting organization. While entering the building this morning, he noticed that one employee used his badge to enter the building and then held the door open for two other employees. Which one of the following situations occurred?

Impersonation

Shoulder surfing

Dumpster diving

Piggybacking

A

Impersonation

Shoulder surfing

Dumpster diving

Your answer is correct

Piggybacking

Overall explanation

This is a classic example of a piggybacking attack where one person enters a physical facility and then holds the door open for others to enter without requiring that they also use the access control system. In a dumpster diving attack, individuals rummage through the trash searching for sensitive information. In a shoulder surfing attack, the perpetrator looks over the shoulder of an individual while they use a computer. There is no sign that the individuals entering the building without authenticating were making false claims of identity, so there is no evidence of an impersonation attack.

This question comes from Security+ exam objective 2.2 Explain common threat vectors and attack surfaces.

For more information, see Sybex Security+ Study Guide Chapter 9.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

10
Q

Question 10:

Lila is concerned about the security of a database table that contains Social Security Numbers. The organization needs to maintain this information for tax reporting purposes, but Lila wants to make sure that database administrators are not able to access this very sensitive field. Which one of the following security controls would best meet Lila’s need?

Database activity monitoring

Column-level encryption

Column-level hashing

Database access controls

A

Database activity monitoring

Correct answer

Column-level encryption

Your answer is incorrect

Column-level hashing

Database access controls

Overall explanation

Lila should encrypt the Social Security Number column using an encryption key that is not known to the database administrators. Hashing is not a good solution because it would not be possible to reverse the hash and retrieve the SSN for tax reporting purposes. Database access controls would not be effective against a database administrator, who likely has the privileges necessary to bypass those controls. Database activity monitoring might detect unauthorized access but cannot prevent it.

This question comes from Security+ exam objective 1.4 Explain the importance of using appropriate cryptographic solutions.

For more information, see Sybex Security+ Study Guide Chapter 7.

Domain

1.0 General Security Concepts

11
Q

Question 11:

Rory is reviewing an iPhone used by a former employee and finds that the device contains apps that were not purchased through the app store. These apps allow the modification of security controls on the device. What most likely occurred on this device?

Jailbreaking

Geofencing

Tethering

Carrier unlocking

A

Correct answer

Jailbreaking

Geofencing

Tethering

Your answer is incorrect

Carrier unlocking

Overall explanation

The presence of apps not purchased through the Apple App Store and allowing modification of security controls indicates that the device was likely jailbroken. Jailbreaking removes the restrictions imposed by Apple, enabling users to install unauthorized apps and modify the operating system.

Carrier unlocking involves removing restrictions set by a carrier to allow the phone to be used on different networks but does not affect app installation or security controls.

Geofencing restricts device functionality based on geographic location, which is unrelated to the installation of unauthorized apps.

Tethering allows a device to share its Internet connection with other devices and does not relate to installing unapproved apps or modifying security controls.

This question comes from Security+ exam objective 2.3 Explain various types of vulnerabilities.

For more information, see Sybex Security+ Study Guide Chapter 13.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

12
Q

Question 12:

Haley recently started a new job and was issued a multifactor authentication token during her account provisioning. The token has a button that she pushes when she wishes to obtain a new authentication code. What algorithm does this token use?

TOTP

TLS

IPSec

HOTP

A

TOTP

TLS

IPSec

Your answer is correct

HOTP

Overall explanation

Tokens that generate passcodes based upon a counter that increments when the user pushes a button are using the HMAC-based one-time password (HOTP) algorithm. Those that increment automatically based upon the current time are using the time-based one-time password (TOTP) algorithm.

IPSec is a suite of protocols used for securing Internet protocol (IP) communications through authentication and encryption, not for generating authentication codes.

TLS (Transport Layer Security) is a protocol for securing communications over a computer network, not for generating authentication codes.

TOTP generates passcodes based on the current time, not based on a button press and counter increment.

This question comes from Security+ exam objective 4.6 Given a scenario, implement and maintain identity and access management.

For more information, see Sybex Security+ Study Guide Chapter 8.

Domain

4.0 Security Operations

13
Q

Question 13:

Taylor is building a server where data will be infrequently written but frequently read. He would like to use a redundant storage solution that maximizes read performance. Which one of the following approaches would best meet his needs?

RAID 1

RAID 0

RAID 5

RAID 3

A

Correct answer

RAID 1

RAID 0

RAID 5

Your answer is incorrect

RAID 3

Overall explanation

RAID 1, also known as disk mirroring, writes identical data to two disks. This approach allows read operations to recover all data by accessing a single disk and is quite efficient for that use. RAID 3 and RAID 5 stripe data across multiple disks and incur overhead in reassembling information that reduces read performance. RAID 0 does not provide redundancy, as it simply stripes data across multiple disks without parity information.

This question comes from Security+ exam objective 3.1 Compare and contrast security implications of different architecture models.

For more information, see Sybex Security+ Study Guide Chapter 9.

Domain

3.0 Security Architecture

14
Q

Question 14:

Val is conducting a black box penetration test against a website and would like to try to gain access to a user account. If she has not yet gained access to any systems on the target network, which one of the following attacks would be most effective?

Offline brute force

Offline dictionary

Online brute force

Rainbow table

A

Offline brute force

Offline dictionary

Correct answer

Online brute force

Your answer is incorrect

Rainbow table

Overall explanation

While it is not an incredibly productive attack, an online brute force attack is Val’s only option of the choices provided. Val does not have access to a password file, which would be a requirement for an offline attack, such as an offline dictionary attack, a rainbow table attack, or an offline brute force attack.

This question comes from Security+ exam objective 2.4 Given a scenario, analyze indicators of malicious activity.

For more information, see Sybex Security+ Study Guide Chapter 4.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

15
Q

Question 15:

Pete is investigating a domain hijacking attack against his company that successfully redirected web traffic to a third party website. Which one of the following techniques is the most effective way to carry out a domain hijacking attack?

DNS poisoning

ARP poisoning

Network eavesdropping

Social engineering

A

DNS poisoning

ARP poisoning

Network eavesdropping

Your answer is correct

Social engineering

Overall explanation

The most effective way to carry out a domain hijacking attack is through social engineering. This technique often involves tricking individuals into providing access credentials or other sensitive information that can then be used to change domain registration details, thus redirecting web traffic to a third-party site.

ARP poisoning is a method for intercepting network traffic within a local network but does not directly impact domain registrations.

Network eavesdropping involves intercepting communications, which can lead to information theft but not directly to domain hijacking.

DNS poisoning involves corrupting DNS records to redirect traffic, which can cause similar effects but is distinct from gaining control over the domain registration itself.

This question comes from Security+ exam objective 2.4 Given a scenario, analyze indicators of malicious activity.

For more information, see Sybex Security+ Study Guide Chapter 12.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

16
Q

Question 16:

Dennis is reviewing the logs from a content filter and notices that a user has been visiting pornographic websites during business hours. What action should Dennis take next?

Take no action.

Report the issue to management.

Block access to the websites.

Discuss the issue with the user.

A

Take no action.

Correct answer

Report the issue to management.

Block access to the websites.

Your answer is incorrect

Discuss the issue with the user.

Overall explanation

Dennis should consult with his manager to determine appropriate next steps. He should not confront the user directly. While his manager may direct him to block the websites, this is a management decision that Dennis should not take himself.

This question comes from Security+ exam objective 4.9 Given a scenario, use data sources to support an investigation.

For more information, see Sybex Security+ Study Guide Chapter 14.

Domain

4.0 Security Operations

17
Q

Question 17:

Which one of the following awareness exercises is most likely to cause anger among end users?

Reminder emails

Online training

Posters

Phishing simulation

A

Reminder emails

Online training

Posters

Your answer is correct

Phishing simulation

Overall explanation

It is possible that users will find any cybersecurity awareness efforts annoying. However, phishing simulations have a higher level of risk of angering users because they are deceptive in nature. Organizations should only conduct phishing simulations with the full support of management.

Online training, posters, and reminder emails are more straightforward awareness methods and are less likely to cause significant anger among end users compared to the deceptive approach of phishing simulations.

This question comes from Security+ exam objective 5.6 Given a scenario, implement security awareness practices.

For more information, see Sybex Security+ Study Guide Chapter 16.

Domain

5.0 Security Program Management and Oversight

18
Q

Question 18:

Kevin runs a vulnerability scan on a system on his network and identifies a SQL injection vulnerability. Which one of the following security controls is likely not present on the network?

IDS

WAF

DLP

TLS

A

IDS

Correct answer

WAF

DLP

Your answer is incorrect

TLS

Overall explanation

A web application firewall (WAF), if present, would likely block SQL injection attack attempts, making SQL injection vulnerabilities invisible to a vulnerability scanner. A data loss prevention system (DLP) does not protect against web application vulnerabilities, such as SQL injection. An intrusion detection system (IDS) might identify a SQL injection exploit attempt but it is not able to block the attack. Transport layer security (TLS) encrypts web content but encryption would not prevent an attacker from engaging in SQL injection attacks.

This question comes from Security+ exam objective 3.2 Given a scenario, apply security principles to secure enterprise infrastructure.

For more information, see Sybex Security+ Study Guide Chapter 6.

Domain

3.0 Security Architecture

19
Q

Question 19:

Helen recently moved from the marketing department to the sales department and retained the permissions assigned to her previous job, despite the fact that they are no longer necessary. What security principle does this violate?

Two-person control

Least privilege

Security through obscurity

Separation of duties

A

Two-person control

Correct answer

Least privilege

Security through obscurity

Your answer is incorrect

Separation of duties

Overall explanation

There is no evidence presented that this violates any separation of duties or two-person control requirements. Security through obscurity is the idea that the details of security controls should be kept secret, which is not an issue in this scenario. The fact that Helen is retaining privileges from a prior position violates the principle of least privilege.

This question comes from Security+ exam objective 2.5 Explain the purpose of mitigation techniques used to secure the enterprise.

For more information, see Sybex Security+ Study Guide Chapter 8.

Domain

2.0 Threats, Vulnerabilities, and Mitigations

20
Q

Question 20:

Paul is conducting a penetration test and has gained a foothold on a web server used by the target organization. He is now attempting to use that web server to gain access to a file server on the organization’s internal network. What stage of the penetration testing process is Paul in?

Pivot

Reconnaissance

Initial exploitation

Scoping

A

Correct answer

Pivot

Reconnaissance

Initial exploitation

Your answer is incorrect

Scoping

Overall explanation

Paul has already gained initial access to a system: the web server. He is now attempting to take that access and pivot from the initial compromise to a more lucrative target: the file server.

Reconnaissance involves gathering information about the target before gaining access.

Initial exploitation is the phase where the attacker first gains access to a target system, which Paul has already accomplished.

Scoping involves defining the boundaries and objectives of the penetration test before any active testing begins.

This question comes from Security+ exam objective 5.5 Explain types and purposes of audits and assessments.

For more information, see Sybex Security+ Study Guide Chapter 5.

Domain

5.0 Security Program Management and Oversight

21
Q

Question 21:

Fred created a set of IP restrictions on his Cisco router using Cisco’s extended access control list (ACL) functionality. What type of access control model is Fred enforcing?

Role-based access control

Rule-based access control

Discretionary access control

Attribute-based access control

A

Role-based access control

Correct answer

Rule-based access control

Discretionary access control

Your answer is incorrect

Attribute-based access control

Overall explanation

Network access control lists are examples of rule-based access control because the router will make decisions based upon the rules that Fred provides. The router does not know the identity of the user, so it cannot perform role-based or attribute-based access control. Users have no authority to delegate access control decisions, so this is not an example of discretionary access control.

This question comes from Security+ exam objective 4.6 Given a scenario, implement and maintain identity and access management.

For more information, see Sybex Security+ Study Guide Chapter 8.

Domain

4.0 Security Operations

22
Q

Question 22:

Which one of the following risks would be addressed by applying full disk encryption to a computer?

Insider attack

Theft of the device

Eavesdropping on the network segment used by the device

Malware infection on the device

A

Insider attack

Correct answer

Theft of the device

Eavesdropping on the network segment used by the device

Your answer is incorrect

Malware infection on the device

Overall explanation

Full disk encryption is effective against data-at-rest situations where the data is not being actively accessed. For example, full disk encryption protects the contents of a lost or stolen device. Full disk encryption is not effective when a user has accessed the device legitimately, so it would not be effective against an insider attack or against malware running within a user account. It also does not protect data in transit so it would not be effective against an eavesdropping attack.

This question comes from Security+ exam objective 1.4 Explain the importance of using appropriate cryptographic solutions.

For more information, see Sybex Security+ Study Guide Chapter 7.

Domain

1.0 General Security Concepts

23
Q

Question 23:

During a risk assessment, an IT team uses expert judgment and historical data to assign a likelihood and impact rating to each identified risk without using numerical data. What type of risk analysis is being conducted?

Quantitative

Continuous

Qualitative

Recurring

A

Quantitative

Continuous

Correct answer

Qualitative

Your answer is incorrect

Recurring

Overall explanation

Qualitative risk analysis is being conducted, as it involves using expert judgment and historical data to assign likelihood and impact ratings to risks without relying on numerical data. This approach typically uses descriptive terms like “high,” “medium,” or “low” to evaluate the risks.

Quantitative risk analysis, in contrast, involves numerical data and statistical methods to calculate the potential impact and likelihood of risks.

Continuous risk analysis refers to an ongoing process of regularly reviewing and updating risk assessments, which can involve either qualitative or quantitative methods.

Recurring risk analysis involves conducting risk assessments at regular intervals but does not specify the use of qualitative or quantitative techniques.

This question comes from Security+ exam objective 5.2 Explain elements of the risk management process.

For more information, see Sybex Security+ Study Guide Chapter 17.

Domain

5.0 Security Program Management and Oversight

24
Q

Question 24:

Which one of the following backup types typically takes the shortest amount of time to perform when done several times per day?

Full backup

Incremental backup

Differential backup

Complete backup

A

Full backup

Correct answer

Incremental backup

Differential backup

Your answer is incorrect

Complete backup

Overall explanation

Incremental backups only back up files that were changed since the most recent full or incremental backup. Therefore, they are faster than full/complete backups, which would back up all files. Differential backups contain all files modified since the last full or incremental backup and would therefore take longer, as each differential backup in a series grows larger by including all files from previous incremental backups. Each differential backup in a series contains all of the files included in prior differential backups, while each file is only contained in one incremental backup from a series.

This question comes from Security+ exam objective 3.4 Explain the importance of resilience and recovery in security architecture.

For more information, see Sybex Security+ Study Guide Chapter 9.

Domain

3.0 Security Architecture

25
Q

Question 25:

After a user enters an incorrect password, many authentication systems record this activity in an authentication log. What phase of the identity and access management process is taking place?

Authorization

Identification

Accounting

Authentication

A

Authorization

Identification

Correct answer

Accounting

Your answer is incorrect

Authentication

Overall explanation

Logging the activity of an incorrect password entry is part of the accounting phase of the identity and access management process. Accounting involves creating an unalterable record of authentication activity, which helps in tracking and monitoring user actions. The identification phase occurs when the user provides their username or user ID. The authentication phase occurs when the user attempts to verify their identity by entering a password, which in this case was incorrect. Authorization does not take place because the authentication attempt was unsuccessful.

This question comes from Security+ exam objective 4.6 Given a scenario, implement and maintain identity and access management.

For more information, see Sybex Security+ Study Guide Chapter 8.

Domain

4.0 Security Operations

26
Q

Question 26:

Which one of the following activities is not a passive test of security controls?

Penetration testing

Network monitoring

Intrusion detection

Configuration analysis

A

Correct answer

Penetration testing

Network monitoring

Intrusion detection

Your answer is incorrect

Configuration analysis

Overall explanation

Penetration tests interact with systems and seek to exploit vulnerabilities. Therefore, they are an active test of security controls. Configuration analysis involves reviewing system settings and configurations without actively engaging with the system, making it a passive activity. Network monitoring involves observing and analyzing network traffic without interacting with it, making it a passive activity. Intrusion detection involves monitoring systems for signs of unauthorized access or anomalies without actively engaging with the systems, making it a passive activity.

This question comes from Security+ exam objective 4.3 Explain various activities associated with vulnerability management.

For more information, see Sybex Security+ Study Guide Chapter 5.

Domain

4.0 Security Operations

27
Q

Question 27:

Brianna recently accepted a position working for a U.S. financial institution that handles U.S. consumer checking account records. Which one of the following laws regulates this type of information?

SOX

GLBA

GDPR

PCI DSS

A

SOX

Correct answer

GLBA

GDPR

PCI DSS

Overall explanation

Financial institutions are required to preserve the privacy of consumer records by the Gramm-Leach-Bliley Act (GLBA). The Payment Card Industry Data Security Standard (PCI DSS) does apply to financial records, but its scope is limited to credit and debit card records. The General Data Protection Regulation (GDPR) would apply to these records if they were about European Union residents, but that is not the case here. The Sarbanes-Oxley Act (SOX) regulates the financial accounting practices of publicly traded companies and is not applicable here.

This question comes from Security+ exam objective 5.1 Summarize elements of effective security governance.

For more information, see Sybex Security+ Study Guide Chapter 16.

Domain

5.0 Security Program Management and Oversight
28
Q

Question 28:

Alan’s firm recently engaged a cloud service provider to handle credit card transactions on the company’s behalf. What role is the provider playing in this scenario?

Data processor

Data owner

Data regulator

Data controller

A

Correct answer

Data processor

Data owner

Data regulator

Data controller

Overall explanation

In this scenario, the cloud service provider is processing data on behalf of Alan’s organization, making it a data processor. Alan’s firm remains the data owner and controller. Neither organization serves as a regulator, as those responsibilities are reserved for government agencies and self-regulatory bodies.

This question comes from Security+ exam objective 5.1 Summarize elements of effective security governance.

For more information, see Sybex Security+ Study Guide Chapter 17.

Domain

5.0 Security Program Management and Oversight
29
Q

Question 29:

What encryption protocol does the WPA2 algorithm use to provide confidentiality for wireless communications?

3DES

CCMP

TKIP

SAE

A

3DES

Correct answer

CCMP

TKIP

SAE

Overall explanation

WPA2 uses the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) to provide enhanced security using AES. The Temporal Key Integrity Protocol (TKIP) is used by WPA to rapidly cycle encryption keys and overcome the weaknesses of WEP. WPA3 uses Simultaneous Authentication of Equals (SAE).

This question comes from Security+ exam objective 4.1 Given a scenario, apply common security techniques to computing resources.

For more information, see Sybex Security+ Study Guide Chapter 13.

Domain

4.0 Security Operations
30
Q

Question 30:

Wanda is developing an incident response team for her organization. Which one of the following individuals would be the best person to have direct oversight of the team’s activities?

CFO

CIO

CEO

CISO

A

CFO

CIO

CEO

Correct answer

CISO

Overall explanation

The incident response team should be overseen by the Chief Information Security Officer (CISO), who has the authority and responsibility for cybersecurity activities. The CISO is best positioned to provide direct oversight and ensure that the team's actions align with the organization's security policies and objectives. The CEO has overall responsibility for the organization but typically does not focus on the day-to-day oversight of cybersecurity efforts. The CIO is responsible for the overall IT strategy and infrastructure but may not have the specialized focus on security that the CISO has. The CFO handles financial aspects and would not typically oversee cybersecurity activities.

This question comes from Security+ exam objective 5.1 Summarize elements of effective security governance.

For more information, see Sybex Security+ Study Guide Chapter 16.

Domain

5.0 Security Program Management and Oversight
31
Q

Question 31:

Which one of the following approaches attaches an OCSP validation message to the digital certificate sent to users by a website?

Certificate chaining

Certificate attachment

Certificate stapling

Certificate pinning

A

Certificate chaining

Certificate attachment

Correct answer

Certificate stapling

Certificate pinning

Overall explanation

Certificate stapling attaches an OCSP validation to the digital certificate, saving the client and server the time of repeatedly querying the OCSP server for certificate validity. Certificate pinning is a technique used to prevent changes in the valid certificate for a domain. Certificate chaining is used to delegate authority to subordinate certificate authorities. Certificate attachment is not a valid technique.

This question comes from Security+ exam objective 1.4 Explain the importance of using appropriate cryptographic solutions.

For more information, see Sybex Security+ Study Guide Chapter 7.

Domain

1.0 General Security Concepts
32
Q

Question 32:

An employee reports that their new company laptop is running very slowly, even though it has not been used for any intensive tasks yet. Upon inspection, you notice that the laptop is loaded with numerous unnecessary applications that were pre-installed by the manufacturer. What type of issue is most likely causing the performance degradation?

Spyware

Logic bomb

Ransomware

Bloatware

A

Spyware

Logic bomb

Ransomware

Correct answer

Bloatware

Overall explanation

Bloatware is most likely causing the performance degradation on the new company laptop. These are unnecessary applications pre-installed by the manufacturer that consume system resources, slowing down the device even if it hasn't been used for intensive tasks. Spyware gathers information about a user without their knowledge, which can slow down a system, but it is not typically pre-installed by manufacturers. A logic bomb is malicious code that activates under specific conditions, but it would not usually be pre-installed on a new laptop. Ransomware encrypts files and demands payment for their release, causing significant disruption, but it is not typically pre-installed and does not align with the description of numerous unnecessary applications.

This question comes from Security+ exam objective 2.4 Given a scenario, analyze indicators of malicious activity.

For more information, see Sybex Security+ Study Guide Chapter 3.

Domain

2.0 Threats, Vulnerabilities, and Mitigations
33
Q

Question 33:

Joan is trying to break a cryptographic algorithm where she has the encryption key but does not have the decryption key. She is generating a series of encrypted messages and using them in her cryptanalysis. Which term best describes Joan’s attack?

Chosen ciphertext

Known plaintext

Known ciphertext

Chosen plaintext

A

Chosen ciphertext

Known plaintext

Known ciphertext

Correct answer

Chosen plaintext

Overall explanation

This is a tricky question, because any of the answers other than chosen ciphertext could be correct. We can rule out that answer because Joan cannot choose her own ciphertext. She can, however, choose the plaintext used to create the ciphertext. When she does choose her own plaintext, she must, therefore, have knowledge of the plaintext. Once she encrypts the message, she also has access to the ciphertext. However, the best term to describe this attack is a chosen plaintext attack because it is the most specific of the three names. Every chosen plaintext attack is also a known plaintext and a known ciphertext attack.

This question comes from Security+ exam objective 1.4 Explain the importance of using appropriate cryptographic solutions.

For more information, see Sybex Security+ Study Guide Chapter 7.

Domain

1.0 General Security Concepts
34
Q

Question 34:

When providing security awareness training to privileged users, what threat should be emphasized that is a more likely risk with these employees than standard users?

Water cooler attack

On-path attack

Spear phishing attack

Brute force attack

A

Water cooler attack

On-path attack

Correct answer

Spear phishing attack

Brute force attack

Overall explanation

Privileged users are clearly susceptible to all of these attacks. However, there is no reason to believe that they are more likely to be victims of water cooler attacks, brute force attacks, or on-path attacks than any other user. Spear phishing attacks target specific people and are more likely to target privileged users because of their elevated privileges.

This question comes from Security+ exam objective 5.6 Given a scenario, implement security awareness practices.

For more information, see Sybex Security+ Study Guide Chapter 16.

Domain

5.0 Security Program Management and Oversight
35
Q

Question 35:

Yvonne is investigating an attack where a user visited a malicious website and the website sent an instruction that caused the browser to access the user’s bank website and initiate a money transfer. The user was logged into the bank website in a different browser tab. What type of attack most likely took place?

Reflected XSS

XSRF

Stored XSS

DOM XSS

A

Reflected XSS

Correct answer

XSRF

Stored XSS

DOM XSS

Overall explanation

In this attack, the attacker executed a request against a third-party website by taking advantage of the fact that the user already had an established session with that site. This is an example of a cross-site request forgery (XSRF) attack. Stored XSS involves injecting malicious scripts into a website's database, which are then served to users. Reflected XSS occurs when malicious scripts are reflected off a web server and executed immediately by the user's browser. DOM XSS involves the modification of the Document Object Model in the user's browser to execute scripts.

This question comes from Security+ exam objective 2.4 Given a scenario, analyze indicators of malicious activity.

For more information, see Sybex Security+ Study Guide Chapter 6.

Domain

2.0 Threats, Vulnerabilities, and Mitigations
36
Q

Question 36:

Brianne is concerned that the logs generated by different devices on her network have inaccurate timestamps generated by the differing internal clocks of each device. What protocol can best assist her with remediating this situation?

NTP

TLS

SSH

OCSP

A

Correct answer

NTP

TLS

SSH

OCSP

Overall explanation

The Network Time Protocol (NTP) is used to synchronize the clocks of devices to a standardized time source. NTP is quite useful in helping to ensure consistent timestamps on log entries. TLS is used to secure communications over a network, but it does not address time synchronization. SSH provides secure remote access to devices, but it does not synchronize device clocks. OCSP (Online Certificate Status Protocol) checks the revocation status of digital certificates, but it does not synchronize device clocks.

This question comes from Security+ exam objective 4.5 Given a scenario, modify enterprise capabilities to enhance security.

For more information, see Sybex Security+ Study Guide Chapter 12.

Domain

4.0 Security Operations
37
Q

Question 37:

Fran recently completed development of a new code module and the module successfully completed user acceptance testing. Now that testing is complete, she would like to request that the module be moved to the next step in the process. What environment is most appropriate for the code at this stage of the process?

Staging environment

Test environment

Production environment

Development environment

A

Correct answer

Staging environment

Test environment

Production environment

Development environment

Overall explanation

After successfully completing user acceptance testing, the most appropriate environment for Fran's code module is the staging environment. The staging environment serves as the final preparation area before deployment to the production environment, ensuring that the code works correctly in a setting that closely mimics the live production environment. The development environment is for creating and modifying new code and is no longer appropriate once testing is complete. The production environment is the live environment where the application is used by end users, and the code should only be moved here after passing through staging. The test environment is used for initial testing and has already been completed, so it is no longer the correct stage for the code module.

This question comes from Security+ exam objective 5.1 Summarize elements of effective security governance.

For more information, see Sybex Security+ Study Guide Chapter 16.

Domain

5.0 Security Program Management and Oversight
38
Q

Question 39:

Vic is the security administrator for a field engineering team that must make connections back to the home office. Engineers also must be able to simultaneously connect to systems on their customer’s networks to perform troubleshooting. Vic would like to ensure that connections to the home office use a VPN. What type of VPN would best meet his needs?

Full tunnel

IPSec

TLS

Split tunnel

A

Full tunnel

IPSec

TLS

Correct answer

Split tunnel

Overall explanation

A split tunnel VPN policy allows Vic to specify that only traffic destined to the home office should be routed through the VPN. If Vic used a full tunnel policy, engineers would not be able to access systems on the customer’s local network. Vic may use either an IPSec or TLS VPN to meet this requirement. That technology decision is separate from determining what traffic is sent through the VPN.

This question comes from Security+ exam objective 3.2 Given a scenario, apply security principles to secure enterprise infrastructure.

For more information, see Sybex Security+ Study Guide Chapter 12.

Domain

3.0 Security Architecture
39
Q

Question 40:

Rhonda is preparing a role-based awareness training program and recently developed a module designed to raise awareness among users of wire transfer fraud schemes where the attacker poses as a business leader seeking to transfer money to a foreign account. Of the following audiences, which would be the most likely to need this training?

Sales director

System administrator

Accounts payable clerk

Executive user

A

Sales director

System administrator

Correct answer

Accounts payable clerk

Executive user

Overall explanation

While basic awareness of wire transfer fraud schemes is beneficial for everyone in the company, the accounts payable clerk is the individual most in need of this training. This role is directly responsible for initiating wire transfers and is therefore the primary target for fraudsters attempting these schemes. System administrators, executive users, and sales directors may benefit from general awareness, but they are not typically the ones processing wire transfers.

This question comes from Security+ exam objective 5.6 Given a scenario, implement security awareness practices.

For more information, see Sybex Security+ Study Guide Chapter 16.

Domain

5.0 Security Program Management and Oversight
40
Q

Question 41:

Hannah is investigating a security incident and discovers that a network client sent false MAC address information to a switch. What type of attack likely took place?

On-path

Eavesdropping

ARP poisoning

DNS poisoning

A

On-path

Eavesdropping

Correct answer

ARP poisoning

DNS poisoning

Overall explanation

An ARP poisoning attack likely took place, as this attack involves sending false MAC address information to a network switch, causing the switch to associate the incorrect MAC address with a particular IP address. This can disrupt network traffic and potentially lead to further attacks like eavesdropping or an on-path attack, but those cannot be confirmed without more information. DNS poisoning involves manipulating the DNS server to redirect traffic to malicious sites, which is unrelated to the scenario of false MAC address information being sent. An on-path attack involves intercepting and potentially altering communication between two parties, which might be facilitated by ARP poisoning but is not explicitly indicated by the provided information. Eavesdropping refers to unauthorized listening to private communications, which could be a result of ARP poisoning but is not specifically indicated in this scenario.

This question comes from Security+ exam objective 2.4 Given a scenario, analyze indicators of malicious activity.

For more information, see Sybex Security+ Study Guide Chapter 12.

Domain

2.0 Threats, Vulnerabilities, and Mitigations
41
Q

Question 42:

A natural gas utility recently sent customers messages similar to the one below in an effort to convince them to reduce their energy consumption. What principle of social engineering is this message attempting to exploit?

Authority

Familiarity

Consensus

Intimidation

A

Authority

Familiarity

Correct answer

Consensus

Intimidation

Overall explanation

This message is attempting to influence behavior by telling a customer that they differ from the energy consumption habits of their energy-efficient neighbors. This is an example of consensus, or social proof, where individuals are influenced to change their behavior based on the actions and behaviors of others around them. Authority would involve leveraging the influence of a respected or authoritative figure to convince someone to take action, which is not the case here. Familiarity relies on using a sense of personal connection or known relationships to influence behavior, which is not directly being used in this message. Intimidation uses fear or threats to compel someone to take action, which is not the tactic employed in this comparison of energy usage.

This question comes from Security+ exam objective 2.2 Explain common threat vectors and attack surfaces.

For more information, see Sybex Security+ Study Guide Chapter 4.

Domain

2.0 Threats, Vulnerabilities, and Mitigations
42
Q

Question 43:

You are investigating a physical intrusion where the intruder was able to drive into your parking garage and the access gate simply opened for them. You checked the logs of the access control system and it showed that the access was made by another employee. That employee confirmed that they had their access control device in their possession the entire time. What is the most likely explanation for this scenario?

The attacker conducted a privilege escalation attack

The attacker cloned the employee’s RFID device

The security system malfunctioned

The attacker stole the device from the employee without their knowledge

A

The attacker conducted a privilege escalation attack

Correct answer

The attacker cloned the employee’s RFID device

The security system malfunctioned

The attacker stole the device from the employee without their knowledge

Overall explanation

The attacker likely cloned the employee’s RFID device, which would allow them to gain access using a duplicate device without the employee’s knowledge. Cloning an RFID device involves copying the signal or data from the original device to a new one, which can then be used to access secure areas. A security system malfunction would typically not show access being made by a specific employee; it would more likely show an error or lack of entry in the logs. If the attacker stole the device from the employee, the employee would not have had the device in their possession the entire time. A privilege escalation attack usually pertains to gaining higher access privileges within a computer system, not physically accessing secure areas.

This question comes from Security+ exam objective 2.4 Given a scenario, analyze indicators of malicious activity.

For more information, see Sybex Security+ Study Guide Chapter 9.

Domain

2.0 Threats, Vulnerabilities, and Mitigations
43
Q

Question 45:

Fred is designing a new web application that will be hosted with a cloud service provider. He would like to configure the web application so that it adds additional servers when demand spikes and then removes those servers from the pool when demand falls again. What characteristic of cloud computing is Fred most directly taking advantage of?

Economies of scale

Elasticity

Agility

Scalability

A

Economies of scale

Correct answer

Elasticity

Agility

Scalability

Overall explanation

Fred is likely taking advantage of all of the characteristics listed in this question. However, the situation described in the scenario, adding additional servers when demand spikes and then removing those servers from the pool when demand falls again, is the definition of elasticity.

This question comes from Security+ exam objective 3.1 Compare and contrast security implications of different architecture models.

For more information, see Sybex Security+ Study Guide Chapter 10.

Domain

3.0 Security Architecture
44
Q

Question 46:

Roger’s organization recently activated their disaster recovery plan in response to a facility emergency. At what point would the organization typically deactivate the plan?

When senior leaders arrive on scene to take command

When the organization is returned to its normal operating environment

When the organization completes the initial response effort

When the organization has a stable operating environment set up in an alternate facility

A

When senior leaders arrive on scene to take command

Correct answer

When the organization is returned to its normal operating environment

When the organization completes the initial response effort

When the organization has a stable operating environment set up in an alternate facility

Overall explanation

The disaster recovery plan is deactivated when the organization is returned to its normal operating environment. This marks the end of the disaster recovery process, as the goal is to restore normal operations and ensure all systems are functioning as they were before the emergency. Completing the initial response effort is just the first phase of the disaster recovery process, and deactivating the plan at this stage would be premature. Setting up a stable operating environment in an alternate facility is a temporary measure and does not signify the return to normal operations. The arrival of senior leaders to take command is part of the response coordination and does not indicate the end of the disaster recovery efforts.

This question comes from Security+ exam objective 5.1 Summarize elements of effective security governance.

For more information, see Sybex Security+ Study Guide Chapter 17.

Domain

5.0 Security Program Management and Oversight
45
Q

Question 47:

Linda is investigating a security incident that took place in her organization. The attacker issued himself checks from an organization account and then created false journal entries in the accounting system to cover them up. There are no signs of unauthorized activity in IPS or firewall logs. What type of attacker most likely conducted this attack?

Unskilled attacker

Insider

Competitor

Organized crime

A

Unskilled attacker

Correct answer

Insider

Competitor

Organized crime

Overall explanation

The most likely culprit is an insider with access to the accounting system. There are no signs of IPS or firewall anomalies, which reduces the likelihood that this was an external attack. An unskilled attacker typically lacks the skills and access required for this level of manipulation within an accounting system. Organized crime might be involved in financial fraud, but the lack of external signs suggests an insider is more likely. A competitor would likely target more strategic data rather than direct financial theft and manipulation of internal records.

This question comes from Security+ exam objective 2.1 Compare and contrast common threat actors and motivations.

For more information, see Sybex Security+ Study Guide Chapter 2.

Domain

2.0 Threats, Vulnerabilities, and Mitigations