• Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off

Card Range To Study



Play button


Play button




Click to flip

Use LEFT and RIGHT arrow keys to navigate between flashcards;

Use UP and DOWN arrow keys to flip the card;

H to show hint;

A reads text to speech;

20 Cards in this Set

  • Front
  • Back

Which of the following is most closely associated with residual risk?

A. Risk acceptance

B. Risk avoidance

C. Risk deterrence

D. Risk mitigation

E. Risk transference

Correct Answer: A. Residual risk is the risk that an organization accepts after implementing controls to reduce risk. An organization can avoid a risk by not providing a service or not participating in a risk activity. Risk deterrence attempts to discourage attacks with preventive controls such as a security guard. Risk mitigation reduces risks through internal controls. Purchasing insurance is a common method of risk transference.

You need to calculate the ALE for a server. The value of the server is $3,000, but it has crashed 10 times in the past year. Each time it crashed, it resulted in a 10 percent loss? What is the ALE?

A. $300

B. $500

C. $3,000

D. $30,000

Correct Answer: C. The annual loss expectancy (ALE) is $3,000. It is calculated as single loss expectancy (SLE) x annual rate of occurrence (ARO). The SLE is 10 percent of $3,000 ($300) and the ARO is 10. 10 x $300= $3,000.

You need to calculate the expected loss of an incident. Which of the following value combinations would you MOST likely use?

A. ALE and ARO

B. ALE and SLE

C. SLE and ARO

D. ARO and ROI

Correct Answer: A. The expected loss is the single loss expectancy (SLE) and you can calculate it with the annual loss expectancy (ALE) and annual rate of occurrence (ARO), as ALE/ARO. The SLE is what you are trying to determine, so you don't have that value. The return on investment (ROI) will not help in identifying the SLE.

You want to identify all of the services running on a server. Which of the following tools is the BEST choice to meet this goal?

A. Penetration test

B. Protocol analyzer

C. Sniffer

D. Port scanner

Correct Answer: D. A port scanner identifies open ports on a system and is commonly used to determine what services are running on the system. A penetration test attempts to exploit a vulnerability. A protocol analyzer (also called a sniffer) could analyze traffic and discover protocols in user, but this would be much more difficult than using a port scanner.

You recently completed a vulnerability scan on your network. It reported that several servers are missing key operating system patches. However, after checking the servers, you've verifies the servers have these patches installed. Which of the following BEST describes this?

A. False negative

B. Misconfiguration on servers

C. False positive

D. Servers not hardened

Correct Answer: C. In this scenario, the vulnerability scanner reported a false positive indicating that the servers had a vulnerability, but in reality, the servers did not have the vulnerability. A false negative occurs if a vulnerability scanner does not report a known vulnerability. There isn't any indication that the servers are misconfigured and they are not hardened.

You suspect that a database server used by a web application does not have current patches. Which of the following is the BEST action to take to verify the server has up-to-date patches?

A. Vulnerability scan

B. Port scan

C. Protocol analyzer

D. Host enumeration

Correct Answer: A vulnerability scan determines if the system has current patches and is the best choice of those given. A port scan identifies open ports. A protocol analyzer (sniffer) captures traffic for analysis. Host enumeration identifies hosts on a network based on their IP addresses.

You need to perform tests on your network to identify missing security controls. However, you want to have the least impact on systems that users are accessing. Which of the following tools is the best to meet this need?

A. Code review

B. Vulnerability scan

C. Ping sweep

D. Penetration test

Correct Answer: B. A vulnerability scanner is passive and has the least impact on systems, but it can detect systems that are lacking specific security controls. A code review is effective for identifying vulnerabilities in software. However, it doesn't identify missing security controls elsewhere. A ping sweep can identify hosts on a network based on their IP addresses. A penetration test does not have the least impact on systems.

Lisa needs to identify if a risk exists on a web application and if attackers can potentially bypass security controls. However, she should not actively test the application. Which of the following is the BEST choice?

A. Perform a penetration test

B. Perform a port scan

C. Perform a vulnerability scan

D. Perform traffic analysis with a sniffer

Correct Answer: C. A vulnerability scan identifies vulnerabilities that attackers can potentially exploit, and vulnerability scanners perform passive testing. A penetration test actively tests the application and can potentially compromise the system. A port scan only identifies open ports. A sniffer can capture traffic for analysis, but it doesn't check for security controls.

A recent vulnerability scan reported that a web application server is missing some patches. However, after inspecting the server, you realize that the patches are for a protocol that administrators removed from the server. Which of the following is the BEST explanation for this disparity?

A. False negative

B. False positive

C. Lack of patch management tools

D. The patch isn't applied

Correct Answer: B. A false positive on a vulnerability scan indicates that a vulnerability is positively detected, but the vulnerability doesn't actually exist. A false negative indicates that the vulnerability scan did not detect a vulnerability that does exist on a system. False positives can occur even if an organization has a strong patch management process in place. Although it's true that the patch isn't applied, it's also true that the patch cannot be applied because it is for a protocol that administrators removed.

Your organization develops web application software, which it sells to other companies for commercial use. Your organization wants to ensure that the software isn't susceptible to common vulnerabilities, such as buffer overflow attacks and race conditions. What should the organization implement to ensure software meets this standard?

A. Input validation

B. Change management

C. Code review

D. Regression testing

Correct Answer: C. A code review goes line-by-line through the software code looking for vulnerabilities, such as buffer overflows and race conditions. Input validation helps prevent buffer overflows but not race conditions. Change management controls help prevent unintended outages from unauthorized changes. Regression testing is a type of testing used to ensure that new patches do not cause errors.

An organization has a legacy server within the DMZ. It is running older software that is not compatible with current patches, so it remains unpatched. Management accepts the risk on this system, but wants to know if attackers can access the internal network if they successfully compromise this server. Which of the following is the MOST appropriate test?

A. Vulnerability

B. Port scan

C. Code review

D. Pentest

Correct Answer: D. A pentest (or penetration test) attempts to compromise the server and then attempts to access the internal network. A vulnerability scan is passive. It does not attempt to compromise a system, so it cannot verify if an attacker can access the internal network. A port scan only identifies open ports. A code review is useful for newly developed software, but there isn't any indication that the original code is available for the legacy server.

Testers do not have access to product documentation or any experience with an application. What type of test will they MOST likely perform?

A. Gray box

B. White box

C. Black box

D. Black hat

Correct Answer: C. A black box tester does not have access to product documentation or experience with an application. White box testers have full knowledge and gray box testers have some knowledge. Black hat refers to a malicious attacker.

Your organization has hired a group of external testers to perform a black box penetration test. One of the testers asks you to provide information about your internal network. What should you provide?

A. A list of IP ranges and the types of security devices operational on the network.

B. Network diagrams but without internal IP addresses

C. Some network diagrams and some IP addresses, but not all.

D. Nothing

Correct Answer: D. Black box testers should not have access to any information before starting the test, so technicians and administrators should not provide any information if asked. It's appropriate to give white box testers all the information on the network, and give gray box testers some information on the internal network.

A network administrator is troubleshooting a communication problem between a web server and a database server. Which of the following tools would MOST likely be useful in this scenario?

A. Protocol analyzer

B. Port scanner

C. Switch

D. URL filter

Correct Answer: A. A protocol analyzer (or sniffer) is useful for capturing traffic between systems for analysis and is the best choice for this scenario. A port scanner identifies open ports in single systems, so it wouldn't be helpful there. Traffic between the systems likely goes through the switch and you can monitor traffic going through the switch with a protocol analyzer, but by itself, the switch wouldn't help troubleshoot a communication problem. A URL filter filters outgoing web traffic.

A network administrator needs to identify the type of traffic and packet flags used in traffic sent from a specific IP address. Which of the following is the BEST tool to meet this need?

A. UTM security appliance

B. Router logs

C. Protocol analyzer

D. Vulnerability scan

Correct Answer: C. A protocol analyzer (or sniffer) can capture traffic sent over a network and identify the type of traffic, the source of the traffic, and protocol flags used within individual packets. A unified threat management (UTM) security appliance combines multiple security solutions into a single solution but doesn't typically capture traffic. Router logs identify the type of traffic going through it, but do not include packet flag data. A vulnerability scan identifies vulnerabilities on a network.

While analyzing a packet capture log, you notice the following entry: 16:12:50, src, dst, syn/ack

Of the following choices, what is the BEST explanation of this entry?

A. An HTTP connection attempt

B. An RDP connection attempt

C. An FTP connection attempt

D. A buffer overflow attack

Correct Answer: B. This log entry indicates that a source (src) system with an IP of sent a connection attempt using port 3389, which is the Remote Desktop Protocol (RDP) port, at time 4:12:50p.m. The destination (dst) was sent to IP using a common proxy server listening port of 8080. Hypertext Transfer Protocol (HTTP) uses port 80, not port 3389. File Transfer Protocol (FTP) uses ports 20 and 21, not port 3389. A buffer overflow attack sends unexpected data, but this entry indicates that it is a SYN/ACK (synchronize/acknowledge) packet establishing a connection.

Security administrators have recently implemented several security controls to enhance the network's security posture. Management wants to ensure that these controls continue to function as needed. Which of the following tools is the BEST choice to meet this goals?

A. Routine audit

B. Change management

C. Design review

D. Black box test

Correct Answer: A. A routine audit can verify controls are continuing to operate as intended. Change management controls can help ensure that systems don't suffer from unintended outages after a change, and although change management helps ensure the controls aren't modified, it doesn't necessarily ensure the controls continue to operate as intended. A design review would be done before the controls are deployed. A black box test is a type of penetration test where the testers don't have any knowledge of the system, so it wouldn't be able to identify if the controls are functioning as intended.

Your organization recently hired an outside security auditor to review internal processes. The auditor identified several employees who had permissions for previously held jobs within the company. What should the organization implement to prevent this in the future?

A. Design reviews

B. Code reviews

C. Baseline review

D. User rights and permissions reviews

Correct Answer: D. A user rights and permissions review detects permission bloat situations such as this. Account management controls also help ensure these situations don't occur. A design review helps ensure that systems and software are developed properly. A code review is a line-by-line review of code by peer programmers. A baseline review compares current configurations against baseline settings.

Your organization's security policy states that administrators should follow the principle of least privilege. Which of the following tools can ensure that administrators are following the policy?

A. User rights and permissions review

B. Risk assessment

C. Vulnerability assessment

D. Threat assessment

Correct Answer; A. A user rights and permissions review verifies users have the permissions they need for their job, and no more, which verifies the principle of least privilege is being followed. Risk, vulnerability, and threat assessments assess current risks, and they might verify the principle of least privilege is being followed, but they do much more.

Your organization wants to ensure that security controls continue to function, helping to maintain an appropriate security posture. Which of the following is the BEST choice to meet this goal?

A. Auditing logs

B. Routine audits

C. Continuous security monitoring

D. Vulnerability scans

Correct Answer: C. Continuous security monitoring helps an organization maintain its security posture, by verifying that security controls continue to function as intended. Auditing logs, performing routine audits, and performing vulnerability scans are all part of a continuous monitoring plan. However, individually, they do no verify all security controls are operating properly.