77 Cards in this Set

Lisa hid several plaintext documents within an image file. Which security goal is she pursuing?


A. Encryption


B. Integrity


C. Steganography


D. Confidentiality

Correct Answer: D. Hiding files in another file is one way to achieve the security goal of confidentiality. In this scenario, Lisa is using steganography as the method by hiding files within a file. Encryption is the best way to achieve confidentiality, but simply hiding files within a file doesn't encrypt the data. Hashing methods and digital signatures provide integrity.

You are the security administrator in your organization. You want to ensure that a file maintains integrity. Which of the following choices is the BEST choice to meet your goal?


A. Steganography


B. Encryption


C. Hash


D. AES

Correct Answer: C. A hash provides integrity for files, emails, and other types of data: recompute the hash later and any change to the data shows up as a different value. Steganography provides confidentiality by hiding data within other data, and encryption provides confidentiality by ciphering the data. Advanced Encryption Standard (AES) is a symmetric encryption algorithm, so it also addresses confidentiality, not integrity.

An e-commerce web site does not currently have an account recovery process for customers who have forgotten their passwords. Which of the following choices are the BEST items to include if web site designers add this process (Select TWO).


A. Create a web-based form that verifies customer identities using another method.


B. Set a temporary password that expires upon first use.


C. Implement biometric authentication.


D. Email the password to the user.

Correct Answer: A, B. A web-based form using an identity-proofing method, such as requiring users to enter the name of their first pet, can verify their identity. Setting a password that expires upon first use ensures that the user changes the password. Biometric authentication is not reasonable for an online e-commerce web site. Emailing the password is a possibility, but not without configuring the password to expire upon first use.

Your organization is planning to implement stronger authentication for remote access users. An updated security policy mandates the use of token-based authentication with a password that changes every 30 seconds. Which of the following choices BEST meets this requirement?


A. CHAP


B. Smart card


C. HOTP


D. TOTP

Correct Answer: D. A Time-based One-Time Password (TOTP) algorithm derives each password from the current time, so the password changes every time step (30 seconds by default). An HMAC-based One-Time Password (HOTP) derives each password from a counter, so a password remains valid until it is used and the counter advances; it does not expire on a timer. A smart card is a something-you-have factor, but it does not generate a changing password. Challenge Handshake Authentication Protocol (CHAP) uses a nonce (a number used once) in its challenge, but the nonce is not a password that expires after 30 seconds.

Your organization issues laptops to mobile users. Administrators configured these laptops with full disk encryption, which requires users to enter a password when they first turn on the computer. After the operating system loads, users are required to log on with a username and password. Which of the following choices BEST describes this?


A. Single-factor authentication


B. Dual-factor authentication


C. Multifactor authentication


D. SAML



Correct Answer: A. Both passwords are in the something you know factor of authentication, so this process is single-factor authentication. Dual-factor authentication requires the use of two different authentication factors. Multifactor authentication requires two or more factors of authentication. Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) used for single sign-on (SSO), but this is unrelated to this question.

Users in your organization currently use a combination of smart cards and passwords, but an updated security policy requires multifactor security using three different factors. Which of the following can you add to meet the new requirement?


A. Four-digit PIN


B. Hardware tokens


C. Fingerprint readers


D. USB tokens

Correct Answer: C. Fingerprint readers add biometrics from the something you are factor of authentication as a third factor. The current system already includes methods in the something you have factor (smart cards) and the something you know factor (passwords), so any solution requires a method from a factor other than these two. A PIN is in the something you know factor. Hardware tokens and USB tokens are in the something you have factor.

A network includes a ticket-granting ticket server used for authentication. What authentication service does this network use?


A. TACACS+


B. SAML


C. LDAP


D. Kerberos

Correct Answer: D. Kerberos uses a Key Distribution Center that issues ticket-granting tickets, which clients then exchange for service tickets used for authentication. Terminal Access Controller Access-Control System Plus (TACACS+) is an authentication service created by Cisco. Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) format used for single sign-on (SSO) solutions. Lightweight Directory Access Protocol (LDAP) is an X.500-based directory protocol commonly used for authentication, and it can be secured with Transport Layer Security (TLS).

You are modifying a configuration file used to authenticate Unix accounts against an external server. The file includes phrases such as DC=Server1 and DC=Com. Which authentication service is the external server using?


A. Diameter


B. RADIUS


C. LDAP


D. SAML

Correct Answer: C. Lightweight Directory Access Protocol (LDAP) uses X.500-style distinguished names built from components such as the domain component (DC), as in DC=Server1,DC=Com. Diameter is an alternative to Remote Authentication Dial-In User Service (RADIUS), but neither of these uses X.500-style names. Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) format used for web-based single sign-on (SSO) solutions.

Which of the following choices is an AAA protocol that uses shared secrets as a method of security?


A. Kerberos


B. SAML


C. RADIUS


D. MD5

Correct Answer: C. Remote Authentication Dial-In User Service (RADIUS) is an authentication, authorization, and accounting (AAA) protocol that uses a shared secret between the RADIUS client and server to protect its messages. Kerberos uses tickets. SAML provides SSO for web-based applications, but it is not an AAA protocol. MD5 is a hashing algorithm, not an AAA protocol.

Your organization wants to reduce the amount of money it is losing due to thefts. Which of the following is the BEST example of an equipment theft deterrent?


A. Remote wiping


B. Cable locks


C. Strong passwords


D. Disk encryption

Correct Answer: B. Cable locks are effective equipment theft deterrents for laptops and other systems. Remote wiping can erase data on a stolen system, but it doesn't deter theft. Strong passwords help prevent someone from accessing a stolen device, but they don't deter theft. Disk encryption protects the data after a device is stolen, but it doesn't deter theft.

A manager recently observed an unauthorized person in a secure area, which is protected with a cipher lock door access system. After investigation, he discovered that an authorized employee gave this person the cipher lock code. Which of the following is the BEST response to this issue at the minimum cost?


A. Implement a physical security control


B. Install tailgates


C. Provide security awareness training.


D. Place a guard at the entrance

Correct Answer: C. Security awareness training is often the best response to violations of security policies. If individuals do not abide by the policies after training, management can take disciplinary action. The cipher lock is already a physical security control, but it is not effective because an employee shared the code. Tailgating occurs when one person follows closely behind another through a door without using credentials; mantraps prevent tailgating, but "tailgates" are not a security control. Guards can address this issue by admitting only authorized personnel based on facial recognition or identification badges, but at a much higher cost.

Management recently rewrote the organization's security policy to strengthen passwords created by users. It now states that passwords should support special characters. Which of the following choices is the BEST setting to help the organization achieve this goal?


A. History


B. Maximum age


C. Minimum length


D. Complexity

Correct Answer: D. The complexity setting is the best answer because it includes using multiple character types, such as special characters, numbers, and uppercase and lowercase letters. The history setting remembers previous passwords and prevents users from reusing them. The maximum age setting forces users to change their password after a set number of days has passed. The minimum length setting forces users to create passwords with a minimum number of characters, such as eight.

You have discovered that some users have been using the same passwords for months, even though the password policy requires users to change their password every 30 days. You want to ensure that users cannot reuse the same password. Which settings should you configure? (Select TWO).


A. Maximum password age


B. Password length


C. Password history


D. Password complexity


E. Minimum password age

Correct Answer: C, E. The password history setting records previously used passwords (such as the last 24 passwords) to prevent users from reusing them. Combining the password history setting with the minimum password age setting prevents users from changing their password repeatedly in one sitting to cycle back to their original password. The maximum password age setting ensures users change their passwords regularly, but this is already set to 30 days in the scenario. Password length requires a minimum number of characters in a password. Password complexity requires a mix of uppercase and lowercase letters, numbers, and special characters.

A company recently hired you as a security administrator. You notice that some former accounts used by temporary employees are currently enabled. Which of the following choices is the BEST response?


A. Disable all the temporary accounts.


B. Disable the temporary accounts you've noticed are enabled.


C. Craft a script to identify inactive accounts based on the last time they logged on.


D. Set account expiration dates for all accounts when creating them.

Correct Answer: C. Running a last-logon script allows you to identify inactive accounts, such as accounts that haven't been logged on to in the last 30 days. It's appropriate to disable unused accounts, but it isn't necessarily appropriate to disable all temporary accounts, because some might still be in use. If you disable only the accounts you happened to notice, you might disable accounts that some employees are still using, and you might miss other accounts that should be disabled. Setting expiration dates for newly created accounts is a good step, but it doesn't address previously created accounts.
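The script the answer describes can be small. The block below is an added example and not part of the original card: it reads a constructed CSV export of accounts (the column names and the sample rows are invented for the example, not taken from a real directory) and lists enabled accounts whose last logon is older than a cutoff, treating accounts that have never logged on as inactive as well and skipping accounts that are already disabled. Actually disabling the accounts is a directory-specific step and is left out.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed directory export for illustration; not data from any real system.
ACCOUNT_EXPORT = """\
samAccountName,enabled,lastLogon,description
jsmith,True,2024-05-28T09:12:00Z,Accounting
temp-contractor1,True,2024-02-10T17:45:00Z,Temporary contractor
temp-contractor2,True,,Temporary contractor (never logged on)
mjones,True,2024-06-01T08:00:00Z,Marketing
old-intern,False,2023-12-01T10:00:00Z,Intern (already disabled)
"""

# Fixed "today" so the example is reproducible.
DEMO_NOW = datetime(2024, 6, 3, tzinfo=timezone.utc)


def find_inactive_accounts(export_csv: str, now: datetime, max_idle_days: int = 30) -> list:
    """Return (account, reason) for enabled accounts with no logon in max_idle_days, or ever."""
    cutoff = now - timedelta(days=max_idle_days)
    inactive = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["enabled"].strip().lower() != "true":
            continue                                   # already disabled, nothing to do
        raw = row["lastLogon"].strip()
        if not raw:
            inactive.append((row["samAccountName"], "never logged on"))
            continue
        last = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        if last < cutoff:
            inactive.append((row["samAccountName"], f"idle {(now - last).days} days"))
    return inactive


if __name__ == "__main__":
    for name, reason in find_inactive_accounts(ACCOUNT_EXPORT, DEMO_NOW):
        print(f"disable candidate: {name} ({reason})")
```

Running this against a real export catches both temporary accounts in the sample, including the one nobody ever used, while leaving active and already-disabled accounts alone, which is exactly why the scripted approach beats disabling whatever happens to be noticed.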

An organization supports remote access, allowing users to work from home. However, management wants to ensure that personnel cannot log on to work systems from home during weekends and holidays. Which of the following BEST supports this goal?


A. Least privilege


B. Need to know


C. Time-of-day restrictions


D. Mandatory access control

Correct Answer: C. Time-of-day restrictions prevent users from logging on during certain times. Least privilege and need to know restrict access to only what the user needs, and these concepts are not associated with time. Mandatory access control uses labels and can restrict access based on need to know, but it is not associated with time.

You configure access control for users in your organization. Some departments have a high employee turnover, so you want to simplify account administration. Which of the following is the BEST choice?


A. User-assigned privileges


B. Group-based privileges


C. Domain-assigned privileges


D. Network-assigned privileges

Correct Answer: B. Group-based privileges are a form of role-based access control, and they simplify administration. Instead of assigning permissions to new employees individually, you add the new user account to the appropriate groups to grant the rights and permissions the job needs; when the employee leaves, disabling the account or removing it from the groups revokes them just as quickly. User-assigned privileges require you to manage privileges for each user separately, which increases the account administration burden. Domain-assigned and network-assigned privileges are not valid administration practices.

You are configuring a file server used to share files and folders among employees within your organization. However, employees should not be able to access all folders on this server. Which of the following choices is the BEST method to manage security for these folders?


A. Assign permissions to each user as needed


B. Wait for users to request permission and then assign the appropriate permissions.


C. Delegate authority to assign these permissions


D. Use security groups with appropriate permissions.

Correct Answer: D. You can create security groups, place users into these groups, and grant access to the folder by assigning appropriate permissions to the security groups. For example, the security groups might be Sales, Marketing, and HR, and you place users into the appropriate group based on their job. This is an example of using group-based privileges. Waiting for users to ask, and then assigning permission to users individually has a high administrative overhead. Although delegating authority to assign permission might work, it doesn't provide the same level of security as centrally managed groups and without groups, it will still have a high administrative overhead for someone.

The Retirement Castle uses groups for ease of administration and management. They recently hired Jasper as their new accountant. Jasper needs access to all the files and folders used by the Accounting department. What should the administrator do to give Jasper appropriate access?


A. Create an account for Jasper and add the account to the Accounting group


B. Give Jasper the password for the Guest account


C. Create an account for Jasper and use rule-based access control for accounting.


D. Create an account for Jasper and add the account to the Administrators group.

Correct Answer: A. The administrator should create an account for Jasper and add it to the Accounting group. Because the organization uses groups, it makes sense that they have an Accounting group. The Guest account should be disabled to prevent the use of generic accounts. This scenario describes role-based access control, not rule-based access control. Jasper does not require administrator privileges, so his account should not be added to the Administrators group.

Your organization recently updated its security policy and indicated that Telnet should not be used within the network. Which of the following should be used instead of Telnet?


A. SCP


B. SFTP


C. SSL


D. SSH

Correct Answer: D. Secure Shell (SSH) is the direct replacement for Telnet: both provide a remote command-line session, but SSH encrypts the session, whereas Telnet transmits everything, including credentials, in cleartext. Secure Copy (SCP) and SSH File Transfer Protocol (SFTP) use SSH to transfer files securely, but they don't provide an interactive shell. Secure Sockets Layer (SSL) encrypts other protocols such as HTTP; it is not itself a remote administration tool.

One of your web servers was recently attacked and you have been tasked with reviewing firewall logs to see if you can determine how an attacker accessed the system remotely. You identified the following destination ports in the log entries: 21, 22, 25, 53, 80, 110, 443, and 3389. Which of the following protocols did the attacker MOST likely use?


A. Telnet


B. HTTPS


C. DNS


D. RDP

Correct Answer: D. Of the four choices, Remote Desktop Protocol (RDP) on port 3389 is the only protocol that both provides remote administrative access and appears in the listed ports. Telnet can connect to systems remotely, but it uses port 23, which isn't one of the listed ports. HTTPS uses port 443 for secure HTTP sessions. DNS uses port 53 for name resolution queries and zone transfers.

Which of the following provides the largest address space?


A. IPv4


B. IPv5


C. IPv6


D. IPv7

Correct Answer: C. Internet Protocol version 6 (IPv6) provides the largest address space, using 128 bits for an IP address. IPv4 uses 32 bits. IPv5 was an experimental stream protocol that was never adopted for general use. IPv7 has not been defined.

While analyzing a firewall log, you notice traffic going out of your network on UDP port 53. What does this indicate?


A. Connection with a botnet


B. DNS traffic


C. SMTP traffic


D. SFTP traffic

Correct Answer: B. Domain Name System (DNS) traffic uses UDP port 53 by default to resolve host names to IP addresses, so outbound UDP 53 is ordinary name resolution and is not, by itself, evidence of a connection to a botnet. Simple Mail Transfer Protocol (SMTP) uses TCP port 25. SSH File Transfer Protocol (SFTP) runs over SSH on TCP port 22.
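The two firewall-log cards above are really one exercise: map destination ports to services, separate inbound from outbound, and pick out the protocols that would give an attacker an interactive session. The block below is an added example rather than anything from the original cards: the log format, the addresses and the internal prefix are constructed for the example, and the port table covers the ports named in the cards.

```python
import re
from collections import Counter

# Constructed firewall log excerpt for illustration; the format is invented, not a vendor's.
FIREWALL_LOG = """\
2024-06-03T02:14:07Z ALLOW TCP 203.0.113.5:51512 -> 10.0.0.20:80
2024-06-03T02:14:09Z ALLOW TCP 203.0.113.5:51513 -> 10.0.0.20:443
2024-06-03T02:15:31Z ALLOW TCP 203.0.113.5:51520 -> 10.0.0.20:3389
2024-06-03T02:15:32Z ALLOW TCP 203.0.113.5:51521 -> 10.0.0.20:3389
2024-06-03T02:16:00Z ALLOW UDP 10.0.0.20:40211 -> 198.51.100.53:53
2024-06-03T02:16:05Z DENY TCP 203.0.113.5:51530 -> 10.0.0.20:23
"""

# Well-known destination ports named in the cards above.
PORT_NAMES = {21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS",
              80: "HTTP", 110: "POP3", 443: "HTTPS", 3389: "RDP"}
REMOTE_ACCESS_PORTS = {22, 23, 3389}          # services that give an interactive session
INTERNAL_PREFIX = "10.0.0."                   # assumed internal range for this example

LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_log(text: str):
    """Yield one dict per well-formed log line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, action, proto, src, sport, dst, dport = m.groups()
            yield {"ts": ts, "action": action, "proto": proto, "src": src,
                   "sport": int(sport), "dst": dst, "dport": int(dport)}


def summarize(text: str) -> dict:
    """Count allowed inbound services, list inbound remote-access sessions, count outbound DNS."""
    allowed_inbound, remote_access, outbound_dns = Counter(), [], 0
    for e in parse_log(text):
        inbound = e["dst"].startswith(INTERNAL_PREFIX) and not e["src"].startswith(INTERNAL_PREFIX)
        if e["action"] == "ALLOW" and inbound:
            allowed_inbound[PORT_NAMES.get(e["dport"], str(e["dport"]))] += 1
            if e["dport"] in REMOTE_ACCESS_PORTS:
                remote_access.append((e["ts"], e["src"], PORT_NAMES[e["dport"]]))
        elif e["proto"] == "UDP" and e["dport"] == 53 and not inbound:
            outbound_dns += 1                  # ordinary name resolution, not a botnet indicator
    return {"allowed_inbound": dict(allowed_inbound),
            "remote_access": remote_access, "outbound_dns": outbound_dns}


if __name__ == "__main__":
    report = summarize(FIREWALL_LOG)
    print("allowed inbound services:", report["allowed_inbound"])
    for ts, src, proto in report["remote_access"]:
        print(f"remote access: {proto} from {src} at {ts}")
    print("outbound DNS queries:", report["outbound_dns"])
```

On the sample the denied Telnet attempt never shows up as an allowed service, the outbound UDP 53 is counted as DNS, and the two allowed RDP connections from the same external address are the entries worth chasing, which is the reasoning the two cards ask for.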

A team of users in your organization needs a dedicated subnet. For security reasons, other users should not be able to connect to this subnet. Which of the following choices is the BEST solution?


A. Restrict traffic based on port numbers.


B. Restrict traffic based on physical addresses.


C. Implement DNS on the network.


D. Enable SNMP

Correct Answer: B. Of the given choices, the best answer is to restrict traffic based on physical addresses. This is also known as media access control (MAC) address filtering and is configured on a switch; it keeps other users off the subnet, although MAC addresses can be spoofed, so it is not a strong control against a determined attacker. Port numbers are related to protocols, so it wouldn't be feasible to restrict traffic for this group based on protocols. Domain Name System (DNS) provides name resolution, but it doesn't restrict traffic. Simple Network Management Protocol (SNMP) monitors and manages network devices; it doesn't restrict traffic either.

An organization recently updated its security policy. A new requirement dictates a need to increase protection from rogue devices plugging into physical ports. Which of the following choices provides the BEST protection?


A. Disable unused ports.


B. Implement 802.1x


C. Enable MAC limiting


D. Enable MAC filtering

Correct Answer: B. IEEE 802.1x is a port-based authentication protocol and it requires systems to authenticate before they are granted access to the network. If an attacker plugged a rogue device into a physical port, the 802.1x server would block it from accessing the network. Disabling unused ports is a good practice, but it doesn't prevent an attacker from unplugging a system from a used port and plugging the rogue device into the port. While MAC limiting and filtering will provide some protection against rogue devices, an 802.1x server provides much stronger protection.

What would administrators typically place at the end of an ACL of a firewall?


A. Allow all all


B. Timestamp


C. Password


D. Implicit deny

Correct Answer: D. Administrators would place an implicit deny rule at the end of an access control list (ACL) to deny all traffic that hasn't been explicitly allowed. Many firewalls place this rule at the end by default. An allow all all rule explicitly allows all traffic and defeats the purpose of a firewall. Timestamps aren't needed in an ACL. ACLs are in cleartext so should not include passwords.
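The implicit deny is what a first-match ACL evaluator falls through to when no rule matches, so the easiest way to see why an "allow all all" rule at the end is a mistake is to evaluate a few packets against both orderings. The block below is an added example and not from the original card; the web-server ACL, the addresses and the admin subnet are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None = any


def matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    return ((rule.proto == "any" or rule.proto == proto)
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, index of the matching rule); a packet that
    matches no rule falls through to the implicit deny, reported with index None."""
    for i, rule in enumerate(acl):
        if matches(rule, proto, src, dst, dport):
            return rule.action, i
    return "deny", None


# Constructed ACL for a web server at 10.0.0.20 (example addresses, not a real network).
WEB_ACL = [
    Rule("allow", "tcp", "0.0.0.0/0", "10.0.0.20/32", 443),
    Rule("allow", "tcp", "0.0.0.0/0", "10.0.0.20/32", 80),
    Rule("allow", "tcp", "10.0.0.0/24", "10.0.0.20/32", 3389),   # RDP only from the admin subnet
]

# The mistake the card warns about: an "allow all all" rule at the end matches everything
# the explicit rules did not, so nothing is ever denied.
ALLOW_ALL = Rule("allow", "any", "0.0.0.0/0", "0.0.0.0/0", None)


if __name__ == "__main__":
    print(evaluate(WEB_ACL, "tcp", "203.0.113.5", "10.0.0.20", 443))                 # ('allow', 0)
    print(evaluate(WEB_ACL, "tcp", "203.0.113.5", "10.0.0.20", 3389))                # ('deny', None)
    print(evaluate(WEB_ACL + [ALLOW_ALL], "tcp", "203.0.113.5", "10.0.0.20", 3389))  # ('allow', 3)
```

With the implicit deny in place, RDP from the Internet is dropped without any rule mentioning it; appending the allow-all rule turns the same packet into an allowed one, which is why administrators either leave the default implicit deny alone or write an explicit deny-all as the last line so the drop is logged.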

Your organization wants to protect its web server from cross-site scripting attacks. Which of the following choices provides the BEST protection?


A. WAF


B. Network-based firewall


C. Host-based firewall


D. IDS

Correct Answer: A. A web application firewall (WAF) is an Application layer firewall designed specifically to protect web servers. Although both host-based and network-based firewalls provide protection, they aren't necessarily Application layer firewalls, so they do not provide the same level of protection for a web server as a WAF does. An intrusion detection system (IDS) can help detect attacks, but it isn't as good as the WAF when protecting the web server.

Management recently learned that several employees are using the company network to visit gambling and gaming web sites. They want to implement a security control to prevent this in the future. Which of the following choices would meet this need?


A. WAF


B. UTM


C. DMZ


D. NIDS



Correct Answer: B. A unified threat management (UTM) device typically includes a URL filter and can block access to web sites, just as a proxy server can block access to web sites. A web application firewall (WAF) protects a web server from incoming attacks. A demilitarized zone (DMZ) is a buffered zone between protected and unprotected networks, but it does not include URL filters. A network-based intrusion detection system (NIDS) can detect attacks, but doesn't include outgoing URL filters.

Which of the following protocols operates on Layer 7 of the OSI model?


A. IPv6


B. TCP


C. ARP


D. SCP

Correct Answer: D. Secure Copy (SCP) is an application protocol and operates on Layer 7 of the OSI model. IPv6 operates on Layer 3 (Network). TCP operates on Layer 4 (Transport). Address Resolution Protocol (ARP) maps IP addresses to MAC addresses and operates at Layer 2 (Data Link), not Layer 7.

Which of the following BEST describes a false negative?


A. An IDS falsely indicates a buffer overflow attack occurred.


B. Antivirus software reports that a valid application is malware.


C. A locked door opens after a power failure.


D. An IDS does not detect a buffer overflow attack.

Correct Answer: D. An intrusion detection system (IDS) should detect a buffer overflow attack and report it, but if it does not, it is a false negative. If the IDS falsely indicates an attack occurred, it is a false positive. If antivirus software indicates a valid application is malware, it is a false positive. A locked door that opens after a power failure is designed to fail-open.

Company management suspects an employee is stealing critical project information and selling it to a competitor. They'd like to identify who is doing this, without compromising any live data. What is the BEST option to meet this goal?


A. Install antivirus software on all user systems.


B. Implement an IPS


C. Implement an IDS


D. Add fabricated project data on a honeypot


Correct Answer: D. Fabricated data on a honeypot could lure the malicious insider and entice him to access it, identifying him without exposing any live data. Antivirus software blocks malware. An intrusion prevention system (IPS) and an intrusion detection system (IDS) each detect attacks, but they won't detect an authorized user accessing data on a server.

Attackers frequently attack your organization, and administrators want to learn more about zero-day attacks on the network. What can they use?


A. Anomaly-based HIDS


B. Signature-based HIDS


C. Honeypot


D. Signature-based NIDS

Correct Answer: C. A honeypot is a server designed to look valuable to an attacker, and watching what attackers do to it can help administrators learn about zero-day exploits, which are previously unknown attacks. A host-based intrusion detection system (HIDS) protects individual hosts but isn't helpful for learning about attacks across the network. Signature-based tools (HIDS or NIDS) would not have a signature for a zero-day attack because the attack method is, by definition, unknown when the attack occurs.

Security personnel recently noticed a successful exploit against an application used by many employees at their company. They notified the company that sold them the software and asked for a patch. However, they discovered that a patch wasn't available. What BEST describes this scenario?


A. Zero-day


B. Buffer overflow


C. LSO


D. SQL injection

Correct Answer: A. This scenario describes a zero-day exploit on the software application. A zero-day exploit is one that is unknown to the vendor, or that the vendor knows about but hasn't yet released a patch or update to mitigate. The other answers are specific types of attacks, but the scenario isn't specific enough to identify the type of exploit. A buffer overflow attack occurs when an attacker attempts to write more data into an application's memory than it can handle, or to bypass the application's structured exception handling (SEH). Adobe Flash content within web pages uses locally shared objects (LSOs), similar to how regular web pages use cookies, and attackers can modify both cookies and LSOs in different types of attacks. A Structured Query Language (SQL) injection attack attempts to inject SQL code into an application to access a database.



What type of encryption is used with WPA2 CCMP?


A. AES


B. TKIP


C. RC4


D. SSL

Correct Answer: A. Wi-Fi Protected Access II (WPA2) with Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) uses Advanced Encryption Standard (AES). Temporal Key Integrity Protocol (TKIP), used by the original WPA, is built on Rivest Cipher 4 (RC4). Secure Sockets Layer (SSL) is a transport encryption protocol rather than a Wi-Fi cipher; its cipher suites commonly used RC4, but it is not what CCMP uses.

Administrators in your organization are planning to implement a wireless network. Management has mandated that they use a RADIUS server and implement a secure wireless authentication method. Which of the following should they use?


A. LEAP


B. WPA-PSK


C. WPA2-PSK


D. AES

Correct Answer: A. WPA2 Enterprise mode uses 802.1x with a Remote Authentication Dial-In User Service (RADIUS) server, and an Extensible Authentication Protocol (EAP) method such as Lightweight EAP (LEAP) carries the authentication. LEAP is a Cisco proprietary protocol and is the only RADIUS-based choice listed, although it has known weaknesses (its MS-CHAP-style challenge/response is vulnerable to offline dictionary attacks), so stronger EAP variants such as Protected EAP (PEAP), EAP-Transport Layer Security (EAP-TLS), and EAP Tunneled TLS (EAP-TTLS) should be preferred in practice. Wi-Fi Protected Access (WPA) and WPA2 using a preshared key (PSK) do not use RADIUS. Many security protocols use Advanced Encryption Standard (AES), but AES by itself is a cipher, not an authentication method.

Which of the following wireless security mechanisms is subject to a spoofing attack?


A. WEP


B. IV


C. WPA2 Enterprise


D. MAC address filtering

Correct Answer: D. Media access control (MAC) address filtering is vulnerable to spoofing attacks because attackers can easily change the MAC address a network interface card (NIC) presents, for example to one they observed an authorized client using. Wired Equivalent Privacy (WEP) can be cracked using an initialization vector (IV) attack, but that is a cryptographic weakness, not spoofing. WPA2 Enterprise requires users to authenticate with credentials, so spoofing a MAC address does not gain access.

Which of the following is the BEST description of why disabling SSID broadcast is not an effective security measure against attackers?


A. The network name is contained in wireless packets in plaintext.


B. The passphrase is contained in wireless packets in plaintext.


C. The SSID is included in MAC filters.


D. The SSID is not used with WPA2

Correct Answer: A. The service set identifier (SSID) is the network name, and it is included in certain wireless management frames in plaintext: even when the access point omits it from its beacons, clients send it in probe requests and association requests, and the AP includes it in probe responses. Disabling SSID broadcast hides the wireless network from casual users, but not from attackers with a wireless sniffer. Passphrases are never sent across the network in plaintext and are unrelated to the SSID. Media access control (MAC) address filters list client MAC addresses, not the SSID. Wi-Fi Protected Access II (WPA2) networks still have an SSID; in WPA2 with a preshared key, the SSID is even used as the salt when the pairwise master key is derived from the passphrase, so choice D is false.
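Two points in that answer are easy to verify in code: the SSID travels as a plaintext tagged parameter in management frames, and WPA2-PSK uses the SSID as the salt in its key derivation. The block below is an added example, not part of the original card. The frame bodies are constructed (tagged parameters only, with no MAC or radiotap header) and the network name GCGA is borrowed from the survey card that follows; the PBKDF2 parameters are the standard WPA2-Personal ones, checked against the published IEEE 802.11 test vector for passphrase "password" and SSID "IEEE".

```python
import hashlib
from typing import Dict, Optional


def parse_information_elements(body: bytes) -> Dict[int, bytes]:
    """Parse 802.11 tagged parameters: repeated (element ID, length, value) triples."""
    elems, i = {}, 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        elems[eid] = body[i + 2:i + 2 + length]
        i += 2 + length
    return elems


def ssid_from_frame_body(body: bytes) -> Optional[str]:
    """Return the SSID (element ID 0) from a management frame body, or None if it is cloaked."""
    ssid = parse_information_elements(body).get(0)
    if not ssid or not ssid.strip(b"\x00"):
        return None            # "hidden" network: the beacon carries an empty or all-zero SSID element
    return ssid.decode("utf-8", "replace")


def wpa2_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal pairwise master key: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


# Constructed frame bodies: a beacon from an AP with SSID broadcast disabled, and the probe
# request a client sends when it looks for that network by name.
SUPPORTED_RATES = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])        # element 1: 1, 2, 5.5, 11 Mbit/s
HIDDEN_BEACON_BODY = bytes([0, 0]) + SUPPORTED_RATES          # element 0 with length 0
PROBE_REQUEST_BODY = bytes([0, 4]) + b"GCGA" + SUPPORTED_RATES  # element 0 carrying the name


if __name__ == "__main__":
    print("beacon SSID:", ssid_from_frame_body(HIDDEN_BEACON_BODY))          # None
    print("probe request SSID:", ssid_from_frame_body(PROBE_REQUEST_BODY))   # GCGA
    # Same passphrase, different SSID, different key: WPA2-PSK very much uses the SSID.
    print(wpa2_psk_pmk("password", "IEEE").hex())
    print(wpa2_psk_pmk("password", "GCGA").hex())
```

A sniffer only has to wait for one client to probe for or associate with the "hidden" network to recover its name, and the key derivation shows that an attacker cracking a WPA2-PSK handshake needs the SSID too, which is another reason it cannot be kept secret.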

You are reviewing logs from a wireless survey within your organization's network due to a suspected attack and you notice the following entries:

MAC                SSID  Encryption  Power
12:AB:34:CD:56:EF  GCGA  WPA2        47
12:AB:34:CD:56:EF  GCGA  WPA2        62
56:CD:34:EF:12:AB  GCGA  WPA2        20
12:AB:34:CD:56:EF  GCGA  WPA2        57
12:AB:34:CD:56:EF  GCGA  WPA2        49

Of the following choices, what is the most likely explanation of these entries?


A. An evil twin is in place.


B. Power of the AP needs to be adjusted


C. A rogue AP is in place


D. The AP is being pharmed

Correct Answer: A. The logs indicate an evil twin is in place. An evil twin is a rogue wireless access point configured with the same service set identifier (SSID) as a legitimate access point. The SSID is GCGA and most of the entries are from an access point (AP) with a media access control (MAC) address of 12:AB:34:CD:56:EF. However, one entry shows a MAC of 56:CD:34:EF:12:AB, indicating a second AP advertising the same name as the legitimate one. Power can be adjusted if necessary to reduce the visibility of an AP, but there isn't any indication this is needed; the lower power of the evil twin simply suggests it is farther from the survey point. A rogue AP is any unauthorized AP, and although the evil twin is unauthorized, it is more precise to identify this as an evil twin because it mimics the legitimate SSID; a generic rogue AP usually has a different SSID. A pharming attack redirects a web site's traffic to another web site, which isn't indicated in this question at all.
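The reasoning in that answer (group survey entries by SSID, compare the BSSIDs seen against the ones you own, and use signal level as a hint about location) is straightforward to automate. The block below is an added example and not from the original card: it parses the survey entries shown above and assumes an inventory of authorized BSSIDs, which the card does not give, to separate an evil twin (unknown BSSID, legitimate SSID) from a plain rogue AP (unknown BSSID, its own SSID).

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# The survey entries from the card above, used here as constructed input.
SURVEY = """\
MAC SSID Encryption Power
12:AB:34:CD:56:EF GCGA WPA2 47
12:AB:34:CD:56:EF GCGA WPA2 62
56:CD:34:EF:12:AB GCGA WPA2 20
12:AB:34:CD:56:EF GCGA WPA2 57
12:AB:34:CD:56:EF GCGA WPA2 49
"""

# Assumed inventory of authorized access points (BSSIDs); not part of the original card.
AUTHORIZED_BSSIDS = {"12:AB:34:CD:56:EF"}


def parse_survey(text: str) -> List[dict]:
    rows = []
    for line in text.splitlines()[1:]:                 # skip the header row
        mac, ssid, encryption, power = line.split()
        rows.append({"mac": mac.upper(), "ssid": ssid, "encryption": encryption, "power": int(power)})
    return rows


def classify_unknown_aps(rows: List[dict], authorized: Set[str]) -> List[Tuple[str, str, List[str]]]:
    """An unknown BSSID advertising an SSID that an authorized AP also uses is an evil twin;
    an unknown BSSID with an SSID of its own is a plain rogue AP."""
    by_ssid: Dict[str, Set[str]] = defaultdict(set)
    for r in rows:
        by_ssid[r["ssid"]].add(r["mac"])
    findings = []
    for ssid, macs in by_ssid.items():
        unknown = macs - authorized
        if not unknown:
            continue
        kind = "evil twin" if macs & authorized else "rogue AP"
        findings.append((kind, ssid, sorted(unknown)))
    return findings


def average_power(rows: List[dict]) -> Dict[str, float]:
    """Mean signal level per BSSID; a much weaker twin is usually farther from the survey point."""
    totals: Dict[str, List[int]] = defaultdict(list)
    for r in rows:
        totals[r["mac"]].append(r["power"])
    return {mac: sum(v) / len(v) for mac, v in totals.items()}


if __name__ == "__main__":
    rows = parse_survey(SURVEY)
    for kind, ssid, macs in classify_unknown_aps(rows, AUTHORIZED_BSSIDS):
        print(f"{kind}: SSID {ssid} also seen from {', '.join(macs)}")
    print(average_power(rows))
```

On the survey above this flags 56:CD:34:EF:12:AB as an evil twin of GCGA with an average power of 20 against roughly 54 for the legitimate AP; a row for some unrelated network from an unknown BSSID would be reported as a rogue AP instead.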

Mobile users in your network report that they frequently lose connectivity with the wireless network on some days, but on other days they don't have any problems. Which of the following types of attacks could cause this?


A. IV


B. Wireless jamming


C. Replay


D. WPA cracking

Correct Answer: B. A wireless jamming attack is a type of denial-of-service (DoS) attack that can cause wireless devices to lose their association with access points and disconnect them from the network; because it depends on the attacker being present and transmitting, its effects can be intermittent. None of the other attacks are DoS attacks. An initialization vector (IV) attack is a specific attack on Wired Equivalent Privacy (WEP) to crack the key. A replay attack captures traffic with the goal of replaying it later to impersonate one of the parties in the original transmission. Wi-Fi Protected Access (WPA) cracking attacks attempt to discover the passphrase.

Management within your organization wants some users to be able to access internal network resources from remote locations. Which of the following is the BEST choice to meet this need?


A. WAF


B. VPN


C. IDS


D. IPS

Correct Answer: B. A virtual private network (VPN) provides access to a private network over a public network such as the Internet via remote locations and is the best choice. A web application firewall (WAF) provides protection for a web application or a web server. Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) protect networks, but do not control remote access.

You suspect that an executable file on a web server is malicious and includes a zero-day exploit. Which of the following steps can you take to verify your suspicions?


A. Perform a code review


B. Perform an architecture review.


C. Perform a design review


D. Perform an operating system baseline comparison

Correct Answer: D. An operating system baseline comparison is the best choice of the available answers. It can verify if the file is in the baseline, or was added after the server was deployed. A code review is possible if you have access to the original code, but this isn't easily possible with an executable file. Code reviews look at the code before it is released and architecture reviews look at architecture designs, but neither of these identifies malicious files after a web server has been deployed.
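The baseline comparison in that answer, and the hash-for-integrity card earlier on this page, come down to the same mechanism: record a cryptographic hash of every file when the system is deployed, then re-hash and diff. The block below is an added example and not from either card; the web-root files and the "suspicious" binary are created in a temporary directory purely so the example runs stand-alone.

```python
import hashlib
import os
import tempfile
from typing import Dict


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file under root (relative path, forward slashes) to its hash."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare_to_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """Files that appeared, disappeared or changed since the baseline was recorded."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> Dict[str, list]:
    """Constructed scenario: record a baseline of a web root, then an unexpected executable
    appears and an existing page is altered."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>hello</h1>\n")
        with open(os.path.join(root, "app.cgi"), "w") as f:
            f.write("#!/bin/sh\necho ok\n")
        baseline = build_manifest(root)                  # taken when the server was deployed
        with open(os.path.join(root, "index.html"), "a") as f:
            f.write("<!-- altered after deployment -->\n")
        with open(os.path.join(root, "update.exe"), "wb") as f:
            f.write(b"MZ\x90\x00")                          # stands in for the suspicious binary
        return compare_to_baseline(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())   # {'added': ['update.exe'], 'removed': [], 'modified': ['index.html']}
```

The baseline manifest has to be stored somewhere the attacker cannot rewrite it (off the host, or signed), otherwise anyone who can add a file can also update the list of expected hashes.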

Lisa has scanned all the user computers in the organization as part of a security audit. She is creating an inventory of these systems, including a list of applications running on each computer and the application versions. What is she MOST likely trying to identify?


A. System architecture


B. Application baseline


C. Code vulnerabilities


D. Attack surface



Correct Answer: B. Administrators create a list of applications installed on systems as part of an application baseline (also called a host software baseline). An architecture review typically looks at the network architecture, not individual systems. A code review looks for vulnerabilities within code, but applications are compiled so the code is not easily available for review. The attack surface looks at much more than just applications and includes protocols and services.

An updated security policy identifies authorized applications for company-issued mobile devices. Which of the following would prevent users from installing other applications on these devices?


A. Geo-tagging


B. Authentication


C. ACLS


D. Whitelisting



Correct Answer: D. Whitelisting identifies authorized software and prevents users from installing or running any other software. Geo-tagging adds location information to media such as photographs, but the scenario only refers to applications. Authentication allows users to prove their identity, such as with a username and password, but isn't relevant in this question. Access control lists (ACLs) are used with routers, firewalls, and files, but do not restrict installation of applications.

A company is implementing a feature that allows multiple servers to operate on a single physical server. What is this?


A. Virtualization


B. IaaS


C. Cloud computing


D. DLP

Correct Answer: A. Virtualization allows multiple virtual servers to exist on a single physical server. Infrastructure as a Service (IaaS) is a cloud-computing option where the vendor provides access to a computer, but customers manage it. Cloud computing refers to accessing computing resources via a different location than your local computer. Data loss prevention (DLP) techniques examine and inspect data looking for unauthorized data transmissions.

A software vendor recently developed a patch for one of its applications. Before releasing the patch to customers, the vendor needs to test it in different environments. Which of the following solutions provides the BEST method to test the patch in different environments?


A. Baseline image


B. BYOD


C. Virtualized sandbox


D. Change management



Correct Answer: C. A virtualized sandbox provides a simple method of testing patches and would be used with snapshots so that the virtual machine (VM) can easily be reverted to its original state after each test. A baseline image is the starting point of a single environment. Bring your own device (BYOD) refers to allowing employee-owned mobile devices in a network, and is not related to this question. Change management practices ensure changes are not applied until they are approved and documented.

Your company has recently standardized servers using imaging technologies. However, a recent security audit verified that some servers were immune to known OS vulnerabilities, whereas other systems were not immune to the same vulnerabilities. Which of the following would reduce these vulnerabilities?


A. Patch management


B. Sandboxing


C. Snapshots


D. Baselines

Correct Answer: A. Patch management procedures ensure operating systems (OSs) are kept up to date with current patches. Patches make systems immune to known vulnerabilities, but none of the other answers protects systems from these known vulnerabilities. Sandboxing isolates systems for testing. Snapshots record the state of a virtual machine at a moment in time. Baselines identify the starting point for systems.

Someone stole an executive's smartphone, and the phone includes sensitive data. What should you do to prevent the thief from reading the data?


A. Password-protect the phone


B. Encrypt the data on the phone


C. Use remote wipe


D. Track the location of the phone

Correct Answer: C. Remote wipe capabilities can send a remote wipe signal to the phone to delete all the data on the phone, including any cached data. The phone is lost, so it's too late to password-protect or encrypt the data now if these steps weren't completed previously. Although tracking the phone might be useful, it doesn't prevent the thief from reading the data.

Your organization has issued mobile devices to several key personnel. These devices store sensitive information. What can administrators implement to prevent data loss from these devices if they are stolen?


A. Inventory control


B. GPS tracking


C. Full device encryption


D. Geo-tagging

Correct Answer: C. Full device encryption helps prevent data loss in the event of theft of a mobile device storing sensitive information. Other security controls (not listed as answers in this question) that help prevent loss of data in this situation are a screen lock, account lockout, and remote wipe capabilities. Inventory control methods help ensure devices aren't lost or stolen. Global positioning system (GPS) tracking helps locate the device. Geo-tagging includes geographical information with pictures posted to social media sites.

Homer wants to ensure that other people cannot view data on his mobile device if he leaves it unattended. What should he implement?


A. Encryption


B. Cable lock


C. Screen lock


D. Remote wiping

Correct Answer: C. A screen lock locks a device until the proper passcode is entered and prevents access to mobile devices when they are left unattended. Encryption protects data, especially if the device is lost or stolen. A cable lock is used with laptops to prevent them from being stolen. Remote wiping can erase data on a lost or stolen device.

Management wants to implement a system that will provide automatic notification when personnel remove devices from the building. Which of the following security controls will meet this requirement?


A. Video monitoring


B. RFID


C. Geo-tagging


D. Account lockout

Correct Answer: B. Radio-frequency identification (RFID) provides automated inventory control and can detect movement of devices. Video monitoring might detect removal of devices, but it does not include automatic notification. Geo-tagging provides geographic location for pictures posted to social media sites. Account lockout controls lock accounts when the incorrect password is entered too many times.

Your organization was recently attacked, resulting in a data breach, and attackers captured customer data. Management wants to take steps to better protect customer data. Which of the following will BEST support this goal?


A. Succession planning and data recovery procedures


B. Fault tolerance and redundancy


C. Stronger access controls and encryption


D. Hashing and digital signatures

Correct Answer: C. Strong access controls and encryption are two primary methods of protecting the confidentiality of any data, including customer data. Succession planning and data recovery procedures are part of business continuity. Fault tolerance and redundancy increase the availability of data. Hashing and digital signatures provide integrity.

A business owner is preparing to decommission a server that has processed sensitive data. He plans to remove the hard drives and send them to a company that destroys them. However, he wants to be certain that personnel at that company cannot access data on the drives. Which of the following is the BEST option to meet this goal?


A. Encrypt the drives using full disk encryption.


B. Capture an image of the drives


C. Identify data retention policies


D. Use file-level encryption to protect the data.

Correct Answer: A. Full disk encryption is the best option of the available answers, provided the encryption keys are not sent along with the drives or recoverable from them. Another option (not listed) is to use disk wiping procedures to erase the data before the drives leave the organization. Capturing an image of the drives won't stop someone from accessing the data on the original drives. Retention policies identify how long to keep data, but do not apply here. Depending on how much data is on the drives, file-level encryption can be very tedious and won't necessarily encrypt all of the sensitive data.

Your organization is considering the purchase of new computers. A security professional stresses that these devices should include TPMs. What benefit does a TPM provide? (Select all that apply)


A. It uses hardware encryption, which is quicker than software encryption.


B. It uses software encryption, which is quicker than hardware encryption


C. It includes an HSM file system.


D. It stores RSA keys.

Correct Answer: A, D. A Trusted Platform Module (TPM) is a hardware chip that stores RSA encryption keys and uses hardware encryption, which is quicker than software encryption. A TPM does not use software encryption. An HSM is a removable hardware device that uses hardware encryption, but it does not have a file system and TPM does not provide HSM as a benefit.

What functions does an HSM include?


A. Reduces the risk of employees emailing confidential information outside the organization.


B. Provides webmail to clients


C. Provides full drive encryption


D. Generates and stores keys used with servers

Correct Answer: D. A hardware security module (HSM) is a removable device that can generate and store RSA keys used with servers for data encryption. A data loss prevention (DLP) device is a device that can reduce the risk of employees emailing confidential information outside the organization. Software as a Service (SaaS) provides software or applications, such as webmail, via the cloud. A Trusted Platform Module (TPM) provides full drive encryption and is included in many laptops.

Homer installed code designed to enable his account automatically, three days after someone disables it. What did Homer create?


A. Backdoor


B. Rootkit


C. Armored virus


D. Ransomware

Correct Answer: A. By ensuring that his account is automatically reenabled, Homer has created a backdoor. He is creating this with a logic bomb, but a logic bomb isn't available as a choice in this question. Rootkits include hidden processes, but they do not activate in response to events. An armored virus uses techniques to make it difficult for researchers to reverse engineer it. Ransomware demands payment to release a user's computer or data.

Your local library is planning to purchase new computers that patrons can use for Internet research. Which of the following are the BEST choices to protect these computers? (Select TWO).


A. Mantrap


B. Anti-malware software


C. Cable locks


D. Pop-up blockers


E. Disk encryption

Correct Answer: B,C. Anti-malware software and cable locks are the best choices to protect these computers. Anti-malware software protects the systems from viruses and other malware. The cable locks deter theft of the computers. A mantrap prevents tailgating, but this is unrelated to this question. Pop-up blockers are useful, but they are often included with anti-malware software, so anti-malware software is most important. Disk encryption is useful if the computers have confidential information, but it wouldn't be appropriate to put confidential information on a public computer.

Your organization has been receiving a significant amount of spam with links to malicious web sites. You want to stop the spam. Of the following choices, what provides the BEST solution?


A. Add the domain to a block list


B. Use a URL filter


C. Use a MAC filter


D. Add antivirus software

Correct Answer: A. You can block emails from a specific domain sending spam by adding the domain to a block list. While the question doesn't indicate that the spam is coming from a single domain, this is still the best answer of the given choices. A URL filter blocks outgoing traffic and can be used to block the links to the malicious web sites in this scenario, but it doesn't stop the email. Switches use MAC filters to restrict access within a network. Antivirus software does not block spam.

Attackers have launched an attack using multiple systems against a single target. What type of attack is this?


A. DoS


B. DDoS


C. SYN flood


D. Buffer overflow

Correct Answer: B. A distributed denial-of-service (DDoS) attack includes attacks from multiple systems with the goal of depleting the target's resources. A DoS attack comes from a single system, and a SYN flood is an example of a DoS attack. A buffer overflow writes more data into an application's memory than it can handle; it can crash the application (a form of DoS), but it does not involve multiple attacking systems.

Security administrators are reviewing security controls and their usefulness. Which of the following attacks will account lockout controls prevent? (Select TWO).


A. DNS poisoning


B. Replay


C. Brute force


D. Buffer overflow


E. Dictionary

Correct Answer: C,E. Brute force and dictionary attacks attempt to guess passwords, but an account lockout control locks an account after the wrong password is guessed too many times. The other attacks are not password attacks, so they aren't mitigated using account lockout controls. Domain Name System (DNS) poisoning attempts to redirect web browsers to malicious URLs. Replay attacks attempt to capture packets to impersonate one of the parties in an online session. Buffer overflow attacks attempt to overwhelm online applications with unexpected code or data.
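Worked example (added here; not part of the original flashcards): an account lockout control in Python, with a simulated dictionary attack run against it. The threshold, lockout duration and observation window are assumed policy values, the user name and word list are constructed, and the clock is injectable so the lockout expiry can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time

# Assumed policy values for this example (not from the flashcards).
LOCKOUT_THRESHOLD = 5        # failed attempts before the account locks
LOCKOUT_DURATION = 15 * 60   # seconds the account stays locked
RESET_WINDOW = 15 * 60       # failures older than this are forgotten


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


class AccountStore:
    """In-memory account store with a lockout policy (example only)."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so tests can advance time
        self.accounts = {}

    def add_user(self, username, password):
        salt, digest = hash_password(password)
        self.accounts[username] = {
            "salt": salt, "digest": digest, "failures": [], "locked_until": 0.0,
        }

    def login(self, username, password):
        """Return 'ok', 'bad_password' or 'locked'."""
        acct = self.accounts.get(username)
        if acct is None:
            # Burn the same hashing cost so unknown users are not distinguishable by timing.
            hash_password(password, b"\x00" * 16)
            return "bad_password"
        now = self.clock()
        if now < acct["locked_until"]:
            return "locked"
        # Forget failures that fall outside the observation window.
        acct["failures"] = [t for t in acct["failures"] if now - t < RESET_WINDOW]
        _, digest = hash_password(password, acct["salt"])
        if hmac.compare_digest(digest, acct["digest"]):
            acct["failures"].clear()
            return "ok"
        acct["failures"].append(now)
        if len(acct["failures"]) >= LOCKOUT_THRESHOLD:
            acct["locked_until"] = now + LOCKOUT_DURATION
            acct["failures"].clear()
            return "locked"
        return "bad_password"


def dictionary_attack(store, username, wordlist):
    """Try each word in turn; returns the result of every guess."""
    return [store.login(username, guess) for guess in wordlist]


if __name__ == "__main__":
    store = AccountStore()
    store.add_user("lisa", "correct horse battery staple")      # constructed account
    guesses = ["password", "123456", "qwerty", "letmein", "welcome", "monkey"]
    print(dictionary_attack(store, "lisa", guesses))
    # -> four 'bad_password' results, then 'locked' for every further guess
```

The point the flashcard makes shows up directly: after the fifth wrong guess the store answers "locked" regardless of the password supplied, so an online brute force or dictionary attack can no longer test candidates until the lockout expires.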

A web developer wants to reduce the chances of an attacker successfully launching XSRF attacks against a web site application. Which of the following provides the BEST protection?


A. Client-side input validation


B. Web proxy


C. Antivirus software


D. Server-side input validation

Correct Answer: D. Validating and filtering input using server-side input validation can restrict the use of special characters needed in cross-site request forgery (XSRF) attacks, and it is the best of the listed choices. Both server-side and client-side input validation are useful, but client-side input validation can be bypassed, so it should not be used alone. A web proxy can filter URLs, but it cannot validate data. Additionally, web proxies can be used to bypass client-side input validation techniques. Antivirus software cannot detect XSRF attacks. Note that the standard XSRF defense, not offered as a choice here, is a per-session anti-forgery token that the server checks on every state-changing request.

A web developer is adding input validation techniques to a web site application. Which of the following should the developer implement during this process?


A. Perform the validation on the server side.


B. Perform the validation on the client side.


C. Prevent boundary checks


D. Encrypt data with TLS

Correct Answer: A. Input validation should be performed on the server side. Client-side validation can be combined with server-side validation, but it can be bypassed so it should not be used alone. Boundary or limit checks are an important part of input validation. Input validation does not require encryption of data with Transport Layer Security (TLS) or any other encryption protocol.
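Worked example (added here; not part of the original flashcards) covering the two previous cards: server-side validation with boundary checks on a form, plus the anti-forgery token check that protects against XSRF. The form fields, their limits and the session layout are assumptions made for the example; a real application would apply the same checks in its request handler regardless of any client-side JavaScript.

```python
import hmac
import re
import secrets

# Assumed field rules for a hypothetical "update profile" form (not from any real app).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")
MAX_COMMENT_LEN = 500
AGE_MIN, AGE_MAX = 13, 120


def issue_csrf_token(session):
    """Store a fresh random anti-forgery token in the server-side session and return it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def validate_form(form, session):
    """Server-side validation. Returns (clean_values, errors).

    Every check runs here; the client may have edited or skipped its own scripts.
    """
    errors = []
    clean = {}

    # Anti-forgery token: must match the session copy (constant-time compare).
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        errors.append("csrf_token: missing or invalid")

    # Allow-list pattern for the user name.
    username = form.get("username", "")
    if USERNAME_RE.fullmatch(username):
        clean["username"] = username
    else:
        errors.append("username: 3-32 chars, letters/digits/underscore only")

    # Boundary (limit) check on a numeric field: type first, then range.
    try:
        age = int(form.get("age", ""))
        if AGE_MIN <= age <= AGE_MAX:
            clean["age"] = age
        else:
            errors.append(f"age: must be between {AGE_MIN} and {AGE_MAX}")
    except ValueError:
        errors.append("age: not an integer")

    # Length limit on free text, then drop control characters.
    comment = form.get("comment", "")
    if len(comment) > MAX_COMMENT_LEN:
        errors.append(f"comment: longer than {MAX_COMMENT_LEN} characters")
    else:
        clean["comment"] = "".join(ch for ch in comment if ch.isprintable() or ch in "\n\t")

    return clean, errors


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    # Constructed submissions: a good one, a forged one (no token), and an oversized one.
    good = {"csrf_token": token, "username": "homer_s", "age": "39", "comment": "hello"}
    forged = {"username": "homer_s", "age": "39", "comment": "hello"}
    oversized = {"csrf_token": token, "username": "x", "age": "999", "comment": "A" * 600}
    for f in (good, forged, oversized):
        print(validate_form(f, session))
```

The forged submission fails only on the token, which is what an XSRF attempt from another origin looks like to the server; the oversized one fails three boundary checks at once, none of which a client-side script could have enforced.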

An attacker is attempting to write more data into a web application's memory than it can handle. What type of attack is this?


A. XSRF


B. LDAP injection


C. Fuzzing


D. Buffer overflow

Correct Answer: D. One type of buffer overflow attack attempts to write more data into an application's memory than it can handle. A cross-site request forgery (XSRF) attack uses HTML or script on another site to make a user's browser send requests the user did not intend. Lightweight Directory Access Protocol (LDAP) injection attacks attempt to query directory service databases such as Microsoft Active Directory. Fuzzing inputs random or malformed data into an application during testing.

During a penetration test, a tester injected extra input into an application causing the application to crash. What does this describe?


A. SQL injection


B. Fuzzing


C. Transitive access


D. XSRF



Correct Answer: B. Fuzzing or fuzz testing sends extra, random, or malformed input to an application to test it. Ideally, the application handles the extra input gracefully, but fuzz testing often causes an application to crash, which is exactly the kind of bug it is meant to expose. The other answers do not describe this. A SQL injection attack sends specific SQL code to access or modify data in a database. Transitive access is gaining access to a resource indirectly through a system that the resource trusts. A cross-site request forgery (XSRF) attack uses HTML or JavaScript code to take actions on behalf of a user.
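Worked example (added here; not part of the original flashcards): a small mutation fuzzer run against a constructed length-prefixed record parser. The parser is written with a deliberate trust-the-length bug so the fuzzer has something to find; the record format, the mutation strategies and the seed input are all assumptions for the example.

```python
import random


def parse_record(data):
    """Toy parser (constructed): [len][payload...][checksum], checksum = XOR of payload.

    It trusts the length byte, so truncated or length-inflated input makes it
    index past the end of the buffer: the kind of defect fuzzing is meant to find.
    """
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]           # IndexError on short input
    if len(payload) != length:
        raise ValueError("short payload")
    calc = 0
    for b in payload:
        calc ^= b
    if calc != checksum:
        raise ValueError("bad checksum")   # graceful rejection
    return bytes(payload)


def make_record(payload):
    """Build a valid record for the toy format (used as the fuzzing seed)."""
    chk = 0
    for b in payload:
        chk ^= b
    return bytes([len(payload)]) + payload + bytes([chk])


def mutate(seed_bytes, rng):
    """Apply one random mutation: flip a byte, truncate, append junk, or rewrite the length."""
    data = bytearray(seed_bytes)
    choice = rng.randrange(4)
    if choice == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 1 and len(data) > 1:
        del data[rng.randrange(1, len(data)):]
    elif choice == 2:
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    elif data:
        data[0] = rng.randrange(256)
    return bytes(data)


def fuzz(parser, seed_bytes, iterations=2000, rng_seed=1):
    """Feed mutated inputs to the parser. Returns (crash_cases, rejected, accepted).

    A ValueError is the parser rejecting bad input on purpose; any other
    exception is an unhandled crash and is recorded with its input.
    """
    rng = random.Random(rng_seed)
    crashes, rejected, accepted = [], 0, 0
    for _ in range(iterations):
        case = mutate(seed_bytes, rng)
        try:
            parser(case)
            accepted += 1
        except ValueError:
            rejected += 1
        except Exception as exc:
            crashes.append((case, type(exc).__name__))
    return crashes, rejected, accepted


if __name__ == "__main__":
    seed = make_record(b"hello")   # constructed, valid seed input
    crashes, rejected, accepted = fuzz(parse_record, seed)
    print(f"accepted={accepted} rejected={rejected} crashes={len(crashes)}")
    if crashes:
        print("first crashing input:", crashes[0])
```

The separation between "rejected" and "crashes" is the useful part: a parser that raises a controlled error on bad input is doing its job, while an IndexError on a truncated buffer is the bug report the penetration tester in the card would write up.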

A security expert is attempting to identify the number of failures a web server has in a year. Which of the following is the expert MOST likely identifying?


A. SLE


B. MTTR


C. ALE


D. MTTF

Correct Answer: C. Annual loss expectancy (ALE) is part of a quantitative risk assessment and is the most likely answer of those given. It is calculated by multiplying the single loss expectancy (SLE) by the annual rate of occurrence (ARO). Strictly, the number of failures in a year is the ARO itself, which is not offered as a choice; ALE is the only listed term built from it. Mean time to recover (MTTR) and mean time to failure (MTTF) do not identify the number of failures in a year.

You are trying to add additional security controls for a database server that contains customer records and need to justify the cost of $1,000 for these controls. The database includes 2,500 records. Estimates indicate a cost of $300 for each record if an attacker successfully gains access to them. Research indicates that there is a 10 percent possibility of a data breach in the next year. What is the ALE?


A. $300


B. $37,500


C. $75,000


D. $750,000

Correct Answer: C. The annual loss expectancy (ALE) is $75,000. The single loss expectancy (SLE) is $750,000 ($300 per record x 2,500 records). The annual rate of occurrence (ARO) is 10 percent, or .10. You calculate the ALE as SLE x ARO ($750,000 x .10). One single record is $300, but if an attacker can gain access to the database, the attacker can access all 2,500 records. If the ARO were .05, the ALE would be $37,500. The $1,000 cost of the controls is far below the $75,000 ALE, so the expense is easily justified.

A penetration tester is tasked with gaining information on one of your internal servers and he enters the following command: telnet server1 80. What is the purpose of this command?


A. Identify if server1 is running a service using port 80 and is reachable.


B. Launch an attack on server1 sending 80 separate packets in a short period of time.


C. Use Telnet to remotely administer server1


D. Use Telnet to start an RDP session.

Correct Answer: A. This command opens a TCP connection to server1 on port 80; if the server is reachable and running a service on port 80, the connection succeeds and the tester can type a request by hand. This is a common beginning command for a banner grabbing attempt. It does not send 80 separate packets. If 80 were omitted, Telnet would attempt to connect using its default port of 23 and attempt to create a Telnet session. Remote Desktop Protocol (RDP) uses port 3389 and is not relevant in this scenario.
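Worked example (added here; not part of the original flashcards): what the tester does after `telnet server1 80` connects, written as a Python banner grabber. It opens the same TCP connection telnet would, sends the HEAD request a tester would type by hand, and picks the status line and Server header out of the reply. The response used for the demonstration is constructed, not captured from any real host, and the server name in it is invented.

```python
import socket


def build_http_probe(host):
    """The bytes a tester types after telnet connects: a minimal HEAD request."""
    return (
        f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    ).encode("ascii")


def parse_banner(raw):
    """Return the status line and Server header from an HTTP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", errors="replace")
    lines = head.split("\r\n")
    status = lines[0] if lines else ""
    server = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
            break
    return {"status": status, "server": server}


def grab_banner(host, port=80, timeout=5.0):
    """Connect like telnet, send the probe, read until the headers end.

    Returns None when the port is closed or filtered (refused / timed out),
    which is the same information a failed `telnet host 80` gives you.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_http_probe(host))
            chunks = b""
            while b"\r\n\r\n" not in chunks:
                data = s.recv(4096)
                if not data:
                    break
                chunks += data
    except (OSError, socket.timeout):
        return None
    return parse_banner(chunks)


# Constructed sample response for offline demonstration (not a real capture).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: ExampleHTTPd/1.0\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(build_http_probe("server1").decode())
    print(parse_banner(SAMPLE_RESPONSE))
    # Against a live host you would call, for example: grab_banner("server1", 80)
```

Defensively, the Server header is the thing to trim or remove on your own web servers; the probe above is exactly how an attacker learns the product and version before picking an exploit.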

A recent vulnerability assessment identified several issues related to an organization's security posture. Which of the following issues is most likely to affect the organization on a day-to-day basis?


A. Natural disasters


B. Lack of antivirus software


C. Lack of protection for data at rest


D. Lack of protection for data in transit

Correct Answer: B. Malware is a constant threat and without antivirus software, systems are sure to become infected in a short period of time. Natural disasters are a risk, but not on a day-to-day basis. Encryption protects data at rest and data in transit, but a lack of encryption isn't likely to affect the organization on a day-to-day basis.

Which of the following tools would a security administrator use to identify misconfigured systems within a network?


A. Pentest


B. Virus scan


C. Load test


D. Vulnerability scan

Correct Answer: D. A vulnerability scan checks systems for potential vulnerabilities, including vulnerabilities related to misconfiguration. Although a penetration test (pentest) can identify misconfigured systems, it also attempts to exploit vulnerabilities on these systems, so it isn't appropriate if you only want to identify the systems. A virus scan identifies malware and a load test determines if a system can handle a load, but neither of these identifies misconfigured systems.

A security expert is running tests to identify the security posture of a network. However, these tests are not exploiting any weaknesses. Which of the following types of test is the security expert performing?


A. Penetration test


B. Virus scan


C. Port scan


D. Vulnerability scan

Correct Answer: D. A vulnerability scan identifies the security posture of a network, but it does not actually exploit any weaknesses. In contrast, a penetration test attempts to exploit weaknesses. A virus scan searches a system for malware and a port scan identifies open ports, but neither identifies the security posture of an entire network.

Which of the following tools is the LEAST invasive and can verify if security controls are in place?


A. Pentest


B. Protocol analyzer


C. Vulnerability scan


D. Host enumeration

Correct Answer: C. A vulnerability scan can verify if security controls are in place, and it does not try to exploit these controls using any invasive methods. A pentest (or penetration test) can verify if security controls are in place, but it is invasive and can potentially compromise a system. A protocol analyzer is not invasive, but it cannot determine if security controls are in place. Host enumeration identifies hosts on a network, but does not check for security controls.

Your organization develops web application software, which it sells to other companies for commercial use. To ensure the software is secure, your organization uses a peer assessment to help identify potential security issues related to the software. Which of the following is the BEST term for this process?


A. Code review


B. Change management


C. Routine audit


D. Rights and permissions review

Correct Answer: A. Peers, such as other developers, perform code reviews going line-by-line through the software code looking for vulnerabilities, such as buffer overflows and race conditions. Change management helps prevent unintended outages from configuration changes. Routine audits review processes and procedures, but not software code. A user rights and permissions review ensures users have appropriate privileges.

Your organization plans to deploy new systems within the network within the next six months. What should your organization implement to ensure these systems are developed properly?


A. Code review


B. Design review


C. Baseline review


D. Attack surface review

Correct Answer: B. A design review ensures that systems and software are developed properly. A code review is appropriate if the organization is developing its own software for these new systems, but the scenario doesn't indicate this. A baseline review identifies changes from the initial baseline configuration, but couldn't be done for systems that aren't deployed yet. Identifying the attack surface, including the required protocols and services, would likely be part of the design review, but the design review does much more.


You need to periodically check the configuration of a server and identify any changes. What are you performing?


A. Code review


B. Design review


C. Attack surface review


D. Baseline review

Correct Answer: D. A baseline review identifies changes from the original deployed configuration. The original configuration is also known as the baseline. A code review checks internally developed software for vulnerabilities. A design review verifies the design of software or applications to ensure they are developed properly. Determining the attack surface is an assessment technique, but it does not identify changes.
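Worked example (added here; not part of the original flashcards) for this card and for the earlier one about spotting an unexpected executable on a deployed web server: a baseline comparison that hashes the files on a system and reports what was added, removed or modified since the baseline was recorded. The file set below is constructed in memory so it runs offline; `manifest_from_directory` shows the same routine against a real path and is an addition of mine, not a tool the flashcards describe.

```python
import hashlib
from pathlib import Path


def build_manifest(files):
    """files: {relative_path: bytes}. Returns {relative_path: sha256 hex}."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def manifest_from_directory(root):
    """Same manifest built from a real directory tree (for use on a live host)."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def compare_to_baseline(baseline, current):
    """Report files added since the baseline, removed from it, or changed in content."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


# Constructed snapshot of a web server at deployment time (the baseline).
BASELINE_FILES = {
    "etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "usr/local/bin/healthcheck": b"#!/bin/sh\nexit 0\n",
    "var/www/html/index.html": b"<html>ok</html>\n",
}

# Constructed snapshot of the same server some time later.
CURRENT_FILES = {
    "etc/ssh/sshd_config": b"PermitRootLogin yes\n",          # hardening setting changed
    "var/www/html/index.html": b"<html>ok</html>\n",           # unchanged
    "var/www/html/uploads/cmd.exe": b"MZ\x90\x00" + b"\x00" * 12,  # executable not in the baseline
}


def review_example():
    """Run the comparison on the constructed snapshots."""
    return compare_to_baseline(build_manifest(BASELINE_FILES), build_manifest(CURRENT_FILES))


if __name__ == "__main__":
    for kind, paths in review_example().items():
        print(f"{kind}:")
        for p in paths:
            print(f"  {p}")
```

In practice the baseline manifest is written at deployment time and stored somewhere the server cannot alter it; if an attacker can rewrite both the files and the manifest, the review only confirms whatever they left behind.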

Your organization hired an external security expert to test a web application. The security expert is not given any access to the application interfaces, code, or data. What type of test will the security expert perform?


A. Black hat


B. White box


C. Gray box


D. Black box

Correct Answer: D. A black box tester doesn't have access to any data prior to a test and this includes application interfaces, code, and data. White box testers would be given full access to the application interfaces, code, and data, and gray box testers would be given some access. Black hat refers to a malicious attacker.

A security administrator needs to inspect headers of traffic sent across the network. What tool is the BEST choice for this task?


A. Web security gateway


B. Protocol analyzer


C. Honeypot


D. Vulnerability assessment

Correct Answer: B. A protocol analyzer (or sniffer) can capture traffic allowing an administrator to inspect the protocol headers. A web security gateway is a type of security appliance that protects against multiple threats, but doesn't necessarily capture traffic for inspection. A honeypot contains fake data designed to entice attackers. A vulnerability assessment identifies a system or network's security posture and it might include using a protocol analyzer, but does much more.

You are troubleshooting issues between two servers on your network and need to analyze this traffic. Of the following choices, what is the BEST tool to capture and analyze this traffic?


A. Switch


B. Protocol analyzer


C. Firewall


D. NIDS

Correct Answer: B. A protocol analyzer (also called a sniffer) is the best choice to capture and analyze network traffic. Although the traffic probably goes through a switch, the switch doesn't capture the traffic in such a way that you can analyze it (a switch's port-mirroring feature can copy the traffic to a port where a sniffer is attached, but the sniffer still does the capturing). It's unlikely that the traffic is going through a firewall between two internal servers, and even if it did, the best you could get is data from the firewall log, which wouldn't provide the same level of detail as a capture from the sniffer. A network intrusion detection system (NIDS) inspects traffic for attacks, but it isn't the best tool to capture and analyze it.

Which of the following is the lowest-cost solution for fault tolerance?


A. Load balancing


B. Clustering


C. RAID


D. Cold site

Correct Answer: C. A redundant array of inexpensive disks (RAID) subsystem is a relatively low-cost solution for fault tolerance for disks. RAID also increases data availability. Load balancing and failover clustering add in additional servers, which is significantly more expensive than RAID. A cold site is a completely separate location, which can be expensive, but a cold site does not provide fault tolerance.

You need to modify the network infrastructure to increase availability of web-based applications for internet clients. Which of the following choices provides the BEST solution?


A. Load balancing


B. Proxy server


C. UTM


D. Content inspection

Correct Answer: A. Load-balancing solutions increase the availability of web-based solutions by spreading the load among multiple servers. A proxy server is used by internal clients to access the Internet resources and does not increase availability of a web server. A unified threat management (UTM) system protects internal resources from attacks, but does not directly increase the availability of web-based applications. Content inspection is one of the features of a UTM and it protects internal clients but does not directly increase the availability of web-based applications.