
Cybersecurity Quiz: Threats & Vulnerabilities

Mark is authorized to access the company data center and can get in by using his RFID badge.
Randy from facilities, who isn’t authorized to access the data center, just followed Mark into the
data center without Mark’s knowledge. What is Randy guilty of?

Tailgating
Identity fraud
Phishing
Vishing
Explanation:
Tailgating involves piggybacking, or following closely behind someone who has authorized
physical access. Vishing and phishing are incorrect because vishing involves using a phone to
obtain information, and phishing is an attempt to acquire sensitive information by masquerading
as a trustworthy entity via an electronic communication, usually email. Identity fraud is incorrect
because identity fraud is the use of a person’s personal information, without authorization, to
deceive or commit a crime. If Randy had stolen Mark’s RFID badge to enter the server room, he
would possibly be guilty of identity fraud.
You are a security analyst for your organization. A user tells you that someone from the FBI
called her and asked for her username and password. What principle of influence (reason for
effectiveness) has been employed against the user to gain her credentials?

Urgency
Scarcity
Authority
Familiarity/liking
Explanation:
Job titles, uniforms, symbols, badges, and even specific expertise are all elements we often
equate with authority. The perpetrator in this example used authority (the FBI) to influence the
user into giving up her credentials. The other answers are incorrect. Scarcity is commonly used
as a marketing ploy (sometimes more effectively than at other times), such as to say that special
pricing is available to only the first 50 callers. We tend to want or value something more if we
believe it is less available. We are likely to be more impulsive if we believe something is the last
one. A social engineer might use the principle of scarcity to spur someone to quickly act on a
request instead of giving the request more thought. The social engineer can use urgency to gain
support. Perhaps dreadful consequences will occur unless action takes place immediately. People
tend to comply with requests from those whom they like or have common ground with. Liking
often leads to trust. A social engineer might try to use humor or connect more personally through
shared interests or common past events and institutions.
A user misspells the URL for a travel website and is taken to a competing website. What has
occurred here?

Typo squatting
Watering hole attack
Influence campaign
Hoax
Explanation:
Typo squatting, also known as URL hijacking, is a simple method used frequently for benign
purposes, but it is also sometimes used for malicious reasons. Typo squatting most commonly
relies on typographic errors users make on the Internet. Hoax is incorrect. A hoax presents a
threat, but the threat does not actually exist at face value. Instead, the actions people take in
response to the perceived threat create the actual threat. Influence campaign is incorrect because
an influence campaign involves coordinated actions that seek to affect the development, actions,
and behavior of the targeted population. Watering hole attack is incorrect. A watering hole attack
is commonly used in conjunction with a zero-day exploit—an attack against a vulnerability that
is unknown to software and security vendors. By taking advantage of a cross-site scripting
vulnerability on the visited site, which allows the attacker to execute scripts in the victim’s web
browser, the attacker can ensure that the trusted site helps deliver an exploit to the victim’s
machine.
Trent asks you what is the difference between a worm and virus. How would you best explain
the difference to him?

Worms self-replicate without a host file.
Worms are programs disguised as useful applications.
A worm is also known as a remote access Trojan (RAT).
A stealth worm is memory resident and uses techniques to avoid detection.
Explanation:
Worms are similar in function and behavior to viruses, with one exception: Worms are self-replicating and do not need a host file. A worm is built to take advantage of a security hole in an
existing application or operating system, and then it finds other systems running the same
software and automatically replicates itself to the new host. “Worms are programs disguised as
useful applications” is incorrect. Trojans, or Trojan horses, are programs disguised as useful
applications. Trojans do not replicate themselves as viruses do, but they can be just as
destructive. “A stealth worm is memory resident and uses techniques to avoid detection” is
incorrect. A stealth virus is memory resident and uses techniques to avoid detection, such as
temporarily removing itself from an infected file or masking a file’s size. “A worm is also known
as a remote access Trojan (RAT)” is incorrect because a backdoor Trojan is also known as a
remote access Trojan (RAT). RATs installed on a system allow a remote attacker to take control
of the targeted system.
Carol is reading about a newer attack type that resides in memory and uses the system’s own
vulnerable services and programs such as Windows PowerShell or WMI to allow the attacker to
infiltrate the system. What type of malware is she reading about?

Logic bomb
Trojan
Fileless malware
Worm
Explanation:
A more recent virus type known as fileless malware is much like a memory-resident virus but
more insidious. While the latter still requires some components of the virus to be written to disk,
a fileless virus does not. Such a virus “lives off the land” and uses legitimate tools that are
usually part of the operating system or development packages to do their work, such as Windows
PowerShell, Windows Management Instrumentation (WMI), and macros. Trojan is incorrect.
Trojans are programs disguised as useful applications. Trojans do not replicate themselves as
viruses do, but they can be just as destructive. Worm is incorrect. A worm is similar in function
and behavior to a virus, with one exception: Worms are self-replicating and do not need a host
file. Logic bomb is incorrect because a logic bomb is a virus or Trojan horse designed to execute
malicious actions when a certain event occurs or after a certain period of time.
The following message appears on your display. What is this an example of?

Ransomware
Crypto-malware
Machine learning
Artificial intelligence
Select 2 answers
Explanation:
Crypto-malware is specifically designed to find potentially valuable data on a system and uses
cryptography to encrypt the data to prevent access. The decryption key is then required to access
the data. Crypto-malware is often associated with ransomware. Ransomware is a form of
malware that attempts to hold a user ransom, often for monetary gain. In this case, the attacker
will provide the decryption key only after payment has been made. The attacker typically has
already compromised a system and demands payment to prevent negative consequences such as
deleting files. Payment is typically demanded in cryptocurrency such as Bitcoin. Artificial
intelligence and machine learning are incorrect because artificial intelligence (AI) applies
various techniques that solve a variety of problems and challenges. Machine learning (ML) is
one of the key techniques used in AI. With machine learning, as its name implies, a machine is
able to learn.
Malicious code is inserted into a running process, taking advantage of instructions that call upon
other programs designed for the running application to load at runtime. What attack is occurring
here?

XML injection
SQL injection
LDAP injection
DLL injection
Explanation:
DLL injection involves inserting malicious code into a running process. This technique takes
advantage of dynamic link libraries (DLLs), which are designed for the running application to
load at runtime. A successful attack occurs when the legitimate process hooks into the malicious
DLLs and then runs them. SQL injection is incorrect. In an SQL injection attack, malicious code
is inserted into strings that are later passed to a database server. The SQL server then parses and
executes this code. LDAP injection is incorrect. An LDAP injection attack is similar to SQL
injection, but malicious input is applied to a directory server, which may result in unauthorized
queries, granting of permissions, and even password changes. XML injection is incorrect. In an
XML injection attack, an attacker can manipulate the logic of an application in order to perform
unauthorized activity or gain unauthorized access by inserting content into an Extensible Markup
Language (XML) message. For the Security+ exam, remember that LDAP injections target
directory servers, XML and DLL injections target applications, and SQL injections target
databases.
An attacker has captured packets by using a sniffer, extracted pertinent information, and placed
the packets back on the network. What type of attack is this?

SSL stripping
Replay attack
API attack
Race condition
Explanation:
In a replay attack, the attacker captures packets by using sniffers. After extracting the pertinent
information, the attacker places the packets back on the network. This type of attack can be used
to replay bank transactions or other similar types of data transfer in the hopes of replicating or
changing activities such as deposits or transfers. SSL stripping is incorrect. With Secure Sockets
Layer (SSL) stripping, the attacker strips or removes the encryption between the client and the
website. Acting as a proxy or go-between, however, the attacker establishes a secure connection
between himself and the server. API attack is incorrect. An application programming interface
(API) attack involves hostile use of an API. APIs are so pervasive across web applications that
OWASP now publishes an annual list for API security. Race condition is incorrect because a
race condition relates to the way a program executes sequences of code.
What can an attacker use to hijack a user’s session or cause the user accessing malware-tainted
Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A?

OWASP
Input validation
Pass the hash
XSS
Explanation:
Cross-site scripting (XSS) attacks place malicious scripts on trusted websites. XSS
vulnerabilities can be used to hijack a user’s session or to cause the user accessing malware-tainted Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A.
Pass the hash is incorrect. In a pass the hash attack, the attacker does not need access to a user’s
password. Instead, the attacker needs only the hashed value of the password. This attack is
performed against systems that accept specific implementations of authentication schemes
known as LAN Manager (LM) or New Technology LAN Manager (NTLM). OWASP is
incorrect. The Open Web Application Security Project (OWASP) is a foundation that works to
improve software security. It annually publishes the OWASP Top 10 for web application
security risks. Input validation is incorrect because input validation is the structured testing of
input to ensure that data is properly formatted before it is used in applications or programs.
Which of the following are true statements regarding PowerShell and Python?

PowerShell is a command-line shell and scripting interface for Microsoft Windows
environments. PowerShell files use the file extension .ps1.
PowerShell is a general-purpose programming language available on many Linux
distributions and Apple’s macOS. PowerShell files use the file extension .py.
Python is a command-line shell and scripting interface for Microsoft Windows
environments. The Python file extension is .ps1.
Python is a general-purpose programming language available on many Linux
distributions and Apple’s macOS. The Python file extension is .py.
Select 2 answers
Explanation:
Applications and development environments may include their own shell environments. For
example, PowerShell is a command-line shell and scripting interface for Microsoft Windows
environments. PowerShell files use the file extension .ps1. Python is a general-purpose
programming language available on many Linux distributions and Apple’s macOS. The Python
file extension is .py. The other two statements are invalid.
Which of the following are considered Layer 2 attacks?

Media access control (MAC) spoofing
Address Resolution Protocol (ARP) poisoning
Port stealing
Malicious script execution
Select 3 answers
Explanation:
Layer 2 is the second layer of the Open Systems Interconnection (OSI) model for computer
networks. This layer is responsible for transferring data between systems on a local network. Port
stealing (at Layer 2) is a man-in-the-middle attack that exploits the binding between a port and a
MAC address. In port stealing, an attacker sends numerous packets with the source IP address of
the victim and the destination MAC address of the attacker. This attack applies to broadcast
networks built from switches. MAC spoofing (at Layer 2) is a method of providing false identity
information to gain unauthorized access. Spoofing a MAC address is a method of changing the
built-in MAC address (factory assigned to each network interface) of a networked device, which
is hard-coded. ARP poisoning (at Layer 2) is an attack in which a perpetrator tricks a device into
thinking any IP address is related to any MAC address. In addition, perpetrators can broadcast a
fake or spoofed ARP reply to an entire network and poison all computers. Malicious script
execution is incorrect because malicious script execution is not a specific OSI Layer 2 type of
attack. Scripts aid system administrators in efficiently performing operations and automating
actions that would otherwise require multiple steps and manual interaction. This benefit provides
an attacker with the same outcomes but for nefarious purposes. These scripting languages can be
used as part of malware and can be used once inside a network to further the malicious work.
Which of the following is a Trojan that infects web browser components such as browser plugins and is particularly dangerous because everything occurs at the application level on the user’s
system?

MITB
Port stealing
MITM
ARP poisoning
Explanation:
A man-in-the-browser (MITB) attack is a Trojan that infects web browser components such as
browser plug-ins and other browser helper objects. MITB attacks are particularly dangerous
because everything occurs at the application level on the user’s system. These attacks are capable
of avoiding web application controls that might otherwise be alerted to a traditional man-in-the-middle (MITM) attack at the network layer, so MITM is incorrect. Recently, MITB and MITM
attacks have become known as on-path attacks, as attackers place themselves in the middle of
two devices to intercept communications between them. ARP poisoning and port stealing are
incorrect. Address Resolution Protocol (ARP) poisoning is limited to attacks that are locally
based, so an intruder needs either physical access to the network or control of a device on the
local network. A lesser vulnerability of ARP is port stealing. Port stealing is a MITM attack that
exploits the binding between the port and the media access control (MAC) address. The principle
behind port stealing is that an attacker sends numerous packets with the source IP address of the
victim and the destination MAC address of the attacker. This attack applies to broadcast
networks built using switches.
What deception technology is used to make a honeypot look as enticing as possible to an
attacker?

Fake telemetry
Fog computing
Edge computing
Hybrid
Explanation:
Deception technologies such as fake telemetry are used to lure attackers to honeypots and
honeynets. For example, a honeypot may be configured to look like a regular system in full
operation with user logins, running services, and the like. Fog computing and edge computing
are incorrect. Fog computing and edge computing are essentially the same. The fog computing
concept, developed by Cisco, basically describes the operations that occur between end devices
called nodes (switches, routers, controllers, video cameras, and so on) and storage locations
where the data will eventually be stored (for example, in cloud or on-premises data centers).
Hybrid is incorrect. Hybrid can mean hybrid cloud or hybrid warfare, neither of which are
directly related to the deception technology provided in the given example.
Which of the following best describes a disgruntled or careless employee?

Criminal syndicate
Insider threat
CVE
Script kiddie
Explanation:
Insider threat actors can be malicious, as in the case of a disgruntled employee, or simply
careless. In many cases, insider threat actors are employees who have the right intentions but
either are unaware of an organization’s security policy or simply ignore it. Script kiddie is
incorrect because script kiddies do not normally possess great talent. However, even with few
skills, they can run exploits that others have developed. Usually script kiddies cannot write
sophisticated code and might not even know how to program. Still, script kiddies can
undoubtedly have a huge negative impact on an organization. Criminal syndicate is incorrect
because a criminal syndicate is sophisticated and has adequate financial means. In fact,
organized crime itself has established its own complete economy, including an underground
system that affects information security. The Organized Crime Control Act indicates that funding
comes from illegal activities such as gambling, loan sharking, property theft, distribution of
drugs, and other forms of social exploitation. Organized criminal syndicates have simply adapted
to become organized cybercriminals. CVE is incorrect. Common Vulnerabilities and Exposures
(CVE) is a publicly available list of known cybersecurity vulnerabilities. Each entry in the CVE
includes an ID number, description, and reference for more information.
Which of the following is a standardized and structured language that represents threat
information in a flexible, automatable, and easy-to-use manner?

AIS
STIX
TAXII
TTP
Explanation:
Structured Threat Information eXpression (STIX) is a standardized and structured language that
represents threat information in a flexible, automatable, and easy-to-use manner. TAXII is
incorrect. Trusted Automated eXchange of Indicator Information (TAXII) is a specification for
machine-to-machine communications that allows organizations to share security information
with others, as desired. AIS is incorrect. Automated Indicator Sharing (AIS) is an initiative from
the U.S. Department of Homeland Security (DHS) that enables the exchange of cybersecurity
threat indicators using the STIX and TAXII standards. TTP is incorrect. Adversary Tactics,
Techniques and Procedures (TTP) is an approach that provides attack methods and activities
associated with specific threat actors.
Your company is losing money with every passing minute because a critical web server is not
running. During your analysis of the web server, you notice that various services are not running,
and you are not sure what they are for. What should be done in this scenario?

Enable only the necessary server and web services
Open all closed ports on the web server
Document all actions and outcomes
Enable all services on the web server
Select 2 answers
Explanation:
Although time is of the essence in this scenario, you should take the time to enable only the
necessary server and web services needed to get the web server running. As good practice
dictates, you should always document all actions and outcomes. In this scenario, you should
document what you did to get the web server up and running for future reference. The other
answers are incorrect because it is never good practice to enable all services on a system,
especially when you are unsure of their purposes. Also, each additional unnecessary service or
open port could carry additional flaws that might go unnoticed.
Why should you change the default credentials in older equipment?

To avoid log aggregation
To avoid false positives
To harden avenues for attack
To meet contractual requirements of hardware vendors
Explanation:
Default credentials and unmonitored accounts such as the guest or admin accounts commonly
established in older equipment and software soften security because they give attackers one
component of access credentials. “To meet contractual requirements of hardware vendors” is
incorrect. Contractual requirements of hardware vendors do not normally include changing
credentials, although doing so is often advised by vendors. “To avoid log aggregation” is
incorrect. Log aggregation is the process by which security information and event management
(SIEM) systems combine similar events to reduce event volume. “To avoid false positives” is
incorrect because a false positive occurs when a security scanner detects or flags an attack or
vulnerability when no attack or vulnerability exists.
Which of the following are weak configurations that can increase the likelihood of
vulnerabilities?

Default accounts
Open ports
Secured root accounts
Unneeded apps and services
Select 3 answers
Explanation:
Unneeded applications and services provide additional avenues for attackers, especially if default
accounts aren’t removed or changed. These apps and services also leave open ports, providing
another vector for reconnaissance and attack. Secured root accounts is incorrect. Secured root
(Linux) and administrator (Windows) accounts represent strong configurations. An unsecured
root or administrator account could have a serious impact on the entire system and anything it’s
connected to.
What is the term for the process by which SIEM systems combine similar events into a log to
reduce event volume and consolidate data so that crucial events are not missed?

Log aggregation
Maneuvering
Threat hunting
SIEM dashboard
Explanation:
Log aggregation is the process by which security information and event management (SIEM)
systems combine similar events to reduce event volume. SIEMs can aggregate data into log
format from many network sources and consolidate the data so that crucial events are not missed.
SIEM dashboard is incorrect because a SIEM dashboard contains multiple views that allow you
to visualize and monitor patterns and trends. Maneuvering is incorrect. Maneuvering allows a
security team to completely disrupt an attacker or quickly mitigate an attacker’s ability to move
across the attack chain. The threat hunting process combined with knowledge of the cyber kill
chain allows a security analyst to quickly outmaneuver an attacker. Threat hunting is incorrect
because threat hunting is a proactive approach to finding an attacker before alerts are triggered.
Rinaldo wants to run a scan to find more information and determine the complete vulnerability
status with greater certainty. What type of scan should he run?

Credentialed scan
Boolean logic scan
Non-credentialed scan
WORM scan
Explanation:
With a credentialed scan (using, for example, a username and password), the system can
ascertain more information, which results in a more complete vulnerability status with greater
certainty. Non-credentialed scan is incorrect because a non-credentialed scan is less invasive and
provides an outsider’s point of view. Both credentialed and non-credentialed scans can
mistakenly identify a vulnerability when none exists. WORM scan is incorrect. WORM (write
once, read many) drives keep log data protected so that evidence cannot be altered. WORM
drives permanently protect administrative data. Boolean logic scan is incorrect. Boolean logic is
a data type based on algebraic equations that produce either a true or false value.
You are a security analyst for a large social media company and are currently tasked with
assessing vulnerabilities. What two catalogs of known vulnerabilities should you be familiar
with?

SOAR
CVSS
Syslog
CVE
Select 2 answers
Explanation:
Vulnerability scanners rely heavily on catalogs of known vulnerabilities. The two catalogs of
known vulnerabilities you need to be familiar with as a security analyst are Common
Vulnerabilities and Exposures (CVE), which is a list of publicly known vulnerabilities
containing an ID number, description, and reference, and Common Vulnerability Scoring System
(CVSS), which provides a score from 0 to 10 that indicates the severity of a vulnerability. SOAR
is incorrect. Security orchestration, automation, and response (SOAR) tools can aggregate
intelligence from internal and external sources to provide fusion analysis and more. SOAR
integrates all of the security tools available in an organization and automates incident responses.
Syslog is incorrect. Syslog is a decades-old standard for message logging. It is available on most
network devices (such as routers, switches, and firewalls), as well as printers and Unix/Linux
based systems. Over a network, a syslog server listens for and logs data messages coming from
the syslog client.
Your organization is running security assessments, and you are on the blue team. What are your
goals?

Set goals, be neutral, and adjudicate
Attack, defend, test, and improve
Defend, alert, and respond
Attack and evade
Explanation:
In teaming security assessments, the blue team is the defenders. It is their job to counter the red
team and keep them from accomplishing their mission. This type of assessment has the
advantage of measuring and improving alerting and response. Attack and evade is incorrect
because this describes the red team, which acts as the adversary, attacking and trying to remain
unnoticed. Set goals, be neutral, and adjudicate is incorrect because this describes the white team,
which is neutral. The members of the white team are the referees who define the goals and rules
and adjudicate the exercise. Attack, defend, test, and improve is incorrect because this describes
the goals of the purple team, which effectively combines the skills and knowledge of the red and
blue teams to achieve maximum effectiveness.
In order to infiltrate a host system, an attacker uses nmap to view open ports. What type of
reconnaissance is this?

Passive
OSINT
Active
Spear phishing
Explanation:
Active reconnaissance involves engaging the target to gather information. In this case, the
attacker is engaging the target host with a port scan to view open ports. Passive is incorrect
because passive reconnaissance is done without actually connecting to a target. Passive
reconnaissance might involve gathering information from public sources regarding a target, for
example. OSINT is incorrect. Open-source intelligence (OSINT) is the term for information
available for collection from publicly available sources. Spear phishing is incorrect. Spear
phishing is a social engineering attack commonly done through email that targets a specific
person or group of individuals who work for the same company.
As part of a bug bounty program, you will be running a zero-knowledge test, in which you have
no understanding of the inner workings of the system. What type of environment testing will you
be running?

Partially known
Known
Unknown
Footprinting
Explanation:
The participants of a bug bounty program have no understanding of the inner workings of the
system, as the system is usually an unknown environment (black box). In an unknown
environment test (black-box test), the assessor has no knowledge of the inner workings of the
system or the source code. Known is incorrect because in a known environment, with white-box
testing, also called clear-box or glass-box testing, the assessor has knowledge of the inner
workings of either the system or the source code. Partially known is incorrect. A partially known
(gray-box) environment combines known (white-box) and unknown (black-box) techniques.
Think of this approach as translucent: The tester has some understanding or limited knowledge
of the inner workings. Footprinting is incorrect. Footprinting is part of a reconnaissance process.
It is used to gather as much information about a target as possible in order to penetrate it.
Which of the following should Bernie be most concerned with, given that his company deals
with intellectual property that is copyrighted?

IP theft
EOL
Measurement systems analysis
EOSL
Explanation:
Intellectual property (IP) theft is the stealing of intellectual property and/or copyrighted material.
This material can be music, literary works, recipes, symbols, or anything else that is
trademarked. Digital rights management (DRM) is used for the protection of copyrighted
material. An early use of DRM technology was with CDs and DVDs. Measurement systems
analysis is incorrect. Measurement systems analysis (MSA) is an experimental or mathematical
assessment that attempts to find variation in measurement processes. EOL is incorrect because
end of life (EOL) marks the end of a product’s life cycle, which began with the product first
being generally available. While security patches may still be offered, the vendor does not
provide for new features or continued compatibility. EOSL is incorrect because end of service
life (EOSL) means that service and maintenance for the solution are no longer provided. For
example, a software vendor may not sell or add features to a solution that has gone EOL but may
still provide security updates and fix vulnerabilities up to the EOSL date.