Shared Flashcard Set

Details

Exam Cram Security + 501
147 cards; subject: Computer Science; level: Not Applicable; created 03/23/2019

Cards

Term
A small IT consulting firm has installed new wireless routers across all your small regional offices. Within days, you learn that you are unable to access the administrative interfaces of these routers due to an incorrect password. Which one of the following is most likely the reason?


A.The wireless routers were set up with the default configuration, which included a default password that was never changed.

B.The wireless routers are not powered on.

C.The wireless routers have been placed on end-of-life by the manufacturer and are no longer supported for remote login.

D.The wireless routers have been designed to allow improper input handling, resulting in failed password input.
Definition
A.The wireless routers were set up with the default configuration, which included a default password that was never changed.

Explanation:
In this scenario, the routers were most likely deployed with the manufacturer's default configuration, including a well-known default administrative password that was never changed. Default credentials are published in vendor documentation and built into attack tools, so an outsider could log in with them and change the password, locking out the legitimate administrators. Answer B is incorrect because a powered-off router would not present a login prompt at all, let alone reject a password. Answers C and D are also incorrect. An end-of-life product no longer receives vendor support or patches, but that does not by itself prevent logins. Improper input handling refers to software that does not properly validate input; that more likely results in the ability to submit arbitrary strings in input fields to cause undesirable behavior, not in a rejected password.
Term
You are the security administrator for a bank. The users are complaining about the network being slow. It is not a particularly busy time of the day, however. You capture network packets and discover that hundreds of ICMP packets have been sent to the host. What type of attack is likely being executed against your network?


A.Spoofing

B.Man-in-the-middle attack

C.Password attack

D.Denial-of-service attack
Definition
D.Denial-of-service attack

Explanation:
A ping flood is a DoS attack that tries to exhaust a host's bandwidth or processing capacity by sending large numbers of ICMP echo requests directly to it; hundreds of ICMP packets arriving at one host during an otherwise quiet period is the classic sign. Spoofing involves forging the source address of traffic or the source of information (it is often combined with a flood, but it is not the attack itself). A man-in-the-middle attack intercepts information in transit between two hosts. A password attack attempts to gain unauthorized access by going after the authentication control for an account. Answers A, B, and C are therefore incorrect.
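As an added example (not part of the original flashcard set), here is the detection side of this card in Python: the function buckets ICMP echo requests per source and destination into one-second windows over a constructed list of packet records (timestamps in milliseconds) and flags any source whose rate reaches a threshold. The packet records, the addresses and the threshold of 100 requests per second are all made up for the demonstration.

```python
from collections import defaultdict

# Constructed packet records for the demonstration:
# (timestamp_ms, protocol, src, dst, icmp_type). ICMP type 8 is an echo
# request ("ping"). One source sends 100 requests per second for three
# seconds; a second source sends an ordinary ping every half second.
SAMPLE_PACKETS = (
    [(i * 10, "ICMP", "198.51.100.7", "192.0.2.10", 8) for i in range(300)]
    + [(1000 + i * 500, "ICMP", "192.0.2.25", "192.0.2.10", 8) for i in range(4)]
    + [(500, "TCP", "192.0.2.30", "192.0.2.10", None)]
)


def echo_requests_per_source(packets, window_ms=1000):
    """Count ICMP echo requests per (src, dst) in fixed windows and return the
    busiest window for each pair: {(src, dst): peak_count}."""
    per_window = defaultdict(int)
    for ts_ms, proto, src, dst, icmp_type in packets:
        if proto != "ICMP" or icmp_type != 8:
            continue  # only echo requests count toward a ping flood
        per_window[(src, dst, ts_ms // window_ms)] += 1
    peak = defaultdict(int)
    for (src, dst, _window), count in per_window.items():
        peak[(src, dst)] = max(peak[(src, dst)], count)
    return dict(peak)


def detect_ping_flood(packets, threshold=100, window_ms=1000):
    """Return [(src, dst, peak_rate)] for pairs whose echo-request rate in any
    window reaches the threshold. The threshold is a tuning choice: a few pings
    per second is normal monitoring traffic, hundreds is a flood."""
    peak = echo_requests_per_source(packets, window_ms)
    return sorted((src, dst, n) for (src, dst), n in peak.items() if n >= threshold)


if __name__ == "__main__":
    for src, dst, rate in detect_ping_flood(SAMPLE_PACKETS):
        print(f"possible ping flood: {src} -> {dst} at {rate} echo requests/s")
```

In practice the records would come from a capture (tcpdump, a NetFlow export) rather than a list, and because flood sources are frequently spoofed, the response is rate limiting ICMP at the edge rather than blocking a single address.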
Term
Which one of the following is the term given to a fraudulent wireless access point that is configured to lure connections to it?


A.Evil twin

B.ARP replay attack

C.Bluejacking

D.NFC
Definition
A.Evil twin

Explanation:
An evil twin is a rogue access point that impersonates a legitimate one, typically by broadcasting the same SSID (often with a stronger signal), so that clients associate with it instead; the attacker can then intercept or manipulate the traffic and attack the systems that connect. Answer B is incorrect: an ARP replay attack targets a wireless access point by replaying captured ARP requests to generate traffic and recover the (WEP) key. Answer C is incorrect: bluejacking refers to a Bluetooth device sending unsolicited messages to other Bluetooth-enabled devices. Answer D is incorrect because NFC is a communications protocol for devices in very close proximity to each other.
Term
An initialization vector should be which of the following?


A.Unique and unpredictable

B.Unique and predictable

C.Repeatable and random

D.Repeatable and unique
Definition
A.Unique and unpredictable

Explanation:
An initialization vector (IV) should be unique and unpredictable. Uniqueness matters because reusing an IV (or nonce) with the same key lets an attacker relate two ciphertexts: in stream and counter modes, the XOR of two ciphertexts produced under the same keystream equals the XOR of the two plaintexts, so one known message reveals the other. Unpredictability matters in CBC mode, where an attacker who can predict the next IV can submit chosen plaintexts to test guesses about earlier blocks. Answers B, C, and D each give up one of these properties and are incorrect.
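An added example, not from the original flashcard set, showing the uniqueness half of this card in Python with only the standard library. The cipher is a toy counter-mode construction (keystream = HMAC-SHA256 of key, nonce and counter) chosen so the demonstration runs offline; it stands in for any real stream or counter mode and is not something to use in production. The messages, key length and nonce length are constructed for the demonstration.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks,
    concatenated. Illustrative only; real code should use a vetted AEAD
    such as AES-GCM or ChaCha20-Poly1305."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes, nonce=None) -> bytes:
    """Return nonce || (plaintext XOR keystream). Letting this function draw
    the nonce keeps it unique and random; passing one in is how reuse happens."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    return nonce + xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return xor_bytes(body, keystream(key, nonce, len(body)))


def recover_second_plaintext(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """Attacker's computation when two ciphertexts share a nonce under one key:
    C1 XOR C2 = P1 XOR P2, so knowing P1 yields P2 without the key."""
    body1, body2 = ct1[NONCE_LEN:], ct2[NONCE_LEN:]
    return xor_bytes(xor_bytes(body1, body2), known_pt1)


def demo():
    """Return (recovered_with_reused_nonce, recovered_with_unique_nonces)."""
    key = os.urandom(32)
    pt1 = b"transfer 100 to acct 1234"  # constructed messages of equal length
    pt2 = b"transfer 999 to acct 9999"
    reused = bytes(NONCE_LEN)  # the bug: a fixed, therefore repeated, nonce
    ct1, ct2 = encrypt(key, pt1, reused), encrypt(key, pt2, reused)
    leaked = recover_second_plaintext(ct1, ct2, pt1)
    ct3, ct4 = encrypt(key, pt1), encrypt(key, pt2)  # fresh random nonces
    not_leaked = recover_second_plaintext(ct3, ct4, pt1)
    return leaked, not_leaked


if __name__ == "__main__":
    leaked, not_leaked = demo()
    print("reused nonce recovers:", leaked)
    print("unique nonces recover:", not_leaked)
```

With the reused nonce the attacker reads the second transfer without ever touching the key; with unique nonces the same arithmetic yields noise. The same failure applies to AES-CTR and AES-GCM, where a repeated nonce also breaks the authentication tag.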
Term
Which one of the following best describes a penetration test?


A.A passive evaluation and analysis of operational weaknesses using tools and techniques that a malicious source might use

B.An evaluation mimicking real-world attacks to identify ways to circumvent security

C.The monitoring of network communications and examination of header and payload data

D.A technique used to identify hosts and their associated vulnerabilities
Definition
B.An evaluation mimicking real-world attacks to identify ways to circumvent security

Explanation:
A penetration test reveals security weaknesses through real-world attacks. The results can help prioritize risk and identify areas for improvement. Penetration tests are active evaluations, so answer A is incorrect. Answer C is incorrect because it describes network sniffing. Answer D is incorrect because it describes vulnerability scanning. However, both network sniffing and vulnerability scanning can be used as part of the penetration process.
Term
Which of the following is a reason to conduct a penetration test?


A.To passively test security controls

B.To identify the vulnerabilities

C.To test the adequacy of security measures put in place

D.To steal data for malicious purposes
Definition
C.To test the adequacy of security measures put in place

Explanation:
A penetration test helps quantify the adequacy of security measures put in place and helps organizations understand the potential impact of threats against the environment. Answers A and B are incorrect because these describe the purpose of a vulnerability scan. Answer D is also incorrect. A penetration test is a "friendly" attack to help safeguard an organization from a real attack. A penetration test should never be used for malicious purposes, even if it succeeds in deeply penetrating an organization.
Term
You discover you are unable to access files on your computer. A message appears asking for payment to allow for the recovery of your files. Which of the following is most likely?


A.Your files have been deleted.

B.Your files have been moved to a remote server.

C.Your files have been encrypted.

D.Your files have been copied.
Definition
C.Your files have been encrypted.

Explanation:
This situation implies ransomware (crypto-malware). The files are encrypted in place and are essentially "held ransom" until payment is made. Answer A is incorrect because the attacker needs the files to be recoverable: victims pay only if they believe payment will restore access, and word that it does encourages other infected victims to pay as well. Often, however, the attacker deletes or threatens to delete files if the ransom is not paid within a defined period. Answers B and D are incorrect because moving or copying files would not by itself make the local copies inaccessible; some ransomware does exfiltrate data before encrypting it (double extortion), but the symptoms described point to encryption.
Term
After conducting a vulnerability assessment, which of the following is the best action to perform?


A.Disable all vulnerable systems until mitigating controls can be implemented

B.Contact the network team to shut down all identified open ports

C.Immediately conduct a penetration test against identified vulnerabilities

D.Organize and document the results based on severity
Definition
D.Organize and document the results based on severity

Explanation:
After an assessment, the results should be organized based on the severity of risk to the organization. Answer A is incorrect because it is generally an extreme response, except in rare situations. Answer B is incorrect because many open ports are required for a network to function. Answer C is incorrect because, although a penetration test often does follow a vulnerability scan, it is not an immediate necessity and certainly is not required to be run against all identified vulnerabilities.
Term
With which of the following is a "low and slow" attack most associated?


A.APT

B.Ransomware

C.OSINT

D.Script kiddies
Definition
A.APT

Explanation:
An advanced persistent threat (APT) is a "low and slow" style of attack executed to infiltrate a network and remain inside while going undetected. Answer B is incorrect because ransomware is obvious and sends a clear message to the end user in an attempt to extort compensation from the victim. Answer C is incorrect. OSINT describes Open Source Intelligence, which is the term given to information available for collection from publicly available sources. Answer D is incorrect because script kiddies, unlike APTs, are usually not sophisticated in their methods and are usually easily detected.
Term
Which of the following describes the difference between a worm and a virus?


A.Viruses are self-replicating.

B.Viruses are often malicious.

C.Worms are self-replicating.
Definition
C.Worms are self-replicating.

Explanation:
Worms are self-replicating: they spread on their own across a network, typically by exploiting a vulnerability or weak credentials on the next host. A virus attaches itself to a host file or program and requires that file to be executed or launched to replicate. Both viruses and worms are usually malicious, so answer B does not distinguish them, and answer A is incorrect.
Term
Which one of the following best describes a polymorphic virus?


A.A virus that infects EXE files

B.A virus that attacks the boot sector and then attacks the system files

C.A virus inserted into a Microsoft Office document such as Word or Excel

D.A virus that changes its form each time it is executed
Definition
D.A virus that changes its form each time it is executed

Explanation:
Polymorphic viruses can change their form each time they are run. Answers A, B, and C describe different types of viruses, such as program, multipartite, and macro, respectively, so those answers are incorrect.
Term
Which one of the following is a best practice to prevent code injection attacks?


A.Session cookies

B.Input validation

C.Implementing the latest security patches

D.Using unbound variables
Definition
B.Input validation

Explanation:
Input validation is one of the most important countermeasures against code injection attacks: reject or canonicalize input that does not match what the application expects, and pass data to interpreters (SQL, LDAP, the shell) through bound parameters rather than by concatenating it into the command string. Answer A is incorrect because session cookies pertain to maintaining state within a visit to a website. Answer C is incorrect because, although keeping systems patched is good practice, it is not specifically a countermeasure against injection flaws in your own code. Answer D is incorrect because preventing injection relies on bound (parameterized) variables, which keep user-supplied data separate from the code of the query; unbound variables are the problem, not the fix.
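An added example (not from the original flashcard set) that puts the vulnerable and the corrected lookup side by side using Python's built-in sqlite3 module. The table, its rows and the injection payloads are constructed for the demonstration; the point is that the bound-variable version treats the payload as data, while the concatenated version lets it rewrite the query.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Deliberately vulnerable: the input is spliced into the SQL text, so it
    can change the structure of the statement (the 'before' of the fix)."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Bound variable: the value travels separately from the SQL text and is
    only ever compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allow-list rule for what a username may contain (an assumption for this example).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def valid_username(username):
    """Input validation as a second layer in front of the query."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup(conn, username):
    """What the application should do: validate, then query with a bound variable."""
    if not valid_username(username):
        raise ValueError("invalid username")
    return find_user_safe(conn, username)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))
    print("bound variable:", find_user_safe(db, payload))
```

The classic `' OR '1'='1` payload turns the vulnerable query into a match for every row, and `bob' --` comments out the closing quote; the parameterized query returns nothing for either, because no user is literally named that. Validation on top catches the bad input before it reaches the database and gives a clean error instead of an empty result.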
Term
You are conducting a penetration test on a software application for a client. The client provides you with the details around the source code and development process. What type of test will you likely be conducting?


A.Black box

B.Vulnerability

C.White box

D.Answers A and C
Definition
C.White box

Explanation:
White box testing is more transparent: because you are provided with the source code and details of the development process, you have full knowledge of the system before you begin testing. Answer A is incorrect because black box testing assumes no prior knowledge. Answer B is incorrect because a vulnerability test (scan) identifies weaknesses but is not defined by how much knowledge the tester is given. Therefore, answer D is also incorrect.
Term
Which of the following are potential impacts of a race condition?


A.System malfunction

B.Denial of service

C.Escalated privileges

D.All of the above
Definition
D.All of the above

Explanation:
System malfunction, denial of service, and escalated privileges are all potential impacts of a race condition. A race condition exists when the result depends on the timing of concurrent operations; the common security case is a time-of-check to time-of-use (TOCTOU) flaw, where a program checks a file's permissions and then opens it, and an attacker swaps the file for a privileged one in between.
Term
Which one of the following is designed to execute malicious actions when a certain event occurs or a specific time period elapses?


A.Logic bomb

B.Spyware

C.Botnet

D.DDoS
Definition
A.Logic bomb

Explanation:
Logic bombs are designed to execute after certain events, on a certain date, or after a specific time period. Answers B, C, and D are incorrect. Spyware, botnets, and DDoS are all threats, but none of them is defined by executing malicious code when a specific event or time period occurs.
Term
At your place of employment, you are rushing to the door with your arms full of bags. As you approach, the woman before you scans her badge to gain entrance while holding the door for you, but not without asking to see your badge. What did she just prevent?


A.Phishing

B.Whaling

C.Tailgating

D.Door diving
Definition
C.Tailgating

Explanation:
Tailgating involves closely following someone with authorized physical access in order to enter a secured area without presenting your own credentials. Answers A and B are incorrect because phishing and whaling describe methods of acquiring sensitive information by masquerading as a trustworthy source. Answer D is incorrect because "door diving" is not a recognized attack term (dumpster diving is the similar-sounding real one).
Term
Which one of the following is not a type of phishing attack?


A.Spear phishing

B.Wishing

C.Whaling

D.Smishing
Definition
B.Wishing

Explanation:
Wishing is not a type of phishing attack. Answers A, C, and D are incorrect because these all do describe a type of phishing attack. Spear phishing is targeted. Whaling is spear phishing that specifically targets high-profile personnel. Smishing is SMS-based phishing.
Term
Which of the following types of attacks can result from the length of variables not being properly checked in the code of a program?


A.Buffer overflow

B.Replay

C.Spoofing

D.Denial of service
Definition
A.Buffer overflow

Explanation:
Buffer overflows result from code that copies input into a fixed-size buffer without checking its length, so too much data overwrites adjacent memory. At best the program crashes (a denial of service); at worst the attacker controls the overflowing bytes and overwrites a return address or function pointer to run code of their choosing. Answer B is incorrect because a replay attack records and later resends previously valid messages. Answer C is incorrect because spoofing involves forging the source address of traffic or the source of information. Answer D is incorrect because, although an overflow can cause one, denial of service describes the effect of denying resources or services to legitimate users, not the coding flaw the question asks about.
Term
You identify a system that becomes progressively slower over a couple days until it is unresponsive. Which of the following is most likely the reason for this behavior?


A.Improper error handling

B.Race condition

C.Memory leak

D.Untrained user
Definition
C.Memory leak

Explanation:
A memory leak is the most likely culprit. A memory leak occurs when an application or process keeps allocating memory it never releases; memory is finite, so the system slows as it starts paging and eventually becomes unresponsive, which matches a gradual decline over days. Answers A and B are not the best answer: improper error handling can leave resources unreleased on failure paths and so contribute to a leak, and a race condition can cause a variety of malfunctions, but neither by itself explains steady degradation over days. Answer D is also incorrect because an untrained user is not likely to be the explicit cause of such a condition.
Term
How do relationship and capability pertain to understanding specific threat actors?


A.They indicate the likelihood of vulnerabilities being discovered.

B.They are characteristics associated with building a threat profile.

C.They describe attributes that apply equally to all threats.

D.They are the two most important attributes when analyzing threat actors.
Definition
B.They are characteristics associated with building a threat profile.

Explanation:
Relationship and capability are characteristics that can be attributed to threat actors. Other common attributes include motive and intent, both of which are associated with building a threat profile. Answer A is incorrect because these do not pertain to the discovery of vulnerabilities. Answer C is incorrect because each attribute varies, based on specific threat actors. Answer D is incorrect because threat actors and overall risk are unique to each organization.
Term
Which of the following is an effective way to get information in crowded places such as airports, conventions, or supermarkets?


A.Vishing

B.Shoulder surfing

C.Reverse social engineering

D.Phishing
Definition
B.Shoulder surfing

Explanation:
Shoulder surfing uses direct observation techniques. It gets its name from the tactic of looking over someone's shoulder to obtain information. Answer A is incorrect because vishing uses a phone to obtain information. Answer C is incorrect because reverse social engineering involves an attacker convincing the user that he or she is a legitimate IT authority, causing the user to solicit assistance. Answer D is incorrect because phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity via an electronic communication, usually an email.
Term
Which one of the following best describes the four primary phases of a penetration test?


A.Planning, discovery, attack, reporting

B.Exploit, escalation, pivot, persistence

C.Planning, exploit, attack, persistence

D.Discovery, attack, pivot, reporting
Definition
A.Planning, discovery, attack, reporting

Explanation:
Planning, discovery, attack, and reporting are the four primary phases of a penetration test (the breakdown used in NIST SP 800-115). Answer B is incorrect because exploit, escalation, pivot, and persistence are the steps within the attack phase. Answers C and D are incorrect because they mix attack-phase steps into the list of primary phases.
Term
Your team is tasked with conducting a vulnerability assessment and reports back with a high number of false positives. Which of the following might you recommend to reduce the number of false positives?


A.Have the team run a vulnerability scan using noncredentialed access

B.Have the team run a vulnerability scan using credentialed access

C.Have the team run a port scan across all common ports

D.Have the team run a port scan across all ports
Definition
B.Have the team run a vulnerability scan using credentialed access

Explanation:
Noncredentialed vulnerability scans produce more false positives because the scanner can only infer vulnerabilities from what it sees over the network (banners, version strings, responses) and cannot confirm patch level or configuration. That outsider's point of view is useful for showing what an attacker would see, but it does not show the full extent of vulnerabilities. A credentialed scan logs in to the systems and inspects installed packages and settings directly, so it can confirm or rule out each finding. As a result, answer A is incorrect. Answers C and D are incorrect because a port scan only enumerates listening services; vulnerability scanners already port-scan as a first step, and repeating it does nothing to improve the accuracy of the findings.
Term
Which one of the following is not an example of a denial-of-service attack?


A.Fraggle

B.Smurf

C.Gargomel

D.Teardrop
Definition
C.Gargomel

Explanation:
A Gargomel attack sounds cool, but it does not actually exist. Fraggle, Smurf, and Teardrop are names of specific denial-of-service attacks. Therefore, answers A, B, and D are incorrect.
Term
An organization is looking for a mobile solution that will allow data to be deleted if a device is lost or stolen. Which of the following fulfills this requirement?


A.GPS tracking

B.Remote wipe

C.Voice encryption

D.Passcode policy
Definition
B.Remote wipe

Explanation:
A remote wipe allows mobile device data to be remotely deleted if the device is lost or stolen. Answer A is incorrect because if a mobile device is lost, GPS tracking can be used to find the location. Answer C is incorrect because mobile voice encryption can allow executives and employees alike to discuss sensitive information without having to travel to secure company locations. Answer D is incorrect because a screen lock or passcode is used to prevent access to the phone.
Term
Which of the following is a use for a VPN concentrator?


A.Intrusion detection

B.Internet connectivity

C.Load balancing

D.Remote access
Definition
D.Remote access

Explanation:
A VPN concentrator is a device built to terminate a large number of VPN tunnels so that many remote users can reach internal network resources over encrypted connections; it is deployed where a single device must handle a very large number of tunnels. Answer A is incorrect because VPN concentrators are not used for intrusion detection. Answers B and C are incorrect because providing Internet connectivity is a router or proxy function and load balancing is the job of a load balancer.
Term
Which of the following best describes data exfiltration?


A.Unauthorized transfer of data

B.Release of private or confidential information

C.Algorithm mismatch error

D.Prevention of legitimate content
Definition
A.Unauthorized transfer of data

Explanation:
Data exfiltration is the unauthorized transfer of data. A more basic definition is data theft. Answer B is incorrect because a data breach is the release of private or confidential information. Answer C is incorrect because an algorithm mismatch is associated with certificate issues. Answer D is incorrect because prevention of legitimate content is associated with a misconfigured web content filter.
Term
Which of the following enables decentralized authentication through trusted agents?


A.Key management

B.Data ownership

C.Credential management

D.Transitive trusts
Definition
D.Transitive trusts

Explanation:
Transitive trusts enable decentralized authentication through trusted agents. Answer A is incorrect because key management is intended to provide a single point of management for keys and to enable users to both manage the life cycle of keys and store them securely; it also makes key distribution easier. Answer B is incorrect because ownership of data stored on the device is part of a BYOD or CYOD policy. Answer C is incorrect because credentials validate the identities of users, applications, and devices.
Term
Which of the following is used for penetration testing and risk assessments?


A.Honeypot

B.Configuration compliance scanner

C.Exploitation framework

D.Banner grabbing
Definition
C.Exploitation framework

Explanation:
Exploitation frameworks (Metasploit is the best-known example) are used for penetration testing and risk assessments. Each framework contains a set of exploits for known vulnerabilities that are run against a host to determine whether the host is actually exploitable, which goes a step beyond what a scanner reports. Answer A is incorrect because honeypots are often used to identify the level of aggressive attention directed at a network and to study and learn from an attacker's common methods of attack. Answer B is incorrect because a configuration compliance scanner audits network device configurations against a set policy. Answer D is incorrect because banner grabbing describes a technique to identify what operating system is running on a machine, as well as the services that are running.
Term
Which of the following is a use case for subscription services?


A.Regulatory mandates that require accurate time stamping

B.Arrangement of hosts into the different logical groups that isolate each subnet

C.Network automation and data analytics

D.Reduced risks during data exchanges
Definition
C.Network automation and data analytics

Explanation:
Network automation and data analytics subscription services are part of XaaS and are offered so that organizations do not have the expense of upgrading hardware and software. The organization pays a monthly fee for a certain number of users or devices, and the service provider takes care of the software or hardware requirements. Answer A is incorrect because timestamping is a time function, and this is a use case for NTP. Answer B is incorrect because splitting one network into two or more and using routers to connect each subnet is a function of subnetting and network address allocation. Answer D is incorrect because reducing risks during data exchanges is a common use case for the implementation of FTPS and SFTP.
Term
You are required to implement a solution to identify baseline deviations for varying workloads across different days. Which of the following should you choose?


A.Static baselining

B.Alarms

C.Alerts

D.Dynamic baselining
Definition
D.Dynamic baselining

Explanation:
Dynamic baselining learns what is normal for each period (each hour of each weekday, or each season) and alerts on deviation from that learned norm, so it is ideal for varying workloads across different days or for application performance that changes with seasonal usage. Answer A is incorrect because a static baseline applies one fixed threshold regardless of the day, which either fires on every normal busy period or misses activity that is abnormal only for a quiet one. Answer B is incorrect because the purpose of an alarm is to report a critical event that typically requires some type of immediate response. Answer C is incorrect because an alert is similar to an alarm but less critical and likely does not require an immediate response.
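An added example, not part of the original flashcard set, contrasting the two approaches in Python. It builds a constructed four-week history of hourly request counts (busy weekday business hours, quiet nights and weekends), learns a per-weekday-hour mean and standard deviation, and compares its alerts against a single static threshold on three constructed observations. The workload shape, the threshold of 600 and the three-sigma rule are assumptions for the demonstration.

```python
from collections import defaultdict
from statistics import mean, pstdev


def build_history(weeks=4):
    """Constructed history: (weekday, hour, requests_per_hour), weekday 0 = Monday.
    Weekday business hours run around 900/h, everything else around 60/h, with
    a small deterministic jitter so the slots are not perfectly flat."""
    history = []
    for week in range(weeks):
        for weekday in range(7):
            for hour in range(24):
                business = weekday < 5 and 8 <= hour < 18
                base = 900 if business else 60
                jitter = (((week * 7 + weekday) * 24 + hour) % 11) * 5  # 0..50
                history.append((weekday, hour, base + jitter))
    return history


def static_threshold_alerts(observations, threshold):
    """Static baselining: one fixed line for every hour of every day."""
    return [obs for obs in observations if obs[2] > threshold]


def dynamic_baseline(history):
    """Learn (mean, stdev) separately for each (weekday, hour) slot."""
    buckets = defaultdict(list)
    for weekday, hour, value in history:
        buckets[(weekday, hour)].append(value)
    return {slot: (mean(vals), pstdev(vals)) for slot, vals in buckets.items()}


def dynamic_baseline_alerts(observations, baseline, sigmas=3.0, min_delta=20):
    """Alert when a value exceeds its own slot's mean by `sigmas` standard
    deviations, with a floor so near-constant slots do not alert on noise."""
    alerts = []
    for weekday, hour, value in observations:
        mu, sigma = baseline[(weekday, hour)]
        if value > mu + max(sigmas * sigma, min_delta):
            alerts.append((weekday, hour, value))
    return alerts


# Constructed observations for a new week: a normal Monday 09:00, a Sunday
# 03:00 burst that is small in absolute terms but several times normal for that
# slot, and a large Wednesday afternoon spike.
OBSERVATIONS = [(0, 9, 920), (6, 3, 400), (2, 14, 2500)]


def compare(static_threshold=600):
    """Return (static_alerts, dynamic_alerts) for OBSERVATIONS."""
    baseline = dynamic_baseline(build_history())
    return (static_threshold_alerts(OBSERVATIONS, static_threshold),
            dynamic_baseline_alerts(OBSERVATIONS, baseline))


if __name__ == "__main__":
    static, dynamic = compare()
    print("static threshold alerts:", static)
    print("dynamic baseline alerts:", dynamic)
```

The static threshold fires on an ordinary Monday morning and stays silent on the Sunday night burst; the per-slot baseline does the opposite, which is exactly the behaviour the card is asking for.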
Term
If the organization requires a switch feature that makes additional checks in Layer 2 networks to prevent STP issues, which of the following safeguards should be implemented?


A.Loop protection

B.Flood guard

C.Implicit deny

D.Port security
Definition
A.Loop protection

Explanation:
The loop guard feature makes additional checks in Layer 2 switched networks to prevent loops. Answer B is incorrect because a flood guard is a firewall feature to control network activity associated with DoS attacks. Answer C is incorrect because implicit deny is an access control practice in which resource availability is restricted to only logons that are explicitly granted access. Answer D is incorrect because port security is a Layer 2 traffic control feature on Cisco Catalyst switches. It enables individual switch ports to be configured to allow only a specified number of source MAC addresses coming in through the port.
Term
An organization is looking to add a layer of security and maintain strict control over the apps employees are approved to use. Which of the following fulfills this requirement?


A.Blacklisting

B.Encryption

C.Lockout

D.Whitelisting
Definition
D.Whitelisting

Explanation:
Application whitelisting permits only known good apps. When security is a concern, whitelisting applications is a better option because it allows organizations to maintain strict control over the apps employees are approved to use. Answer A is incorrect because although blacklisting is an option, it is not as effective as whitelisting. Answer B is incorrect because encryption has nothing to do with restricting application usage. Answer C is incorrect because lockout has to do with the number of times a user can enter a passcode.
Term
Which of the following is a protocol that incorporates enhanced security features for VoIP (Voice over IP) or video network communications?


A.LDAPS

B.HTTPS

C.NTP

D.SRTP
Definition
D.SRTP

Explanation:
SRTP (Secure Real-time Transport Protocol) is an extension to RTP that adds encryption, message authentication, and replay protection. As with RTP, it is intended particularly for VoIP (voice over IP) or video network communications. Answer A is incorrect because LDAPS is LDAP over SSL/TLS, used to protect directory binds and queries, for example when an application authenticates against Active Directory Domain Services (AD DS). Answer B is incorrect because HTTPS is used to establish a secured connection between a client and a web server. Answer C is incorrect because Network Time Protocol (NTP) is a UDP protocol used to synchronize devices with a network time server.
Term
Recently, some employees have fallen victim to social engineering. Which of the following is the best way to manage this personnel issue?


A.Termination

B.Awareness training

C.Written warning

D.A new policy
Definition
B.Awareness training

Explanation:
The best defense against personnel issues such as social engineering is user education and awareness training. Answers A and C are incorrect because social engineering plays on human behavior and interactions; it doesn't feel like an attack, so it is difficult to spot. Answer D is incorrect because writing a new policy cannot control human behavior.
Term
If the organization requires a firewall feature that controls network activity associated with DoS attacks, which of the following safeguards should be implemented?


A.Loop protection

B.Flood guard

C.Implicit deny

D.Port security
Definition
B.Flood guard

Explanation:
A flood guard is a firewall feature to control network activity associated with DoS attacks. Answer A is incorrect because a loop guard feature makes additional checks in Layer 2 switched networks to prevent loops. Answer C is incorrect because implicit deny is an access control practice in which resource availability is restricted to only logons that are explicitly granted access. Answer D is incorrect because port security is a Layer 2 traffic control feature on Cisco Catalyst switches. It enables individual switch ports to be configured to allow only a specified number of source MAC addresses coming in through the port.
Term
Which of the following uses a secure cryptoprocessor that accelerates cryptographic processes and provides strong access authentication for critical application encryption keys?


A.Hardware security module

B.Full disk encryption

C.File-level encryption

D.Public key infrastructure
Definition
A.Hardware security module

Explanation:
An HSM is a type of cryptoprocessor that manages digital keys, accelerates cryptographic processes, and provides strong access authentication for critical application encryption keys. Answer B is incorrect because full-disk encryption involves encrypting the operating system partition on a computer and then booting and running with the system drive encrypted at all times. Answer C is incorrect because in file- or folder-level encryption, individual files or directories are encrypted by the file system itself. Answer D is incorrect because PKI is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.
Term
You have been tasked with testing the strength of user passwords. Which of the following tools is the best choice to help accomplish this task?


A.Metasploit

B.Brutus

C.Nmap

D.OpenPuff
Definition
B.Brutus

Explanation:
Brutus is a well-known password cracker (specifically an online cracker that submits guesses to a network login service). Password crackers are software utilities that test user logon password strength directly by brute-force or dictionary guessing, drawing on dictionary terms, specialized lexicons, or mandatory complexity guidelines. Answer A is incorrect because Metasploit is an exploitation framework. Answer C is incorrect because Network Mapper (Nmap) is a network scanning tool used for locating network hosts, detecting operating systems, and identifying services. Answer D is incorrect because OpenPuff is a common steganography tool.
Term
It has been reported that some weak user passwords from your organization have shown up on the Internet. Which of the following tools would provide information to confirm or deny this allegation?


A.Tcpdump

B.Camouflage

C.SolarWinds

D.Cain and Abel
Definition
D.Cain and Abel

Explanation:
Cain and Abel is a password cracker that can recover passwords from captured hashes using dictionary, brute-force, and cryptanalysis attacks; running the passwords reported on the Internet against your own users' hashes tells you whether the allegation holds. Password crackers are software utilities that test user logon password strength directly by brute-force or dictionary guessing, drawing on dictionary terms, specialized lexicons, or mandatory complexity guidelines. Answer A is incorrect because Tcpdump is a command-line packet analyzer that captures TCP/IP packets sent and received on a specific interface. Answer B is incorrect because Camouflage is a common steganography tool. Answer C is incorrect because SolarWinds is best known for network monitoring and configuration compliance management products, not password testing.
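An added example serving both this card and the Brutus card above (not part of the original flashcard set): an offline dictionary cracker in Python with the mangling rules these tools apply (case variants, appended years, common suffixes). The credential store, salts, passwords and wordlist are all constructed for the demonstration; fed the strings that turned up on the Internet as the wordlist, the same routine reports which of your accounts are affected. Brutus does the equivalent online, submitting each guess to the login service, which is far slower and trips lockout policies.

```python
import hashlib
import hmac


def hash_password(salt: bytes, password: str) -> str:
    """Salted SHA-256, as found in many home-grown schemes. A fast hash like this
    is what makes dictionary attacks cheap; real systems should use a slow,
    memory-hard hash (bcrypt, scrypt, Argon2)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_sample_store():
    """Constructed credential store: {user: (salt, hex_digest)}. Passwords are
    made up; fixed salts keep the example deterministic."""
    people = [("alice", b"salt-a", "Summer2019"),
              ("bob", b"salt-b", "correcthorse"),
              ("carol", b"salt-c", "7Fq!v9zL#pW2")]
    return {user: (salt, hash_password(salt, pw)) for user, salt, pw in people}


# Constructed wordlist standing in for a dictionary file or for a list of
# passwords found posted on the Internet.
WORDLIST = ["password", "summer", "winter", "correcthorse", "letmein"]


def candidates(wordlist, years=range(2017, 2021), suffixes=("", "!", "1")):
    """Mangling rules typical of crackers: case variants, appended year, suffix."""
    for word in wordlist:
        for variant in (word, word.capitalize(), word.upper()):
            for year in ("",) + tuple(str(y) for y in years):
                for suffix in suffixes:
                    yield variant + year + suffix


def crack(store, wordlist):
    """Return {user: password} for every account whose hash matches a candidate.
    The salt forces the hash to be recomputed per user, which is its whole point."""
    guesses = list(candidates(wordlist))
    found = {}
    for user, (salt, digest) in store.items():
        for guess in guesses:
            if hmac.compare_digest(hash_password(salt, guess), digest):
                found[user] = guess
                break
    return found


if __name__ == "__main__":
    for user, pw in crack(build_sample_store(), WORDLIST).items():
        print(f"{user}: weak password '{pw}'")
```

Two of the three constructed accounts fall to a five-word list with simple rules; the third survives only because its password is not derivable from any dictionary word. That asymmetry, not the tool, is the lesson of both cards.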
Term
Which of the following is associated with certificate issues?


A.Unauthorized transfer of data

B.Release of private or confidential information

C.Algorithm mismatch error

D.Prevention of legitimate content
Definition
C.Algorithm mismatch error

Explanation:
An algorithm mismatch is associated with certificate issues. Answer A is incorrect because data exfiltration is the unauthorized transfer of data. A more basic definition is data theft. Answer B is incorrect because a data breach is the release of private or confidential information. Answer D is incorrect because prevention of legitimate content is associated with a misconfigured web content filter.
Term
Which of the following is used to identify the level of aggressive attention directed at a network and to study and learn from an attacker's common methods of attack?


A.Honeypot

B.Configuration compliance scanner

C.Vulnerability scanner

D.Banner grabbing
Definition
A.Honeypot

Explanation:
Honeypots are often used to identify the level of aggressive attention directed at a network and to study and learn from an attacker's common methods of attack. Answer B is incorrect because configuration compliance scanners audit network device configurations against a set policy. They are most often used in either auditing or vulnerability checking. Answer C is incorrect because a vulnerability scanner is a software utility that scans a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services. Answer D is incorrect because banner grabbing describes a technique to identify what operating system is running on a machine, as well as the services that are running.
Term
You are setting up remote access for users and want to be sure a secure channel is used. Which technology should you implement?


A.DMZ

B.VPN

C.VLAN

D.NAT
Definition
B.VPN

Explanation:
A VPN is a network connection that grants you access via a secure tunnel created through an Internet connection. Answer A is incorrect because a DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer C is incorrect because the purpose of a VLAN is to unite network nodes logically into the same broadcast domain, regardless of their physical attachment to the network. Answer D is incorrect because NAT acts as a liaison between an internal network and the Internet.
Term
Which standard port is used to establish a web connection using the 40-bit RC4 encryption protocol?


A.21

B.80

C.443

D.8250
Definition
C.443

Explanation:
A connection using the HTTP protocol over SSL (HTTPS) is made using the RC4 cipher and port 443. Answer A is incorrect because port 21 is used for FTP connections. Answer B is incorrect because port 80 is used for unsecure plain-text HTTP communications. Answer D is incorrect because port 8250 is not designated to a particular
Term
You are required to check user permissions for the finance group that includes specific registry keys. Which of the following should you choose?


A.Content filter

B.Audit user permissions

C.HTTPS

D.DNS
Definition
B.Audit user permissions

Explanation:
Auditing user permissions identifies access violations and issues. Tools such as AccessChk show the permissions specific users and groups have for files, folders, registry keys, Windows services, and other objects. Answer A is incorrect because content filters are used to control Internet content that is available for use in the organizational environment. Answer C is incorrect because HTTPS helps prevent malicious users from capturing clear-text passwords. Answer D is incorrect because DNS is used to resolve IP addresses and domain names.
Term
You have recently had problems with clients not being able to resolve domain names correctly. Which of the following tools should you use?


A.Ping

B.Nslookup

C.Ifconfig

D.Netstat
Definition
B.Nslookup

Explanation:
Nslookup is a command-line utility used to troubleshoot a Domain Name Server (DNS) database. It queries the DNS server to check whether the correct information is in the zone database. Answer A is incorrect because Packet Internet Grouper (ping) is a utility that tests network connectivity by sending an Internet Control Message Protocol (ICMP) echo request to a host. Answer C is incorrect because Ifconfig is used for network interface configuration. Answer D is incorrect because Netstat displays all the ports on which the computer is listening. It can also be used to display the routing table and per-protocol statistics.
Term
Which of the following is used to help troubleshoot network issues by gathering packet-level information across the network?


A.Protocol analyzer

B.Vulnerability scanner

C.Port scanner

D.Data sanitation tools
Definition
A.Protocol analyzer

Explanation:
A protocol analyzer is used to capture network traffic and generate statistics for creating reports. Answer B is incorrect because a vulnerability scanner is a software utility that scans a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services. Answer C is incorrect because port scanners are useful in creating an inventory of services hosted on networked systems. Answer D is incorrect because data-sanitizing tools are used for removing the contents from the device or media as fully as possible, making it extremely difficult to restore.
Term
An organization is looking to add a layer of security by maintaining strict control over the devices employees are approved to use. Which of the following fulfills this requirement?


A.HIPS

B.Encryption

C.DLP

D.Whitelisting
Definition
C.DLP

Explanation:
Most DLP solutions have the capability to control or manage removable media such as USB devices, mobile devices, email, and storage media. Answer A is incorrect because a HIPS protects hosts against known and unknown malicious attacks from the network layer up through the application layer. Answer B is incorrect because encrypting media devices does not provide the same functionality as the capability to control use of the media device. Application whitelisting is a process in which the organization approves software applications to be used on assets; only those approved applications can be run, making answer D incorrect.
Term
Which of the following is included in a BYOD, CYOD, or COPE policy?


A.Key management

B.Data ownership

C.Credential management

D.Transitive trusts
Definition
B.Data ownership

Explanation:
When formulating a BYOD, CYOD, or COPE policy, the organization should clearly state who owns the data stored on the device, specifically addressing what data belongs to the organization. Answer A is incorrect because key management is intended to provide a single point of management for keys and to enable users to both manage the life cycle of keys and store them securely; it also makes key distribution easier. Answer C is incorrect because the use of credentials is to validate the identities of users, applications, and devices. Answer D is incorrect because transitive trusts enable decentralized authentication through trusted agents.
Term
Which of the following are uses for proxy servers? (Choose all correct answers.)

A.Intrusion detection

B.Internet connectivity

C.Load balancing

D.Web content caching
Definition
B.Internet connectivity
C.Load balancing
D.Web content caching

Explanation:
You can place proxy servers between the private network and the Internet for Internet connectivity or internally for web content caching. If the organization is using the proxy server for both Internet connectivity and web content caching, you should place the proxy server between the internal network and the Internet, with access for users who are requesting the web content. In some proxy server designs, the proxy server is placed in parallel with IP routers. This facilitates network load balancing by forwarding all HTTP and FTP traffic through the proxy server and forwarding all other IP traffic through the router. Answer A is incorrect because proxy servers are not used for intrusion detection.
Term
Which of the following is a use case for subnetting?


A.Regulatory mandates that require accurate time stamping

B.Host arrangement into the different logical groups that isolate each subnet

C.Subscription services

D.Reduced risks during data exchanges
Definition
B.Host arrangement into the different logical groups that isolate each subnet

Explanation:
Splitting one network into two or more and using routers to connect each subnet together is a function of subnetting and network address allocation. Answer A is incorrect because timestamping is a time function, and this is a use case for NTP. Answer C is incorrect because subscription services are a monthly fee to a service provider for a certain number of users or devices. Answer D is incorrect because reducing risks during data exchanges is a common use case for the implementation of FTPS and SFTP.
Term
Which of the following are used as a most basic form of security in handheld devices? (Choose two correct answers.)

A.Encryption

B.PIN

C.Passcode

D.Fingerprint biometrics
Definition
B.PIN
C.Passcode

Explanation:
PINs/passcodes and pattern locks are used as a most basic form of security and a first line of defense. Answer A is incorrect because mobile device encryption is difficult to implement. Answer D is incorrect because fingerprint biometrics require additional internal hardware.
Term
An organization is looking to add a layer of security by implementing a solution that protects hosts against known and unknown malicious attacks from the network layer up through the application layer. Which of the following fulfills this requirement?


A.HIPS

B.Encryption

C.DLP

D.Whitelisting
Definition
A.HIPS

Explanation:
A HIPS protects hosts against known and unknown malicious attacks from the network layer up through the application layer. Answer B is incorrect because encrypting media devices does not provide the same functionality as controlling use of the media device. Answer C is incorrect because DLP solutions are used to prevent data loss by controlling removable media such as USB devices, mobile devices, email, and storage media. Application whitelisting is a process in which the organization approves software applications to be used on assets; only those approved applications can be run, making answer D incorrect.
Term
Which of the following is useful in preventing users and attackers from executing unauthorized applications but does not prevent malicious code from executing?


A.DLP

B.Patch management

C.Application whitelisting

D.Malware inspection filter
Definition
C.Application whitelisting

Explanation:
Application whitelisting is useful in preventing users and attackers from executing unauthorized applications, but it does not prevent malicious code from executing. Answer A is incorrect because DLP products identify confidential or sensitive information through content analysis. Answer B is incorrect because patch management is used to assess, test, deploy, and install software updates. Answer D is incorrect. A malware inspection filter is basically a web filter applied to traffic that uses HTTP.
Term
Wired traffic must be encrypted because there is concern about protecting the security of login and password information for internal high-level users. Which technology should you implement?


A.DMZ

B.VPN

C.VLAN

D.NAT
Definition
B.VPN

Explanation:
A VPN concentrator can be used internally to encrypt WLAN or wired traffic, where there is concern about protecting the security of login and password information for high-level users and sensitive information. Answer A is incorrect because a DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer C is incorrect because the purpose of a VLAN is to unite network nodes logically into the same broadcast domain, regardless of their physical attachment to the network. Answer D is incorrect because NAT acts as a liaison between an internal network and the Internet.
Term
A Windows system is software DEP enabled. An attacker runs an exploit that injects code into a program, and the program uses known memory space. What will the result be?


A.The code will run with limited functionality.

B.The machine will automatically blue screen and shutdown.

C.The malware will be blocked from running the injected code.

D.The malware code will run because it was injected into a known process.
Definition
C.The malware will be blocked from running the injected code.

Explanation:
Software-based DEP prevents malicious code from taking advantage of exception-handling mechanisms in Windows by throwing an exception when the injected code attempts to run. This essentially blocks the malware from running the injected code. Based on this explanation, answers A, B, and D are incorrect.
Term
Advanced malware tools use which of the following analysis methods?


A.Static analysis

B.Context based

C.Signature analysis

D.Manual analysis
Definition
B.Context based

Explanation:
Advanced malware tools use behavior- and context-based detection methods instead of signature-based methods. Advanced malware tools tend to be complex enterprise solutions that are built to protect organizations before, during, and after a malware attack. Therefore, static, signature, and manual analysis methods are not effective, making answers A, C, and D incorrect.
Term
An organization wants to be sure that certain application data is protected. Which of the following fulfills this requirement?


A.Blacklisting

B.Encryption

C.Lockout

D.Whitelisting
Definition
B.Encryption

Explanation:
Application encryption is used to encrypt sensitive information stored by the app or to limit content accessibility to users who have the appropriate access key. Answer A is incorrect because although blacklisting is an option, it is not as effective as whitelisting. Answer C is incorrect because lockout has to do with the number of times a user can enter a passcode. Answer D is incorrect because application whitelisting permits only known good apps to be installed.
Term
Which of the following protocols is used to secure email?


A.SFTP

B.S/MIME

C.SNMP

D.SSH
Definition
B.S/MIME

Explanation:
S/MIME is a widely accepted technology for sending digitally signed and encrypted messages that provides authentication, message integrity, and nonrepudiation for email. Answer A is incorrect because SFTP, or secure FTP, is a program that uses SSH to transfer files. Answer C is incorrect because SNMP is an application layer protocol whose purpose is to collect statistics from TCP/IP devices. SNMP is used to monitor the health of network equipment, computer equipment, and devices such as uninterruptible power supplies (UPSs). Answer D is incorrect because the Secure Shell (SSH) utility establishes a session between the client and host computers using an authenticated and encrypted connection.
Term
It has been reported that some clear-text passwords are being transmitted within your organization. Which of the following can mitigate this situation?


A.Auditing of user permissions

B.Content filtering

C.HTTPS

D.DNS
Definition
C.HTTPS

Explanation:
When an application or service stores or sends passwords in clear text, risk to the organization can be reduced by sending the credentials via an encrypted channel such as HTTPS. This helps prevent malicious users from capturing the clear-text passwords. Answer A is incorrect because auditing user permissions works for identifying access violations and issues. Answer B is incorrect because content filters are used to control Internet content that is available for use in the organizational environment. Answer D is incorrect because DNS is used to resolve IP addresses and domain names.
Term
Which of the following is necessary to implement an effective BYOD, CYOD, or COPE program? (Choose two correct answers.)

A.Key management

B.Legal considerations

C.Infrastructure considerations

D.Storage limitations
Definition
B.Legal considerations
C.Infrastructure considerations

Explanation:
To establish an effective BYOD, CYOD, or COPE program, all legal concerns should be addressed before program implementation. Implementing a BYOD, CYOD, or COPE program requires planning and understanding infrastructure considerations, such as the access methods and device management options for the devices. Answer A is incorrect because key management is intended to provide a single point of management for keys and to enable users to both manage the life cycle of keys and store them securely; it also makes key distribution easier. Answer D is incorrect because storage limitations are not a primary consideration in BYOD, CYOD, or COPE.
Term
Which standard port is used to establish an FTP connection?


A.21

B.80

C.443

D.8250
Definition
A.21

Explanation:
Port 21 is used for FTP connections. Answer B is incorrect because port 80 is used for unsecure plain-text HTTP communications. Answer C is incorrect because a connection using the HTTP protocol over SSL (HTTPS) is made using port 443. Answer D is incorrect because port 8250 is not designated to a particular TCP/IP protocol.
Term
You have recently had problems with clients in one particular area of the network not being able to connect to a server. Which of the following tools should you use to begin troubleshooting?


A.Ping

B.Nslookup

C.Telnet

D.Netstat
Definition
A.Ping

Explanation:
Packet Internet Grouper (ping) is a utility that tests network connectivity by sending an Internet Control Message Protocol (ICMP) echo request to a host. Answer B is incorrect because Nslookup is a command-line utility used to troubleshoot a Domain Name Service (DNS) database. It queries the DNS server to check whether the correct information is in the zone database. Answer C is incorrect because Telnet is a terminal emulation program used to access remote routers and UNIX systems. Answer D is incorrect because Netstat displays all the ports on which the computer is listening. It can also be used to display the routing table and per-protocol statistics.
Term
Which of the following types of antivirus scanning looks for instructions or commands that are not typically found in application programs?


A.Manual

B.Heuristic

C.Static

D.Pattern matching
Definition
B.Heuristic

Explanation:
Heuristic scanning looks for instructions or commands that are not typically found in application programs. Therefore, manual, static, and pattern matching analysis methods do not perform this function, making answers A, C, and D incorrect.
Term
Which of the following should be used to establish a session between client and host computers using an authenticated and encrypted connection?


A.SFTP

B.S/MIME

C.SNMP

D.SSH
Definition
D.SSH

Explanation:
The Secure Shell (SSH) utility establishes a session between the client and host computers using an authenticated and encrypted connection. SFTP, or secure FTP, is a program that uses SSL to transfer files. S/MIME is a widely accepted technology for sending digitally signed and encrypted messages that provides authentication, message integrity, and nonrepudiation for email. SNMP is an application layer protocol whose purpose is to collect statistics from TCP/IP devices.
Term
Buffer overflows, format string vulnerabilities, and utilization of shell escape codes can be mitigated by using which of the following practices to test an application?


A.Fuzzing

B.Testing

C.Input validation

D.Browser initiated token request
Definition
C.Input validation

Explanation:
Input validation tests whether an application properly handles input from a source outside the application destined for internal processing. Answer A is incorrect because fuzzing allows the injection of random-looking data into a program to see if it can cause the program to crash. Answer B is incorrect because testing is a generic term that encompasses more than what the question is asking. Answer D is incorrect because it is a method used to mitigate cross-site request forgery (XSRF) attacks.
Term
An organization is implementing a data availability solution based on a striped disk array without redundancy. Which of the following best describes this implementation?


A.RAID 0

B.RAID 1

C.RAID 5

D.RAID 10
Definition
A.RAID 0

Explanation:
RAID Level 0 is a striped disk array without fault tolerance. Answer B is incorrect because RAID Level 1 is mirroring and duplexing. This solution requires a minimum of two disks and offers 100 percent redundancy because all data is written to both disks. Answer C is incorrect because RAID Level 5 consists of independent data disks with distributed parity blocks. In RAID 5, each entire block of the data and the parity is striped. Answer D is incorrect because RAID Level 10 is high reliability combined with high performance. This solution is a striped array that has RAID 1 arrays.
Term
The organization is building a new application and is more interested in being able to use a rigorous methodical process to verify each phase along the way than it is in selecting a fast delivery method. Which of the following should the organization choose?


A.IaC

B.Agile

C.Waterfall

D.Continuous integration
Definition
C.Waterfall

Explanation:
The Waterfall SDLC model is traditional, starting with a defined set of requirements and a well-developed plan with adjustments confined to the current development stage. Answer A is incorrect because Infrastructure as code (IaC) is also known as programmable infrastructure, meaning that infrastructure configuration can be incorporated into application code. Answer B is incorrect because the Agile SDLC model starts with less rigorous guidelines and allows for adjustments during the entire process. Answer D is incorrect because continuous integration (CI) is a process in which the source code updates from all developers working on the same project are continually monitored and merged from a central repository when a new commit is detected.
Term
An organization wants to use a service provider to implement processes for the organization such as identity and access management (IAM) and encryption. Which of the following should the organization choose?


A.IaaS

B.SecaaS

C.DRaaS

D.SaaS
Definition
B.SecaaS

Explanation:
In SecaaS, a security service provider uses a subscription-based model to implement security for the organization. SecaaS providers offer a wide variety of security services, including but not limited to identity and access management (IAM), email security, and encryption. Answer A is incorrect because IaaS is a cloud computing model in which hardware, storage, and networking components are virtualized and provided by an outsourced service provider. Answer C is incorrect because DRaaS is the replication and hosting of physical or virtual servers by a third party to provide failover in case of a man-made or natural catastrophe. Answer D is incorrect because SaaS is a cloud computing model in which software applications are virtualized and provided by an outsourced service provider.
Term
You are setting up a switched network and want to group users by department. Which technology should you implement?


A.DMZ

B.VPN

C.VLAN

D.NAT
Definition
C.VLAN

Explanation:
The purpose of a VLAN is to unite network nodes logically into the same broadcast domain, regardless of their physical attachment to the network. Answer A is incorrect because a DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer B is incorrect because a VPN is a network connection that allows you access via a secure tunnel created through an Internet connection. Answer D is incorrect because NAT acts as a liaison between an internal network and the Internet.
Term
Which of the following can result in the exploitation of a BIOS vulnerability? (Select all correct answers.)

A.Hard drive failure occurs

B.System cannot boot

C.System locks up

D.Denial of service occurs
Definition
B.System cannot boot
D.Denial of service occurs

Explanation:
A vulnerability in the BIOS can allow local users to cause a denial of service and result in the system not booting. Answer A is incorrect because a hard drive failure has to do with the hard disk itself and nothing to do with the BIOS. Answer C is incorrect because system lockup implies that the machine was already booted; this is associated more with attacks that happen after the machine is up and running.
Term
In which of the following are attestation challenges from computed hashes of system or application information used to obtain confidence in the trustworthiness and identity of a platform or software?


A.Application baselines

B.Integrity measurement

C.Staging environments

D.Sandboxing
Definition
B.Integrity measurement

Explanation:
Integrity measurement is a method that uses attestation challenges from computed hashes of system or application information to obtain confidence in the trustworthiness and identity of a platform or software. Answer A is incorrect because application baselining is similar to operating system baselining: It provides a reference point for normal and abnormal activity. Answer C is incorrect because a staging environment is primarily used to unit test the actual deployment of code. Answer D is incorrect because the basic idea of sandboxing is to provide a safe execution environment for untrusted programs.
Term
A vulnerability assessment has revealed that legacy internal heart monitors of a hospital's intensive care unit (ICU) are visibly exposed to the Internet. Which of the following should be implemented?


A.Network segmentation

B.Code wrappers

C.Control diversity

D.Manual updates
Definition
A.Network segmentation

Explanation:
Network segmentation is one of the most effective controls an organization can implement to mitigate the effect of a network intrusion. In sensitive systems such as SCADA networks, applying segmentation in layers, from the data link layer through the application layer, can go a long way in protecting vital infrastructure services. Answer B is incorrect because wrappers are used in several types of implementations, such as smart grids and integration of legacy systems. They reduce the risk of web-based attacks. Answer C is incorrect because control diversity refers to having multiple versions of software packages in which redundant software versions differ. Answer D is incorrect because although manual updates are inconvenient, they might also be necessary when the system contains sensitive data and is segmented.
Term
Which of the following devices is used to accept encrypted connections from users and then send the connection to the server unencrypted?


A.VPN

B.DMZ

C.DDoS mitigation appliance

D.SSL accelerator
Definition
D.SSL accelerator

Explanation:
SSL accelerators are devices that accept SSL connections from users and then send the connection to the server unencrypted. They are typically positioned in-line between the users and a server. Answer A is incorrect because a VPN is a network connection that allows you access via a secure tunnel created through an Internet connection. Answer B is incorrect because a DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer C is incorrect because DDoS mitigation appliances are used to mitigate DDoS attacks and can be implemented through external ISP-based solutions, on-premises solutions, or third-party based solutions.
Term
An organization that operates a small web-based photo backup business is evaluating single points of failure. The organization has three servers, four switches, and 100 client systems. Which of the following is the most likely component(s) to be the single point of failure?

A.Servers

B.ISP connection

C.Client systems

D.Switches
Definition
B.ISP connection

Explanation:
Neglecting single points of failure can prove disastrous. A single point of failure is any piece of equipment that can bring your operation down if it stops working. Based on this, the Internet connection would be the single point of failure. Answers A, C, and D are incorrect; the system has more than one of each of these pieces of equipment, so they are not single points of failure.
Term
You are setting up a web server that both the internal employees and external customers need to access. What type of architecture should you implement?


A.VLAN

B.DMZ

C.NAT

D.VPN
Definition
B.DMZ

Explanation:
A DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. For example, web servers are often placed in a DMZ. Answer A is incorrect because the purpose of a VLAN is to unite network nodes logically into the same broadcast domain, regardless of their physical attachment to the network. Answer C is incorrect because NAT acts as a liaison between an internal network and the Internet. Answer D is incorrect because a VPN is a network connection that allows access via a secure tunnel created through an Internet connection.
Term
Which of the following is most likely to use network segmentation as a security method?


A.SCADA systems

B.Mainframes

C.Android devices

D.Gaming consoles
Definition
A.SCADA systems

Explanation:
SCADA systems would most likely use network segmentation. Answer B is incorrect because mainframes would most likely use security layers. Answer C is incorrect because Android would most likely use security layers. Answer D is incorrect because most gaming consoles only run signed code, encrypt memory, and use firmware updates to patch vulnerabilities.
Term
An organization is experiencing a large amount of electromagnetic interference (EMI). Which of the following is the best method to provide continuous operations?


A.Extra shielding

B.A generator

C.A redundant electric connection

D.A RAID configuration
Definition
A.Extra shielding

Explanation:
Power variations called noise are also referred to as electromagnetic interference (EMI). To protect your environment from such damaging fluctuations in power, always connect your sensitive electronic equipment to power conditioners, surge protectors, and a UPS, which provides the best protection of all. Answer B is incorrect because a generator is used for rolling blackouts, emergency blackouts, or electrical problems. Answer C is incorrect because most electric companies service only one area. If it is possible to contract with another service provider, the cost will most likely be prohibitive. Answer D is incorrect because RAID does not protect against electrical failures.
Term
Which of the following provides a sandboxed environment that can be used to investigate unsafe executables?


A.Virtualization

B.Network storage

C.Host software baselining

D.Application baselining
Definition
A.Virtualization

Explanation:
A virtualized sandboxed environment can help in computer security research, which studies the effects of unsafe executables without the possibility of compromising the host system. Answer B is incorrect because network storage has nothing to do with desktop management. Answer C is incorrect because host software baselining can be done for a variety of reasons, including monitoring malware and creating system images. Answer D is incorrect because application baselining is used to monitor changes in application behavior.
Term
Which of the following operating systems is run in a SoC environment?


A.Windows Server 2016

B.RedHat Enterprise Linux (RHEL)

C.CAN bus

D.RTOS
Definition
D.RTOS

Explanation:
A real-time operating system (RTOS) is a small operating system used in embedded systems and IoT applications that is typically run in a SoC environment. Answer A is incorrect because Windows 2016 is a server operating system. Answer B is incorrect because Red Hat Enterprise Linux (RHEL) is a server operating system. Answer C is incorrect because a CAN bus is associated with internal vehicle communications.
Term
What is the plenum?


A.A mesh enclosure designed to block EMI

B.A mechanism for controlling condensation

C.A type of dry-pipe fire control system

D.A mechanism for thermal management
Definition
D.A mechanism for thermal management

Explanation:
A plenum is the space below a raised floor or above a drop ceiling that can be used in hot aisle/cold aisle server rooms to efficiently manage thermal dissipation. Answer A is incorrect because a grounded mesh enclosure for EMI shielding is called a Faraday cage. Answer B is incorrect because management of condensation is handled as part of the HVAC function as air is cooled. Answer C is incorrect because a dry-pipe system is a fire-extinguishing system that uses pressurized air as a triggering mechanism for water.
Term
An organization is interested in using a vendor SaaS application but is concerned about the lack of cloud security. What type of cloud architecture is the most appropriate?


A.Public

B.Private

C.Hybrid

D.Community
Definition
C.Hybrid

Explanation:
A hybrid cloud environment is the best choice when an organization offers services that need to be configured for diverse vertical markets or wants to use a SaaS application but is concerned about security. Answer A is incorrect because using a public cloud increases concern about security. Answer B is incorrect because a private cloud does not allow the public vendor SaaS implementation. Answer D is incorrect because a community cloud provides collaborative business processes in a cloud environment.
Term
Which of the following uses a secure cryptoprocessor to authenticate hardware devices such as a PC or laptop?


A.Public key infrastructure

B.Full disk encryption

C.File-level encryption

D.Trusted platform module
Definition
D.Trusted platform module

Explanation:
TPM refers to a secure cryptoprocessor used to authenticate hardware devices such as a PC or laptop. The idea behind TPM is to allow any encryption-enabled application to take advantage of the chip. Answer A is incorrect because the public key infrastructure (PKI) is a set of hardware, software, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. Answer B is incorrect because full disk encryption involves encrypting the operating system partition on a computer and then booting and running with the system drive encrypted at all times. Answer C is incorrect because, in file- or folder-level encryption, individual files or folders are encrypted by the file system itself.
Term
Using a combination of firewalls, intrusion detection systems, content filters, encryption, and auditing procedures in the organization for protection against intrusions is an example of which of the following?


A.Defense in depth

B.Infrastructure as a Service

C.Community cloud

D.Layered security
Definition
D.Layered security

Explanation:
Layered security is based on the premise that, by implementing security at different levels or layers to form a complete security strategy, better protection is provided than by implementing an individual security defense. Answer A is incorrect. Defense in depth is rooted in military strategy and requires a balanced emphasis on people, technology, and operations to maintain information assurance (IA). Answer B is incorrect because Infrastructure as a Service (IaaS) is the delivery of computer infrastructure in a hosted service model over the Internet. Answer C is incorrect because a community cloud provides collaborative business processes in a cloud environment.
Term
An organization has a sensitive network that needs to have physically isolated machines. Which of the following practices would be used to meet this requirement?


A.Air gap

B.VLAN

C.RAS

D.Honeynet
Definition
A.Air gap

Explanation:
Air gaps are physically isolated machines or networks. They should not have any connection to the Internet or any machine that connects to the Internet. Answer B is incorrect because a virtual local-area network (VLAN) unites network nodes logically into the same broadcast domain, regardless of their physical attachment to the network. Answer C is incorrect because Remote Access Services (RAS) lets you connect your computer from a remote location, such as your home or any on-the-road location, to a corporate network. Answer D is incorrect because honeynets are used to distract attackers from valid network content, to study the attacker's methods, and to provide early warning of attack attempts.
Term
Which of the following methods of cloud computing allows the client to literally outsource everything that would normally be in a typical IT department?


A.SaaS

B.IaaS

C.PaaS

D.DaaS
Definition
B.IaaS

Explanation:
Infrastructure as a Service (IaaS) is the delivery of computer infrastructure in a hosted service model over the Internet. This method of cloud computing allows the client to outsource everything that would normally be in a typical IT department. Answer A is incorrect because Software as a Service (SaaS) is the delivery of a licensed application to customers over the Internet for use as a service on demand. Answer C is incorrect because Platform as a Service (PaaS) is the delivery of a computing platform, often an operating system with associated services, over the Internet without downloads or installation. Answer D is incorrect because Desktop as a Service (DaaS), also called virtual desktop or hosted desktop services, is the outsourcing of a virtual desktop infrastructure (VDI) to a third-party service provider.
Term
Which of the following is considered good practice for separation of development and test environments? (Select two correct answers.)

A.Different physical locations

B.Firewall

C.VPN

D.VLAN
Definition
B.Firewall
D.VLAN

Explanation:
In a physical isolation environment, a firewall normally separates the environments from each other and the outside world. In VLAN segmentation, VLANs are often mapped into security zones. Traffic between zones must pass through a firewall, which enforces the segmentation rules between the environments. Answer A is incorrect because physical separation, unless air gapped, does not guarantee that the two environments cannot access each other. Answer C is incorrect because a VPN is used for remote access.
Term
Which type of fire extinguisher is best for putting out burning wires?


A.Water

B.Carbon dioxide

C.Sodium chloride

D.Copper powder
Definition
B.Carbon dioxide

Explanation:
The carbon dioxide extinguisher replaces the halon extinguisher for putting out electrical (Class C) fires. Answer A is incorrect because water is used for Class A fires (trash, wood, and paper); it also conducts electricity, which makes it dangerous on energized equipment. Answers C and D are incorrect because sodium chloride and copper-based dry powder extinguishers are used for Class D (combustible metal) fires.
Term
Which of the following are the most compelling reasons that secure configuration baselines have been established? (Select three correct answers.)

A.Industry standards

B.Organizational requests

C.Governmental mandates

D.Regulatory bodies
Definition
A.Industry standards
C.Governmental mandates
D.Regulatory bodies

Explanation:
Security baselines are often established by governmental mandate, regulatory bodies, or industry representatives - for example, think of the PCI requirements established by the credit card industry for businesses that collect and transact using credit information. Answer B is incorrect because organizational requests are merely requests, and security baselines are often established to comply with some type of regulation or standard.
Term
Which of the following type of control is a surveillance system?


A.Logical control

B.Technical control

C.Physical control

D.Management control
Definition
C.Physical control

Explanation:
Physical controls form the outer line of defense against direct access to data, such as protection of backup media; secure output and mobile file storage devices; and facility design details such as layout, doors, guards, locks, and surveillance systems. Answer A is incorrect because logical controls are the same as technical controls. Answer B is incorrect because technical controls include logical access control systems, security systems, encryption, and data classification solutions. Answer D is incorrect because management and administrative controls include business and organizational processes and procedures, such as security policies and procedures, personnel background checks, security awareness training, and formal change management procedures.
Term
In which of the following phases should code security first be implemented?


A.Testing

B.Review

C.Implementation

D.Design
Definition
D.Design

Explanation:
It is important to implement security from the very beginning. In the early design phase, potential threats to the application must be identified and addressed. Ways to reduce the associated risks must also be taken into consideration. Therefore, answers A, B, and C are incorrect.
Term
Which of the following best describes the result of adding an email address to the blocked list?


A.It is considered part of the whitelist.

B.It is considered part of the blacklist.

C.It is considered part of the graylist.

D.It is considered part of the brownlist.
Definition
B.It is considered part of the blacklist.

Explanation:
In general, an email address added to the approved list is never considered spam. This is also known as a whitelist. Using whitelists allows more flexibility in the type of email you receive: putting the addresses of your relatives or friends in your whitelist allows you to receive any type of content from them. An email address added to the blocked list is always considered spam. This is also known as a blacklist. Answer A is incorrect because whitelisting is allowing an email address. Answer C is incorrect because graylisting sits between whitelisting and blacklisting: each time a mailbox receives email from an unknown sender (IP), the mail is rejected with a temporary "try again later" error and is accepted only when the sender retries after a delay, which legitimate mail servers do and most spam bots do not. Answer D is incorrect because brownlisting is a concept based on a CBL type system driven by tokens from blocked sites.
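The three lists above behave differently at the SMTP boundary: a blocklist entry is rejected outright, an allowlist entry is accepted, and an unknown sender is temporarily refused and accepted only on a later retry. The following is an added example written for this page, not code from the flashcard set; the list contents, the 5-minute retry delay and the 4-hour expiry are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed tuning values for the example (not from the original page).
GREYLIST_DELAY = 300        # seconds an unknown sender must wait before a retry is accepted
GREYLIST_TTL = 4 * 3600     # pending entries not retried within this window are forgotten


@dataclass
class MailFilter:
    """Allow list, block list and greylist for inbound SMTP senders."""
    allowlist: set = field(default_factory=set)   # never treated as spam
    blocklist: set = field(default_factory=set)   # always treated as spam
    pending: dict = field(default_factory=dict)   # (client_ip, sender, recipient) -> time first seen
    known: set = field(default_factory=set)       # triplets that completed greylisting

    def decide(self, sender: str, recipient: str, client_ip: str, now: float) -> str:
        """Return 'reject', 'accept' or 'tempfail' (an SMTP 451 'try again later')."""
        sender = sender.lower()
        if sender in self.blocklist:          # blocked list wins: always spam
            return "reject"
        if sender in self.allowlist:          # approved list: any content from this sender is accepted
            return "accept"

        triplet = (client_ip, sender, recipient.lower())
        if triplet in self.known:
            return "accept"

        first_seen = self.pending.get(triplet)
        if first_seen is None or now - first_seen > GREYLIST_TTL:
            # First contact (or a stale one): ask the sending server to retry later.
            self.pending[triplet] = now
            return "tempfail"
        if now - first_seen < GREYLIST_DELAY:
            # Retried too soon; a real MTA will come back after its retry interval.
            return "tempfail"
        # Retried after the delay: legitimate mail servers do this, most spam bots do not.
        del self.pending[triplet]
        self.known.add(triplet)
        return "accept"


if __name__ == "__main__":
    # Constructed sample traffic: a blocked sender, an approved sender, and a newcomer that retries.
    f = MailFilter(allowlist={"mom@example.net"}, blocklist={"spam@example.org"})
    print(f.decide("spam@example.org", "me@example.com", "203.0.113.5", now=0))    # reject
    print(f.decide("mom@example.net", "me@example.com", "203.0.113.6", now=0))     # accept
    print(f.decide("new@example.edu", "me@example.com", "203.0.113.7", now=0))     # tempfail
    print(f.decide("new@example.edu", "me@example.com", "203.0.113.7", now=400))   # accept
```

The greylist is keyed on the (client IP, sender, recipient) triplet rather than on the sender address alone, so a forged sender address from a different host still has to wait out the delay.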
Term
Because of seasonal business fluctuations, an organization uses cloud environments to purchase resources for a short period of time based on demand. Which of the following terms best describes this principle?


A.Snapshots

B.Elasticity

C.Scalability

D.Server redundancy
Definition
B.Elasticity

Explanation:
Elasticity is most often found in cloud environments where resources can be purchased for a short period of time, based on demand, and then deleted when they are no longer needed. Answer A is incorrect because a snapshot preserves the entire state and data of the virtual machine at the time it is taken. Answer C is incorrect because scalability is the capacity to expand the amount of production from the current infrastructure without negatively impacting performance. Answer D is incorrect because server redundancy is implemented to ensure high availability and reliability.
Term
Which directory services protocol should be implemented to protect against man-in-the-middle data interception attacks?


A.Kerberos

B.NTLM

C.LDAP

D.Shibboleth
Definition
A.Kerberos

Explanation:
The Kerberos protocol supports mutual authentication between two systems, protecting against man-in-the-middle forms of data interception or manipulation by ensuring that both network endpoints are authenticated to one another. Answer B is incorrect because NTLM is an older Microsoft challenge/response authentication protocol that relies on Windows user credentials and does not authenticate the server to the client. Answer C is incorrect because LDAP is a directory access protocol; on its own it does not protect the session and must be wrapped in TLS (LDAPS or StartTLS) to resist interception. Answer D is incorrect because Shibboleth is an open source federated identity solution that provides single sign-on (SSO) capabilities and federated services popular in research and educational institutions.
Term
Which of the following reduces the effectiveness of a good password policy?


A.Account lockout

B.Password recovery

C.Account disablement

D.Password reuse
Definition
D.Password reuse

Explanation:
The longer the same password is used for a particular account, the greater the chance that an attacker will be able to determine the password through brute force attacks. Allowing users to reuse an old password greatly reduces the effectiveness of a good password policy. Answer A is incorrect because making the password length at least eight characters and requiring the use of the account lockout policy settings helps you prevent attackers from guessing users' passwords. This decreases the likelihood of successful attacks on your network. Answer B is incorrect because it is used when a user forgets a password. Generally, two options exist for this: password recovery or a password reset. Answer C is incorrect because disabling user accounts is used when there might be a need to keep the settings, files, and folders intact so that the company can later access information tied to the user account by reenabling the account.
Term
Which of the following best describes the Policy Enforcement Point (PEP) component of AAA functions?


A.Data holder

B.Final decision maker

C.Authenticator

D.Auditor
Definition
C.Authenticator

Explanation:
The Policy Enforcement Point (PEP) is the authenticator. The PEP enforces the conditions of the client's access. Answer A is incorrect because the Policy Information Point (PIP) holds data relevant to the decision of whether to grant access to the client. Answer B is incorrect because the Policy Decision Point (PDP) is responsible for making the final decision on whether to grant access to the client. Answer D is incorrect because the accounting and reporting system tracks the client network usage and reports the "who, what, where, when, and why."
Term
Which of the following is considered best practice when formulating minimum standards for developing password policies?


A.Password length set to six characters

B.Required password change at 90 days

C.Maximum password age set to 0

D.Account lockout threshold set to 0
Definition
B.Required password change at 90 days

Explanation:
Require users to change passwords every 90 to 180 days, depending on how secure the environment needs to be. Remember that the more often users are required to change passwords, the greater the chance that they will write them down, potentially exposing them to unauthorized use. Answer A is incorrect because making the password length at least eight characters and requiring the use of combinations of uppercase and lowercase letters, numbers, and special characters is good practice. Answer C is incorrect because good policy is to set the maximum password age to a value between 30 and 90 days. Answer D is incorrect because if the lockout threshold is set to zero, accounts will not be locked out due to invalid logon attempts.
Term
Which of the following is one of the first steps that must be taken to provide a secure account access environment?


A.Set user-assigned privileges

B.Implement user access reviews

C.Eliminate the use of shared accounts

D.Initiate continuous account monitoring
Definition
C.Eliminate the use of shared accounts

Explanation:
One of the first steps that must be taken to provide a secure account access environment is to eliminate the use of shared accounts. Their use cannot be attributed to a particular user's credentials, which precludes the determination of specific access rights and audit of access use. Answers A, B, and D are incorrect because they should be considered after original configuration and after the shared accounts have been eliminated. Answer A is incorrect because, in a user-based model, permissions are uniquely assigned to each user account; this happens after any shared accounts are eliminated. This access type is also found in government and military situations, as well as in private companies where patented processes and trademark products require protection. Answer B is incorrect because user access reviews allow the identification of misapplied changes or other access control adjustments through direct assignment or inherited nesting of role access rights. This is done after accounts are created. Answer D is incorrect because the purpose of continuous monitoring is to ensure that the processes for user account provisioning, life cycle management, and termination are followed and enforced. This process happens after the accounts have been secured.
Term
Which type of password policy protects against reuse of the same password?


A.Account lockout

B.Password complexity

C.Expiration

D.Password history
Definition
D.Password history

Explanation:
The password history policy prevents reuse of the same passwords by remembering a set number of previous password hashes and refusing any new password that matches one of them. Account lockout deactivates an account after a certain number of failed access attempts, making answer A incorrect. Answer B is incorrect because password complexity is a policy that determines how many types of characters must be used to create a strong password (lower- and uppercase letters, numbers, and symbols are the four general types of characters possible on a standard keyboard). Answer C is incorrect because password expiration forces a change after a maximum age but does not by itself stop the user from choosing the old password again.
Term
Which of the following is used with OAuth 2.0 as an extension to the authorization process?


A.Shibboleth

B.NTLM

C.LDAP

D.OpenID Connect
Definition
D.OpenID Connect

Explanation:
OpenID Connect is an identity layer built on top of the OAuth 2.0 authorization framework. It adds a signed ID token and a standard way to obtain user information, so that OAuth 2.0 flows can be used for authentication, and in doing so addresses many of the security issues that arise when plain OAuth 2.0 is misused for that purpose. Answer A is incorrect because Shibboleth is a SAML-based, open-source federated identity solution that provides single sign-on capabilities and federated services popular in research and educational institutions. Answer B is incorrect because NTLM is an older Microsoft challenge/response authentication protocol that relies on Microsoft Windows user credentials in the authentication process. Answer C is incorrect because LDAP is used for directory services.
Term
An organization that relies heavily on cloud and SaaS service providers, such as Salesforce.com, WebEx, or Google, would have security concerns about which of the following?


A.TACACS+

B.SAML

C.LDAP

D.OpenID Connect
Definition
B.SAML

Explanation:
SAML (Security Assertion Markup Language) is an Extensible Markup Language (XML) framework for creating and exchanging security information between online partners. The weak link in a SAML identity chain is the user: assertions are carried through the user's browser session, so a hijacked session or a forged assertion yields that user's access to every federated service. To mitigate risk, SAML deployments need timed sessions, signed assertions, and HTTPS (SSL/TLS) on every hop. Answer A is incorrect because the TACACS+ protocol provides authentication and authorization in addition to accounting of access requests against a centralized service. Answer C is incorrect because LDAP is used for directory services. Answer D is incorrect because OpenID Connect conveys authentication in a JSON Web Token (JWT), the ID token.
Term
Which type of "something you have" factor do U.S. federal governmental employees and contractors use under HSPD 12?


A.Smart card

B.CAC

C.PIV

D.SecurID
Definition
C.PIV

Explanation:
The personal identity verification (PIV) card is used by U.S. federal employees and contractors under HSPD 12. Answer A is incorrect because, although PIV and CAC are both smart card variations, a generic smart card is not the specific credential mandated for federal employees and contractors under HSPD 12. Answer B is incorrect because the common access card (CAC) is used by U.S. military, military reserve, and military contractors. Answer D is incorrect because the RSA SecurID is an example of a time-shifting key token.
Term
Which of the following is a type of "something you have" that uses a time-shifting key token?


A.Smart card

B.CAC

C.PIV

D.SecurID
Definition
D.SecurID

Explanation:
The RSA SecurID is an example of a time-shifting key token. Answer A is incorrect because it is a generic term and many smart card variations exist. Answer B is incorrect because the common access card (CAC) is used by the U.S. military, the military reserve, and military contractors. Answer C is incorrect because the personal identity verification (PIV) card is used by U.S. federal employees and contractors under HSPD 12.
Term
Which of the following best describes a biometric false acceptance rate (FAR)?


A.The point at which acceptances and rejections are equal

B.Rejection of an authorized user

C.Access allowed to an unauthorized user

D.Failure to identify a biometric image
Definition
C.Access allowed to an unauthorized user

Explanation:
The false acceptance rate (FAR) is a measure of the likelihood that the access system will wrongly accept an access attempt. Answer A is incorrect because the crossover error rate (CER) is the percentage at which the FAR and FRR are equal. Answer B is incorrect because the false rejection rate (FRR) is the percentage of identification instances in which false rejection occurs. Answer D is incorrect because the failure to acquire rate (FTA) is the rate of recognition attempts in which a biometric system fails to identify a biometric image.
Term
Which of the following is used to create a user identity profile and get the necessary information required to describe the identity?


A.Least privilege

B.Offboarding

C.Onboarding

D.Recertification
Definition
C.Onboarding

Explanation:
Onboarding is the process for creating an identity profile and the necessary information required to describe the identity. Answer A is incorrect because least privilege is an access control practice in which a logon is provided only the bare minimum access to resources required to perform its tasks. Answer B is incorrect because offboarding is the process used when user identities that no longer require access to the environment are disabled or deactivated. Answer D is incorrect because access recertification is a more formal form of user access review.
Term
Which of the following best describes a biometric false rejection rate (FRR)?


A.The point at which acceptances and rejections are equal

B.Rejection of an authorized user

C.Access allowed to an unauthorized user

D.Failure to identify a biometric image
Definition
B.Rejection of an authorized user

Explanation:
The false rejection rate (FRR) is the percentage of identification instances in which false rejection occurs. Answer A is incorrect because the crossover error rate (CER) is the percentage at which the FAR and FRR are equal. Answer C is incorrect because the false acceptance rate (FAR) is a measure of the likelihood that the access system will wrongly accept an access attempt. Answer D is incorrect because the failure to acquire rate (FTA) is the rate of recognition attempts in which a biometric system fails to identify a biometric image.
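The FAR and FRR cards above define the two error rates and the crossover point where they are equal, but the relationship between them only becomes clear when a matching threshold is swept across real scores. The following is an added example written for this page, not code from the flashcard set. The match scores are constructed sample data from a hypothetical fingerprint reader that reports a similarity between 0 and 100; the threshold range and the scoring direction (higher means a better match) are assumptions.

```python
# Constructed sample match scores (0-100) from a hypothetical biometric reader.
GENUINE = [92, 88, 95, 79, 85, 90, 73, 97, 84, 81]    # enrolled users matching their own template
IMPOSTOR = [35, 52, 61, 44, 70, 58, 30, 66, 49, 75]   # other people presenting to that template


def far(impostor, threshold):
    """False acceptance rate: share of impostor attempts scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine, threshold):
    """False rejection rate: share of genuine attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def crossover(genuine, impostor):
    """Sweep thresholds 0..100 and return (threshold, rate) where FAR and FRR are closest (the CER)."""
    best = None
    for t in range(0, 101):
        a, r = far(impostor, t), frr(genuine, t)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    return best[1], best[2]


def threshold_for_max_far(genuine, impostor, max_far):
    """Lowest threshold whose FAR meets a security target; returns (threshold, far, frr).

    Tightening FAR always costs FRR: fewer intruders get in, more legitimate users get bounced.
    """
    for t in range(0, 101):
        if far(impostor, t) <= max_far:
            return t, far(impostor, t), frr(genuine, t)
    return None


if __name__ == "__main__":
    for t in (60, 70, 74, 80):
        print(f"threshold {t}: FAR={far(IMPOSTOR, t):.2f} FRR={frr(GENUINE, t):.2f}")
    print("crossover (CER):", crossover(GENUINE, IMPOSTOR))
    print("zero-FAR setting:", threshold_for_max_far(GENUINE, IMPOSTOR, 0.0))
```

With these scores the CER sits at a threshold of 74 with both error rates at 10 percent; pushing FAR to zero requires a threshold of 76, at which one legitimate user in ten is rejected. The failure-to-acquire rate (FTA) is not modelled here, since it concerns samples the sensor could not read at all rather than scored comparisons.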
Term
Which of the following processes occurs first when a user or device presents information such as a username, a process ID, a smart card, or another unique identifier?


A.Identification

B.Authentication

C.Authorization

D.Accounting
Definition
A.Identification

Explanation:
Identification occurs when a user or device presents information such as a username, a process ID, a smart card, or another unique identifier, claiming an identity. Answer B is incorrect because authentication is the process of validating an identity. This occurs when the user provides appropriate credentials such as the correct password and a username. Answer C is incorrect because after identification and authentication, authorization of the request is determined before access rights during the session can be established. Authorization is based on security policy. Answer D is incorrect because accounting keeps track of the resources a user accesses by keeping a record of events of authentication and authorization actions.
Term
Which of the following processes occurs when the user provides appropriate credentials such as the correct password and a username?


A.Identification

B.Authentication

C.Authorization

D.Accounting
Definition
B.Authentication

Explanation:
Authentication is the process of validating an identity. This occurs when the user provides appropriate credentials such as the correct password and a username. Answer A is incorrect because identification occurs when a user or device presents information such as a username, a process ID, a smart card, or another unique identifier, claiming an identity. Answer C is incorrect because after identification and authentication, authorization of the request is determined before access rights during the session can be established. Authorization is based on security policy. Answer D is incorrect because accounting keeps track of the resources a user accesses by keeping a record of events of authentication and authorization actions.
Term
An organization is implementing an application that needs service access to its own resources using OAuth 2.0. Which of the following grant types should be used?


A.Authorization code

B.Implicit

C.Password credentials

D.Client credentials
Definition
D.Client credentials

Explanation:
The client credentials grant type is used by application code to allow an application to access its own resources, with no end user involved. Answer A is incorrect because the authorization code grant type is used for server-side applications acting on behalf of a user. Answer B is incorrect because the implicit grant type is used for client-side web applications; this grant type does not have a server-side component. Answer C is incorrect because the password credentials grant type is used only for trusted first-party web or mobile applications, since it requires the user to hand the password to the application itself.
Term
If you have a smart card that contains details of your iris coloring and retinal patterns, which two types of authentication would be involved in a successful access request?


A.Something you have and something you do

B.Something you do and something you are

C.Something you are and something you know

D.Something you have and something you are
Definition
D.Something you have and something you are

Explanation:
The smart card is an example of "something you have," and the biometric measures are an example of "something you are." Answer A is incorrect because there are no biometrics relating to "something you do" - only simple measurements of bodily configuration. Answer B is incorrect for the same reason; no "something you do" metric is present. Answer C is incorrect because no PIN or password is employed as a "something you know" factor.
Term
Which of the following best describes the Policy Decision Point (PDP) component of AAA functions?


A.Data holder

B.Final decision maker

C.Authenticator

D.Auditor
Definition
B.Final decision maker

Explanation:
The Policy Decision Point (PDP) is responsible for making the final decision on whether to grant access to the client. The PEP enforces the conditions of the client's access. Answer A is incorrect because the Policy Information Point (PIP) holds data relevant to the decision of whether to grant access to the client. Answer C is incorrect because the Policy Enforcement Point (PEP) is the authenticator. Answer D is incorrect because the accounting and reporting system tracks the client network usage and reports the "who, what, where, when, and why."
Term
Which of the following is the best way to secure NoSQL databases such as MongoDB?


A.Implement separate authentication methods

B.Use the default port

C.Bind the interface to multiple IPs

D.Encrypt the data after it is written to the database
Definition
A.Implement separate authentication methods

Explanation:
The best way to secure NoSQL databases such as MongoDB is to implement separate authentication methods. Best practices for protecting NoSQL databases include changing the default ports, binding the interface to only one IP, and encrypting data in the application before writing it to the database. Databases such as MongoDB have added support for Kerberos authentication, more granular access controls, and SSL encryption, which allows for the implementation of separate authentication methods. Based on the explanation for answer A, answers B, C, and D are incorrect.
Term
A user calls the help desk saying that she changed her password yesterday. She did not get any email on her mobile phone last night and she cannot log on this morning. Which password policy is most likely at fault for her difficulties?


A.Account lockout

B.Password complexity

C.Expiration

D.Password history
Definition
A.Account lockout

Explanation:
If the user failed to also change her password on her phone, its repeated attempts to access email during the night would have triggered the account lockout protections and temporarily disabled her account. Password complexity and history would not lock out her account after successfully changing it, making answers B and D incorrect. Answer C is incorrect because, although account expiration is possible, it is unlikely that this happened unless it was near the end of her employment.
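The password history card and the lockout scenario above describe two policy controls that are easy to conflate; the example below shows both in one small account store so the interaction is visible: history stops the old password from coming back, and lockout trips when a stale client keeps presenting it. This is an added example written for this page, not code from the flashcard set. The thresholds (five remembered passwords, five failed attempts, a 15-minute lockout), the use of PBKDF2 with one salt per account, and the sample passwords are all assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List

# Assumed policy values for the example (not from the original page).
HISTORY_DEPTH = 5         # previous passwords that may not be reused
LOCKOUT_THRESHOLD = 5     # failed attempts before the account locks
LOCKOUT_SECONDS = 15 * 60


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256. One salt per account lets old hashes be compared for the history check."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    current: bytes
    history: List[bytes] = field(default_factory=list)
    failed_attempts: int = 0
    locked_until: float = 0.0


def create_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, current=hash_password(password, salt))


def change_password(acct: Account, new_password: str) -> bool:
    """Password history: refuse the current password and the last HISTORY_DEPTH old ones."""
    candidate = hash_password(new_password, acct.salt)
    if any(hmac.compare_digest(candidate, old) for old in [acct.current] + acct.history):
        return False
    acct.history = ([acct.current] + acct.history)[:HISTORY_DEPTH]
    acct.current = candidate
    acct.failed_attempts = 0
    return True


def login(acct: Account, password: str, now: float) -> str:
    """Return 'ok', 'bad_password' or 'locked'. Failures accumulate until the lockout threshold."""
    if now < acct.locked_until:
        return "locked"
    if hmac.compare_digest(hash_password(password, acct.salt), acct.current):
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failed_attempts = 0
    return "bad_password"


def stale_client_scenario():
    """The help-desk call: user changes her password, her phone keeps retrying the old one overnight."""
    acct = create_account("Winter2019!")
    reuse_blocked = not change_password(acct, "Winter2019!")   # same password again: refused
    change_password(acct, "Spring2019!")                       # the real change
    # Constructed retry pattern: the mail client tries the old password once a second, six times.
    results = [login(acct, "Winter2019!", now=t) for t in range(6)]
    return acct, reuse_blocked, results


if __name__ == "__main__":
    acct, reuse_blocked, results = stale_client_scenario()
    print("reuse blocked by history:", reuse_blocked)
    print("phone retries:", results)                          # five bad_password, then locked
    print("user at 8am:", login(acct, "Spring2019!", now=5))  # still locked, right password
    print("after lockout expires:", login(acct, "Spring2019!", now=LOCKOUT_SECONDS + 10))
```

Note that the correct password is refused while the lockout is in force, which is exactly what the user reported; the fix is to update the credential on the phone, not to relax the policy.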
Term
An organization is implementing a server-side application using OAuth 2.0. Which of the following grant types should be used?


A.Authorization code

B.Implicit

C.Password credentials

D.Client credentials
Definition
A.Authorization code

Explanation:
The authorization code grant type is used for server-side applications acting on behalf of a user. Answer B is incorrect because the implicit grant type is used for client-side web applications; this grant type does not have a server-side component. Answer C is incorrect because the password credentials grant type is used only for trusted first-party web or mobile applications, since it requires the user to hand the password to the application itself. Answer D is incorrect because the client credentials grant type is used by application code to allow an application to access its own resources.
Term
An educational institution requires a secure solution that is capable of interfacing with state systems and other state-run universities. Which of the following is the best solution?


A.OAuth

B.SAML

C.Shibboleth

D.OpenID Connect
Definition
C.Shibboleth

Explanation:
Shibboleth is a flexible solution because it is based on standards. Some federated systems are designed to work only when the identity provider and the service provider are in the same organization. Shibboleth, however, works across organizations. Answer A is incorrect because OAuth provides only authorization services; it does not support secure methods such as client verification, encryption, or channel binding. Answer B is incorrect because the main purpose of SAML is single sign-on for enterprise users; it has a weakness in handling the integrity of users. Answer D is incorrect because OpenID Connect is an identity layer based on OAuth 2.0 specifications used for consumer single sign-on.
Term
Which of the following is a nonproprietary protocol that provides authentication and authorization in addition to accounting of access requests against a centralized service for the authorization of access requests?


A.TACACS+

B.SAML

C.LDAP

D.OAuth
Definition
A.TACACS+

Explanation:
TACACS+, released as an open standard, is a protocol that provides authentication and authorization, as well as accounting of access requests against a centralized service for authorization of access requests. TACACS+ is similar to RADIUS but uses TCP instead of UDP transport. Answer B is incorrect because SAML (Security Assertion Markup Language) is an Extensible Markup Language (XML) framework for creating and exchanging security information between online partners. Answer C is incorrect because LDAP is a directory services protocol. Answer D is incorrect because OAuth is an authorization framework.
Term
If an organization wants to implement an enterprise access solution that does not require a user to remember passwords across multiple distinct business units, which of the following is the best choice?


A.Federation

B.Single sign-on

C.Transitive trusts

D.Retinal scanning
Definition
A.Federation

Explanation:
Federation eliminates the requirement to use a password. The federation server stores the username in each application and presents that application with a token that is then used for authentication. Answer B is incorrect because SSO still requires the user to remember passwords. Answer C is incorrect because transitive trusts work only across trusted domains. Answer D is incorrect because retinal biometric identification involves the scanning and identification of blood vessels and tissues in the back of the eye, requiring specialized equipment.
Term
Which of the following token-based solutions is considered the most secure?


A.OTP

B.TOTP

C.HOTP

D.OATH
Definition
B.TOTP

Explanation:
TOTP codes change every time step (typically 30 seconds) and are valid only for that short window. Because of this, TOTP is considered more secure. Answer A is incorrect because a one-time password (OTP) is any password that can be used only once; the term is too generic because the two main standards for generating OTPs are TOTP and HOTP. Answer C is incorrect because an HOTP code stays valid until it is consumed (the counter advances only on a successful authentication), so a captured code can be replayed later, making it less secure than TOTP. Answer D is incorrect because OATH, the Initiative for Open Authentication, is the industry group behind the HOTP (RFC 4226) and TOTP (RFC 6238) standards; it is not itself a token type.
Term
In which of the following type of analysis might an examiner have difficulty proving that the evidence is original?


A.Disk-to-image file

B.Disk-to-disk image

C.Big data

D.Log files
Definition
C.Big data

Explanation:
Because big data is unstructured and located in diverse environments, the examiner might have difficulty proving that the evidence is original: The data has neither a validating hash nor a forensic image of the device. Answer A is incorrect because disk-to-image files are hashed to prove originality. Answer B is incorrect because disk-to-disk images are hashed to prove originality. Answer D is incorrect because when logs are needed as court evidence, organizations can collect copies of the original log files, the centralized log files, and interpreted log data.
Term
Which recovery site has only power, telecommunications, and networking active all the time?


A.Hot site

B.Cold site

C.Warm site

D.Shielded site
Definition
C.Warm site

Explanation:
The warm site has basics such as power, networking, and telecommunications active all the time. Although alternate computers might be present, they are not loaded and operational as in a hot site, making answer A incorrect. Answer B is incorrect because a cold site generally includes only power and physical space when not in use. Answer D is incorrect because any of the recovery site types might or might not be shielded against electromagnetic interference.
Term
Which of the following is information that is unlikely to result in a high-level financial loss or serious damage to the organization but whose confidentiality should still be protected?

A.Public data

B.Confidential data

C.Sensitive data

D.Private data
Definition
D.Private data

Explanation:
Private data is information that is unlikely to result in a high-level financial loss or serious damage to the organization but that still should be protected. Answer A is incorrect because the unauthorized disclosure, alteration, or destruction of public data would result in little or no risk to the organization. Answer B is incorrect because confidential information is internal information that defines the way in which the organization operates; its security should be high. Answer C is incorrect because sensitive data is considered confidential data.
Term
Which of the following are steps an organization can take to ensure that compliance and performance standards are met in third-party or partner agreements? (Select two correct answers.)

A.Implement an acceptable use policy

B.Take appropriate action if the relationship presents elevated risk

C.Review third-party arrangements and performance annually

D.Sign a data ownership agreement
Definition
B.Take appropriate action if the relationship presents elevated risk

C.Review third-party arrangements and performance annually

Explanation:
Some additional steps an organization can take to ensure that compliance and performance standards are met include approving and reviewing third-party arrangements and performance annually, maintaining an updated list of all third-party relationships and reviewing the list periodically, taking appropriate action with any relationship that presents elevated risk, and reviewing all contracts for compliance with expectations and obligations. Answer A is incorrect because an acceptable use policy is geared toward terms a user must agree to follow to be provided with access service. Answer D is incorrect because a data ownership agreement is an agreement that some cloud service providers offer that specifically identifies the data owner and outlines ownership of relevant data.
Term
Which of the following provides a clear record of the path evidence takes from acquisition to disposal?


A.Video capture

B.Chain of custody

C.Hashes

D.Witness statements
Definition
B.Chain of custody

Explanation:
The chain of custody provides a clear record of the path evidence takes from acquisition to disposal. Answer A is incorrect because videotaping the actual entrance of a forensics team into the area helps refute claims that evidence was planted at the scene. Answer C is incorrect because hashes allow validation that the forensic analysis itself has not produced unexpected modifications of evidentiary data. Answer D is incorrect because witnesses provide statements about what they saw, including when, where, and how.
Term
Which of the following policies addresses the need for other employees who can do the job of each employee so that corruption does not occur, and also helps minimize the impact when personnel leave their jobs?


A.Acceptable use

B.Least privilege

C.Mandatory vacations

D.Privacy policy
Definition
C.Mandatory vacations

Explanation:
A mandatory vacation policy addresses the need for other employees who can do the job of each employee. This helps mitigate corruption and minimizes the impact when personnel resign from their positions. Answer A is incorrect because an organization's acceptable use policy provides details specifying what users may do with their network access. Answer B is incorrect because least privilege addresses access rights for user accounts, mandating that only the minimum permissions necessary to perform work should be assigned to a user. Answer D is incorrect because a privacy policy describes federal and state legislation requiring owners of commercial websites or online services to post how they collect and protect personal data.
Term
If an organization takes a full backup every Sunday morning and a daily differential backup each morning, what is the fewest number of backups that must be restored following a disaster on Friday?


A.1

B.2

C.5

D.6
Definition
B.2

Explanation:
With a differential backup scheme, only the last full and last differential backups need to be restored. Daily full backups would require only the last full backup, making Answer A incorrect in this configuration. Answer C is incorrect because only the last full and last differential backups need to be restored. Answer D is incorrect because six is correct for an incremental backup instead of a differential backup, where the last full backup and all intervening incremental backups must be restored for recovery.
Term
Eliminating email to avoid the risk of email-borne viruses is an effective solution but is not likely to be a realistic approach for which of the following?


A.Risk avoidance

B.Risk transference

C.Risk acceptance

D.Risk mitigation
Definition
A.Risk avoidance

Explanation:
Risk avoidance involves eliminating the vulnerability that gives rise to a particular risk so that it is avoided altogether. This is the most effective solution, but it is often not possible due to organizational requirements. Answer B is incorrect because risk transference involves either moving the risk to hosted providers who assume the responsibility for recovery and restoration or acquiring insurance to cover the costs from a risk. Answer C is incorrect because risk acceptance involves recognizing a risk, identifying it, and then accepting that it is sufficiently unlikely or of such limited impact that corrective controls are not warranted. Answer D is incorrect because risk mitigation involves reducing the likelihood or impact of a risk's exposure by putting systems and policies into place to mitigate a risk and guard against the exploitation of vulnerabilities.
Term
Which of the following requires users to remove sensitive and confidential materials from workspaces and to lock items that are not in use when they leave their workstations?


A.Data handling policy

B.Clean desk policy

C.Tailgating training

D.Phishing attack training
Definition
B.Clean desk policy

Explanation:
A clean desk policy requires users to remove sensitive and confidential materials from workspaces and also to lock items that are not in use when they leave their workstations. Answer A is incorrect because a data handling policy should address legal or regulatory requirements for accessing, transporting, storing, or disposing of data and data storage devices. Answer C is incorrect because tailgating involves following an authorized individual to avoid having to provide personal authorization credentials. Answer D is incorrect because phishing attack training teaches users to avoid the natural response of opening every email that seems to be coming from family members, a boss, or coworkers.
Term
An organization is partnering with another organization that requires shared systems. Which of the following documents outlines how the shared systems will interface?


A.SLA

B.BPA

C.MOU

D.ISA
Definition
D.ISA

Explanation:
An interconnection security agreement (ISA) is an agreement between organizations that have connected IT systems. Answer A is incorrect because a service level agreement (SLA) is a contract between a service provider and a customer that specifies the nature of the service to be provided and the level of service that the provider will offer to the customer. Answer B is incorrect because a business partner agreement (BPA) is a contract that establishes partner profit percentages, partner responsibilities, and exit strategies for partners. Answer C is incorrect because a memorandum of understanding (MOU) is a document that outlines the terms and details of an agreement between parties, including each party's requirements and responsibilities.
Term
Which of the following information should be collected when collecting volatile data? (Select three correct answers.)

A.System date and time

B.Current network connections

C.Current open ports and applications listening on those ports

D.Full disk image
Definition
A.System date and time

B.Current network connections

C.Current open ports and applications listening on those ports

Explanation:
The following volatile information should be collected: system date and time, current network connections, current open ports and applications listening on those ports, and applications currently running. Answer D is incorrect because a full disk image is not volatile data.
Term
Which of the following individual items are examples of PII? (Choose two correct answers.)

A.Social security number

B.Home address

C.Gender

D.State of residence
Definition
A.Social security number

B.Home address

Explanation:
Examples of personally identifiable information (PII) are name, address, phone number, fax number, email address, financial profiles, social security number, and credit card information. PII is not limited to these examples: It includes any other personal information that is linked or linkable to an individual. Answers C and D are incorrect because, individually, they are not considered to be PII; only when combined with other information could they become PII.
Term
Which one of the following federal laws addresses privacy, data protection, and breach notification?


A.HIPAA

B.Gramm-Leach-Bliley Act

C.Children's Online Privacy Protection Act

D.All of the above
Definition
D.All of the above

Explanation:
Federal laws addressing privacy, data protection, and breach notification include HIPAA and HITECH, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Children's Online Privacy Protection Act; therefore, answer D is correct.
Term
Which of the following parties typically are notified first when a confirmed incident has occurred? (Select two correct answers.)

A.Press

B.CISO

C.End users

D.Legal
Definition
B.CISO

D.Legal

Explanation:
The exact reporting requirements vary among organizations, but parties that are typically notified include the Chief Information Officer (CIO), Chief Information Security Officer (CISO), other internal incident response team members, human resources officers, public affairs personnel, the legal department, and law enforcement officers, when necessary. Answer A is incorrect because the press is not normally notified when an incident occurs. Answer C is incorrect because the users are not normally notified initially when an incident occurs.
Term
Which of the following designates the amount of data loss that is sustainable and up to what point in time data recovery could happen before business is disrupted?


A.RTO

B.MTBF

C.RPO

D.MTTF
Definition
C.RPO

Explanation:
The recovery point objective (RPO) is the amount of time that can elapse during a disruption before the quantity of data lost during that period exceeds business continuity planning's maximum allowable threshold. Simply put, RPO specifies the allowable data loss. It determines up to what point in time data recovery can happen before business is disrupted. Answer A is incorrect because the recovery time objective (RTO) is the amount of time within which a process must be restored after a disaster to meet business continuity. It defines how much time it takes to recover after notification of process disruption. Answer B is incorrect because mean time between failures (MTBF) is the average amount of time that passes between hardware component failures, excluding time spent waiting for or undergoing repairs. Answer D is incorrect because mean time to failure (MTTF) is the length of time a device or product is expected to last in operation.
Term
Which one of the following best provides an example of detective controls versus prevention controls?


A.IDS/camera versus IPS/guard

B.IDS/IPS versus camera/guard

C.IPS/camera versus IDS/guard

D.IPS versus guard
Definition
A.IDS/camera versus IPS/guard

Explanation:
Both an IDS and a camera are examples of detective controls. An IPS and a guard are examples of prevention controls. Answers B, C, and D are incorrect because they do not properly align the detective controls against the prevention controls.
Term
Which one of the following mechanisms places the responsibility for handling certificate status requests on the web server instead of the CA?


A.OCSP pinning

B.OCSP stapling

C.CRL pinning

D.CRL stapling
Definition
B.OCSP stapling

Explanation:
OCSP stapling allows the web server to instead "staple" a time-stamped OCSP response as part of the TLS handshake with the client. The web server is now responsible for handling OCSP requests instead of the CA. Answers A, C, and D are incorrect. A CRL provides a mechanism for distributing certificate revocation information, and certificate pinning helps mitigate man-in-the-middle attacks.
Term
To check the validity of a digital certificate, which one of the following is used?


A.Corporate security policy

B.Certificate policy

C.Certificate revocation list

D.Expired domain names
Definition
C.Certificate revocation list

Explanation:
A CRL provides a detailed list of certificates that are no longer valid. A corporate security policy does not provide current information on the validity of issued certificates; therefore, answer A is incorrect. A certificate policy does not provide information on the validity of issued certificates, either; therefore, answer B is incorrect. Finally, an expired domain name has no bearing on the validity of a digital certificate; therefore, answer D is incorrect.
Term
You are tasked with configuring your web server with strong cipher suites. Which of the following should you choose as part of your cipher suite? (Choose three correct answers.)

A.RSA

B.RC4

C.AES

D.SHA
Definition
A.RSA

C.AES

D.SHA

Explanation:
RSA, AES, and SHA comprise a suite for strong key exchange, authentication, bulk cipher, and message authentication. Answer B is incorrect because RC4 is considered a weak bulk cipher.
Term
Which one of the following EAP authentication protocols should you deploy to avoid having to deploy client or server certificates?


A.EAP-TLS

B.PEAP

C.EAP-TTLS

D.EAP-FAST
Definition
D.EAP-FAST

Explanation:
EAP-FAST does not require either client or server certificates; instead, it uses a Protected Access Credential (PAC). Answer A is incorrect because EAP-TLS requires both client and server certificates. Answer B is incorrect because PEAP requires a server certificate. Answer C is incorrect because EAP-TTLS requires a server certificate.
Term
Which of the following is not true about the expiration dates of certificates?


A.Certificates may be issued for a week.

B.Certificates are issued only at 1-year intervals.

C.Certificates may be issued for 20 years.

D.Certificates must always have an expiration date.
Definition
B.Certificates are issued only at 1-year intervals.

Explanation:
Digital certificates contain a field indicating the date until which the certificate is valid. This date is mandatory, and the validity period can vary from a short period of time up to a number of years; therefore, answers A, C, and D are true statements.
Term
Which of the following is not a certificate trust model for arranging Certificate Authorities?


A.Bridge CA architecture

B.Sub-CA architecture

C.Single-CA architecture

D.Hierarchical CA Architecture
Definition
B.Sub-CA architecture

Explanation:
Sub-CA architecture does not represent a valid trust model. Answers A, C, and D all represent legitimate trust models. Another common model is cross-certification; however, implementing a bridge architecture usually makes more sense than using this type of model.
Term
Which of the following are included within a digital certificate? (Choose three correct answers.)

A.User's public key

B.User's private key

C.Information about the user

D.Digital signature of the issuing CA
Definition
A.User's public key

C.Information about the user

D.Digital signature of the issuing CA

Explanation:
Information about the user, the user's public key, and the digital signature of the issuing CA are all included within a digital certificate. A user's private key should never be contained within the digital certificate and should remain under tight control; therefore, answer B is incorrect.
Term
Which one of the following best describes diffusion?


A.A principle that the plain-text input should be significantly changed in the resulting cipher text

B.A principle that if the plain text is changed, no matter how minor, then at least half of the cipher text should change

C.A principle that states only secrecy of the key provides security

D.A key stretching technique in which a password is used as part of a KDF
Definition
B.A principle that if the plain text is changed, no matter how minor, then at least half of the cipher text should change

Explanation:
Diffusion is the principle that, if plain text is changed, even if just a little, then at least half the cipher text should also change. Answer A is incorrect because this describes the principle of confusion. Answer C is incorrect because this describes Kerckhoffs's principle. Answer D is incorrect as well: A KDF is a function that provides the capability to perform key stretching.
Term
Which of the following statements is true when comparing CCMP and TKIP?


A.TKIP is more resource intensive than CCMP, but it supports longer keys.

B.CCMP is more resource intensive than TKIP, but it supports longer keys.

C.CCMP is less resource intensive than TKIP, and it supports longer keys.

D.TKIP is less resource intensive than CCMP, and it supports longer keys.
Definition
B.CCMP is more resource intensive than TKIP, but it supports longer keys.

Explanation:
CCMP replaced TKIP with the introduction of WPA2, providing for much longer keys and more advanced security. Although CCMP is more resource intensive, modern systems can handle the additional resources required. Answer A is entirely incorrect. Answer C is incorrect because although CCMP does support longer keys, it is not less resource intensive than TKIP. Answer D is also incorrect because TKIP does not support longer keys, although it is less resource intensive.
Term
Which of the following are elements provided by nonrepudiation? (Choose three correct answers.)

A.Proof of origin

B.Proof of submission

C.Proof of delivery

D.Proof of concept
Definition
A.Proof of origin

B.Proof of submission

C.Proof of delivery

Explanation:
Proof of origin, proof of submission, proof of delivery, and proof of receipt are the key elements nonrepudiation services provide. Answer D is incorrect because proof of concept is not a valid choice.
Term
Which of the following algorithms are examples of an asymmetric encryption algorithm? (Choose two correct answers.)

A.Elliptic curve

B.3DES

C.AES

D.RSA
Definition
A.Elliptic curve

D.RSA

Explanation:
In this case, both elliptic curve and RSA are types of asymmetric encryption algorithms. Although the elliptic curve algorithm is typically a type of algorithm that is incorporated into other algorithms, it falls into the asymmetric family of algorithms because of its use of public and private keys, just like the RSA algorithm. Answers B and C are incorrect because 3DES and AES are symmetric encryption algorithms.
Term
Which of the following algorithms are examples of a symmetric encryption algorithm? (Choose three correct answers.)

A.Rijndael

B.Diffie-Hellman

C.RC6

D.AES
Definition
A.Rijndael

C.RC6

D.AES

Explanation:
Because Rijndael and AES are now the same, they both can be called symmetric encryption algorithms. RC6 is symmetric, too. Answer B is incorrect because Diffie-Hellman uses public and private keys, so it is considered an asymmetric encryption algorithm.
Term
What type of certificate supplies mechanisms to help prevent phishing attacks and provides the highest level of trust?


A.DV

B.OV

C.EV

D.SAN
Definition
C.EV

Explanation:
EV, or extended validation, provides the highest level of trust and security features. Included are also mechanisms to prevent phishing attacks. DV certificates validate only the domain. OV certificates provide stronger validation than DV certificates, but the validation is not as comprehensive as for EV certificates. Thus, answers A and B are incorrect. Answer D is incorrect because a SAN certificate provides for multiple domain names or IP addresses with a single certificate and is not considered a validated certificate type.
Term
Which one of the following is not true regarding DER-encoded certificates?


A.They are binary encoded.

B.They include the BEGIN CERTIFICATE header.

C.The .cer and .crt extensions can be used instead of .der.

D.They are common to Java platforms.
Definition
B.They include the BEGIN CERTIFICATE header.

Explanation:
Because they are binary encoded and not Base64 ASCII, DER certificates cannot be edited with a text editor and do not contain such text, as PEM certificates do, for example. Answers A, C, and D are incorrect because these are all true of DER-encoded certificates.