Mar 01, 2019, 04:18 AM

Chapter 1: Threats, Attacks, and Vulnerabilities

1. B. The correct answer is a boot sector virus, which is one that will affect the boot sector of the hard drive. Thus, what operating system you boot to is irrelevant.
Option A is incorrect. There is no element of ransom in the description of this attack.
Option C is incorrect. A rootkit can sometimes also affect the boot sector, but in this case the boot sector virus is the most accurate description.
Option D is incorrect. Nothing in this description indicates key logging.

2. C. The correct answer is spear phishing. Spear phishing is targeted to a specific group, in this case insurance professionals. Attackers can find individuals from public sources to target. This is known as open source intelligence.
Option A is incorrect because that is too broad a category.
Option B is incorrect because, though social engineering is a part of every phishing attack, this is more than just social engineering.
Option D is incorrect because this is not a Trojan horse. In fact, malware is not even part of the attack.

3. B. A logic bomb is malware that performs its malicious activity when some condition is met.
Option A is incorrect because a worm is malware that self-propagates.
Option C is incorrect because a Trojan horse is malware attached to a legitimate program.
Option D is incorrect because a rootkit is malware that gets root or administrative privileges.

4. C. The text shown is the classic example of a basic SQL injection to log in to a site.
Option A is incorrect. Cross-site scripting would have JavaScript in the text field.
Option B is incorrect. Cross-site request forgery would not involve any text being entered in the web page.
Option D is incorrect. ARP poisoning is altering the ARP table in a switch; it is not related to website hacking.

5. B. Half-open connections are the hallmark of a SYN flood.
Option A is incorrect. We know from the question that this is a denial of service, but nothing indicates that it is (or is not) a distributed denial of service.
Option C is incorrect. Buffer overflow involves putting too much data into a variable or array.
Option D is incorrect. ARP poisoning is altering the ARP table in a switch; it is not related to website hacking.

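The half-open signature that answer 5 describes is something a defender can actually look for. The following Python script is an added example, not part of the practice test or its answer key: it parses constructed socket-state lines laid out in the column order that `ss -tan` prints on Linux (a half-open connection shows as state SYN-RECV, meaning the server sent SYN-ACK and is still waiting for the client's ACK) and flags a listening port when the half-open connections on it are both numerous and the majority of that port's sockets. The sample addresses, the thresholds, and the function names are assumptions chosen for the example.

```python
"""Flagging the half-open connection signature of a SYN flood (added example)."""
from collections import defaultdict

# Constructed sample in the column order `ss -tan` prints:
# State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
SAMPLE_SOCKETS = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      10.0.0.5:443        198.51.100.7:51522
ESTAB     0      0      10.0.0.5:443        198.51.100.9:40213
SYN-RECV  0      0      10.0.0.5:443        203.0.113.10:1025
SYN-RECV  0      0      10.0.0.5:443        203.0.113.11:1025
SYN-RECV  0      0      10.0.0.5:443        203.0.113.12:1025
SYN-RECV  0      0      10.0.0.5:443        203.0.113.13:1025
SYN-RECV  0      0      10.0.0.5:443        203.0.113.14:1025
SYN-RECV  0      0      10.0.0.5:443        203.0.113.15:1025
SYN-RECV  0      0      10.0.0.5:443        203.0.113.16:1025
SYN-RECV  0      0      10.0.0.5:443        203.0.113.17:1025
ESTAB     0      0      10.0.0.5:22         198.51.100.7:55010
SYN-RECV  0      0      10.0.0.5:22         198.51.100.8:55011
"""


def parse_socket_lines(text):
    """Return (state, local_port, peer_ip) tuples, skipping the header line."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        local_port = int(local.rsplit(":", 1)[1])
        peer_ip = peer.rsplit(":", 1)[0]
        records.append((state, local_port, peer_ip))
    return records


def half_open_summary(records):
    """Per local port: total sockets, half-open (SYN-RECV) sockets, distinct half-open peers."""
    summary = defaultdict(lambda: {"total": 0, "half_open": 0, "peers": set()})
    for state, port, peer_ip in records:
        entry = summary[port]
        entry["total"] += 1
        if state == "SYN-RECV":
            entry["half_open"] += 1
            entry["peers"].add(peer_ip)
    return summary


def flag_syn_flood(records, min_half_open=5, min_ratio=0.5):
    """Ports whose half-open count reaches min_half_open and whose half-open
    share of all sockets on that port reaches min_ratio (assumed thresholds)."""
    flagged = []
    for port, entry in half_open_summary(records).items():
        ratio = entry["half_open"] / entry["total"]
        if entry["half_open"] >= min_half_open and ratio >= min_ratio:
            flagged.append(port)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_socket_lines(SAMPLE_SOCKETS)
    for port, entry in sorted(half_open_summary(recs).items()):
        print(f"port {port}: {entry['half_open']}/{entry['total']} half-open "
              f"from {len(entry['peers'])} peers")
    print("suspected SYN flood on ports:", flag_syn_flood(recs))
```

On the constructed sample, port 443 has eight half-open sockets out of ten and is flagged; port 22 has a single half-open socket, which is normal for a server and stays below the count threshold. In practice the thresholds should be tuned per service, because a busy listener will always carry a few SYN-RECV entries.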
6. B. The primary and best way to defend against the attacks mentioned is filtering user input.
Option A is incorrect. Encrypting the web traffic will not have any effect on these two attacks.
Option C is incorrect. A web application firewall (WAF) might mitigate these attacks, but it would be secondary to filtering user input.
Option D is incorrect. An IDS will simply detect the attack—it won’t stop it.

7. C. If users have been connecting but the WAP does not show them connecting, then they have been connecting to a rogue access point. This could be the result of an architecture and design weakness such as a network without segmentation and control of devices connecting to the network.
Option A is incorrect. Session hijacking involves taking over an already authenticated session. Most session hijacking attacks involve impersonation. The attacker attempts to gain access to another user’s session by posing as that user.
Option B is incorrect. Clickjacking involves causing visitors to a website to click on the wrong item.
Option D is incorrect. Bluejacking is a Bluetooth attack.

8. C. Cross-site scripting involves entering a script into text areas that other users will view.
Option A is incorrect. SQL injection is not about entering scripts, but rather SQL commands.
Option B is incorrect. Clickjacking is about tricking users into clicking on the wrong thing.
Option D is incorrect. Bluejacking is a Bluetooth attack.

9. B. A Trojan horse wraps a malicious program in a legitimate program. When the user downloads and installs the legitimate program, they get the malware.
Option A is incorrect. A logic bomb is malware that does its misdeeds when some condition is met.
Option C is incorrect. A rootkit is malware that gets administrative, or root, access.
Option D is incorrect. A macro virus is a virus that is embedded in a document as a macro.

10. C. A backdoor is a method for bypassing normal security and directly accessing the system.
Option A is incorrect. A logic bomb is malware that performs its misdeeds when some condition is met.
Option B is incorrect. A Trojan horse wraps a malicious program in a legitimate program. When the user downloads and installs the legitimate program, they get the malware.
Option D is incorrect. A rootkit is malware that gets root or administrative privileges.

11. C. The machines in her network are being used as bots, and the users are not aware that they are part of a DDoS attack.
Option A is incorrect. Social engineering is when someone tries to manipulate you into giving information. Techniques involved in social engineering attacks include consensus, scarcity, and familiarity.
Option B is incorrect. There is a slight chance that all computers could have a backdoor, but that is very unlikely, and attackers normally don’t manually log into each machine to do a distributed denial of service (DDoS)—it would be automated, as through a bot.
Option D is incorrect. Crypto-viruses are not related to DDoS attacks.

12. B. This is a classic example of ransomware.
Option A is incorrect. A rootkit provides access to administrator/root privileges.
Option C is incorrect. A logic bomb executes its malicious activity when some condition is met.
Option D is incorrect. This scenario does not describe whaling.

13. D. The primary method for stopping both cross-site scripting and SQL injection is to check or filter user input.
Option A is incorrect. A web application firewall might help, but a basic SPI firewall won’t prevent this.
Option B is incorrect. Most IDSs/IPSs won’t detect cross-site scripting, and even if one will, option D is still the best way to prevent cross-site scripting.
Option C is incorrect. This is not a buffer overflow, and checking buffer boundaries won’t help.

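Answers 4, 6, and 13 say the basic SQL injection logs an attacker in and that checking or filtering user input is the primary defense. The following Python program is an added example, not code from the practice test or its answer key: it puts the vulnerable login query beside a parameterized one and an input filter, using Python's bundled sqlite3 module. The table schema, the two user rows, and the function names are constructed for the example; the password column is plaintext only to keep the query readable, whereas a real system stores salted hashes.

```python
"""The classic login injection beside its two defenses (added example)."""
import re
import sqlite3

# Allowlist for usernames: letters, digits and a few separators, 1-32 characters (assumed policy).
USERNAME_PATTERN = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

# The textbook injection string: it closes the password literal and appends a
# condition that is always true, turning the WHERE clause into
#   username = 'nobody' AND password = '' OR '1'='1'
CLASSIC_INJECTION = "' OR '1'='1"


def make_db():
    """In-memory toy user table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation, so quotes in the input
    become part of the SQL. This is the pattern answer 4 refers to."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the driver passes the input as data,
    so a quote in the password can never change the statement's structure."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def validate_username(username):
    """Input filtering (answers 6 and 13): reject anything outside the allowlist
    before it reaches any query."""
    return bool(USERNAME_PATTERN.match(username))


def login_filtered(conn, username, password):
    """Defense in depth: filter the username, then still use parameters."""
    if not validate_username(username):
        return False
    return login_parameterized(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected:   ", login_vulnerable(db, "nobody", CLASSIC_INJECTION))
    print("parameterized, injected:", login_parameterized(db, "nobody", CLASSIC_INJECTION))
    print("parameterized, real:    ", login_parameterized(db, "alice", "correct horse"))
    print("filtered, injected user:", login_filtered(db, CLASSIC_INJECTION, "x"))
```

The concatenated query evaluates `username = 'nobody' AND password = '' OR '1'='1'`; because AND binds tighter than OR, every row matches and the attacker is logged in without knowing any password. With bound parameters the same string is compared literally against the password column and matches nothing. Filtering is a useful second layer, but parameterization is what removes the bug, since a filter that is bypassed or forgotten on one field leaves the concatenated query exploitable.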
14. B. This is the description of a buffer overflow.
Option A is incorrect. Bluesnarfing is a Bluetooth attack.
Option C is incorrect. Bluejacking is a Bluetooth attack.
Option D is incorrect. This is not a distributed denial of service.

15. A. A vulnerability scan uses automated tools such as Nessus and Microsoft Baseline Security Analyzer to find known vulnerabilities.
Option B is incorrect. Penetration tests seek to actually exploit the vulnerabilities and break into systems.
Option C is incorrect. Security audits usually focus on checking policies, incident reports, and other documents.
Option D is incorrect. Security test is a generic term for any sort of test.

16. A. Credentials the WAP shipped with are an example of default configuration.
Option B is incorrect. Race conditions involve multithreaded applications accessing shared variables.
Option C is incorrect. Patches won’t change the default password.
Option D is incorrect. Encryption does not affect logging into the administrative screen.

17. C. Social engineering can only be countered by user training and education.
Options A and B are incorrect. No technology can prevent social engineering.
Option D is incorrect. Strong policies can only help if users are well trained in the policies.

18. C. ARP poisoning is used to change the ARP tables routing data to a different MAC address, which would explain why there were no entries.
Option A is incorrect. A backdoor would not explain that the log entries were sent, but not received.
Option B is incorrect. A buffer overflow would not explain that the log entries were sent but not received.
Option D is incorrect. An IDS would not stop log entries even if it was malfunctioning.

19. A. From the description it appears that they are not logging into the real web server but rather a fake server. That indicates typosquatting: registering a URL that is named very similarly to a real site so that when users mistype the real site’s URL they will go to the fake site.
Options B, C, and D are all incorrect. These are all methods of attacking a website, but in this case, the actual website was not attacked. Instead, some users are visiting a fake site.

20. D. The term for low-skilled hackers is script kiddie.
Option A is incorrect. Nothing indicates this is being done for ideological reasons.
Option B is incorrect. “Amateur” may be an appropriate description, but the correct term is script kiddie.
Option C is incorrect. Nothing in this scenario indicates an insider threat.

21. B. The term for this is botnet, usually spelled as one word.
Options A, C, and D are all incorrect. Although these terms might sound the same, they are simply not the terms used in the industry.

22. B. Passive reconnaissance is any reconnaissance that is done without actually connecting to the target.
Option A is incorrect. Active reconnaissance involves communicating with the target network, such as doing a port scan.
Option C is incorrect. The initial exploitation is not information gathering; it is actually breaking into the target network.
Option D is incorrect. A pivot is when you have breached one system and use that to move to another system.

23. C. Some spyware takes screen captures of the system, and it is common for such spyware to hide them in the temp folder.
Option A is incorrect. There is no evidence of any corporate data, just screenshots from the salesperson’s own machine. And if he was stealing data, he would not draw attention to his computer by reporting a problem.
Option B is incorrect. Nothing in this scenario indicates a backdoor.
Option D is incorrect. Updates won’t affect this.

24. A. This is an exact description of DNS poisoning or domain hijacking.
Option B is incorrect. ARP poisoning involves altering the MAC-IP tables in a switch.
Options C and D are incorrect. These are both Bluetooth attacks.

25. C. A black-box test involves absolutely minimal information.
Option A is incorrect. A white-box test involves very complete information being given to the tester.
Option B is incorrect. This scenario is probably done from outside the network, but external test is not the correct terminology.
Option D is incorrect. Threat test is not a term used in penetration testing.

26. D. A pivot occurs when you exploit one machine and use that as a basis to attack other systems.
Option A is incorrect. Pivots can be done from internal or external tests.
Options B and C are incorrect. These describe how much information the tester is given in advance, not how the tester performs the test.

27. A. Shimming is when the attacker places some malware between an application and some other file, and intercepts the communication to that file (usually to a library or system API).
Option B is incorrect. A Trojan horse might be used to get the shim onto the system, but that is not described in this scenario.
Option C is incorrect. A backdoor is a means to circumvent system authorization and get direct access to the system.
Option D is incorrect. Refactoring is the process of changing names of variables, functions, etc. in a program.

28. A. A white-box test involves providing extensive information, as described in this scenario.
Option B is incorrect. A white-box test could be internal or external.
Option C is incorrect. This is the opposite of a black-box test.
Option D is incorrect. Threat test is not a term used in penetration testing.

29. B. His machines are part of a distributed denial-of-service attack.
Option A is incorrect. This scenario describes a generic DDoS, not a specific one like SYN flood.
Option C is incorrect. These machines could be part of a botnet, or just have a trigger that causes them to launch the attack at a specific time. The real key in this scenario is the DDoS attack.
Option D is incorrect. A backdoor gives an attacker access to the target system.

30. D. This is a textbook example of how ransomware works.
Option A is incorrect. A rootkit gives administrative, or root, access.
Option B is incorrect. A logic bomb executes its malicious activity when some specific condition is met.
Option C is incorrect. A boot sector virus, as the name suggests, infects the boot sector of the target computer.

31. D. Whaling is targeting a specific individual.
Option A is incorrect. Spear phishing targets a small group.
Option B is incorrect. Targeted phishing is not a term used in the industry.
Option C is incorrect. Phishing is the generic term for a wide range of related attacks.

32. C. You are concerned about buffer overflows, and thus checking buffer boundaries is the best defense.
Options A and B are incorrect. While these technological solutions can always be a benefit for security, they are unlikely to address buffer overflow attacks effectively.
Option D is incorrect. Checking user input helps defend against SQL injection and cross-site scripting.

33. C. Security audits typically focus on checking policies, documents, and so forth.
Option A is incorrect. Vulnerability scans use automated and semiautomated processes to check for known vulnerabilities.
Option B is incorrect. Penetration tests attempt to actually exploit vulnerabilities and breach systems.
Option D is incorrect. Security test is too general a term.

34. A. Although many things could explain what she is experiencing, the scenario most closely matches connecting to a rogue access point where her login credentials were stolen.
Options B and C are incorrect. Both involve malware, and the scenario states no sign of malware was found.
Option D is incorrect. This does not match the symptoms of a buffer overflow attack.

35. D. This is a classic example of an attacker using social engineering on the accountant, in order to gain access to his system.
Options A and B are incorrect. This scenario does not describe either IP or MAC spoofing.
Option C is incorrect. A man-in-the-middle attack would require an attacker to get in between a source and destination for some sort of electronic communication. That is not described in this scenario.

36. D. An intrusion detection system will simply report issues, and not block the traffic.
Option A is incorrect. An intrusion prevention system will stop suspected traffic, and in the event of a false positive, will shut down legitimate traffic.
Option B is incorrect. A web application firewall (WAF), as the name suggests, primarily protects a web server against external attacks.
Option C is incorrect. SIEMs aggregate logs for analysis.

37. A. A rainbow table is a table of precomputed hashes, used to retrieve passwords.
Option B is incorrect. A backdoor is used to gain access to a system, not recover passwords.
Options C and D are incorrect. While both of these can be used to gain access to passwords, they are not tables of precomputed hashes.

38. A. Bluejacking involves sending unsolicited messages to Bluetooth devices when they are in range.
Option B is incorrect. Bluesnarfing involves getting data from the Bluetooth device.
Options C and D are incorrect. Evil twin uses a rogue access point whose name is similar or identical to that of a legitimate access point.

39. A. This is the term for rummaging through the waste/trash.
Options B and D are incorrect. These terms, though grammatically correct, are simply not the terms used in the industry.
Option C is incorrect. Nothing in this scenario describes social engineering.

40. B. Bluesnarfing involves accessing data from a Bluetooth device when it is in range.
Option A is incorrect. Bluejacking involves sending unsolicited messages to Bluetooth devices when they are in range.
Option C is incorrect. Evil twin uses a rogue access point whose name is similar or identical to that of a legitimate access point.
Option D is incorrect. A RAT is a remote-access Trojan. Nothing in this scenario points to a RAT being the cause of the stolen data.

41. A. This is a remote-access Trojan (RAT), malware that opens access for someone to remotely access the system.
Option B is incorrect. A backdoor does provide access, but it is usually in the system due to programmers putting it there, not due to malware on the system.
Option C is incorrect. A logic bomb executes its misdeeds when some logical condition is met.
Option D is incorrect. A rootkit provides root or administrative access to the system.

42. D. The term used in the industry is excessive privileges, and it is the opposite of good security practice, which states that each user should have least privileges (i.e., just enough privileges to do his or her job).
Options A through C are incorrect. While these are grammatically correct, they are not the terms used in the industry.

43. B. Zero-day exploits are new, and they are not in the virus definitions for the antivirus programs. This makes them difficult to detect, except by their behavior.
Options A, C, and D are incorrect. These are all forms of malware, but should be picked up by at least one of the antivirus programs.

44. B. When using products the vendor no longer supports, also known as end-of-life, one major concern is that there won’t be patches available for any issues or vulnerabilities.
Option A is incorrect; this is certainly not normal.
Option C is incorrect. SIEMs aggregate logs and are operating system agnostic.
Option D is incorrect. An older system is not necessarily more susceptible to denial-of-service (DoS) attacks.

45. D. WiFi protected setup (WPS) uses a PIN to connect to the wireless access point (WAP). The WPS attack attempts to intercept that PIN in transmission, connect to the WAP, and then steal the WPA2 password.
Options A and B are incorrect. Nothing in this scenario requires or describes a rogue access point/evil twin.
Option C is incorrect. An IV attack is an obscure cryptographic attack.

46. C. Initialization vectors are used with stream ciphers. An IV attack attempts to exploit a flaw to use the IV to expose encrypted data.
Options A and B are incorrect. Nothing in this scenario requires or describes a rogue access point/evil twin.
Option D is incorrect. WiFi protected setup (WPS) uses a PIN to connect to the wireless access point (WAP). The WPS attack attempts to intercept that PIN in transmission, connect to the WAP, and then steal the WPA2 password.

47. A. Any of these systems could help with detecting malicious activity by an insider, but the intrusion prevention system will block such activity, if detected.
Option B is incorrect. SIEMs simply aggregate logs.
Option C is incorrect. A honeypot can be useful in trapping a malicious actor but not in stopping data exfiltration.
Option D is incorrect. Firewalls can block traffic, but normally data exfiltration looks like normal traffic and is hard for a firewall to block.

48. D. This appears to be a situation where your network’s DNS server is compromised and sending people to a fake site.
Option A is incorrect. A Trojan horse is malware tied to a legitimate program.
Option B is incorrect. IP spoofing would be using a fake IP address, but that is not described in this scenario. In fact, the users are not even typing in IP addresses—they are typing in URLs.
Option C is incorrect. Clickjacking involves tricking users into clicking something other than what they intended.

49. B. This is a classic description of jamming.
Option A is incorrect. IV attacks are obscure cryptographic attacks on stream ciphers.
Option C is incorrect. WiFi protected setup (WPS) uses a PIN to connect to the wireless access point (WAP). The WPS attack attempts to intercept that PIN in transmission, connect to the WAP, and then steal the WPA2 password.
Option D is incorrect. A botnet is a group of machines that are being used, without their consent, as part of an attack.

50. A. This is the classic description of clickjacking.
Options B and C are incorrect. These are Bluetooth attacks.
Option D is incorrect. Nothing in this scenario requires or describes an evil twin.

51. B. Cross-site request forgery sends fake requests to a website that purport to be from a trusted, authenticated user.
Option A is incorrect. Cross-site scripting exploits the trust the user has for the website and embeds scripts into that website.
Option C is incorrect. Bluejacking is a Bluetooth attack.
Option D is incorrect. Nothing in this scenario requires or describes an evil twin.

52. C. This is a classic example of typosquatting. The website is off by only one or two letters, hoping that when users of the real website mistype the URL they will go to the fake website.
Option A is incorrect. Session hijacking is taking over an authenticated session.
Option B is incorrect. Cross-site request forgery sends fake requests to a website that purport to be from a trusted, authenticated user.
Option D is incorrect. Clickjacking attempts to trick users into clicking on something other than what they intended.

53. A. Bluesnarfing uses Bluetooth to extract data from a Bluetooth device.
Option B is incorrect. Session hijacking is taking over an authenticated session.
Option C is incorrect. Backdoors are built-in methods to circumvent authentication.
Option D is incorrect. Cross-site request forgery sends fake requests to a website that purport to be from a trusted, authenticated user.

54. B. This is a classic example of a disassociation attack. The attacker tricks users into disassociating from the device.
Option A is incorrect. Misconfiguration won’t cause authenticated users to de-authenticate.
Option C is incorrect. Session hijacking involves taking over an authenticated session.
Option D is incorrect. Backdoors are built-in methods to circumvent authentication.

55. A. This is an example of a dictionary attack. The attacker uses a list of words that are believed to be likely passwords.
Option B is incorrect. A rainbow table is a precomputed table of hashes.
Option C is incorrect. Brute force tries every possible random combination. If the attacker has the original plaintext and ciphertext for a message, they can determine the key space used through brute force attempts targeting the keyspace.
Option D is incorrect. Session hijacking is when the attacker takes over an authenticated session.

56. B. This is a classic example of a downgrade attack.
Option A is incorrect. In a disassociation attack, the attacker attempts to force the victim into disassociating from a resource.
Option C is incorrect. Session hijacking is when the attacker takes over an authenticated session.
Option D is incorrect. Brute force attempts every possible random combination to get the password or encryption key.

57. D. A collision is when two different inputs produce the same hash.
Option A is incorrect. A rainbow table is a table of precomputed hashes.
Option B is incorrect. Brute force attempts every possible random combination to get the password or encryption key.
Option C is incorrect. Session hijacking is when the attacker takes over an authenticated session.

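Answers 37, 55, and 57 define three password-and-hash terms in one sentence each; the Python program below is an added example, not part of the practice test or its answer key, that puts them side by side. A true rainbow table uses hash chains to trade time for storage; this example keeps the simpler direct hash-to-password lookup, which exhibits the same property the answer key relies on: precomputation only pays off when the stored hash is unsalted. The wordlist, the fixed salt, the PBKDF2 round count, and the truncated-hash collision search are all constructed for the example (a collision is only findable here because the digest is shortened to 16 bits; no collision is known for full SHA-256).

```python
"""Precomputed hash lookup, dictionary attack and collision side by side (added example)."""
import hashlib

# Constructed wordlist of likely passwords (answer 55).
WORDLIST = ["password", "letmein", "123456", "qwerty", "welcome1", "summer2019"]
# A per-user salt should be random; a fixed constructed value keeps the demo repeatable.
CONSTRUCTED_SALT = bytes.fromhex("5a0d2f6e8c1b4a3e9f7d6c5b4a392817")
PBKDF2_ROUNDS = 50_000


def unsalted_hash(password):
    """The weak storage scheme a precomputed table defeats."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256): one table no longer serves every user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def build_lookup_table(words):
    """Precompute hash -> password once; reusable against any unsalted hash dump (answer 37)."""
    return {unsalted_hash(w): w for w in words}


def lookup(stored_hash, table):
    """Instant recovery if the hash was precomputed, None otherwise."""
    return table.get(stored_hash)


def dictionary_attack_salted(stored_hash, salt, words):
    """With a salt the attacker must hash the whole list again for each account,
    and the slow KDF charges PBKDF2_ROUNDS hash operations per guess."""
    for w in words:
        if salted_hash(w, salt) == stored_hash:
            return w
    return None


def truncated_digest(msg, bits):
    """Leading `bits` bits of SHA-256(msg) as an integer."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def find_collision(bits=16):
    """Birthday search on the truncated digest: returns two different inputs
    with the same `bits`-bit tag (answer 57). Terminates after at most 2**bits + 1 tries."""
    seen = {}
    i = 0
    while True:
        msg = f"msg{i}".encode()
        tag = truncated_digest(msg, bits)
        if tag in seen:
            return seen[tag], msg
        seen[tag] = msg
        i += 1


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted lookup:", lookup(unsalted_hash("letmein"), table))
    stored = salted_hash("letmein", CONSTRUCTED_SALT)
    print("salted lookup:  ", lookup(stored, table))
    print("salted dictionary attack:", dictionary_attack_salted(stored, CONSTRUCTED_SALT, WORDLIST))
    a, b = find_collision(16)
    print("16-bit collision:", a, b, hex(truncated_digest(a, 16)))
```

The three results show the distinction the answer key draws: the precomputed table recovers the unsalted hash instantly, the same table finds nothing once a salt is involved, and a dictionary attack still succeeds against the salted hash because the password is weak, only now at the cost of one full PBKDF2 computation per guess per account. Salting and a slow KDF therefore defeat precomputation and raise the price of guessing; only a strong password defeats the dictionary attack outright.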
58. C. An advanced persistent threat (APT) involves sophisticated (i.e., advanced) attacks over a period of time (i.e., persistent).
Option A is incorrect. A distributed denial of service could be a part of an APT, but in and of itself is unlikely to be an APT.
Option B is incorrect. Brute force attempts every possible random combination to get the password or encryption key.
Option D is incorrect. In a disassociation attack, the attacker attempts to force the victim into disassociating from a resource.

59. D. Whether the attacker is an organized criminal, hacktivist, nation-state attacker, or script kiddie, the amount of data stolen could be large or small.
Options A, B, and C are all incorrect. These are exactly the attributes of an attack you do examine to determine the most likely attacker.

60. A. When an IDS or antivirus mistakes legitimate traffic for an attack, this is called a false positive.
Option B is incorrect. A false negative is when the IDS mistakes an attack for legitimate traffic. It is the opposite of a false positive.
Options C and D are both incorrect. While these may be grammatically correct, these are not the terms used in the industry.

61. A. The term for attempting to gain any privileges beyond what you have is privilege escalation.
Option B is incorrect. Session hijacking is taking over an authenticated session.
Options C and D are incorrect. These are not terms used in the industry.

62. C. This is a classic definition of a race condition: when multiple threads in an application are using the same variable and the situation is not properly handled.
Option A is incorrect. A buffer overflow is attempting to put more data in a buffer than it is designed to hold.
Option B is incorrect. A logic bomb is malware that performs its misdeed when some logical condition is met.
Option D is incorrect. As the name suggests, improper error handling is the lack of adequate or appropriate error handling mechanisms within software.

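Answer 62 defines a race condition as multiple threads using the same variable without the situation being handled properly. The Python program below is an added example, not part of the practice test or its answer key, showing the common check-then-act form of that bug on a constructed account balance and the lock that removes it. Real schedulers produce the bad interleaving only occasionally; to make the example deterministic, the unsafe version uses a barrier so that every thread finishes its balance check before any thread updates, which is exactly the ordering an attacker submitting concurrent requests hopes for. The `Account` class, the amounts, and the function names are assumptions for the example.

```python
"""A check-then-act race on a shared balance, and the lock that fixes it (added example)."""
import threading


class Account:
    """Shared state: one balance touched by several threads."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_unsafe(account, amount, barrier):
    """Check and act are separate steps; another thread can change the
    balance between them, so the check is stale when the update runs."""
    ok = account.balance >= amount      # check
    barrier.wait()                      # force: all threads check before any acts
    if ok:
        account.balance -= amount       # act on a stale check


def withdraw_safe(account, amount):
    """Check and act under one lock, so they form a single atomic step."""
    with account.lock:
        if account.balance >= amount:
            account.balance -= amount
            return True
        return False


def run_withdrawals(balance, amounts, safe):
    """Run one withdrawal per thread and return the final balance."""
    account = Account(balance)
    barrier = threading.Barrier(len(amounts), timeout=5)
    threads = []
    for amount in amounts:
        if safe:
            t = threading.Thread(target=withdraw_safe, args=(account, amount))
        else:
            t = threading.Thread(target=withdraw_unsafe, args=(account, amount, barrier))
        threads.append(t)
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return account.balance


if __name__ == "__main__":
    print("unsafe:", run_withdrawals(100, [100, 100], safe=False))  # both pass the check
    print("safe:  ", run_withdrawals(100, [100, 100], safe=True))   # second is refused
```

With a balance of 100 and two concurrent withdrawals of 100, the unsafe version ends at -100 because both threads saw sufficient funds before either subtracted; the safe version ends at 0 because the second thread, once it acquires the lock, sees the updated balance and is refused. The same shape appears wherever a privilege or quota check is separated from the action it guards, which is why such checks belong inside the same critical section as the update.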
63. B. This is a classic example of a Trojan horse.
Option A is incorrect. A rootkit gives root or administrative access.
Option C is incorrect. Spyware is malware that records user activities.
Option D is incorrect. A boot sector virus is a virus that infects the boot sector of the hard drive.

64. A. If a certificate is revoked, it can be used until the new certificate revocation list is published.
Options B, C, and D are all incorrect. They do not accurately describe the scenario given.

65. C. A buffer overflow is possible when boundaries are not checked and the attacker tries to put in more data than the variable can hold.
Option A is incorrect. Cross-site scripting is a web page attack.
Option B is incorrect. Cross-site request forgery is a web page attack.
Option D is incorrect. A logic bomb is malware that performs its misdeed when some condition is met.

66. B. This is the definition of a logic bomb.
Option A is incorrect. A boot sector virus infects the boot sector of the hard drive.
Option C is incorrect. A buffer overflow occurs when the attacker attempts to put more data in a variable than it can hold.
Option D is incorrect. A sparse infector virus performs its malicious activity intermittently to make it harder to detect.

67. D. A polymorphic virus changes from time to time, and that would explain the different behavior on different computers.
Option A is incorrect. The scenario is about malware.
Option B is incorrect. A boot sector virus infects the boot sector of the hard drive.
Option C is incorrect. A macro virus is embedded into a document as a macro.

68. A. This is the definition of a Smurf attack.
Option B is incorrect. The scenario does not state if this attack is coming from multiple sources, thus being distributed (i.e., distributed denial of service).
Option C is incorrect. A hijacking attack attempts to take over an authenticated session.
Option D is incorrect. The signature of a SYN flood is multiple half-open connections.

69. C. Polymorphic viruses periodically change their signature or even their code.
Option A is incorrect. A boot sector virus infects the boot sector of the hard drive.
Option B is incorrect. This is not a hoax—it is an actual virus.
Option D is incorrect. The category of stealth virus is very broad and might include polymorphic as well as armored and sparse infectors, but the scenario is more specific, pointing to polymorphic.

70. A. This is the definition of a macro virus.
Option B is incorrect. A boot sector virus infects the boot sector of the hard drive.
Option C is incorrect. A Trojan horse is malware that is tied to a legitimate program. In this scenario, the malware is actually embedded in an Office document. The two are similar, but not the same.
Option D is incorrect. A remote access Trojan (RAT) is a Trojan horse that gives the attacker remote access to the machine.

71. C. The intermittent burst of malicious activity is the definition of a sparse infector virus.
Option A is incorrect. A macro virus is embedded in a document as a macro.
Option B is incorrect. A logic bomb executes its misdeeds when a specific condition is met.
Option D is incorrect. A polymorphic virus changes its signature, or even its code, periodically.

72. B. Multipartite viruses combine boot sector with file infection.
Option A is incorrect. Polymorphic viruses periodically change their signature or even their code.
Option C is incorrect. Stealth viruses use one or more techniques to make them harder to find.
Option D is incorrect. This is not an industry term for any sort of virus.

73. C. By giving the tester logins, you are allowing him to conduct a privileged scan (i.e., a scan with some privileges).
Options A and B are incorrect. These describe the level of knowledge the tester is given of the network. A privileged scan cannot be a black-box test, but it could be either white-box or gray-box.
Option D is incorrect. While this is grammatically correct, it is not the term used in the industry.

74. C. Botnets are often used to launch DDoS attacks, with the attack coming from all the computers in the botnet simultaneously.
Option A is incorrect. Phishing attacks attempt to get the user to give up information, click on a link, or open an attachment.
Option B is incorrect. Adware consists of unwanted pop-up ads.
Option D is incorrect. A Trojan horse attaches malware to a legitimate program.

75. A. Accounts should be configured to expire. If this had occurred, then the account would no longer be active.
Option B is incorrect. While properly trained users are important, that is not what caused this issue.
Options C and D are incorrect. These are unrelated to an old account still being active.

76. C. This is a classic example of the problem with default configurations.
Option A is incorrect. Configuring the accounts is not the issue; changing default passwords and settings is.
Option B is incorrect. Yes, training users is important, but that’s not the issue in this scenario.
Option D is incorrect. Patching systems is important, but that won’t change default settings.

77. D. In a DLL injection, the malware attempts to inject code into the process of some library. This is a rather advanced attack.
Option A is incorrect. A logic bomb executes its misdeed when some condition is met.
Option B is incorrect. Session hijacking is taking over an authenticated session.
Option C is incorrect. Buffer overflows are done by sending more data to a variable than it can hold.

78. D. This is the definition of pointer dereferencing. It is a somewhat obscure and sophisticated attack on a target program.
Option A is incorrect. In a DLL injection, the malware tries to inject code into the memory process space of a library.
Option B is incorrect. In a buffer overflow, the attacker sends more data to a variable than it can hold.
Option C is incorrect. A memory leak occurs when memory is allocated in some programming function but not deallocated. Each time the function is called, more system memory is used up.

79. B. System sprawl occurs when a system grows and there are devices on the system that are not documented.
Options A, C, and D are all incorrect. While these are all serious security issues, they are unrelated to the scenario presented.

80. C. An intrusive scan could possibly cause some disruption of operations. For this reason, it should be conducted outside normal business hours.
Option A is incorrect. A penetration test actually attempts to breach the network by exploiting vulnerabilities.
Option B is incorrect. An audit is primarily a document check.
Option D is incorrect. Both intrusive and nonintrusive vulnerability scans can be effective at finding vulnerabilities.

81. D. The fact that the website is defaced in a manner related to the company’s public policies is the definition of hacktivism.
Options A, B, and C are incorrect. None of these account for the statements adverse to the company’s policies, which is why hacktivism is the real cause.

82. C. While you might suppose that a nation-state attacker (the usual attacker behind an advanced persistent threat) would attack from a foreign IP address, they often use a compromised address in the target country as a base for attacks.
Options A, B, and D are all incorrect. These are actually signs of an advanced persistent threat.

83. A. The terms evil twin and rogue access point both refer to fake access points that broadcast what appear to be legitimate SSIDs.
Options B, C, and D are incorrect. They do not adequately explain this attack.

84. A. The fact that the IP addresses are within your country might make you discard the
497nation-state attacker, but it is common for nation-state attackers to use compromised IP
498addresses in the target country from which to attack. The other symptoms—a sophisti-
499cated attack, over time—are hallmarks of nation-state attackers.
500Option B is incorrect. Nothing in the scenario indicates an ideological motive.
501Option C is incorrect. In fact, this attack is the antithesis of the simple attack of a script
502kiddie.
503Option D is incorrect. A lone attacker, no matter how skilled, would have difficulty main-
504taining sustained attacks over a year.
50585. A. This is the definition of a zero-day attack.
506Options B, C, and D are incorrect. These do not adequately describe a zero-day attack.
50786. C. This is the definition of DNS poisoning.
508Option A is incorrect. A backdoor provides access to the system by circumventing normal
509authentication.
510Option B is incorrect. An APT is an advanced persistent threat.
511Option D is incorrect. A Trojan horse ties a malicious program to a legitimate program.
51287. B. This is, in fact, the definition of a Trojan horse.
513Options A, C, and D are incorrect. These are all possible attacks, but do not match what is
514described in the question scenario.
51588. A. A remote access Trojan (RAT) is malware that gives the attacker remote access to the
516victim machine.
517Option B is incorrect. While a backdoor will give access, it is usually something in the sys-
518tem put there by programmers, not introduced by malware.
519Option C is incorrect. A RAT is a type of Trojan horse, but Trojan horse is more general
520than what is described in the scenario.
521Option D is incorrect. A macro virus is a virus embedded in a document.
52289. B. Cross-site request forgery sends forged requests to a website, supposedly from a
523trusted user.
524Option A is incorrect. Cross-site scripting is the injection of scripts into a website to
525exploit the users.
526Option C is incorrect. A buffer overflow tries to put more data in a variable than the vari-
527able can hold.
528Option D is incorrect. A remote-access Trojan (RAT) is malware that gives the attacker
529access to the system.
53090. C. Sparse infector viruses perform their malicious activity sporadically.
531Option A is incorrect. This does not describe an advanced persistent threat.
532Option B is incorrect. A boot sector virus infects the boot sector of the hard drive.
533Option D is incorrect. A keylogger is spyware that records keystrokes.
53491. D. This is a classic example of whaling, phishing that targets a specific individual.
535Option A is incorrect. Clickjacking is an attack that tries to trick users into clicking on
536something other than what they believe they are clicking on.
537Option B is incorrect. While all phishing uses some social engineering, whaling is the most
538accurate description of this attack.
539Option C is incorrect. Spear phishing targets a group, not a single individual.
54092. B. Large, half-open connections are the hallmark of a SYN flood.
541Option A is incorrect. These are all coming from a single IP address, so they cannot be a
542distributed denial-of-service attack.
543Option C is incorrect. A buffer overflow seeks to put more data in a variable than it is
544designed to hold.
545Option D is incorrect. ARP poisoning poisons the address resolution table of a switch.
54693. A. SQL injection places malformed SQL into text boxes.
547Option B is incorrect. Clickjacking attempts to trick the user into clicking on something
548other than what he or she intended.
549Option C is incorrect. Cross-site scripting puts scripts into text fields that will be viewed
550by other users.
551Option D is incorrect. Bluejacking is a Bluetooth attack.

94. C. The user-selected password is always a weak link in hard drive encryption.
Option A is incorrect. Yes, it is a good system, but there is a weakness.
Option B is incorrect. 128-bit AES is more than adequate for corporate purposes.
Option D is incorrect. DES is outdated, and AES should be used.

95. A. If an attacker can induce the web application to generate the memory leak, then eventually the web application will consume all memory on the web server and the web server will freeze up.
Option B is incorrect. Backdoors are not caused by memory leaks.
Option C is incorrect. SQL injection places malformed SQL into text boxes.
Option D is incorrect. A buffer overflow attempts to put more data in a variable than it can hold.

96. D. This is the definition of a race condition.
Option A is incorrect. Memory leaks occur when memory is allocated, but not deallocated.
Option B is incorrect. A buffer overflow is when more data is put into a variable than it can hold.
Option C is incorrect. An integer overflow occurs when an attempt is made to put an integer that is too large into a variable, such as trying to put a 64-bit integer into a 32-bit variable.

97. B. Near-field communication (NFC) is susceptible to an attacker eavesdropping on the signal.
Option A is incorrect. Tailgating is a physical attack and not affected by NFC technology.
Options C and D are incorrect. These are both unrelated to NFC technology.

98. B. Tailgating involves simply following a legitimate user through the door once he or she has opened it.
Option A is incorrect. This is unrelated to physical security.
Option C is incorrect. It is possible to generate a fake smartcard, but that is a very uncommon attack.
Option D is incorrect. Again, this is possible but is very uncommon.

99. D. This is the definition of shimming.
Option A is incorrect. Application spoofing is not a term used in the industry.
Options B and C are incorrect. These are both wireless attacks.

100. D. This scenario is the definition of passing the hash.
Option A is incorrect. A real hash was provided; it was not spoofed.
Option B is incorrect. Evil twin is a wireless attack.
Option C is incorrect. Shimming is inserting malicious code between an application and a library.

101. B. Claiming to be from tech support is claiming authority, and the story the caller gave indicates urgency.
Option A is incorrect. Yes, this caller used urgency (the virus spread) but did not attempt intimidation.
Option C is incorrect. Authority and trust are closely related, and in this case urgency was the second major factor.
Option D is incorrect. This caller used urgency but not intimidation.

102. A. This is the definition of ARP poisoning.
Option B is incorrect. In DNS poisoning domain name to IP address entries in a DNS server are altered.
Option C is incorrect. This attack did not involve a man-in-the-middle.
Option D is incorrect. A backdoor provides access to the attacker, which circumvents normal authentication.

103. A. This is a classic multipartite virus. It infects the boot sector, as well as an operating system file.
Option B is incorrect. This infects the boot sector, but also infects an operating system file as well.
Option C is incorrect. A macro virus is embedded, as a macro, into a document.
Option D is incorrect. A polymorphic virus changes periodically.

104. C. Bluesnarfing accesses data on the cell phone.
Option A is incorrect. Phonejacking is not a term used in the industry.
Option B is incorrect. Bluejacking sends unwanted text messages to the phone.
Option D is incorrect. Evil twin is a WiFi attack.

105. D. A rainbow table is a table of precomputed hashes.
Option A is incorrect. A dictionary attack is a table of common words used to guess the password.
Option B is incorrect. Brute force involves trying every random possibility.
Option C is incorrect. In pass the hash, the attacker has the hash and bypasses the application, passing the hash directly to the backend service.

106. C. The fact that the attack is coming from multiple sources makes this a distributed denial of service.
Option A is incorrect. A Smurf attack involves sending spoofed broadcast packets to the target network’s router.
Option B is incorrect. Yes, this is a denial-of-service attack, but it is distributed.
Option D is incorrect. A SYN flood involves lots of half-open connections.

107. A. A downgrade attack is often used against secure communications such as TLS in an attempt to get the user to shift to less secure modes.
Option B is incorrect. A brute-force attack tries either all possible passwords or all possible cryptography keys to gain access.
Option C is incorrect. A rainbow table is a table of precomputed hashes used to retrieve passwords.
Option D is incorrect. Bluesnarfing is a Bluetooth attack on cell phones.

108. A. In a white-box test, the tester is given extensive knowledge of the target network.
Option B is incorrect. This is not a term used to describe testing.
Option C is incorrect. Black-box testing involves only very minimal information being given to the tester.
Option D is incorrect. A red team test simulates a particular type of attacker, such as a nation-state attacker, an insider, or other type of attacker.

109. C. Social engineering is about using people skills to get information you would not otherwise have access to.
Option A is incorrect. Despite the word engineering, this has nothing to do with technical means.
Option B is incorrect. This would be dumpster diving.
Option D is incorrect. Yes, phishing emails use some social engineering, but that is one example of social engineering, not a definition.

110. C. Shoulder surfing involves literally looking over someone’s shoulder in a public place and gathering information, perhaps login passwords.
Option A is incorrect. ARP poisoning alters the address resolution protocol tables in the switch.
Option B is incorrect. Phishing is an attempt to gather information, often via email, or to convince a user to click a link to, and/or download, an attachment.
Option D is incorrect. Smurf is a type of denial-of-service attack.

111. D. The sending of spoofed broadcast messages to the target network router is a Smurf attack.
Option A is incorrect. In a SYN flood, a large number of SYN packets are sent but not responded to. This leads to a large number of half-open connections.
Option B is incorrect. An ICMP flood is a large amount of ICMP (such as ping) packets sent to the target.
Option C is incorrect. In a buffer overflow attack, more data is sent to a variable than it was designed to hold.

112. C. Cross-site scripting involves entering code (script) into a text field that will be displayed to other users.
Option A is incorrect. In SQL injection, malformed SQL statements are entered into a text box in an attempt to circumvent the website’s security.
Option B is incorrect. A logic bomb is software that performs its malicious activity when some condition is met.
Option D is incorrect. Session hijacking involves taking over an authenticated session.

113. A. Putting false entries into the DNS records of a DNS server is DNS poisoning.
Option B is incorrect. A denial-of-service attack attempts to overwhelm a server or service and render it inaccessible to legitimate users.
Option C is incorrect. DNS caching is a method of normal DNS operations.
Option D is incorrect. A Smurf attack is a type of denial of service.

114. D. IP addresses in the range of 169.254 are automatic private IP addresses (APIPA) and indicate the system could not get a dynamic IP address from the DHCP server. This is a typical symptom of DHCP starvation.
Option A is incorrect. Smurf attacks involve sending spoofed broadcast messages to the target network’s router.
Option B is incorrect. Nothing in this scenario describes a man-in-the-middle attack.
Option C is incorrect. Nothing in this scenario indicates a distributed denial-of-service attack.

115. B. Distributed denial-of-service (DDoS) attacks often use bots in a botnet to perform the attack.
Option A is incorrect. Denial of service (DoS) is too broad a category and does not adequately match the scenario description.
Option C is incorrect. A buffer overflow attempts to put more data into a variable than it is designed to accept.
Option D is incorrect. A Trojan horse links a malware program to a legitimate program.

116. B. A logic bomb will perform its malicious activity when some condition is met, often a date or time. This is commonly done by disgruntled exiting employees.
Options A, C, and D are all incorrect. It is certainly possible that any of these could be left by an exiting employee, but logic bombs are far more common. The reason is that the other three would execute their malicious activity immediately, making an obvious connection to the exiting employee.

117. C. A correct three-way handshake involves the client sending a SYN packet, the server responding with SYN and ACK, and the client completing the handshake with an ACK. If you see a large number of SYN packets without the corresponding ACK, that is likely to be a SYN flood.
Options A and B are incorrect. Address and port numbers have nothing to do with SYN flood attacks.
Option D is incorrect. RST is not the appropriate response to a SYN, and you should not expect to see RSTs in response to a SYN.
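A defender's check for the half-open pattern the handshake explanation describes, written as an added illustration that is not from the book: it replays constructed packet-log lines through the three handshake states, counts entries still waiting for the final ACK per client, and tells the single-source case (question 92) from the multi-source case (question 106). The log format, sample addresses and threshold are all assumptions.

```python
"""Half-open TCP connection check for the SYN flood pattern (added example).

Log lines use a constructed format:
"<seconds> <src_ip>:<sport> > <dst_ip>:<dport> <flags>", where flags is a
string of TCP flag letters such as "S", "SA", "A" or "R".
"""
from collections import defaultdict

# Constructed sample: one normal client completes the handshake with
# 10.0.0.5:80; 203.0.113.9 opens five connections and never sends the
# final ACK, leaving five half-open entries from a single source.
SAMPLE_LOG = """\
0.001 192.168.1.10:51000 > 10.0.0.5:80 S
0.002 10.0.0.5:80 > 192.168.1.10:51000 SA
0.003 192.168.1.10:51000 > 10.0.0.5:80 A
0.010 203.0.113.9:40001 > 10.0.0.5:80 S
0.011 10.0.0.5:80 > 203.0.113.9:40001 SA
0.012 203.0.113.9:40002 > 10.0.0.5:80 S
0.013 10.0.0.5:80 > 203.0.113.9:40002 SA
0.014 203.0.113.9:40003 > 10.0.0.5:80 S
0.015 10.0.0.5:80 > 203.0.113.9:40003 SA
0.016 203.0.113.9:40004 > 10.0.0.5:80 S
0.017 10.0.0.5:80 > 203.0.113.9:40004 SA
0.018 203.0.113.9:40005 > 10.0.0.5:80 S
0.019 10.0.0.5:80 > 203.0.113.9:40005 SA
"""


def parse_line(line):
    """Split one log line into (ts, src_ip, sport, dst_ip, dport, flags)."""
    ts, src, _arrow, dst, flags = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return float(ts), src_ip, int(sport), dst_ip, int(dport), flags


def handshake_states(log_text):
    """Replay the log; return {(client_ip, cport, server_ip, sport): state}.

    States follow the three-way handshake: 'syn_sent' after the client SYN,
    'syn_received' after the server SYN-ACK, 'established' after the client
    ACK, and 'reset' if either side sent RST.
    """
    states = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src_ip, sport, dst_ip, dport, flags = parse_line(line)
        client_key = (src_ip, sport, dst_ip, dport)   # packet sent by client
        server_key = (dst_ip, dport, src_ip, sport)   # packet sent by server
        if flags == "S":
            states[client_key] = "syn_sent"           # step 1: SYN
        elif flags == "SA":
            if states.get(server_key) == "syn_sent":
                states[server_key] = "syn_received"   # step 2: SYN-ACK
        elif "R" in flags:
            for key in (client_key, server_key):      # RST from either side
                if key in states:
                    states[key] = "reset"
        elif "A" in flags:
            if states.get(client_key) == "syn_received":
                states[client_key] = "established"    # step 3: ACK
    return states


def half_open_by_source(states):
    """Count connections still waiting for the final ACK, per client IP."""
    counts = defaultdict(int)
    for (client_ip, _, _, _), state in states.items():
        if state in ("syn_sent", "syn_received"):
            counts[client_ip] += 1
    return dict(counts)


def classify(log_text, threshold=3):
    """Return 'normal', 'syn_flood' (one source) or 'distributed_syn_flood'.

    The threshold is an assumed tuning value; a real sensor would also age
    entries out, since a slow client can legitimately be half-open briefly.
    """
    counts = half_open_by_source(handshake_states(log_text))
    if sum(counts.values()) < threshold:
        return "normal"
    return "syn_flood" if len(counts) == 1 else "distributed_syn_flood"


def make_syn_only_log(sources, per_source=2, server="10.0.0.5"):
    """Construct a log of SYNs from several sources with no completing ACKs."""
    lines, t = [], 0.0
    for ip in sources:
        for p in range(per_source):
            t += 0.001
            lines.append(f"{t:.3f} {ip}:{40000 + p} > {server}:80 S")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(half_open_by_source(handshake_states(SAMPLE_LOG)))  # {'203.0.113.9': 5}
    print(classify(SAMPLE_LOG))                                # syn_flood
    print(classify(make_syn_only_log(["198.51.100.1", "198.51.100.2"])))
```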

118. A. In a white-box test, the tester has full or very nearly full knowledge of the system.
Option B is incorrect. No knowledge is a black-box test.
Options C and D are incorrect. In any test, the tester should have permission to access the system.

119. A. Passive information gathering involves using methods other than directly accessing the network to gather information. Social media and newsgroups are commonly used.
Option B is incorrect. Active information gathering involves tasks such as port scanning that actually do connect to the target network.
Option C is incorrect. The initial exploit is when the tester tries to gain some access to some aspect of the system.
Option D is incorrect. Vulnerability scanning involves automated and semiautomated processes to find known vulnerabilities in a system.

120. B. This is the definition of session hijacking.
Option A is incorrect. Man-in-the-middle involves having some process between the two ends of communication in order to compromise passwords or cryptography keys.
Option C is incorrect. A backdoor is some means for accessing a system that circumvents normal authentication.
Option D is incorrect. A Smurf attack is a specific type of denial-of-service attack.

121. B. Vulnerability scans use automated and semiautomated processes to identify known vulnerabilities.
Option A is incorrect. Audits usually involve document checks.
Options C and D are incorrect. These are both types of penetration tests.

122. A. Near-field communication (NFC) can be susceptible to eavesdropping. Smartphones with NFC can be used as payment methods and should utilize a biometric or PIN to avoid information being stolen.
Option B is incorrect. Man-in-the-middle involves having some process between the two ends of communication in order to compromise passwords or cryptography keys.
Option C is incorrect. A buffer overflow attack attempts to put more data in a variable than the variable is designed to hold. Improper input handling is the root cause of many buffer overflows.
Option D is incorrect. A Smurf attack is a type of denial of service.

123. A. A gray-box test involves the tester being given partial information about the network.
Option B is incorrect. A white-box test involves the tester being given full or nearly full information about the target network.
Options C and D are incorrect. Neither of these is a testing term.

124. D. In the man-in-the-middle attack, the attacker is between the client and the server, and to either end, the attacker appears like the legitimate other end.
Option A is incorrect. This does not describe any denial-of-service attack.
Option B is incorrect. A replay attack involves resending login information.
Option C is incorrect. Although a man-in-the-middle can be used to perform eavesdropping, in this scenario the best answer is man-in-the-middle.

125. A. In a man-in-the-browser attack, the malware intercepts calls from the browser to the system, such as system libraries.
Option B is incorrect. Man-in-the-middle involves having some process between the two ends of communication in order to compromise passwords or cryptography keys.
Option C is incorrect. In a buffer overflow attack, more data is put into a variable than the variable was intended to hold.
Option D is incorrect. Session hijacking involves taking over an authenticated session.

126. B. This is the initial exploit, which involves getting initial access to the system.
Option A is incorrect. Vulnerability scanning is an automated process that checks for the presence of known vulnerabilities.
Options C and D are incorrect. These both refer to how much information about the network the tester is given. In both black-box and white-box tests, there will still be an initial exploit.

127. C. When a vendor no longer supports software, there won’t be patches for vulnerabilities or other issues.
Option A is incorrect. Although this may be true, it is not a security issue.
Option B is incorrect. Again, this may be true, but this is not the primary risk.
Option D is incorrect. This may or may not be true.

128. D. Placing a larger integer value into a smaller integer variable is an integer overflow.
Option A is incorrect. Memory overflow is not a term used, and memory leak is about allocating memory and not deallocating it.
Option B is incorrect. Buffer overflows usually involve arrays.
Option C is incorrect. Variable overflow is not a term used in the industry.

129. C. Armoring can be as simple as very trivial encryption, but any process that makes it difficult to reverse-engineer a virus is armoring.
Option A is incorrect. A polymorphic virus periodically changes itself.
Option B is incorrect. A macro virus is embedded, as a macro, into a document.
Option D is incorrect. A boot sector virus infects the boot sector of a hard drive.

130. A. Deauthorizing users from a resource is called disassociation.
Option B is incorrect. Session hijacking involves taking over an authenticated session.
Option C is incorrect. In the man-in-the-middle attack, the attacker is between the client and the server, and to either end, the attacker appears like the legitimate other end.
Option D is incorrect. Smurf is a type of denial-of-service attack where the attacker attempts to exhaust the resources and prevent users from accessing necessary systems.

131. A. Sending fake DNS requests that are overly large is called an amplification attack. It is a highly specialized type of denial of service.
Option B is incorrect. DNS poisoning seeks to put fake DNS records in a DNS server.
Option C is incorrect. DNS spoofing is using fake DNS information.
Option D is incorrect. The Smurf attack is a denial of service.

132. B. In this scenario, no technical issues are mentioned—just people seeing information. So shoulder surfing best fits the scenario.
Option A is incorrect. No social engineering is involved in this scenario.
Option C is incorrect. Although a man-in-the-middle attack on the wireless access point (WAP) could compromise data, that’s not what is described in this scenario.
Option D is incorrect. Cross-site request forgery is a website attack.

133. A. Cross-site scripting is an attack on the user that is based on the user trusting the website.
Options B, C, and D are incorrect.

134. A. Targeting a specific group is the definition of spear phishing.
Option B is incorrect. In the man-in-the-middle attack, the attacker is between the client and the server, and to either end, the attacker appears like the legitimate other end.
Option C is incorrect. Target phishing is not an industry term.
Option D is incorrect. Vishing is phishing via voice over IP (VoIP).

135. A. Encryption is one method for armored viruses.
Option B is incorrect. Ransomware encrypts files but is not encrypted itself.
Option C is incorrect. A polymorphic virus periodically changes itself.
Option D is incorrect. A Trojan horse combines malware with a legitimate program.

136. D. This is the definition of a rootkit.
Option A is incorrect. A Trojan horse combines malware with a legitimate program.
Option B is incorrect. A logic bomb performs its malicious activity when some condition is met.
Option C is incorrect. A multipartite virus infects the boot sector and a file.

137. B. This is vishing, or using voice calls for phishing.
Option A is incorrect. Spear phishing is targeting a small, specific group.
Option C is incorrect. War dialing is dialing numbers hoping a computer modem answers.
Option D is incorrect. Robocalling is used to place unsolicited telemarketing calls.

138. A. Cross-site request forgery is an attack on the website that is based on the website trusting the user.
Options B, C, and D are all incorrect.

139. A. This is the definition of a multipartite virus.
Option B is incorrect. A rootkit gets admin or root privileges.
Option C is incorrect. Ransomware encrypts files and demands a ransom.
Option D is incorrect. A worm is a fast-spreading virus.

140. A. This is the definition of a worm.
Option B is incorrect. A virus is software that self-replicates.
Option C is incorrect. A logic bomb executes its malicious activity when some condition is met.
Option D is incorrect. A Trojan horse combines malware with a legitimate program.

141. B. Dumpster diving is the process of going through the trash to find documents.
Option A is incorrect. Phishing is often done via email or phone, and is an attempt to elicit information or convince a user to click a link or open an attachment.
Option C is incorrect. Shoulder surfing is literally looking over someone’s shoulder.
Option D is incorrect. In the man-in-the-middle attack the attacker is between the client and the server, and to either end, the attacker appears like the legitimate other end.

142. D. This is the definition of a macro virus.
Option A is incorrect. A logic bomb executes its malicious activity when some condition is met.
Option B is incorrect. A rootkit obtains administrative or root access.
Option C is incorrect. A Trojan horse connects malware to a legitimate program.

143. A. URL hijacking or typosquatting is done by naming a phishing URL very similar to an actual URL.
Option B is incorrect. DNS poisoning would be entering fake entries into a DNS server.
Option C is incorrect. Cross-site scripting would show as a breach of the website.
Option D is incorrect. In the man-in-the-middle attack, the attacker is between the client and the server, and to either end, the attacker appears like the legitimate other end.

144. C. The dictionary attack uses common passwords.
Option A is incorrect. Rainbow tables are tables of precomputed hashes.
Option B is incorrect. The birthday attack is a method for generating collisions of hashes.
Option D is incorrect. No spoofing is indicated in this scenario.

145. A. This is the definition of a replay attack.
Option B is incorrect. IP spoofing is the process of faking an IP address.
Option C is incorrect. This is not a term used in the industry.
Option D is incorrect. Session hijacking is done by taking over an authenticated session.

146. D. Active reconnaissance actually connects to the network using techniques such as port scanning.
Option A is incorrect. Either can be done manually or with tools.
Option B is incorrect. Black-box and white-box refer to the amount of information the tester is given.
Option C is incorrect. Attackers and testers use both types of reconnaissance.

147. C. Vulnerability scans identify known vulnerabilities. Penetration tests actually exploit those vulnerabilities in order to breach the system.
Option A is incorrect. Either insiders or outsiders can do both vulnerability scans and penetration tests.
Option B is incorrect. Both vulnerability scans and penetration tests can use automated tools and manual techniques.
Option D is incorrect. Black-box and white-box refer to the amount of information the tester is given.

148. B. This is the definition of a pivot.
Option A is incorrect. In the man-in-the-middle attack, the attacker is between the client and the server, and to either end, the attacker appears like the legitimate other end.
Option C is incorrect. Shimming involves inserting code between a program and a library.
Option D is incorrect. Vishing is phishing over the phone line, often VoIP.

149. C. Active scanning actually connects to the target network.
Option A is incorrect. Passive scanning does not actually connect to the target network.
Options B and D are incorrect. Black-box and white-box refer to the amount of information the tester is given.

150. D. A firewall not running is not a configuration issue.
Options A, B, and C are all incorrect. These are all common security misconfiguration issues.
Chapter 2: Technologies and Tools

1. D. The correct answer is stateful packet inspection (SPI). SPI looks at the entire context of the conversation and will stop SYN floods.
Option A is incorrect. A packet filter examines each packet in isolation and won’t stop the SYN flood. A packet filter is stateless and won’t deter the SYN flood.
Option B is incorrect. An application gateway may have SPI functionality, but its primary benefit is to protect against a specific application attack, such as web attacks.
Option C is incorrect. Bastion is another name for a border firewall and does not indicate the process it uses.

2. A. The correct answer is NAC, or Network Access Control. NAC is a network management solution that defines and implements a policy that enables only compliant and trusted endpoint devices to access network resources.
Option B is incorrect. Stateful packet inspection (SPI) is a type of firewall.
Option C is incorrect. IDS stands for intrusion detection system.
Option D is incorrect. BYOD, or Bring Your Own Device, is the problem, but the solution described is Network Access Control (NAC).

3. D. Transport mode is the mode wherein IPSec encrypts the data, but not the packet header.
Option A is incorrect. Tunneling mode does encrypt the header as well as the packet data.
Option B is incorrect. Internet Key Exchange (IKE) is used in setting up security associations in IPSec.
Option C is incorrect. Encapsulating Security Payload (ESP) is used for authentication and encryption in IPSec, whether tunneling or transport mode is used.

4. D. When an IDS (or any security device) labels legitimate traffic as an attack, that is called a false positive.
Option A is incorrect. A false negative is when an attack is mislabeled as legitimate.
Option B is incorrect. Passive refers to how the IDS responds to suspicious activity. The question does not tell you if this is passive or active.
Option C is incorrect. Active refers to how the IDS responds to suspicious activity. The question does not tell you if this is passive or active.

5. D. Security Information and Event Management (SIEM) systems are designed specifically for log aggregation and analysis.
Option A is incorrect. Network Access Control (NAC) scans devices to ensure they meet minimum network security requirements.
Option B is incorrect. Port forwarding could be used, in conjunction with other steps, to aggregate logs, but it would not be the best approach.
Option C is incorrect. An intrusion detection system (IDS) won’t aggregate other systems’ logs.
6. C. A web application firewall (WAF) is designed to provide firewall protection that also
will protect against specific web attacks.
Option A is incorrect. An access control list (ACL) is an important security measure but
will not provide protection against web attacks.
Option B is incorrect. A stateful packet inspector (SPI) is a robust firewall and will stop
attacks such as SYN floods, but it won’t provide the best protection against web attacks.
Option D is incorrect. An IDS is a good security measure, but it won’t provide the best
protection against web attacks.
7. C. A site-to-site VPN is a permanent VPN connection between sites. Connecting remote
offices is a typical site-to-site VPN implementation.
Option A is incorrect. L2TP is a protocol for VPN and could be used for either site-to-site
or remote-access VPNs.
Option B is incorrect. IPSec is a protocol for VPN and could be used for either site-to-site
or remote-access VPNs.
Option D is incorrect. A remote-access VPN is used by an individual to remotely access
the corporate network.
8. D. By mapping network jacks to specific MAC addresses of machines, you can prevent a
rogue machine from being connected.
Option A is incorrect. Access control lists won’t prevent a rogue device from being
connected to a port.
Option B is incorrect. Intrusion detection systems won’t prevent a rogue device from being
connected to a port.
Option C is incorrect. If that specific jack is part of a VLAN, it would limit the attacker
to only that VLAN, but that is certainly not as reliable or as robust a security measure as
port security.
9. A. An active-active cluster has all servers working, rather than keeping a duplicate server
in reserve.
Option B is incorrect. An active-passive cluster has, for each pair of servers, one not
functioning. It simply is used in case the primary server should fail.
Options C and D are incorrect. These are means for a cluster deciding how to route traffic
in the cluster.
10. A. Round-robin load balancing simply sends each new connection to the next server in the
cluster.
Option B is incorrect. Affinity load balancing ties specific users to specific servers in the
cluster.
Option C is incorrect. Weighted load balancing examines the bandwidth utilization for
each server and sends the next connection to the server with the least current bandwidth
utilization.
Option D is incorrect. Rotating is not a term used in load balancing.
11. D. The term for this is thin wireless access point.
Option A is incorrect. Fat wireless access points have all the functionality and features the
wireless network needs.
Option B is incorrect. A repeater resends a signal.
Option C is incorrect. Thick is another term for fat access point.
12. B. Controller-based wireless access points have minimal functionality, with most
functions centrally controlled.
Option A is incorrect. A fat wireless access point has all necessary functionality contained
in the WAP.
Option C is incorrect. Stand-alone is synonymous with fat WAP.
Option D is incorrect. 802.11i is the wireless security standard.
13. B. Encapsulating Security Payload provides both integrity and encryption.
Option A is incorrect. Authentication Header only provides integrity, not encryption.
Option C is incorrect. Internet Key Exchange is used during the setup of IPSec to establish
security associations.
Option D is incorrect. The Internet Security Association and Key Management Protocol
provides a framework for authentication and key exchange.
14. C. ESP provides encryption and AH provides complete authentication, including the
header, so both are needed to meet the requirements.
Option A is incorrect. Authentication Header will provide complete packet authentication,
including the header, but it won’t provide encryption.
Option B is incorrect. Encapsulating Security Payload provides both integrity and
encryption but only authenticates the data, not the header.
Option D is incorrect. Internet Key Exchange is used during the setup of IPSec to establish
security associations.
15. D. USB blocking will prevent anyone from plugging in a USB and taking out data.
Option A is incorrect. An IPS would only stop exfiltration of data if it was sent over the
network and appeared as an attack. It would not stop hand carrying out of data.
Option B is incorrect. This is a more time-consuming option and would not be the first
thing you implement.
Option C is incorrect. Virtual local area networks (VLANs) won’t help with this issue.
16. B. Secure Multipurpose Internet Mail Extensions (S/MIME) encrypts email using X.509
certificates that are created and authenticated by a trusted third party.
Option A is incorrect. The Internet Message Access Protocol is used for receiving email. It
does not send email and is not natively encrypted.
Option C is incorrect. PGP (Pretty Good Privacy) can be used to encrypt email, but it uses
self-generated certificates that are not authenticated by a third party.
Option D is incorrect. Simple Mail Transfer Protocol Secure is encrypted, but it is only for
sending email, not receiving. It can also be done with S/MIME or PGP.
17. D. Secure Shell gives a remote command-line interface that is encrypted.
Option A is incorrect. HyperText Transport Protocol Secure is for encrypting web traffic.
Option B is incorrect. Windows Remote Desktop Protocol is not encrypted.
Option C is incorrect. Telnet is not encrypted.
18. D. Earlier versions of SNMP sent all traffic in clear text. SNMP v3 sends all data
encrypted.
Options A, B, and C are incorrect. They are not features of SNMP v3.
19. B. Choose Your Own Device (CYOD) allows employees to bring their own devices to
work, but only if they are chosen from a list of approved models.
Option A is incorrect. Bring Your Own Device (BYOD) allows employees to bring
whatever model device they happen to have.
Option C is incorrect. Company-Owned Personally Enabled (COPE) equipment is
provided by and owned by the company.
Option D is incorrect. BYOE is not a term used in the industry.
20. C. Virtual Desktop Infrastructure does have all patch management centrally controlled.
Option A is incorrect. This is a benefit of VDI but not a security benefit.
Option B is incorrect. VDI is no more or less resistant to malware than physical desktops.
Option D is incorrect. Some vendors claim VDI is less susceptible to man-in-the-middle
attacks, but no one claims it is immune to them.
21. C. Satellite communications are most resistant to disasters that disrupt communications.
Option A is incorrect. While cellular is effective and reasonably resilient, it is not as
resilient as SATCOM.
Option B is incorrect. WiFi can fail for any number of reasons, and a disaster is very likely
to affect it.
Option D is incorrect. If there is any disruption to the network, then VoIP will not function.
22. A. The most effective protection against data loss is the ability to remotely wipe the
phone.
Option B is incorrect. Geolocation will allow you to locate the phone, but data may have
already been exfiltrated.
Option C is incorrect. A strong PIN is a good idea, but not as effective as remote wiping.
Option D is incorrect. This only limits how much data could be on the device to be stolen.
23. B. Geofencing sets up geographic boundaries, beyond which a device won’t work.
Option A is incorrect. Geolocation provides geographic location, not geofencing.
Options C and D are incorrect because geofencing is not related to WiFi.
24. B. Content management for a mobile device involves limiting what content can be placed
on the phone.
Option A is incorrect. Content management is not involved in limiting the amount of data.
Option C is incorrect. In the context of a mobile device, this is not content management.
Option D is incorrect. Digitally signing authorized content could be used in some content
management systems, but this is not the best definition of content management.
25. C. The ipconfig /renew command will request a new IP from the DHCP server.
Option A is incorrect. There is no /request flag for ipconfig.
Options B and D are incorrect. Netstat has nothing to do with getting a dynamic IP
address. Also /request and -renew are not NETSTAT flags.
26. D. ANT is a proprietary wireless network technology that provides low-power modes and
is used in WiFi settings. It has been used in sports-related technologies.
Option A is incorrect. WiFi uses power constantly, whether users connect or not.
Option B is incorrect. Cellular consumes too much power.
Option C is incorrect. The range of Bluetooth is too short.
27. A. Data Execution Prevention (DEP) requires the user to authorize any executable to
execute. It should be noted that this is the definition Microsoft used for its functionality.
A more technical definition is that Data Execution Prevention is preventing software from
accessing restricted memory such as the operating system’s memory.
Option B is incorrect. Data Loss Prevention (DLP) is related to preventing exfiltration of data.
Most DLP solutions have the capability to control removable media such as USB devices.
Option C is incorrect. Unified Threat Management (UTM) is the combining of security
services such as antivirus, HIDS, log monitoring, firewall, and so forth in a single device.
Option D is incorrect. ANT is a networking technology.
28. D. Transport Layer Security (TLS) is used to encrypt and secure web traffic.
Options A and B are incorrect. L2TP and IPSec are VPN technologies and not appropriate
for securing web traffic.
Option C is incorrect. Secure Sockets Layer was the appropriate choice a long time ago,
but TLS is the successor to SSL and was released in 1999.
29. A. Heuristic scanning involves scanning for anomalous behavior that might indicate an
attack, even if there is no known attack signature.
Option B is incorrect. Signature scanning can only detect known signatures, and that
appears to be what the college is using now.
Options C and D are incorrect. Neither is an IDS term.
30. D. Lightweight Directory Access Protocol Secure (LDAPS) would at least mitigate the
risk. LDAP is a directory of the network (computers, users, etc.). Securing that would help
mitigate network enumeration.
Option A is incorrect. HTTPS is for secure web pages.
Option B is incorrect. TLS will help only if applied to a directory protocol, as it is in
LDAPS.
Option C is incorrect. A VPN won’t solve this issue.
31. C. FTPS is File Transfer Protocol with SSL/TLS and uses digital certificates to secure file
transfer.
Option A is incorrect. File Transfer Protocol is not secure.
Option B is incorrect. SFTP is secure, but it uses SSH for security and does not use digital
certificates.
Option D is incorrect. Secure Copy is secure, but it uses SSH for security and does not use
digital certificates.
32. C. Secure Real-Time Transport Protocol (SRTP) is used to encrypt and secure RTP. RTP is
the protocol for transmitting VoIP.
Option A is incorrect. Session Initiation Protocol is used to initiate a VoIP call but not to
send the VoIP data.
Option B is incorrect. TLS is used to secure data, but by itself it cannot secure VoIP.
Option D is incorrect. Secure Shell (SSH) is for remote terminal connection and is not used
in VoIP.
33. B. A screen lock limits access to users who know the code.
Option A is incorrect. While device encryption is common, the screen lock code does not
encrypt the device.
Option C is incorrect. Unlike desktop operating systems, mobile devices are not designed
to be used by multiple users.
Option D is incorrect. The lock codes for screen locks have no relationship to connecting
to WiFi.
34. A. Context-aware authentication does still require a username and password, but in
addition to those criteria, it examines the user’s location, time of day they are logging in,
computer they are logging in from, what they are trying to do, and so forth.
Option B is incorrect. Context-aware authentication still requires a username and
password.
Options C and D are incorrect. Context-aware authentication is not about digital
certificates or tokens.
35. C. Application management is primarily concerned with ensuring only authorized and
approved applications are installed on mobile devices.
Option A is incorrect. Not every app in the iTunes store is appropriate for business use,
and the iTunes store only affects Apple devices.
Option B is incorrect. Simply knowing what is installed is not the same thing as ensuring
only authorized apps are installed.
Option D is incorrect. Patch management can be a part of application management, but
the primary goal is controlling what apps get installed on a device.
36. D. An inline IDS is actually in the traffic line (i.e., on the network segment where traffic is).
Option A is incorrect. An active IDS refers to one that takes action against suspected
attack traffic—it has nothing to do with where it is placed.
Option B is incorrect. IPS is another name for active IDS.
Option C is incorrect. Passive refers to whether or not the system acts against suspected
traffic, not the location of the IDS.
37. A. Split tunneling allows a mobile user to access dissimilar security domains like a public
network (e.g., the Internet) and a local LAN or WAN at the same time.
Option B is incorrect. IPSec is the protocol for establishing and securing a VPN, rather
than connecting to different resources. You can use IPSec in either a split or full tunnel.
Option C is incorrect. A full tunnel is a dedicated tunnel to one single target.
Option D is incorrect. TLS is a protocol that can be used for establishing and securing a
VPN, rather than connecting to different resources. You can use TLS in either a split or
full tunnel.
38. A. A forward proxy is a single location that provides access to a wide range of web
sources.
Option B is incorrect. A reverse proxy is usually an internal-facing proxy used as a front
end to control and protect access to a server on a private network.
Option C is incorrect. Stateful packet inspection is a type of firewall.
Option D is incorrect. Open proxies are usable by anyone on the Internet.
39. A. This is the term for rummaging through the waste/trash.
Options B and D are incorrect. These terms, while grammatically correct, are simply not
the terms used in the industry.
Option C is incorrect. Nothing in this scenario describes social engineering.
40. A. Affinity load balancing ties certain users or groups of users to a specific server so they
will be routed to that server if possible.
Option B is incorrect. Binding is not a term used in load balancing.
Option C is incorrect. Yes, load balancing is needed, but the question asks what type of
load balancing.
Option D is incorrect. Round-robin simply goes to the next available server.
41. D. Placing the WAPs carefully so as to provide the best coverage for the company, with
minimum overlap outside the company, will be the best way to keep those in adjacent
offices from attempting to breach the WiFi. When placing WAPs for the best coverage, one
needs to focus on signal strength to ensure there are no gaps between WAPs.
Option A is incorrect. Thin versus fat WAP refers to the functionality in the WAP and
won’t have any effect on the ability of nearby people to breach the WAP.
Option B is incorrect. Geofencing is used to limit the area in which a mobile device can
be used.
Option C is incorrect. Securing the admin screen is a great idea and should be done, but it
won’t address the issue of nearby tenants attempting to breach the WiFi.
42. D. Correlating the events from the servers related to the breach would be the most
important issue to address for the SIEM manager.
Option A is incorrect. Event duplication is an issue that needs to be addressed, but it is far
less important than correlation.
Option B is incorrect. Time synchronization will be important, but it is either done before
an incident, during setup and maintenance of the servers, or after correlation, when
correlated events need to have their time synchronized.
Option C is incorrect. Impact assessment is important, but is not part of SIEM
management.
43. B. The total number of erroneous reports (i.e., false positives and false negatives) is the
biggest concern because this determines effectiveness of the system.
Option A is incorrect. Yes, cost is an issue, but effectiveness is the most important issue.
Option C is incorrect. Yes, cost is an issue, but effectiveness is the most important issue
and power consumption is a much less important concern.
Option D is incorrect. Both the management interface and the cost are important but less
important than efficacy.
44. A. Access control lists are Cisco’s primary recommendation to prevent spoofing on
routers. ACLs limit access to the router and its functionality.
Option B is incorrect. A login for accessing a router is often not practical because the
router access may be needed when a user is not present to log on.
Option C is incorrect. A network intrusion prevention system is a good idea, but it won’t
prevent spoofing.
Option D is incorrect. A network intrusion detection system is a good idea, but it won’t
prevent spoofing.
45. A. A SYN attack is a type of flooding attack that is a denial of service. Flood guards are
either stand-alone or, more often, part of a firewall, and they prevent flooding attacks.
Option B is incorrect. DNS poisoning involves inserting fake entries into a DNS server; a
flood guard will do nothing to prevent that.
Option C is incorrect. Spoofing a MAC address does not involve any flooding.
Option D is incorrect. Spoofing Address Resolution Protocol is a type of MAC spoofing
and does not involve any flooding.
46. A. An application proxy server is often used when the client and the server are
incompatible for direct connection with the server.
Option B is incorrect. Network address translation involves translating a private IP
address to a public IP address.
Option C is incorrect. Changing the server is a drastic measure. It is assumed that this
server is being used for some valid reason.
Option D is incorrect. A protocol analyzer is essentially a packet sniffer.
47. C. Virtual IP load balancing does not take the load of each interface into account and
assumes all loads are essentially similar.
Option A is incorrect. This load balancing is not resource intensive.
Option B is incorrect. Most servers do support virtual IP load-balancing.
Option D is incorrect. Windows will also support virtual IP load-balancing.
48. A. If Network Time Protocol (NTP) is disrupted, then the various servers that forward
logs to the SIEM might not have the same time. This could lead to events that actually
took place at the same time appearing to have occurred at different times.
Option B is incorrect. Event correlation is related to time synchronization, but that is a
secondary effect.
Option C is incorrect. NTP issues should not lead to any event duplication.
Option D is incorrect. NTP issues should not lead to events failing to be logged.
49. A. The -n flag is used to set the number of ping packets to send—in this case, 6—
and -l sets the size—in this case, 100 bytes.
Option A is incorrect. IV attacks are obscure cryptographic attacks on stream ciphers.
Options B, C, and D are all incorrect. This is a ping command, but these options have
incorrect flags.
50. B. An insider could send out data as an email attachment.
Option A is incorrect. Portable devices usually connect via USB, which is blocked, and if
they don’t, they will likely be found on the exit search.
Option C is incorrect. The range of Bluetooth is 10 meters. That makes it ineffective for
data exfiltration.
Option D is incorrect. Optical media is a type of portable media.
51. D. Phishing emails are often sent out to masses of people and a spam filter would block at
least some of that, thus reducing the phishing email attacks.
Option A is incorrect. Although email encryption is a good idea, it will do nothing to stop
phishing.
Option B is incorrect. Hardening all servers is a good security practice, but it has no
impact on phishing emails.
Option C is incorrect. Although digitally signing email is a good idea, it cannot stop
phishing or even reduce it significantly. It might mitigate phishing emails that claim to come
from a company employee, but it won’t impact other phishing emails.
52. C. A TLS accelerator is a processor that handles processing, specifically
processor-intensive public-key encryption for Transport Layer Security (TLS). This should
significantly improve server responsiveness.
Option A is incorrect. Increasing RAM will have only a minimal effect on network
responsiveness.
Option B is incorrect. From the question, there is no indication that the servers were not
performing fine before TLS implementation, so addressing the TLS issues is the best
solution.
Option D is incorrect. Setting up clustering is a rather significant step, and not the first
thing that should be considered. Implementation of TLS accelerators is a better option.
53. B. An employee could hide sensitive data in files using steganography and then exfiltrate
that data.
Option A is incorrect. Password crackers are a separate type of tool from steganography
tools.
Option C is incorrect. Very few steganography tools and methods allow you to hide
network traffic.
Option D is incorrect. Although it is possible to hide malware in a file via steganography,
this is not the greatest or most common concern.
54. B. The netstat command displays all connections, and the -o flag shows the process that
owns that connection.
Option A is incorrect. The netstat -a command will show listening ports.
Option C is incorrect. The arp -a command shows the current Address Resolution Protocol
entries.
Option D is incorrect. The arp -g command is identical to arp -a.
55. A. This is an example of a dictionary attack. The attacker uses a list of words that are
believed to be likely passwords.
Option B is incorrect. A rainbow table is a precomputed table of hashes.
Option C is incorrect. Brute force tries every possible random combination.
Option D is incorrect. Session hijacking is when the attacker takes over an authenticated
session.
56. C. Netcat is a tool widely used by network administrators to establish communication
between two machines. Having netcat on a machine could indicate an intruder has
compromised that machine and installed netcat as a backdoor, or that the employee is setting
up covert communication channels.
Option A is incorrect. Netcat is not a password cracker.
Option B is incorrect. Netcat is not a packet sniffer.
Option D is incorrect. Netcat is not a denial-of-service tool.
57. A. The certificate revocation list designates certificates that have been revoked for some
reason. Those certificates should no longer be used. But if the CRL is published only once
per week, then a revoked certificate could potentially be used for up to a week after being
revoked.
Option B is incorrect. CRLs are not part of the certificate issuing process.
Option C is incorrect. Yes, it would present a possible security issue.
Option D is incorrect. Key generation for certificates is completely separate from CRLs.
58. C. A clear security policy must be created that explains software licensing and the
company processes for software licensing. Without clear policies, any other countermeasures
will be less effective.
Option A is incorrect. Although software audits are a good idea, meaningful audits can
take place only after good policies are in place.
Option B is incorrect. Scanning the network to see what is installed is a good idea, but
policies must be established first.
Option D is incorrect. This may, or may not, be a step the company wishes to take. But
policies must be established first.
59. B. The false rejection rate (FRR) is the rate at which authentication attempts are rejected
when they should have succeeded. When you are getting a high number of authorized
individuals being denied access, that is due to an FRR that is too high.
Option A is incorrect. The false acceptance rate (FAR) is the rate at which people who
should not be authenticated are. This is certainly a concern but a different concern.
Option C is incorrect. The crossover error rate (CER) is the rate at which FAR and FRR
are equal.
Option D is incorrect. Equal error rate (EER) is another name for CER.
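As an added illustration (not part of the practice test), the following Python computes FRR, FAR and the crossover error rate from constructed biometric match scores and shows why a flood of rejected authorized users points at a decision threshold set well above the CER:

```python
"""Added example, not from the practice test: computing FAR, FRR and the
crossover (equal) error rate from biometric match scores. All scores below are
constructed; a real system would take them from its matcher."""

# Similarity scores on a 0-100 scale (higher = closer to the enrolled template).
# An attempt is accepted when its score is at or above the decision threshold.
GENUINE_SCORES = [88, 92, 75, 81, 95, 72, 84, 90, 77, 86]   # authorized users
IMPOSTOR_SCORES = [40, 55, 62, 48, 71, 58, 66, 45, 74, 52]  # should be rejected


def false_rejection_rate(genuine, threshold):
    """FRR: share of authorized attempts wrongly rejected (score below threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostor, threshold):
    """FAR: share of impostor attempts wrongly accepted (score at/above threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) for each candidate threshold, for plotting or review."""
    return [(t, false_acceptance_rate(impostor, t), false_rejection_rate(genuine, t))
            for t in thresholds]


def crossover_error_rate(genuine, impostor, thresholds):
    """Threshold at which FAR and FRR are closest, and the error rate there (CER/EER)."""
    curve = error_curve(genuine, impostor, thresholds)
    t, far, frr = min(curve, key=lambda row: abs(row[1] - row[2]))
    return t, (far + frr) / 2


def diagnose(genuine, impostor, threshold, thresholds):
    """Explain a complaint like the one in question 59: too many authorized users
    rejected means the FRR at the deployed threshold is high relative to the CER."""
    frr = false_rejection_rate(genuine, threshold)
    far = false_acceptance_rate(impostor, threshold)
    cer_t, cer = crossover_error_rate(genuine, impostor, thresholds)
    return {"threshold": threshold, "FAR": far, "FRR": frr,
            "cer_threshold": cer_t, "CER": cer,
            "frr_problem": frr > cer and threshold > cer_t}


if __name__ == "__main__":
    thresholds = range(40, 100, 5)
    for t, far, frr in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, thresholds):
        print(f"threshold {t:3d}: FAR={far:.2f} FRR={frr:.2f}")
    # A deployed threshold of 90 rejects 70% of authorized users: the FRR problem.
    print(diagnose(GENUINE_SCORES, IMPOSTOR_SCORES, 90, thresholds))
```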
60. D. Unified threat management (UTM) combines multiple security services into one device.
It is common for a UTM to have firewall, antivirus, and IDS services all in one device.
Options A, B, and C are incorrect. These are all good devices, but the UTM is a better
choice.
61. C. The security concept of implicit deny states that any new access account will by default
be denied all access. When a request is made for specific privileges for that account, then
the privileges are explicitly applied. This means that by default all privileges are implicitly
denied.
Option A is incorrect. Least privileges are what every account should have, but in this
scenario the accounts were all given default privileges. The concept of implicit deny is a better
answer.
Option B is incorrect. Separation of duties is used to prevent any one person from
executing any action that might have significant security ramifications for the company.
Option D is incorrect. It is true that your network is only as secure as its weakest link, but
that is not the best description of this scenario.
62. C. Write once, read many (WORM) storage is a type of high-capacity storage wherein
once the data is written to the storage, it cannot be edited. It provides both high-capacity
storage and secure storage, since the backups cannot be tampered with.
Option A is incorrect. Large-capacity external drives would need to be stored in a secure
place, and they can be edited and are thus not secure. You could secure one with
encryption, but the question does not mention encrypted drives.
Option B is incorrect. Backup tapes are older technology. Tapes frequently have issues, and
data can become irretrievable.
Option D is incorrect. Backup media should always be stored off-site, but there is the
issue that tapes can easily be damaged or corrupted, which is unacceptable for long-term
storage.
63. A. An SIEM aggregates logs from multiple servers and devices. It is difficult to review so
many logs, and of course issues could occur when Elizabeth is away from the SIEM
management console. Having automatic alerts is the best way to be made aware of issues that
require Elizabeth’s attention.
Option B is incorrect. Logs and event anomalies can be quite large, and having them
forwarded to her email is unwieldy and does not solve the problem. Elizabeth will still need
to read through them to be aware of any issues that require her attention.
Option C is incorrect. This situation is not optimal.
Option D is incorrect. Reviewing SIEM logs is one way that administrators become aware
of issues. So reviewing them only when you are already aware of an issue is not a good use
of SIEM.
64. D. Tethering is usually inexpensive, and simply tethering a portable device to a desk
makes it difficult to steal the device. No antitheft method is foolproof, but tethering is
simple, cost effective, and reasonably effective.
Option A is incorrect. Full-disk encryption (FDE) can be a good idea and will protect the
data on the laptop. However, the laptop can still be stolen, the drive wiped, and the laptop
reused or sold.
Option B is incorrect. GPS tagging may allow you to locate a stolen laptop, but it is usually
more expensive than tethering.
Option C is incorrect. Geofencing just limits where the device will work—it does not
prevent theft of the device.
65. A. Full-disk encryption (FDE) is the best way to protect data on any device. In this
scenario, the sensitive data on the tablets is the most important concern; therefore, securing
that data with FDE is the most important security measure to take.
Option B is incorrect. GPS tagging might be a good idea—it would help locate lost or
stolen devices. However, it is less important than FDE.
Option C is incorrect. Geofencing limits where a device can be used, and it does not
address the issues presented in this scenario.
Option D is incorrect. Content management is always a good idea. But in this case, it
won’t address the most important security concern.
66. A. HIDSs/HIPSs and NIDSs/NIPSs each have output that the vendor specifies. But all
such devices will output what protocol the traffic was, the source and destination IP
addresses, as well as the source and destination port. More information may be provided,
but this is the essential basic information all IDSs/IPSs display.
Option B is incorrect. Many of these devices won’t display the suspected attack type. The
person operating the device should recognize that a flood of SYN packets on a given port
is a SYN flood.
Option C is incorrect. Usernames and machine names may or may not be included, but IP
addresses will be.
Option D is incorrect. Usernames and machine names may or may not be included, but IP
addresses will be.
67. A. The standard items in any firewall log are the source and destination IP address and
port of all traffic, the protocol the traffic is using, and whether that traffic was allowed or
denied.
Option B is incorrect. Firewall logs record both traffic that is allowed and traffic that is
denied.
Option C is incorrect. Many firewalls don’t record a reason the traffic was denied, but all
record the protocol used.
Option D is incorrect. Firewall logs record both traffic that is allowed and traffic that is
denied.
68. A. Since 20 servers send logs to the SIEM, de-duplicating events will be important.
Option B is incorrect. An SIEM is a log aggregation and analysis tool. Log forwarding was
established before the incident.
Option C is incorrect. This is certainly something to do at some point, but it won’t be the
first action.
Option D is incorrect. This is certainly something to do at some point, but it won’t be the
first action.
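As an added illustration (not part of the practice test) of the three SIEM tasks in questions 42, 48 and 68, the following Python de-duplicates forwarded events, corrects per-host clock offsets left by an NTP outage, and then correlates the same event across servers; the hostnames, log lines, addresses and offsets are all constructed:

```python
"""Added example, not from the practice test: normalizing, de-duplicating and
correlating SIEM events from servers whose clocks drifted during an NTP outage.
Hostnames, log lines, addresses and clock offsets are all constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed forwarded log lines: "<host> <host-local ISO timestamp> <message>".
# web01 and db01 each forwarded one event twice (duplicates to remove).
RAW_EVENTS = [
    "web01 2024-03-01T10:00:05 sshd: Failed password for admin from 203.0.113.7",
    "web01 2024-03-01T10:00:05 sshd: Failed password for admin from 203.0.113.7",
    "web02 2024-03-01T10:07:06 sshd: Failed password for admin from 203.0.113.7",
    "db01 2024-03-01T09:58:04 sshd: Failed password for admin from 203.0.113.7",
    "db01 2024-03-01T09:58:04 sshd: Failed password for admin from 203.0.113.7",
    "web02 2024-03-01T10:30:00 cron: nightly backup finished",
]

# Constructed per-host clock offsets relative to the NTP reference, as measured
# once time sync was restored. Positive means the host clock ran ahead.
CLOCK_OFFSETS = {
    "web01": timedelta(0),
    "web02": timedelta(minutes=7),
    "db01": timedelta(minutes=-2),
}


def parse_event(line):
    host, stamp, message = line.split(" ", 2)
    return {"host": host, "ts": datetime.fromisoformat(stamp), "msg": message}


def normalize(events, offsets):
    """Convert host-local timestamps to reference time (the time-sync step)."""
    return [dict(ev, ts=ev["ts"] - offsets.get(ev["host"], timedelta(0)))
            for ev in events]


def deduplicate(events):
    """Drop exact (host, timestamp, message) repeats caused by double forwarding."""
    seen, unique = set(), []
    for ev in events:
        key = (ev["host"], ev["ts"], ev["msg"])
        if key not in seen:
            seen.add(key)
            unique.append(ev)
    return unique


def correlate(events, window=timedelta(seconds=5)):
    """Group identical messages whose timestamps fall within `window` of the
    previous event in the group. Returns (message, sorted hosts) for every
    group spanning more than one host, i.e. a candidate cross-server incident."""
    by_msg = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_msg[ev["msg"]].append(ev)

    groups = []

    def flush(msg, cluster):
        hosts = sorted({e["host"] for e in cluster})
        if len(hosts) > 1:
            groups.append((msg, hosts))

    for msg, evs in by_msg.items():
        cluster = [evs[0]]
        for ev in evs[1:]:
            if ev["ts"] - cluster[-1]["ts"] <= window:
                cluster.append(ev)
            else:
                flush(msg, cluster)
                cluster = [ev]
        flush(msg, cluster)
    return groups


def analyze(raw_lines, offsets):
    """Full pipeline: parse -> time-normalize -> de-duplicate -> correlate."""
    events = deduplicate(normalize([parse_event(line) for line in raw_lines], offsets))
    return events, correlate(events)


if __name__ == "__main__":
    # Skipping the time-sync step hides the attack: the three failed logins look
    # nine minutes apart, so nothing correlates.
    raw = deduplicate([parse_event(line) for line in RAW_EVENTS])
    print("without time sync:", correlate(raw))     # []
    events, groups = analyze(RAW_EVENTS, CLOCK_OFFSETS)
    print("unique events:", len(events))             # 4
    print("with time sync:", groups)                 # one group across 3 hosts
```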
69. A. In any IDS (HIDS/HIPS; NIDS/NIPS), the sensors collect data from the network
segment they are on and forward that information to the analyzer.
Option B is incorrect. A data source is any source of information for the IDS.
Option C is incorrect. The manager is the interface that a human operator uses to interact
with the NIDS/NIPS or HIDS/HIPS.
Option D is incorrect. The analyzer takes data sent to it from the sensors and analyzes the
data looking for indicators of an attack.
70. A. An access control list (ACL) has a list of which requestors are allowed access to which
resources. Using an IP address to block or allow requests is a common technique.
Option B is incorrect. A network intrusion prevention system (NIPS) is not part of access
control.
Option C is incorrect. A network intrusion detection system (NIDS) is not part of access
control.
Option D is incorrect. Port blocking can be used to block a port on a router or switch, but
it is not part of access control.
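As an added illustration (not part of the practice test) of the implicit deny principle from question 61 applied to the IP-based ACL of question 70, the following Python evaluates a small constructed ACL first-match-wins, with every request that matches no rule falling through to a deny:

```python
"""Added example, not from the practice test: an ordered access control list
evaluated first-match-wins, ending in an implicit deny. Rules, addresses and
ports are constructed for illustration."""
import ipaddress


def parse_rule(text):
    """Parse 'permit|deny <src-cidr|any> <proto|any> <port|any>' into a rule dict."""
    action, src, proto, port = text.split()
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    return {
        "action": action,
        "src": None if src == "any" else ipaddress.ip_network(src, strict=False),
        "proto": None if proto == "any" else proto.lower(),
        "port": None if port == "any" else int(port),
    }


def rule_matches(rule, src_ip, proto, port):
    ip = ipaddress.ip_address(src_ip)
    return ((rule["src"] is None or ip in rule["src"])
            and (rule["proto"] is None or rule["proto"] == proto.lower())
            and (rule["port"] is None or rule["port"] == port))


def evaluate(acl, src_ip, proto, port):
    """Return (decision, reason). The first matching rule decides; a request that
    matches nothing is denied by the implicit deny at the end of every ACL."""
    for index, rule in enumerate(acl):
        if rule_matches(rule, src_ip, proto, port):
            return rule["action"], f"rule {index}: {rule['action']}"
    return "deny", "implicit deny (no matching rule)"


# Constructed ACL: only the admin subnet may reach SSH, Telnet is refused from
# anywhere inside 10/8, and one partner range may reach HTTPS. Everything else
# is never mentioned and therefore falls through to the implicit deny.
ACL = [parse_rule(r) for r in (
    "permit 10.0.0.0/24 tcp 22",
    "deny   10.0.0.0/8  tcp 23",
    "permit 192.0.2.0/24 tcp 443",
)]


def audit(acl, requests):
    """Evaluate a batch of (src, proto, port) requests; useful for reviewing an
    ACL before deployment and seeing what ends up at the implicit deny."""
    return [(src, proto, port, *evaluate(acl, src, proto, port))
            for src, proto, port in requests]


if __name__ == "__main__":
    sample = [("10.0.0.5", "tcp", 22), ("10.1.2.3", "tcp", 23),
              ("198.51.100.9", "tcp", 443), ("192.0.2.10", "udp", 443)]
    for row in audit(ACL, sample):
        print(row)
```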
71. D. Secure Shell (SSH) uses port 22 and provides a secure, encrypted command-line
interface. Telnet uses port 23 and is not secure.
Option A is incorrect. Telnet uses port 23 and is not secure, but ports 20 and 21 are for
File Transfer Protocol (FTP).
Option B is incorrect. Ports 20 and 21 are for File Transfer Protocol (FTP). Port 22, SSH,
is what you should open.
Option C is incorrect. This is the opposite of the correct answer. You should block 23 and
allow port 22.
72. B. A reverse proxy is a type of proxy server that retrieves resources on behalf of a client
from one or more servers. The resources appear to the client as if they came from the proxy
server. In other words, the entire outside world appears as the proxy server to the client.
Option A is incorrect. A forward proxy server acts as an intermediary for requests from
clients seeking resources from other servers.
Option C is incorrect. A transparent proxy is between clients and the Internet, and as the
name suggests, the clients are unaware. Often these are co-located with the gateway.
Option D is incorrect. Although firewalls and proxy servers can be co-located, they are
two different technologies.
138773. C. By giving the tester logins, you are allowing him to conduct a privilege scan (i.e., a scan
1388with some privileges).
1389Options A and B are incorrect. They describe the level of knowledge the tester is given of
1390the network. A privilege scan cannot be a black-box test, but it could be either white box
1391or gray box.
1392Option D is incorrect. Although this is grammatically correct, it is not the term used in the
1393industry.
139474. C. A network intrusion detection system (NIDS) will detect suspected attacks on a given
1395network segment and notify the administrator. For example, in an anomaly detection,
1396the administrator will be notified if there are any deviation from an expected pattern or
1397behavior.
1398Option A is incorrect. A host intrusion detection system (HIDS) only detects intrusions for
1399a single host.
1400Option B is incorrect. A host intrusion prevention system (HIPS) only detects intrusions on
1401a single host, and it blocks suspected intrusions.
1402Option D is incorrect. A network intrusion prevention system (NIPS) will check the entire
1403network segment, but rather than simply notify the administrator for him or her to take
1404action, the NIPS will block the suspected traffic.
140575. C. A network intrusion detection system (NIDS) will detect intrusions across a network seg-
1406ment, but it won’t block the possible attacks, thus not disrupting work due to false positives.
1407Option A is incorrect. A host intrusion detection system (HIDS) will only detect intrusions
1408for a specific host.
1409Option B is incorrect. A host intrusion prevention system (HIPS) will only detect intrusions
1410for a specific host, and will block them, so it would disrupt work due to false positives.
1411Option D is incorrect. A network intrusion prevention system (NIPS) will detect intrusions
1412across a network segment, but it will also block them, possibly disrupting workflow.
141376. A. Company-Provided Equipment provides the most security because the company owns
1414and provides the equipment to employees. This allows the company to fully control security,
1415such as preventing carrier unlocking, disable recording microphone, prevent WiFi direct and
1416WiFi ad-hoc.
1417Option B is incorrect. Choose Your Own Device (CYOD) would have the employees
1418choose any device they wish from a set of options selected by the company. But these
1419would still be employee-owned and -controlled devices.
1420Option C is incorrect. Geotagging simply allows you to locate a device.
1421Option D is incorrect. Bring Your Own Device (BYOD) allows employees to bring what-
1422ever device they have to work. This is a security concern.
142377. A. A tunneling mode is the mode wherein IPSec encrypts the entire packet, header, and
1424data. This prevents someone sniffing traffic from gathering metadata about the traffic.
1425Option B is incorrect. Authentication Header (AH) provides authentication and integrity
1426but no encryption, so it cannot be the most secure mode.
1427Option C is incorrect. Internet Key Exchange (IKE) is used in setting up security associa-
1428tions in IPSec.Chapter 2: Technologies and Tools
1429253
1430Option D is incorrect. Transport mode encrypts only the data, not the header. This allows
1431metadata about traffic to be sniffed by an attacker. Therefore, this cannot be the most
1432secure mode.
143378. D. An active-passive cluster has backup servers that are not handling any workload. They
1434are brought into action if the primary server fails. This means the backup server will not
1435have been subjected to any workload and is effectively a new machine.
1436Option A is incorrect. An active-active cluster has all servers working, with the load bal-
1437anced between them. Should a primary server fail, there is some chance the backup might
1438fail in the near future.
1439Options B and C are incorrect. Round-robin and affinity describe how connections are
1440routed in the cluster, not how failover functions.
144179. A. A fat wireless access point (WAP) is one that has all the functionality needed, such as;
1442ability to traffic forwarded between wired interfaces like a layer 2 or layer 3 switch and
1443MAC filtering, and no other servers or devices are required. In this case, since each WAP
1444might have completely different needs, a fat WAP is preferred.
1445Option B is incorrect. Thin WAPs require some server or device to offload some function-
1446ality to. Since each WAP has different needs, this would be difficult to implement with thin
1447WAPs.
1448Option C is incorrect. A repeater resends a signal.
1449Option D is incorrect. Full is not a term used in the industry.
145080. D. Pretty Good Privacy (PGP) is very appropriate for email security. It provides self-signed
1451certificates for email signing and encrypting. It is also very low cost.
1452Option A is incorrect. Simple Mail Transfer Protocol Secure (SMTPS) is encrypted, but it
1453is only for sending email, not receiving. It also can be done with S/MIME or PGP.
1454Option B is incorrect. Secure/Multi-Purpose Internet Mail Extensions (S/MIME) uses
1455X.509 certificates, which are issued by a third party, and this has a cost associated with it.
1456Option C is incorrect. Internet Message Access Protocol (IMAP) is for receiving email. It
1457does not send email; therefore, IMAP would not provide a full solution.
145881. A. Date Execution Prevention (DEP) specifically monitors programs accessing system
1459memory and prevents that. Note that the Microsoft implementation of DEP simply
1460requires the end user to authorize all program execution.
1461Option B is incorrect. Full-disk encryption (FDE) is a good idea, but it will not prevent
1462running programs from accessing system memory.
1463Option C is incorrect. Unified threat management (UTM) is the combining of security ser-
1464vices such as antivirus, HIDS, log monitoring, firewall, and so forth in a single device.
1465Option D is incorrect. An intrusion detection system (IDS) monitors traffic on the net-
1466work, not running programs on a machine.
146782. B. Real-time Transport Protocol (RTP) is used to transport VoIP and video signals, but it
1468is not encrypted. Secure Real-time Transport Protocol (SRTP) should be used.
1469Option A is incorrect. Session Initiation Protocol (SIP) is used to initiate a VoIP call but
1470not to send the VoIP data.
1471Option C is incorrect. The speed is not the issue.
1472Option D is incorrect. The speed is not the issue.
147383. A. The output shown is from nslookup, which is used to interact with the DNS server for
1474your domain.
1475Option A is incorrect. The ipconfig command will show the network configuration for
1476your network cards.
1477Option C is incorrect. The netstat -a command will show listening ports.
1478Option D is incorrect. The dig command is a DNS-related utility, but the output shown is
1479not from dig.
148084. A. Online Certificate Status Protocol (OCSP) checks the status of a certificate in real time.
1481So when the browser is about to download a certificate, it first gets a real-time update if
1482the certificate is valid or not.
1483Option B is incorrect. X.509 is the standard for certificates and does not determine when
1484they are checked for status.
1485Option C is incorrect. A certificate revocation list (CRL) does show the status of certifi-
1486cates, but they are not updated in real time.
1487Option D is incorrect. The public key infrastructure (PKI) does not determine when cer-
1488tificate status is checked.
148985. D. While most people think of content filtering in regard to filtering content you view, it
1490can also be thought of in terms of content that is sent out. Implementing content filtering
1491ensures that the problem of data exfiltration via email will be mitigated.
1492Option A is incorrect. Email encryption would actually make it easier to exfiltrate data,
1493since the data would be hidden from any analysis.
1494Option B is incorrect. USB blocking won’t affect email filtration.
1495Option C is incorrect. A network-based intrusion prevention system (NIPS) cannot stop
1496email attachments.
149786. D. Encrypting a mobile device is the best way to ensure the data on the device is secure. If
1498the device is stolen or simply misplaced, then the data cannot be retrieved.
1499Option A is incorrect. Geofencing limits the operational area of a device. But even a device
1500that is not operating can have data accessed.
1501Option B is incorrect. A screen lock is always a good idea; however, that is not as effective
1502as device encryption.
1503Option C is incorrect. GPS tagging could be used to locate the device, but it won’t prevent
1504data from being copied off the device.
150587. A. The nmap -O flag indicates that you want to guess the operating system. The -PT scan
1506means do a ping with TCP. The -T1 is a very slow scan.
1507Options B, C, and D are all incorrect. The ping scan variations all start with -P (-PT TCP
1508ping, -TS SYN ping, etc.), the -T is timing, and the options are T1 (slowest) to T5 (fastest).
150988. D. Tcpdump is a widely used packet sniffer, made for Linux but ported to Windows. It
1510works from the shell in Linux (the command line in Windows) and allows the user to
1511dump current network traffic.
1512Option A is incorrect. Ophcrack is a Windows password-cracking tool.
1513Option B is incorrect. Nmap is a port scanner, rogue system detection, and network
1514mapping tool.
1515Option C is incorrect. Wireshark is a network traffic scanner, and wireless scanner but it
1516is for Windows or Macintosh.
151789. A. The tracert command is used to trace the route to a target (the equivalent command
1518in Linux is traceroute). The -h command sets the maximum number of hops before giv-
1519ing up.
1520Option B is incorrect. The image shows a maximum of 10 hops. Without specifying the
1521maximum, tracert will perform 30 hops.
1522Option C is incorrect. This is not the output of netstat.
1523Option D is incorrect. This is not the output of nmap.
152490. A. Transport Layer Security (TLS) can be used to secure any network communication
1525(HTTP, LDAP, SMTP, etc.) and it uses digital certificates.
1526Option B is incorrect. Secure Sockets Layer (SSL) is a much older technology that has been
1527replaced by TLS. TLS was first released in 1999.
1528Option C is incorrect. You could set up an IPSec VPN, but that would have more overhead
1529than TLS, and it would not leverage the existing digital certificate infrastructure.
1530Option D is incorrect. WPA2 is for security WiFi transmissions.
153191. C. Using cloud storage means that data is placed in the cloud, and can be accessed from
1532outside the network. This presents a problem for data loss prevention (DLP) since it pro-
1533vides a convenient way to exfiltrate data from the network.
1534Option A is incorrect. There is a security hazard for DLP.
1535Option B is incorrect. Malware is unlikely from a cloud server, but it also is not a DLP
1536concern.
1537Option D is incorrect. Company security policies apply to any company asset, including
1538cloud storage.
153992. D. The DMZ is the best location for a honeypot, if the concern is outside intruders. An
1540intruder is likely to first breach the outer firewall of the DMZ. A honeypot could conceiv-
1541ably catch the intruder there and prevent him or her from going further into the network.
1542Options A, B, and C are incorrect. Certainly, you can put a honeypot anywhere, but the
1543most important area is in the DMZ.
154493. A. When backing up data, if you do not encrypt the data, then it would be possible for
1545anyone to restore the backup and have access to all data you have backed up. Not all
1546backup utilities include data encryption.
1547Options B and D are incorrect. Both of these are very good ideas and ensure data integrity,
1548but they were not mentioned as one of Sheila’s concerns.
1549Option C is incorrect. Although this is important, it is a feature that exists in all backup
1550utilities.
155194. C. Banner grabbing is a process whereby someone connects to a target web server and
1552attempts to gather information, literally grabbing the web services “banner.†This is often
1553done by telnetting into the web server. It can also be done with netcat, using an HTTP
1554request.
1555Option A is incorrect. Passive reconnaissance would not involve active connections to the
1556server.
1557Option B is incorrect. Although this is active reconnaissance, it is more accurately
1558described as banner grabbing.
1559Option D is incorrect. This scenario is not describing vulnerability scanning.
156095. B. Exploit frameworks are tools that provide a framework for finding vulnerabilities
1561and then attempting to exploit those vulnerabilities. These tools are an important part of
1562network security testing.
1563Option A is incorrect. A vulnerability scanner would only identify the vulnerabilities; it
1564would not provide a means to use the vulnerability.
1565Option C is incorrect. Metasploit is a popular exploit framework, but the question asked
1566about the class of tools, not about identifying a specific tool.
1567Option D is incorrect. Nessus is a well-known vulnerability scanner.
156896. D. US DoD data sanitization standard DoD 5220.22-M recommends an average of 7 com-
1569plete wipes to wipe data. The standard has a matrix wherein you match the sensitivity of
1570the data to a specific number of wipes, but the general rule is 7.
1571Options A, B, and C are all incorrect. Less than 7 wipes are considered inadequate to pre-
1572vent data recovery tools from recovering the data.
157397. C. Firewalls do block inbound traffic and can be configured to fine-tune that blocking.
1574However, they can and should also be configured to handle outbound traffic. This can pre-
1575vent data exfiltration and other breaches.
1576Option A is incorrect. This configuration is missing outbound rules.
1577Option B is incorrect. It is often a good idea to encrypt some traffic, but not all traffic can
1578or should be encrypted. DNS requests, for example, are not usually encrypted.
1579Option D is incorrect. Digital certificates can be a very good mechanism for authentica-
1580tion. However, not all traffic can be authenticated with a digital certificate.
158198. C. X.509 is the most common standard for digital certificates. It is relatively easy to cre-
1582ate your own self-signed certificate. However, if you use a self-signed certificate on a pub-
1583lic website, everyone visiting the website will receive a security error message from their
1584browser.
1585Option A is incorrect. You can encrypt all web traffic, and it is usually done with TLS and
1586X.509 certificates.
1587Option B is incorrect. PGP certificates are usually for email and not used for websites.
1588Option D is incorrect. This is not appropriate—he should not be using self-signed
1589certificates.
159099. C. Port 442 is used for HTTPS, HTTP encrypted via TLS. Port 22 is used for secure shell
1591(SSH), which is a secure, encrypted command-line interface often used by administrators. Port
159280 is for unencrypted HTTP traffic. Port 23 is for telnet, an insecure command-line interface.
1593Options A, B, and D are incorrect. These are not the proper ports to block or to open.
1594100. B. Steganography allows you to embed data, messages, or entire files in other files. It is
1595common to use this to embed some identifying mark that would track the owner of the
1596document and perhaps its originating location. Steganography can track confidential
1597documents.
1598Options A and D are incorrect. Encryption of any type can be used to secure a document
1599but won’t help identify a document should it be leaked.
1600Option C is incorrect. Hashes can be useful in detecting changes to a document but are
1601less useful in identifying documents and their origin.
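The tracking mark described in answer 100, as an added worked example that is not from the book: a short owner/document identifier is hidden in the least significant bit of each byte of a cover buffer, the way a watermark is hidden in an image's pixel values, and recovered again from the marked copy. The cover buffer, the tag and the length-prefix layout are all constructed for this example.

```python
# Constructed example (not from the book): hide a short owner/document tag
# in the least significant bit (LSB) of each byte of a cover buffer, and
# recover it from the marked copy. A 2-byte big-endian length prefix lets
# the extractor know how many tag bytes to read back.

def embed_tag(cover: bytes, tag: bytes) -> bytes:
    """Write a 2-byte length prefix plus `tag` into the LSBs of `cover`."""
    payload = len(tag).to_bytes(2, "big") + tag
    bits_needed = len(payload) * 8            # one cover byte per payload bit
    if bits_needed > len(cover):
        raise ValueError("cover too small: need %d bytes, have %d"
                         % (bits_needed, len(cover)))
    out = bytearray(cover)
    for i in range(bits_needed):
        bit = (payload[i // 8] >> (7 - i % 8)) & 1   # MSB-first within a byte
        out[i] = (out[i] & 0xFE) | bit               # replace only the low bit
    return bytes(out)


def _read_lsb_bytes(buf: bytes, offset: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs of buf[offset : offset + 8*count]."""
    result = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (buf[offset + b * 8 + k] & 1)
        result.append(value)
    return bytes(result)


def extract_tag(stego: bytes) -> bytes:
    """Read the length prefix (16 cover bytes), then that many tag bytes."""
    length = int.from_bytes(_read_lsb_bytes(stego, 0, 2), "big")
    return _read_lsb_bytes(stego, 16, length)


def max_byte_change(cover: bytes, stego: bytes) -> int:
    """Largest per-byte difference the embedding introduced (LSB edits: at most 1)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed "pixel" buffer: 1024 bytes cycling through 0..255.
COVER = bytes(range(256)) * 4
TAG = b"doc-4711:owner=alice"   # constructed identifier, 20 bytes = 160 bits

if __name__ == "__main__":
    marked = embed_tag(COVER, TAG)
    print("recovered:", extract_tag(marked))
    print("max byte change:", max_byte_change(COVER, marked))
```

Each byte of the cover moves by at most one unit, which is why the mark survives visual inspection; it also shows the limits the answer hints at, since a copy that is re-encoded or resized will scramble the low bits and the tag with them, so a tracking mark of this kind identifies a leaked original rather than every derivative.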
101. B. Port 465 is for Simple Mail Transfer Protocol Secure (SMTPS). Port 993 is for Internet Message Access Protocol Secure (IMAPS). Port 995 is for Post Office Protocol Secure (POP3S). By allowing these ports you allow encrypted email. Port 25 is for SMTP, unencrypted. Port 110 is for POP3, unencrypted. Ports 143 (or 220) can be used for IMAP, unencrypted. By blocking these ports, you prevent unencrypted email traffic.
Options A, C, and D are incorrect. All of these have the wrong port configurations. In fact, option A is the exact opposite of what you would want to implement.

102. A. Each of these firewalls is logging all activity, but the logs are not centralized. This makes it quite difficult to monitor all logs. By integrating with an SIEM, all logs are centralized and Mark can get alerts for issues.
Options B and D are incorrect. A honeypot or honeynet might be a good idea, but neither is the next logical step or part of firewall configuration.
Option C is incorrect. Integrating with Active Directory (AD) may or may not be a good choice for Mark, but it won’t improve his firewall configuration.

103. C. In IPSec, tunneling mode encrypts not only the packet data but the header as well. This prevents someone from determining what protocol the traffic is using, the packet sequence number, or other metadata.
Option D is incorrect. Transport mode is the mode wherein IPSec encrypts the data but not the packet header.
Option A is incorrect. Authentication Header is used for integrity and authentication.
Option B is incorrect. ESP (Encapsulating Security Payload) is used for authentication and encryption in IPSec, whether tunneling or transport mode is used.

104. A. If an intrusion detection system is missing attacks (whether it is a NIDS or HIDS), this is a false negative. The IDS is incorrectly identifying traffic as not an attack. John needs to reconfigure to reduce false negatives.
Option B is incorrect. Port blocking is a firewall function.
Option C is incorrect. Stateful packet inspection (SPI) is a method of firewall operations.
Option D is incorrect. When an IDS (or any security device) labels legitimate traffic as an attack, that is called a false positive.

105. D. Remote-access VPNs are used to allow users at diverse locations to remotely access the network via a secure connection. Traveling employees are a typical scenario in which a remote-access VPN would be used.
Option A is incorrect. L2TP is a protocol for VPNs and could be used for either site-to-site or remote-access VPNs.
Option B is incorrect. IPSec is a protocol for VPNs and could be used for either site-to-site or remote-access VPNs.
Option C is incorrect. A site-to-site VPN is a permanent VPN connection between sites.

106. A. Since employees use the Company-Owned Personally Enabled (COPE) device for personal use, the devices will have the employee’s personal information. This can lead to personal and private data being exposed to the company.
Option B is incorrect. Any portable device has the chance of being used for data exfiltration, but COPE is no more susceptible than other configurations such as BYOD.
Option C is incorrect. In fact, the opposite is true. It is less likely that devices will be improperly configured because the company controls configuration.
Option D is incorrect. There are issues with this option.

107. B. Application management is primarily concerned with ensuring only authorized and approved applications are installed on mobile devices. This would be the next logical step to perform. Control of which applications are allowed on the device is central to basic security.
Option A is incorrect. Geofencing may or may not even be appropriate for every company.
Option C is incorrect. Geolocation is useful for locating stolen devices, but it is not the next step to take in security.
Option D is incorrect. Remote wipe can be useful should a device be lost or stolen, but it is not the next step to take in security.

108. A. Containerization establishes a secure, isolated area of the device that is also encrypted. It separates data and applications in the container from the rest of the phone. This would be the best way to segregate company data from personal data on BYOD.
Option B is incorrect. Screen locks are fundamental to mobile device security, but they won’t address this concern.
Option C is incorrect. SQL FDE is a good idea, but it does not segregate company from personal data.
Option D is incorrect. Biometrics is an excellent idea for authentication but will do nothing to address the issue in this scenario.

109. A. The term sideloading in general means to transfer data between two devices—more specifically, with mobile devices. It most often is associated with using sideloading to install Android apps from places other than Google Play.
Option B is incorrect. The loading is done via some device, not via WiFi.
Option C is incorrect. The process of sideloading does not bypass the screen lock.
Option D is incorrect. Sideloading could get malware on the device, but the process of sideloading involves active participation from the user.

110. C. Whether the device is Company-Owned and Personally Enabled (COPE) or Bring Your Own Device (BYOD), any mobile device can be a USB On-the-Go (OTG) device. This means the device itself serves as a mass storage USB drive, and data can be exfiltrated on the device. This is a concern for data loss prevention (DLP).
Options A and B are incorrect. Any device can be USB OTG.
Option D is incorrect. You need not jailbreak a phone or tablet in order to use it as USB OTG.

111. B. Domain Name System Security Extensions (DNSSEC) is a suite of extensions that add security to the DNS protocol by enabling DNS responses to be validated. With DNSSEC, the DNS protocol is much less susceptible to certain types of attacks, particularly DNS spoofing attacks.
Option A is incorrect. IPSec is used for VPNs and will not mitigate DNS poisoning.
Option C is incorrect. L2TP is used for VPNs and will not mitigate DNS poisoning.
Option D is incorrect. TLS can be used to encrypt transmissions over the Internet, but it is not helpful in mitigating DNS poisoning.

112. D. Kerberos uses encrypted tickets with a time limit. Service tickets are usually limited to less than 5 minutes. The Key Distribution Center, client, and services all need to have time synchronized. If Network Time Protocol (NTP) is not functioning, it is possible that legitimate tickets may appear to have expired.
Options A, B, and C are incorrect. None of these require time synchronization.
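The failure mode in answer 112, as an added worked example (this model is not from the book and is deliberately simplified): the KDC stamps a ticket's validity window from its own clock, and the service compares that window, plus the client's authenticator timestamp, against its own clock with a fixed skew allowance. The five-minute skew, the ten-hour ticket lifetime, the principals and the timeline are assumptions; the error names are the RFC 4120 codes a real service would return.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Tuple

# Assumed tolerance: Kerberos deployments commonly allow five minutes of
# clock skew, but it is configurable, so treat the value as an assumption.
MAX_CLOCK_SKEW = timedelta(minutes=5)


@dataclass(frozen=True)
class ServiceTicket:
    client: str
    service: str
    starttime: datetime   # stamped by the KDC from the KDC's clock
    endtime: datetime


def issue_ticket(kdc_now: datetime, client: str, service: str,
                 lifetime: timedelta = timedelta(hours=10)) -> ServiceTicket:
    """KDC side (simplified model): the validity window comes from the KDC clock."""
    return ServiceTicket(client, service, kdc_now, kdc_now + lifetime)


def validate_ticket(ticket: ServiceTicket, service_now: datetime) -> Tuple[bool, str]:
    """Service side: check the window against the service's own clock.

    The skew allowance is applied at both edges. Beyond it the service cannot
    distinguish a drifted clock from a stale or forged ticket, so it refuses.
    """
    if service_now < ticket.starttime - MAX_CLOCK_SKEW:
        return False, "KRB_AP_ERR_TKT_NYV: ticket not yet valid (service clock behind KDC)"
    if service_now > ticket.endtime + MAX_CLOCK_SKEW:
        return False, "KRB_AP_ERR_TKT_EXPIRED: ticket expired (service clock ahead of KDC)"
    return True, "ok"


def validate_authenticator(client_stamp: datetime, service_now: datetime) -> Tuple[bool, str]:
    """The authenticator carries the client's clock; it must also be within skew."""
    if abs(service_now - client_stamp) > MAX_CLOCK_SKEW:
        return False, "KRB_AP_ERR_SKEW: client clock differs from service clock"
    return True, "ok"


# Constructed timeline: KDC, client and service should all read T0.
T0 = datetime(2019, 3, 1, 4, 18, tzinfo=timezone.utc)
TICKET = issue_ticket(T0, "alice@EXAMPLE.COM", "http/app.example.com")


def ticket_ok_at(service_drift_minutes: int) -> bool:
    """Would the service accept TICKET if its clock were off by this many minutes?"""
    return validate_ticket(TICKET, T0 + timedelta(minutes=service_drift_minutes))[0]


def authenticator_ok_at(client_drift_minutes: int) -> bool:
    """Would the service accept an authenticator from a client off by this much?"""
    return validate_authenticator(T0 + timedelta(minutes=client_drift_minutes), T0)[0]


if __name__ == "__main__":
    for drift in (0, 4, -30, 10 * 60 + 6):
        print(f"service clock off by {drift:+5d} min ->",
              validate_ticket(TICKET, T0 + timedelta(minutes=drift))[1])
    print("client clock off by +30 min ->",
          validate_authenticator(T0 + timedelta(minutes=30), T0)[1])
```

A service whose clock has drifted half an hour behind the KDC rejects a freshly issued ticket as "not yet valid", and one drifted ahead rejects it as "expired"; nothing about the ticket itself changed, which is why the first thing to check when Kerberos authentication fails across the board is NTP.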
113. C. Network Address Allocation is the process of allocating network addresses. In a DHCP environment, this can be done to limit how many IP addresses are requested from a single network segment. For example, if a network segment has only 30 nodes, then no more than 30 addresses can be allocated to that segment. This would mitigate DHCP starvation.
Option A is incorrect. Encrypting communications is often a good idea, but it won’t mitigate this issue.
Option B is incorrect. Full-disk encryption (FDE) is often a good idea but won’t mitigate this issue.
Option D is incorrect. Just like TLS, IPSec can often be a good answer for securing communications. But securing the transmission is not the issue in this case.

114. D. This is really about network address allocation. Classless Inter-Domain Routing (CIDR) notation provides the number of bits that are masked for the network. Remaining bits are used for nodes. To determine the size of a subnet based on CIDR notation (/N), the formula is simple: [2 ^ (32 – N)] – 2. In this case, that is [2 ^ (32 – 26)] – 2, or (2 ^ 6) – 2, or 64 – 2, or 62 nodes.
Options A, B, and C are all incorrect. They all yield subnets that are too small (/27 and /29) or are needlessly large (/24).

115. B. Infrastructure as a Service (IaaS) uses a third-party service and templates to provide the network infrastructure in a virtualized manner, but the client company still administers the network. By moving to a virtualized solution, administration is very centralized. By using IaaS, Lydia will reduce costs, but she will still maintain direct control.
Option A is incorrect. Outsourcing will remove control of the network to a third party.
Option C is incorrect. Platform as a Service (PaaS) can only provide operating systems.
Option D is incorrect. Open source won’t help centralized administration, and the total cost of ownership may not actually be less.

116. C. Terminal Access Controller Access Control System+ (TACACS+) is a remote access protocol. It uses TCP, which is a reliable transport protocol, and it fully encrypts the messages. TACACS+ also supports a range of network protocols.
Option A is incorrect. Remote Authentication Dial-In User Service (RADIUS) uses UDP, which is not a reliable transport protocol and does not support many networking protocols.
Option B is incorrect. Diameter (not an acronym) does support TCP, but it does not fully encrypt the messages.
Option D is incorrect. IPSec is a VPN protocol, not a remote access and authentication protocol.

117. C. Voice over IP (VoIP) is accomplished with at least two protocols. Session Initiation Protocol (SIP) is used to establish the call. Real-time Transport Protocol (RTP) is used to send the actual data. These two, at a minimum, must be allowed through the firewall. If there are secure calls, the Secure Real-time Transport Protocol (SRTP) would also need to be allowed.
Option A is incorrect. RADIUS is a remote authentication protocol, and Simple Network Management Protocol (SNMP) is used to manage the network.
Option B is incorrect. TCP and UDP are types of protocol; all network protocols are either TCP or UDP.
Option D is incorrect. SIP is needed, but RADIUS is a remote authentication protocol.

118. D. Classless Inter-Domain Routing (CIDR) notation provides the number of bits that are masked for the network. Remaining bits are used for nodes. To determine the size of a subnet based on CIDR notation (/N), the formula is simple: [2 ^ (32 – N)] – 2. In this case, that is [2 ^ (32 – 29)] – 2, or (2 ^ 3) – 2, or 8 – 2, or 6 nodes.
Options A, B, and C are incorrect. The most common wrong answer is C, which would be the result if you forgot to subtract 2 at the end of the calculation.
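The subnet-size formula used in answers 114 and 118, as an added worked example that is not from the book: it computes [2 ^ (32 – N)] – 2 for any prefix, separates the total block size from the usable count (the "forgot to subtract 2" mistake answer 118 mentions), picks the smallest prefix that fits a required node count, and cross-checks the arithmetic against Python's standard `ipaddress` module. The caveat for /31 and /32 is added here and is not discussed in the answers.

```python
import ipaddress


def block_size(prefix: int) -> int:
    """Total addresses in an IPv4 /prefix block: 2^(32 - N)."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix must be between 0 and 32")
    return 2 ** (32 - prefix)


def usable_hosts(prefix: int) -> int:
    """Usable node addresses: [2^(32 - N)] - 2 (network and broadcast removed).

    Caveat (not from the book): the "- 2" rule holds for /0 through /30.
    A /31 point-to-point link (RFC 3021) and a /32 host route do not reserve
    network/broadcast addresses, so they are rejected here rather than
    reported as 0 or -1 usable hosts.
    """
    if prefix > 30:
        raise ValueError("the - 2 formula does not apply to /31 or /32")
    return block_size(prefix) - 2


def smallest_subnet_for(nodes: int) -> int:
    """Longest prefix (smallest block) whose usable host count covers `nodes`."""
    for prefix in range(30, -1, -1):
        if usable_hosts(prefix) >= nodes:
            return prefix
    raise ValueError("more nodes than a single IPv4 network can address")


def hosts_by_library(cidr: str) -> int:
    """Cross-check: let the standard library count the block, then subtract 2."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.num_addresses - 2


if __name__ == "__main__":
    for n in (24, 26, 27, 29):
        print(f"/{n}: {usable_hosts(n)} usable nodes "
              f"({block_size(n)} addresses before subtracting 2)")
    print("50 nodes fit in a /%d" % smallest_subnet_for(50))
    print("library agrees for 192.0.2.0/26:",
          hosts_by_library("192.0.2.0/26") == usable_hosts(26))
```

Running it reproduces the two answers (/26 gives 62 nodes, /29 gives 6) and shows why /27 (30 nodes) is too small and /24 (254) needlessly large for a segment of about 50 nodes; `block_size(29)` returns the 8 that appears when the final subtraction is skipped.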
119. C. With application blacklisting, any application that is not on the blacklist is allowed. Since it is impossible to know all the malicious applications that exist in the world, this means that at least some malicious applications would not be blocked. A better approach is application whitelisting. In whitelisting, only those applications on the list can be installed.
Option A is incorrect. Blacklisting will block only a finite number of malicious applications.
Option B is incorrect. This approach won’t block any legitimate applications. In fact, it won’t block all malicious applications.
Option D is incorrect. This should not have a deleterious effect on productivity.

120. A. Patch management software is used to roll out patches to the network. Such software will also provide reports as to what machines are patched, which ones still have not been patched, and any issues with applying a patch.
Option B is incorrect. Automatic updates should not be used on corporate networks. It is always possible that a particular update will interfere with some mission-critical application in the corporation. Instead, patches are tested and then rolled out to the network.
Option C is incorrect. The issue is to get the unpatched systems patched.
Option D is incorrect. Scanning is possible but not as good a solution as patch management.

121. C. Unified Threat Management (UTM) combines multiple security services into one device. In this example, we have blocking (firewall), detection (IDS), and anti-malware all in one device.
Option A is incorrect. An IDS would only detect possible intrusions. It would not accomplish all the goals of the question.
Option B is incorrect. A firewall would block incoming traffic but would not accomplish the other goals in the question.
Option D is incorrect. An SIEM is used for log aggregation and would not accomplish any of the goals of the question.

122. B. Data loss prevention (DLP) is a broad term encapsulating a family of technologies and policies designed to prevent data from being lost. Limiting the use of unapproved USB devices is one example of DLP.
Option A is incorrect. An intrusion detection system (IDS) would not address this issue.
Option C is incorrect. Content filtering limits content users can access, such as via a web browser. This won’t stop them from copying documents to unapproved USB devices.
Option D is incorrect. A network intrusion prevention system (NIPS) won’t stop the copying of documents to a USB.

123. Firewall C
HIDS A
SIEM B
NIDS D

124. C. When a device is jailbroken—particularly an iOS device—the device owner can then install any application they wish onto the device. This can lead to unauthorized, and potentially malicious, applications being installed.
Option A is incorrect. Jailbroken devices can still be patched.
Option B is incorrect. Full disk encryption will still function on jailbroken devices.
Option D is incorrect. Data can be exfiltrated on mobile devices, whether or not the device is jailbroken.

125. B. Over-the-air (OTA) updates are accomplished wirelessly. This can be done over a cellular network, wherever the device is. Using OTA updates for the mobile devices is the most efficient solution.
Option A is incorrect. This would work but would interrupt the employees’ normal work schedules and be inefficient.
Option C is incorrect. Moving from Company-Owned and Personally Enabled to Bring Your Own Device (BYOD) would actually make the situation worse, but doing so would absolve the company of the responsibility of managing updates.
Option D is incorrect. Policies require a mechanism for implementation. OTA is such a mechanism.

126. A. Remote Authentication Dial-In User Service (RADIUS) is an older authentication and access control protocol, but it uses UDP. The other options mentioned do not use UDP.
Options B and C are incorrect. Both Diameter and TACACS+ are newer protocols, but both use TCP.
Option D is incorrect. IPSec is a VPN protocol, not a remote authentication and access control protocol.

127. C. Employees using tethering can be a significant security issue. However, none of the technological solutions listed would solve it. Therefore, implementing (and enforcing) a clear policy against tethering is the only viable option.
Option A is incorrect. She is not using the company wireless; she is making her phone into a WAP (wireless access point).
Option B is incorrect. A web application firewall (WAF) protects the web server; it does nothing to limit outgoing web traffic.
Option D is incorrect. A host intrusion prevention system (HIPS) would have a chance of addressing this issue only if it was installed on the machine being tethered.

128. A. Many banks already implement a policy of sending a customer an SMS message with an authentication code anytime someone tries to log into the bank website from an unknown location. This provides a second communications channel for authenticating the customer.
Option B is incorrect. All bank websites are already encrypted with TLS, and that does not address this issue.
Option C is incorrect. Strong passwords are an excellent idea, but they won’t address this issue.
Option D is incorrect. This sort of restriction would seriously impede usability of the bank website.

129. A. Although many things can occur from running custom firmware on a device, the most likely issue is that unauthorized software can be installed. This software could be malicious software.
Options B and C are incorrect. It is certainly possible that these could occur, but they are not the primary issues.
Option D is incorrect. It is a security issue.

130. B. Network Access Control (NAC) allows the network to enforce a level of host health checks on devices before allowing them to connect. With agent NAC, a software agent is installed on any device that wishes to connect to the network. That agent can do a much more thorough systems health check of the BYOD.
Option A is incorrect. Agentless NAC can be useful but is less effective than agent NAC.
Options C and D are incorrect. Stronger authentication is a good security measure but won’t address the issue of scanning BYOD to ensure compliance with security rules.

131. C. Network Access Control (NAC) performs a systems health check on devices and validates that the device meets minimum security standards before allowing it to connect. An
1835agent-based NAC is more thorough in scanning the device. However, that leaves an agent
1836on the visitor’s device. A dissolvable agent will delete after a period of time.
1837Option A is incorrect. A permanent NAC would have an impact on visitors’ devices.
1838Option B is incorrect. Agentless NAC would have less impact, and would also be less thor-
1839ough and thus less secure.
1840Option D is incorrect. Company-Owned Personally Enabled (COPE) devices are not pos-
1841sible for guests.
1842132. C. File integrity checkers work by storing hashes of various files. At any time, the
1843administrator can use the file integrity checker to compare the stored hash to the hash of
1844the “live†file on the network. This will detect whether any changes have been made to
1845the file.
1846Option A is incorrect. Network Access Control (NAC) is used to ensure devices connect-
1847ing to the network meet minimum security standards.
1848Option B is incorrect. A network intrusion detection system (NIDS) won’t be able to tell
1849you whether files have been altered.
1850Option D is incorrect. A vulnerability scanner only scans for known vulnerabilities.
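As an added illustration of the store-and-compare technique behind a file integrity checker (example code, not from the book): it records SHA-256 hashes of a directory tree in a baseline file, then reports which files were modified, added or deleted. The directory layout, file names and file contents are constructed for the demo.

```python
"""
Minimal file integrity checker (added example, not from the original text).

1. build_baseline() hashes every regular file under a root directory.
2. save_baseline()/load_baseline() keep that map in a JSON file. In practice
   the baseline belongs on read-only or off-host storage so an intruder who
   alters a file cannot also "fix" its stored hash.
3. verify() re-hashes the live tree and reports modified, added and deleted
   files relative to the baseline.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # read in chunks so large files do not exhaust memory


def hash_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (path relative to root) to its hash.

    Symlinks are skipped on purpose: a link swapped to point elsewhere would
    otherwise be hashed as if it were the original file.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def save_baseline(baseline: dict, store: Path) -> None:
    store.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(store: Path) -> dict:
    return json.loads(store.read_text())


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the stored hashes.

    Returns {"modified": [...], "added": [...], "deleted": [...]}; all three
    lists empty means the tree still matches the baseline.
    """
    live = build_baseline(root)
    modified = sorted(p for p in baseline if p in live and live[p] != baseline[p])
    added = sorted(p for p in live if p not in baseline)
    deleted = sorted(p for p in baseline if p not in live)
    return {"modified": modified, "added": added, "deleted": deleted}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"                     # constructed sample tree
        (root / "conf.d").mkdir(parents=True)
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "conf.d" / "app.conf").write_text("debug=false\n")
        store = Path(tmp) / "baseline.json"

        save_baseline(build_baseline(root), store)
        clean = verify(root, load_baseline(store))   # expect no findings

        # Simulated tampering: edit one file, delete one, add one.
        (root / "conf.d" / "app.conf").write_text("debug=true\n")
        (root / "hosts").unlink()
        (root / "conf.d" / "unexpected.conf").write_text("x\n")
        dirty = verify(root, load_baseline(store))
        return {"clean": clean, "dirty": dirty}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```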
133. B. An out-of-band network intrusion detection system (NIDS) places the management portion on a different network segment, making detection of the NIDS more difficult.
Option A is incorrect. A hybrid NIDS combines a network node IDS with a host IDS.
Option C is incorrect. A network intrusion prevention system (NIPS) is usually quite detectable, by its very nature. By blocking offending traffic, it will absolutely be noticed.
Option D is incorrect. A network node IDS (NNIDS) uses a network approach, but it delegates the IDS functions to individual hosts.

134. B. An SSL decryptor is used to decrypt SSL/TLS transmissions. The decryptor must have the appropriate encryption keys and certificate to accomplish this. It is a good way for a company to monitor outbound SSL/TLS traffic. The traffic is first decrypted before the network gateway, and then re-encrypted to leave the network. This allows outbound traffic to be analyzed.
Options A and C are incorrect. NIDS and NIPS cannot see the content of encrypted traffic.
Option D is incorrect. An SSL accelerator is used to offload some of the processing for establishing an SSL/TLS tunnel.

135. A, C. One port is for the gateway and one is for the call agent. Traffic from the call agent to the gateway uses UDP port 2427, and traffic from the gateway to the call agent uses UDP port 2727.
Options B and D are incorrect. 1707 is L2TP, and 1727 is PPTP.

136. IPSec: C
WPA2: A
SSH: D
SIP: B

137. C. When you must support machines that cannot connect to newer, more secure WiFi protocols, then put those machines on a separate WiFi network. That won’t prevent them from being breached, but it will prevent that breach from exposing your entire network.
Option A is incorrect. A VLAN is not applicable to this scenario.
Option B is incorrect. Denying wireless access is not necessary.
Option D is incorrect. Although encrypting network traffic is often a good idea, it won’t solve this problem.

138. A. Secure File Transfer Protocol (SFTP) is a protocol based on Secure Shell, and it provides directory listing, remote file deletion, and other file management abilities. It is also secure.
Option B is incorrect. Secure Shell (SSH) provides a secure terminal connection.
Option C is incorrect. Secure Copy (SCP) is based on SSH and does allow file transfer. But it does not support other file management capabilities.
Option D is incorrect. IPSec is a VPN protocol.

139. A. Third-party app stores are stores run by someone other than the vendor. They don’t have restrictions on what apps can be placed in them. This can lead to malicious apps being in the store. By only using vendor stores (iTunes, Google Play, etc.), you can be assured that the apps have been scanned for malware.
Option B is incorrect. Vulnerability scanning is an automated process that checks for the presence of known vulnerabilities.
Options C and D are incorrect. These both refer to how much information about the network the tester is given. In both black-box and white-box tests, there will still be an initial exploit.

140. C. The best way to see if passwords are crackable is to attempt to crack them. This is done by using one or more well-known and reliable password crackers. If you are able to crack your passwords, that demonstrates they are not adequate.
Option A is incorrect. Many vulnerability scanners don’t check passwords, and those that do only check rudimentary requirements.
Option B is incorrect. The concern is that the policies may not be adequate. So, an audit will only show if people are complying with the policy, not whether the policy itself is adequate.
Option D is incorrect. Passwords are usually stored as a hash. This does not prevent tools, like rainbow tables, from cracking passwords.
141. B. Port 25 is for Simple Mail Transfer Protocol (SMTP), which is used to send email. Port 110 is for Post Office Protocol (POP) version 3, which is used to receive email. These two ports are used for the unencrypted versions of these email protocols. So if these are being used, then you will see unencrypted email credentials. The username and password will be sent in clear text.
Option A is incorrect. Ports 80 and 443 are for website traffic.
Option C is incorrect. Ports 20 and 21 are for FTP traffic.
Option D is incorrect. Digital certificates would indicate encrypted data, and ports 25 and 110 are not encrypted.

142. B. Secure Shell (SSH) uses port 22. If there was a breach that allowed external access to the SSH server, there will be traffic on port 22.
Option A is incorrect. Port 23 is for telnet, not SSH.
Option C is incorrect. SSH is encrypted, so you would not see clear-text credentials.
Option D is incorrect. This breach would not cause malformed credentials.

143. B. Push notifications are used to send out updates when they are ready. With push notifications, you do not wait for the user to check for an update; the update is sent as soon as it is ready.
Option A is incorrect. Firmware Over-the-Air (OTA) updates are a good idea, but this question is about custom apps, not firmware.
Option C is incorrect. The issue in this question is not whether updates are being scheduled but whether they are being applied.
Option D is incorrect. A policy against custom firmware is a good security policy. However, this question is about custom apps, not firmware.

144. D. Rooting is a process that allows you to attain root access to the Android operating system code. Rooting allows the user to do virtually anything, including modify the software code on the device or install other software that normally would be blocked.
Option A is incorrect. Blocking third-party apps is a good idea but does not address the administrative access issue.
Option B is incorrect. Jailbreaking is the term used for iOS devices, not Android.
Option C is incorrect. You would first need to get administrative access in order to install custom firmware.

145. A. Biometrics, type III authentication, are very robust. Biometrics are based on a biological part of the authorized user, so they are very difficult to fake and impossible for the user to lose.
Option B is incorrect. Screen locks are necessary, but they are only a rudimentary security measure.
Option C is incorrect. In combination with the username and password, context-aware authentication examines the user’s location, the time of day the user is logging in, the computer that the user is logging in from, what the user is trying to do, the context, and so forth. This is a very good authentication method, but biometrics can still be more effective and more user-friendly.
Option D is incorrect. Storage segmentation is very good for separating user personal data from company data, but it won’t address unauthorized access.

146. C. Infrared uses a wavelength of light that is not visible to humans. Since it is light, it is not susceptible to EMI. It can be used over most distances, provided there is a line of sight. The disadvantage is that any break in the line of sight breaks communication.
Option A is incorrect. Bluetooth has a range of only 10 meters.
Option B is incorrect. WiFi is susceptible to EMI.
Option D is incorrect. RF is susceptible to EMI.

147. D. The -sW flag for Windows is a Windows scan. The -sT is a TCP full-connect scan. Those are not at all stealthy, but they are very accurate. The -sO is a protocol scan that will check all protocols. The -T determines timing. Since stealth is not important, simply scan as fast as you wish using -T5.
Option A is incorrect. The -sL just lists targets, and the /24 would scan the entire subnet, not just the target.
Option B is incorrect. The -T1 would be very slow but stealthy. And this command lacks the -sO protocol scan.
Option C is incorrect. This scan lacks the -sO protocol scan and scans the entire subnet needlessly.

148. B. The arp -a command displays the Address Resolution Protocol routing table. That is what is shown in the figure.
Options A and D are incorrect. The netstat command lists the current network connections.
Option C is incorrect. The arp -s command adds a host to the Address Resolution Protocol routing table.

149. A. Blacklisting blocks any sites or content specifically on the blacklist. However, it is impossible to list every inappropriate site on the Internet, so some are not going to be listed and thus are accessible.
Option B is incorrect. You could argue that this issue is due to misconfiguration, but that is not the most likely cause.
Option C is incorrect. The proxy server as a whole is not the issue. It is the content filtering that is at issue.
Option D is incorrect. While this is possible, it is not the most likely explanation.

150. C. Metasploit is a widely used exploit framework. It provides a complete suite of tools that allow you to scan targets, locate vulnerabilities, and then attempt to exploit those vulnerabilities.
Options A, B, and D are incorrect. Although each of these describes aspects of Metasploit, they are incomplete definitions.

151. B. Configuration compliance scanning solutions take the configuration settings that the administrator provides and scan targeted devices and computers to see whether they comply. This is an effective method for checking compliance.
Options A, C, and D are all incorrect. Each of these would uncover at least some configuration compliance issues but would be less effective and/or more cumbersome than configuration compliance scanning.

Chapter 3: Architecture and Design

1. A. The correct answer is ISO 27002. ISO 27002 is an international standard for implementing and maintaining information security systems.
Option B is incorrect. ISO 27017 is an international standard for cloud security.
Option C is incorrect. NIST 800-12 is a general security standard and it is a U.S. standard, not an international one.
Option D is incorrect. NIST 800-14 is a standard for policy development, and it is a U.S. standard, not an international one.

2. A. The correct answer is the Open Web Application Security Project. It is the de facto standard for web application security.
Option B is incorrect. The North American Electric Reliability Corporation is concerned with electrical power plant security.
Option C is incorrect. The National Institute of Standards does not, as of this writing, publish web application standards.
Option D is incorrect. ISA/IEC standards are for securing industrial automation and control systems (IACSs).

3. B. Vendor diversity gives two security benefits. The first is that there is not a single point of failure should one vendor cease operations. The second benefit is that each vendor has a specific methodology and algorithms used for detecting malware. If you use the same vendor at all points where you need malware detection, any flaw or weakness in that vendor’s methodology will persist across the network.
Option A is incorrect. Using a single vendor means that any weakness in that vendor’s methodology permeates the entire network.
Option C is incorrect. Vendor forking is not a term in the industry.
Option D is incorrect. This is not a neutral act. Vendor diversity improves security.

4. D. Control diversity means utilizing different controls to mitigate the same threat. For malware, the use of technical controls, such as anti-malware, is critical. But it is also important to have administrative controls, such as good policies, and to ensure employees are properly trained.
Option A is incorrect. This approach ignores training employees. Policies are only useful if employees are properly trained.
Option B is incorrect. This approach uses only one type of control: technical controls.
Option C is incorrect. This approach ignores training employees. Policies are useful only if employees are properly trained. Furthermore, website whitelisting can be beneficial but leaves many websites unchecked, each of which could be hosting malware.

5. A. The demilitarized zone (DMZ) is a zone between an outer firewall and an inner firewall. It is specifically designed as a place to locate public-facing servers. The outer firewall is more permissive, thus allowing public access to the servers in the DMZ. However, the inner firewall is more secure, thus preventing outside access to the corporate network.
Option B is incorrect. An intranet is for internal web pages.
Option C is incorrect. Guest networks provide network access, often wireless, to guests. This is not an appropriate place for any server.
Option D is incorrect. An extranet is a scenario wherein external partners are allowed access to limited portions of the company network.

6. B. Air gapping refers to the server not being on a network. This means literally that there is “air” between the server and the network. This prevents malware from infecting the backup server.
Options A and C are incorrect. A separate VLAN or physical network segment can enhance security but is not as effective as air gapping.
Option D is incorrect. A honeynet is a good security measure, but it won’t provide the best protection against malware.

7. C. The first step in security is hardening the operating system, and one of the most elementary aspects of that is turning off unneeded services. This is true regardless of the operating system.
Options A, B, and D are incorrect. Each of these is a good security measure and should be implemented. However, none of these are as fundamental as turning off unneeded services and therefore would not be done first.

8. C. Administrative controls are policies and processes designed to mitigate some threat. The use of policies that govern the opening of email attachments and the downloading of files is an administrative control for malware.
Options A, B, and D are incorrect. Each of these is a good step to take, but they are all technical controls, not administrative ones.

9. A. A guest network is separate from your production network; therefore, even if there is some breach of that network, it won’t affect your production network. It is a common security practice to establish a guest network so that guests can access the Internet, without providing them with access to the corporate network resources.
Option B is incorrect. A DMZ is used to locate public-facing servers such as web servers.
Option C is incorrect. An intranet consists of internal web-based resources for employees.
Option D is incorrect. This would provide nonemployees with access to the corporate network.

10. A. Full disk encryption fully encrypts the hard drive on a computer. This is an effective method for ensuring the security of data on a computer.
Option B is incorrect. Trusted platform modules are crypto-processors and won’t affect this problem.
Option C is incorrect. Software-defined networking is virtualized networking and won’t affect this problem.
Option D is incorrect. Demilitarized zones are used to segment a network and won’t affect this problem.

11. A. A VPN concentrator is a hardware device used to create remote access VPNs. The concentrator creates encrypted tunnel sessions between hosts, and many use two-factor authentication for additional security.
Option B is incorrect. SSL accelerators are a method of offloading processor-intensive public-key encryption for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) to a hardware accelerator.
Option C is incorrect. A demilitarized zone is a place to locate public-facing servers.
Option D is incorrect. Guest networks provide nonemployees with Internet access.

12. B. If a system is infected with malware, the malware will operate with the privileges of the current user. If you use nonadministrative accounts, with least privileges, then the malware won’t be able to access administrative functionality.
Options A, C, and D are all incorrect. These are all good security measures, but they won’t address the issue of malware accessing administrative functionality.

13. B. The network operating system is determined by the operating system running on a domain controller. A network could be mostly Windows, but as long as the domain controller is Unix, the network operating system is Unix.
Options A, C, and D are all incorrect. These items do not determine the network operating system.

14. A. A Type I hypervisor is also known as a bare-metal hypervisor. It installs directly onto hardware and does not require an operating system to be installed first.
Options B, C, and D are all incorrect. Type I hypervisors do not require a preinstalled operating system.

15. D. ISO 27017 is an international standard for cloud security.
Option A is incorrect. NIST 800-14 describes common security principles that should be addressed within security policies.
Option B is incorrect. NIST 800-53 organizes security measures into families of controls, such as risk assessment, access control, incident response, and others.
Option C is incorrect. ISO 27002 recommends best practices for initiating, implementing, and maintaining information security management systems (ISMSs).

16. B. A kiosk computer must be limited to only those functions that are required. It is important to remove or disable any unnecessary functions, and to have the system logged in with the least privileges necessary for the kiosk functionality.
Option A is incorrect. Although this is always a good idea, it is not the most important issue for a kiosk computer.
Option C is incorrect. Yes, antivirus is important. However, if this machine is locked down so that it only performs the specified functions, it is unlikely to get a virus.
Option D is incorrect. A host-based firewall is not even absolutely necessary in this scenario, and it is certainly less important than limiting the computer’s functionality.

17. A. The correct answer is to disable WiFi if it is not absolutely needed. Many peripheral devices are WiFi enabled. If you don’t require this functionality, then disabling it is a very basic and essential security measure you can take. For example, WiFi-enabled MicroSD cards are vulnerable to attacks.
Option B is incorrect. Very few peripheral devices will even have a BIOS.
Option C is incorrect. Encryption may be warranted for some specific peripherals, but many don’t have storage that can be encrypted, and this would not be the first step one takes.
Option D is incorrect. Many peripherals don’t have a hard drive to install antivirus on.

18. A. A DMZ provides limited access to public-facing servers, for outside users, but blocks outside users from accessing systems inside the LAN. It is a common practice to place web servers in the DMZ.
Option B is incorrect. A VLAN is most often used to segment the internal network.
Option C is incorrect. Routers direct traffic based on IP address.
Option D is incorrect. A guest network allows internal users who are not employees to get access to the Internet.

19. B. Physically partitioning your network is the physical equivalent of a VLAN. A VLAN is designed to emulate physical partitioning.
Option A is incorrect. Perimeter security does not segment the network.
Option C is incorrect. Security zones are useful, but don’t, by themselves, segment a network. Often a network is segmented, using physical partitions or VLANs, to create security zones.
Option D is incorrect. A firewall is meant to block certain traffic, not to segment the network.

20. D. Honeypots are designed to attract a hacker by appearing to be security holes that are ripe and ready for exploitation. A honeynet is a network honeypot. This security technique is used to observe hackers in action while not exposing vital network resources.
Option A is incorrect. Active detection is not a term used in the industry.
Option B is incorrect. False subnet is not a term used in the industry.
Option C is incorrect. An intrusion detection system is used to detect activity that could indicate an intrusion or attack.

21. A. Nonessential protocols provide additional areas for attack. The fact that all protocols have weaknesses would be sufficient to eliminate nonessential protocols. Those nonessential protocols’ ports provide possible avenues of attack. You should always follow the principle of least privilege.
Option B is incorrect. Any port can be secured. This is an example of security control.
Option C is incorrect. It is not the case that specific ports are less secure. But every port that is open provides a possible mode of entry into a system.
Option D is incorrect. There is no additional effort to secure a port that is nonessential.

22. B. A stateful inspection firewall examines the content and context of each packet it encounters. This means that an SPI firewall understands the preceding packets that came from the same IP address. This makes certain attacks, like a SYN flood, almost impossible.
Option A is incorrect. Packet filtering firewalls examine each packet, but not the context.
Option C is incorrect. Application layer firewalls can use SPI or simple packet filtering, but their primary role is to examine application-specific issues. A classic example is a web application firewall.
Option D is incorrect. A gateway firewall is simply a firewall at the network gateway. This does not tell us whether it is packet filtering or SPI.

23. A. Whitelists are lists of approved software. Only if software appears on the whitelist can it be installed.
Option B is incorrect. Blacklisting blocks specific applications, but it cannot account for every possible malicious application.
Option C is incorrect. Access control lists determine who can access a resource.
Option D is incorrect. A host intrusion detection system (HIDS) does not prevent software from being installed.

24. B. A demilitarized zone (DMZ) is a separate subnet coming off a separate router interface. Public traffic may be allowed to pass from the external public interface to the DMZ, but it won’t be allowed to pass to the interface that connects to the internal private network.
Option A is incorrect. A guest network provides visitors with internet access.
Option C is incorrect. An intranet consists of internal web resources. Frequently companies put up web pages that are accessible only from within the network for items like human resources notifications, requesting vacation, and so forth.
Option D is incorrect. A VLAN is used to segment your internal network.

25. A. Filters prevent unauthorized packets from entering or leaving a network. Packet filters are a type of firewall that blocks specified port traffic.
Options B and C are incorrect. A packet filter will allow some packets to enter and will block others. The same goes for exiting packets: some will be allowed and others will be blocked, based on the rules implemented in the firewall.
Option D is incorrect. Packet filtering does nothing to eliminate collisions in the network.

26. C. WiFi Protected Access 2 (WPA2) was intended to provide security that’s equivalent to that on a wired network, and it implements elements of the 802.11i standard.
Option A is incorrect. A WAP is a wireless access point.
Option B is incorrect. WPA is not as secure as WPA2.
Option D is incorrect. WEP is the oldest, and least secure, wireless security protocol.

221127. A. An IV attack is usually associated with the WEP wireless protocol. This is because
2212WEP uses the RC4 stream cipher with an initialization vector. However, WEP improperly
2213implements RC4 and reuses its IVs (an IV should only be used once, then discarded), mak-
2214ing it vulnerable to IV attacks.
2215Option B is incorrect. A WAP is a wireless access point, not a protocol.
2216Option C is incorrect. WPA does not use an IV; it uses TKIP.
2217Option D is incorrect. WPA2 does not use an IV; it uses AES with CBC and a MAC.
2218
221928. C. A test server should be identical to the production server. This can be used for func-
2220tional testing as well as security testing, prior to deploying the application.
2221Option A is incorrect. The production server is the live server.
2222Option B is incorrect. A development server would be one the programmers use during
2223development of a web application.
2224Option D is incorrect. Predeployment server is not a term used in the industry.
2225
222629. B. Kernel integrity subsystems are a form of integrity measurement used to detect whether
2227files have been accidentally or maliciously altered, both remotely and locally; to appraise a
2228file’s measurement against a “good†value stored as an extended attribute; and to enforce
2229local file integrity. These goals are complementary to Mandatory Access Control (MAC)
2230protections provided by Linux Security Modules.
2231Option A is incorrect. Antivirus software is used to detect malware.
2232Option C is incorrect. Kernel integrity subsystems cannot detect what programs have been
2233installed.
2234Option D is incorrect. Kernel integrity systems don’t detect changes to user accounts.
2235
223630. C. BIOS password management is the most basic security measure for the BIOS. Without
2237this fundamental step, any other steps will be far less effective.
2238Options A and B are incorrect. NIST 800-155 does list both of these as BIOS integrity
2239measures, but they are not the most fundamental measures—passwords are.
2240Option D is incorrect. Backing up the BIOS is not a common security measure, and it cer-
2241tainly would not be the most fundamental step.
2242
224331. A. The correct answer is NIST 800-82. Special Publication 800-82, Revision 2, “Guide to
2244Industrial Control System (ICS) Security,†is specific to industrial control systems. Indus-
2245trial systems include SCADA (Supervisor Control And Data Acquisition) and PLCs (pri-
2246mary logic controllers).
2247Option B is incorrect. PCI-DSS is a standard for credit card security.
2248Option C is incorrect. NIST 800-30 is the U.S. standard for conducting risk assessments.
2249Option D is incorrect. This standard recommends best practices for initiating, implement-
2250ing, and maintaining information security management systems (ISMSs).
2251
225232. B. Wearable devices have storage and thus can be used to bring in files to a network, or to
2253exfiltrate data from the network.
2254Option A is incorrect. Distractions are not a security concern, though they may be a man-
2255agement issue.
2256Options C and D are incorrect. Although either of these might be appropriate security
2257concerns to mitigate, they are not the most significant concern.
2258
225933. B. A heating, ventilation, and air conditioning system will affect availability. By maintain-
2260ing temperature and humidity, the servers in the datacenter are less likely to crash and thus
2261be more available.
2262Option A is incorrect. HVACs have no effect on data confidentiality.
2263Option C is incorrect. HVACs are not fire suppression systems.
2264Option D is incorrect. HVACs are not monitoring systems.
2265
34. B. Maria should implement ongoing auditing of account usage on the SCADA system. This will provide a warning that someone's account is being used at a time, or from a place, when that person is not actually using it.
Option A is incorrect. Host-based antivirus is almost never a bad idea, but this scenario did not indicate that the compromise was due to malware, so anti-malware may not address the threat.
Option C is incorrect. Since the engineer has legitimate access to the SCADA system, a NIPS is unlikely to block him from accessing it.
Option D is incorrect. Full disk encryption will not mitigate this threat.
2275
35. B. The correct answer is virtualization. By virtualizing the servers, Lucy can administer them all from a single location, and it is very easy to set up a new virtual server should one be needed.
Option A is incorrect. A cluster won't make installing a new server any more streamlined.
Options C and D are incorrect. Segmenting the servers, such as with a VLAN or subnet, won't address the issues presented in this question.
2282
36. A. A hardware security module (HSM) is the most secure way to store the private keys for the e-commerce server. An HSM is a physical device that generates, safeguards, and manages cryptographic keys; private keys never leave the module in plaintext, and signing and decryption operations are performed inside it.
Option B is incorrect. Full disk encryption protects data at rest on the e-commerce server, but it does not address key storage: while the server is running and the volume is mounted, the key material is in memory and available to anyone who compromises the host.
Option C is incorrect. A self-encrypting drive (SED) is simply full disk encryption implemented in the drive hardware, with the same limitation.
Option D is incorrect. Software-defined networking won't address the issues in this scenario.
2292
37. B. The correct answer is to use a sandboxed environment to test the malware and determine its complete functionality. A sandboxed system could be an isolated virtual machine or an actual physical machine that is entirely isolated from the network.
Option A is incorrect. Leaving the malware on a production system is never the correct approach.
Option C is incorrect. You should test the malware to determine exactly what damage it causes.
Option D is incorrect. A honeypot is used to attract and observe attackers, not to test malware.
2301
38. C. You should implement a staging server so that code can be deployed to an intermediate staging environment. This allows testing of security features, as well as checking that the code integrates with the entire system, before it reaches production. Using third-party libraries and SDKs can help reduce errors and vulnerabilities in the code.
Option A is incorrect. Sandboxing is used to isolate a particular environment.
Option B is incorrect. Virtualization will not mitigate this risk. Even if the production server is virtualized, the risks are the same.
Option D is incorrect. Deployment policies are a good idea, but they are not the most effective way to mitigate this particular risk.
2311
39. A. A real-time operating system (RTOS) is an operating system designed for embedded devices, with deterministic scheduling and a small, minimal code base; hardened RTOS builds are used where a general-purpose OS would present an unnecessarily large attack surface. RTOSs were originally developed for military and industrial applications and are now widely available commercially and as open source.
Option B is incorrect. Although SCADA systems can sometimes be embedded systems, this won't address the security concerns.
Option C is incorrect. Full drive encryption won't address issues with the security of the operating system.
Option D is incorrect. A trusted platform module can be very useful for cryptographic applications, but it will not address the security of the operating system.
2320
40. C. The WPA2 standard fully implements the 802.11i security standard.
Options A, B, and D are incorrect. Those standards concern bandwidth and frequency, not security.
2324
41. A. The encryption technology associated with WPA is TKIP (Temporal Key Integrity Protocol). TKIP was designed as a firmware-upgradeable replacement for WEP and still uses RC4 as its underlying stream cipher, adding per-packet key mixing and a message integrity check.
Option B is incorrect. CCMP (Counter Mode with CBC-MAC Protocol) is the technology used in WPA2. It uses AES in counter (CTR) mode for confidentiality and a CBC-MAC for message authentication; the cipher-block-chaining part is the MAC, not the encryption mode.
Option C is incorrect. WEP uses RC4.
Option D is incorrect. WPA2 uses CCMP.
2330
42. C. Disabling the SSID broadcast keeps it from being seen in the list of available networks, but it is still possible to connect to the network and use it. The SSID is still transmitted in probe and association frames, so a wireless sniffer will reveal it; hiding the SSID is not a security control.
Options A, B, and D are all incorrect. These are not accurate descriptions of what happens when you disable SSID broadcast.
2335
43. B. In the Platform as a Service (PaaS) model, the consumer has access to the infrastructure to create applications and host them.
Option A is incorrect. Software as a Service simply supplies a particular application.
Option C is incorrect. Infrastructure as a Service provides entire network infrastructure.
Option D is incorrect. Cloud as a Service provides access to cloud storage.
2341
44. A. With the Software as a Service (SaaS) model, the consumer has the ability to use applications provided by the cloud provider over the Internet. SaaS is a subscription service where software is licensed on a subscription basis.
Option B is incorrect. Platform as a Service provides a platform (operating system, runtime, and middleware) on which the consumer deploys its own applications.
Option C is incorrect. Infrastructure as a Service provides entire network infrastructure.
Option D is incorrect. Cloud as a Service provides access to cloud storage.
2348
45. B. Elasticity is a feature of cloud computing that involves dynamically provisioning (or deprovisioning) resources as needed.
Option A is incorrect. Multitenancy refers to multiple customers (tenants) sharing the same underlying physical infrastructure, isolated from one another by the provider.
Option C is incorrect. A configuration management database is used to store configuration information.
Option D is incorrect. Sandboxing refers to the ability to isolate an environment.
2356
46. A. Type I hypervisor implementations are known as "bare metal."
Option B is incorrect. Type II hypervisors have to be installed on an underlying operating system.
Options C and D are incorrect. These are not valid hypervisor types.
2361
47. C. A snapshot is an image of the virtual machine at some point in time. It is standard practice to periodically take a snapshot of a virtual system so that you can return that system to a last known good state.
Option A is incorrect. Sandboxing is the process of isolating a system.
Option B is incorrect. The hypervisor is the mechanism whereby the virtual environment interacts with the hardware.
Option D is incorrect. Elasticity is the ability for the system to scale.
2369
48. D. RAID level 5 is disk striping with distributed parity: each stripe holds one parity block, computed as the XOR of the stripe's data blocks, and the parity position rotates across the disks. It can withstand the loss of any single disk, because any one missing block equals the XOR of the remaining blocks in its stripe.
Option A is incorrect. RAID 0 is disk striping; it does not provide any fault tolerance.
Option B is incorrect. RAID 1 is mirroring. It does protect against the loss of a single disk, but not with distributed parity.
Option C is incorrect. RAID 3 is disk striping with dedicated parity. This means a dedicated drive containing all the parity bits.
2377
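The parity arithmetic behind that answer, as an added example that is not part of the original answer key: a toy RAID 5 layout in Python that stripes constructed data across a four-disk array with a 4-byte chunk size (both values are assumptions for the toy), rotates XOR parity across the disks, then loses one disk and rebuilds it from the survivors. Real controllers work on sectors rather than 4-byte chunks, but the XOR relationship is the same.

```python
# Added example: toy RAID 5 (striping with distributed XOR parity).
# Constructed for illustration; chunk size and disk count are arbitrary.

CHUNK = 4  # bytes per chunk (assumption for the toy array)


def xor_bytes(blocks):
    """Byte-wise XOR of equal-length byte strings; XOR is the parity operation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def build_raid5(data, n_disks, chunk=CHUNK):
    """Lay `data` out across `n_disks`: each stripe holds n_disks-1 data chunks
    plus one parity chunk, and the parity position rotates per stripe."""
    per_stripe = n_disks - 1
    chunks = [data[i:i + chunk].ljust(chunk, b"\0")
              for i in range(0, len(data), chunk)]
    while len(chunks) % per_stripe:          # pad the last stripe
        chunks.append(bytes(chunk))
    disks = [[] for _ in range(n_disks)]
    for stripe_no, start in enumerate(range(0, len(chunks), per_stripe)):
        stripe = chunks[start:start + per_stripe]
        parity_pos = stripe_no % n_disks     # distributed parity
        data_iter = iter(stripe)
        for d in range(n_disks):
            disks[d].append(xor_bytes(stripe) if d == parity_pos
                            else next(data_iter))
    return disks


def rebuild_disk(disks, lost):
    """Reconstruct disk `lost` (whose contents are gone) from the survivors:
    in every stripe the missing chunk is the XOR of all the other chunks."""
    survivors = [disk for i, disk in enumerate(disks) if i != lost]
    n_stripes = len(survivors[0])
    return [xor_bytes([disk[s] for disk in survivors]) for s in range(n_stripes)]


def read_data(disks, length):
    """Reassemble the original data, skipping each stripe's parity chunk."""
    n_disks = len(disks)
    out = bytearray()
    for stripe_no in range(len(disks[0])):
        parity_pos = stripe_no % n_disks
        for d in range(n_disks):
            if d != parity_pos:
                out += disks[d][stripe_no]
    return bytes(out[:length])


def demo(lost=2):
    """Build the array, destroy one disk, rebuild it, and confirm the data survives."""
    data = b"RAID 5 tolerates the loss of any single disk"  # constructed payload
    disks = build_raid5(data, n_disks=4)
    original_disk = disks[lost]
    disks[lost] = None                     # simulate the disk failing
    disks[lost] = rebuild_disk(disks, lost)
    return disks[lost] == original_disk and read_data(disks, len(data)) == data
```

Losing a second disk before the rebuild completes breaks the relationship, which is why RAID 6 (question 55) keeps a second, independently computed parity block per stripe.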
49. D. A Faraday cage, named after the physicist Michael Faraday, involves placing conductive wire mesh around an area or device to block electromagnetic signals.
Option A is incorrect. A VLAN can segment a network but won't block EMI.
Option B is incorrect. Software-defined networking virtualizes a network but does not protect against EMI.
Option C is incorrect. A trusted platform module is used for cryptographic applications.
2384
50. B. The correct answer is bollards. These are large objects, often made of concrete or similar material, designed specifically to prevent a vehicle from getting past them.
Option A is incorrect. Most gates can be breached with a vehicle.
Option C is incorrect. A security guard is a good idea, but he or she would not be able to stop a vehicle from ramming the building.
Option D is incorrect. Security cameras will provide evidence of a crime that was committed, but won't prevent the crime.
2392
51. A. The correct answer is to attach cable locks to the computers that lock them to the table. This makes it more difficult for someone to steal a computer.
Option B is incorrect. Full disk encryption won't stop someone from stealing the computer.
Option C is incorrect. Strong passwords won't stop someone from stealing a computer.
Option D is incorrect. A sign-in sheet is a good idea and may deter some thefts, but it is not the best approach to stopping theft.
2399
52. B. The correct answer is to incorporate two-factor authentication with a mantrap. By requiring a smartcard at one door (type II authentication, something you have) and a PIN at the other door (type I authentication, something you know), Joanne combines strong two-factor authentication with physical security.
Option A is incorrect. Smartcards by themselves are single-factor authentication.
Option C is incorrect. Video surveillance, though often a good idea, won't help with two-factor authentication.
Option D is incorrect. Again, the smartcard by itself is single-factor authentication.
2407
53. A. Baselining is the process of establishing a standard for security. A change from the original baseline value is referred to as baseline deviation.
Option B is incorrect. Security evaluations or audits check security but don't establish security standards.
Option C is incorrect. Hardening is the process of securing a given system, but it does not establish security standards.
Option D is incorrect. Normalization is the process of removing redundant entries from a database.
2416
54. B. Hardening is the process of improving the security of an operating system or application. One of the primary methods of hardening a trusted OS is to eliminate unneeded services and protocols, which reduces the attack surface. The result is also known as a secure baseline that allows the OS to run safely and securely.
Option A is incorrect. FDE is full disk encryption.
Option C is incorrect. SED is a self-encrypting drive.
Option D is incorrect. Baselining is the process of establishing security standards.
2423
55. A. RAID 1+0 is a mirrored data set (RAID 1), which is then striped (RAID 0): a "stripe of mirrors."
Option B is incorrect. RAID 6 is disk striping with dual parity (distributed).
Option C is incorrect. RAID 0 is just striping.
Option D is incorrect. RAID 1 is just mirroring.
2429
2430
56. D. Normalization is the process of removing duplication or redundant data from a database. It is defined in terms of normal forms, from first normal form (1NF), which permits the most redundancy, through 2NF, 3NF, and higher forms, each of which removes a further class of redundancy.
Option A is incorrect. Although database integrity is important, that is not what is described in the question. Furthermore, integrity checking usually refers to checking the integrity of files.
Option B is incorrect. Deprovisioning is a virtualization term for removing a virtual system (server, workstation, etc.) and reclaiming those resources.
Option C is incorrect. Baselining involves setting security standards.
2440
57. C. "Whitelists" are lists of those items that are allowed (as opposed to a blacklist, which lists things that are prohibited).
Option A is incorrect. Blacklists are lists of blocked items (applications or websites).
Options B and D are incorrect. These are not terms used in the industry.
2445
58. C. The correct answer is to only allow signed components to be loaded in the browser. Code signing verifies the identity of the publisher of a component (such as an ActiveX component) and that the component has not been modified since it was signed; it does not prove the code is benign, but it blocks anonymous or tampered components and makes malware far less likely.
Option A is incorrect. Although host-based anti-malware is a good idea, it is not the best remedy for this specific threat.
Option B is incorrect. Blacklists cannot cover all sites that are infected, just the sites you know about. And given that users on Hans's network visit a lot of websites, blacklisting is likely to be ineffective.
Option D is incorrect. If you block all active content, many websites will be completely unusable.
2456
59. D. Agile development works in cycles, each cycle producing specific deliverables. This means that phases like design and development are repeated.
Options A and B are incorrect. The issue is not how many phases there are; it is the fact that in waterfall, when a phase is finished, there is no returning to that phase.
Option C is incorrect. Neither method is inherently more secure.
2462
60. D. Security should be addressed at every stage of development. This means requirements, design, implementation, verification/testing, and maintenance.
Options A, B, and C are incorrect. These are all only partially correct.
2466
61. D. Stored procedures are the best way to have standardized SQL. Rather than programmers writing their own SQL commands, they call the stored procedures that the database administrator creates, passing values as parameters instead of building SQL strings in application code.
Options A and B are both incorrect. Although these are good ideas, they are not as effective as stored procedures in addressing concerns about bad SQL commands.
Option C is incorrect. Agile programming is a method for developing applications rapidly and won't determine how SQL commands are created.
2474
62. A. Proper error handling is the most fundamental item to address in application development. Robust and thorough error handling will mitigate many security risks.
Options B, C, and D are all incorrect. Each of these is a good security measure but not the most important step for Mary to take.
2479
63. B. When virtualization reaches the point that IT can no longer effectively manage it, the condition is known as VM sprawl.
Options A and C are incorrect. These are not the terms used in industry.
Option D is incorrect. VM zombie is a term for a virtual machine that is running and consuming resources but no longer has a purpose.
2485
64. A. VM escape is a situation wherein an attacker is able to go through the VM to interact directly with the hypervisor, and potentially the host operating system. The best way to prevent this is to limit the ability of the host and the VM to share resources. If possible, they should not share any resources.
Option B is incorrect. This is one method that might mitigate the situation, but it is not the most effective.
Options C and D are incorrect. Both of these are good security practices but would have minimal effect on mitigating VM escape.
2494
65. A. The correct answer is to implement a virtual desktop environment. If all the desktops are virtualized, then from a single central location you can manage patches, configuration, and software installation. This single implementation will solve all the issues mentioned in the question.
Option B is incorrect. Strong policies are a good idea but are often difficult to enforce.
Option C is incorrect. Imaging workstations affects only their original configuration. It won't keep them patched or prevent rogue software from being installed.
Option D is incorrect. Strong patch management will address only one of the three concerns.
2504
66. C. Pre-action fire suppression is ideal for computers. The pipes have no water in them during normal operations. When the temperature rises to a certain level, water fills the pipes. Then, if the temperature continues to rise, the fire suppression system activates. This provides time to stop the fire before the servers are soaked with water.
Option A is incorrect. Wet pipes have water in them at all times. If a pipe freezes and/or bursts, the servers will be damaged.
Option B is incorrect. Deluge fire suppression, as the name suggests, uses a very large amount of water. This is not appropriate for computers.
Option D is incorrect. Halon production has been banned under the Montreal Protocol, and it is no longer used for new installations.
2514
67. A. The correct answer is to have a motion-activated camera that records everyone who enters the server room.
Options B, C, and D are all incorrect. These are all good security measures but won't detect theft.
2519
68. B. Session tokens are used to authenticate sessions. A token that is unpredictable, integrity-protected, and short-lived is effective against replay attacks and session hijacking, because a captured token cannot be altered and is useful only until it expires.
Options A, C, and D are all incorrect. Session tokens will not be effective in mitigating those attacks.
2524
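What a session token has to carry to resist replay and hijacking, as an added example that is not part of the original answer key: an HMAC-SHA256-signed token in Python with a random session ID and an expiry time. A token copied by an attacker is usable only until it expires, and any edit to its contents fails verification. The server key, the user name, and the clock values are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Added example: signed, expiring session tokens.
# SERVER_KEY is constructed for this example; in practice it comes from a
# secrets store and is rotated, never hard-coded.
SERVER_KEY = b"example-only-server-key-rotate-me"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, now: float, ttl: int = 900, key: bytes = SERVER_KEY) -> str:
    """Create a token: random session ID + user + expiry, then HMAC-SHA256 over the body."""
    payload = {"sid": secrets.token_hex(16), "user": user, "exp": int(now) + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, now: float, key: bytes = SERVER_KEY):
    """Return the payload if the signature is valid and the token is unexpired, else None."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison: a plain == would leak timing information.
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None          # malformed token
    if payload.get("exp", 0) <= now:
        return None          # expired: bounds the window in which a stolen token works
    return payload


def demo() -> bool:
    """Valid token verifies; a forged body fails; replay after expiry fails."""
    now = 1_700_000_000.0    # fixed clock for determinism
    token = issue_token("alice", now)
    ok = verify_token(token, now)["user"] == "alice"
    body, sig = token.split(".")
    forged_body = _b64(json.dumps({"sid": "x", "user": "admin", "exp": int(now) + 900}).encode())
    forged_rejected = verify_token(f"{forged_body}.{sig}", now) is None
    expired_rejected = verify_token(token, now + 901) is None
    return ok and forged_rejected and expired_rejected
```

The server should additionally keep the issued session IDs in a store so that a session can be revoked before its expiry, and the token must only ever travel over TLS; the signature protects integrity, not confidentiality.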
69. C. Hot aisle/cold aisle is a layout design for server racks and other computing equipment in a data center. The goal of a hot aisle/cold aisle configuration is to conserve energy and lower cooling costs by managing airflow. An infrared camera will detect heat levels in the aisles.
Options A, B, and D are all incorrect. Although these are issues to be concerned about in a data center, an infrared camera is not an appropriate way to monitor them.

Chapter 3: Architecture and Design
70. D. A security guard is the most effective way to prevent unauthorized access to a building.
Options A, B, and C are all incorrect. These are all good physical security measures, but they are not the most effective ways to prevent entry into a building.

71. B. Software-defined networking makes the network very scalable. It is relatively easy to add new resources or remove unneeded resources.
Options A, C, and D are all incorrect. SDN does not accomplish these goals.

72. A. The correct answer is to use an application container to isolate that application from the host operating system. Application containers provide a virtualized environment in which to run an application.
Option B is incorrect. Moving to software-defined networking is a very involved process and does not provide an efficient solution.
Option C is incorrect. Not only will this not separate the application from the host operating system; it might not solve the problem.
Option D is incorrect. This is not an option in this question. Mark must support the legacy application.
2547
73. D. The fence should reach within 2 inches of hard surfaces like pavement or concrete. For soft dirt it should actually go into the ground.
Options A and B are incorrect. These are not the correct measurements.
Option C is incorrect. Per the standard, a chain-link fence should reach within 2 inches of hard surfaces like pavement or concrete, and for soft dirt it should go into the ground.
2554
74. A. An immutable server's configuration cannot be changed in place; any change is made by building and deploying a new server image, so drift from the known configuration is prevented.
Option B is incorrect. A virtual machine won't stop the application or the OS from being altered.
Option C is incorrect. This won't prevent the OS from being altered.
Option D is incorrect. Segregating the application on a separate VLAN won't address the issues.
2561
75. B. The correct answer is to have the source code for the application stored with a third-party source code escrow. Should the vendor go out of business, or otherwise be unable to continue to support the application, the source code escrow will supply you with the source code, which you can then maintain yourself (or hire a new company to maintain).
Option A is incorrect. Detailed credit checks of vendors are a good idea, but are no guarantee against the vendor failing.
Option C is incorrect. If the vendor goes out of business, contractual penalties will be ineffective.
Option D is incorrect. Even if another vendor is willing to be a backup for you, they cannot effectively support the application without the source code.
2572
76. C. The correct answer is to implement IaC. Infrastructure as Code (IaC) is the process of managing and provisioning computer datacenters through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools. Whether the data center(s) use physical machines or virtual machines, this is an effective way to manage them consistently.
Option A is incorrect. Although data center managers may be needed, that won't necessarily provide consistent management across the enterprise.
Option B is incorrect. Software-defined networking will not fix this problem.
Option D is incorrect. The issue is not just provisioning; it is management.
2582
77. C. These particular web application attacks are best mitigated with proper input validation. Any user input should be checked against what the application actually expects (an allow list of permitted characters, lengths, and formats) and rejected or encoded otherwise, so that indicators of XSS or SQL injection never reach the interpreter.
Option A is incorrect. Error handling is always important, but it won't mitigate these particular issues.
Option B is incorrect. Stored procedures can be a good way of ensuring SQL commands are standardized, but on their own they won't prevent these attacks.
Option D is incorrect. Code signing is used for code that is downloaded from a web application to the client computer. It is used to protect the client, not the web application.
2591
78. B. Fuzzing is a technique whereby the tester intentionally feeds malformed, unexpected, or random values into input fields to see how the application handles them.
Option A is incorrect. Static code analysis tools simply scan the code for known issues.
Option C is incorrect. Baselining is the process of establishing security standards.
Option D is incorrect. Version control simply tracks changes in the code; it does not test the code.
2598
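What a fuzzer actually does with an input field, as an added example that is not part of the original answer key: a small mutational fuzzer in Python run against a naive parser for a constructed record format (one length byte, the payload, one checksum byte). The parser trusts the length byte and indexes past the end of short inputs; the fuzzer mutates a valid seed record and collects every input that raises something other than the `ValueError` the parser is allowed to raise. A hardened parser is included to show that the same harness reports nothing once every length is checked. The format, the seed, and the mutation strategy are all assumptions for this example.

```python
import random

# Added example: toy mutational fuzzer against a length-prefixed record parser.
# Record format (constructed): [length byte][payload ...][checksum byte],
# where checksum = sum(payload) mod 256.


def parse_record(data: bytes) -> bytes:
    """Naive parser: trusts the length byte and reads past the end on short input."""
    n = data[0]
    payload = data[1:1 + n]
    if sum(payload) % 256 != data[1 + n]:
        raise ValueError("bad checksum")
    return payload


def parse_record_fixed(data: bytes) -> bytes:
    """Hardened parser: every length is checked before it is used as an index."""
    if len(data) < 2:
        raise ValueError("record too short")
    n = data[0]
    if len(data) < 2 + n:
        raise ValueError("truncated payload")
    payload = data[1:1 + n]
    if sum(payload) % 256 != data[1 + n]:
        raise ValueError("bad checksum")
    return payload


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation: flip a bit, truncate, or append junk bytes."""
    buf = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1:
        del buf[rng.randrange(len(buf) + 1):]
    else:
        buf += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(buf)


def fuzz(parser, seed: bytes, iterations: int = 500, rng_seed: int = 1) -> list:
    """Feed mutated inputs to `parser`; return the inputs that caused an
    exception other than the ValueError a parser may legitimately raise."""
    rng = random.Random(rng_seed)   # fixed seed so runs are reproducible
    crashes = []
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            parser(sample)
        except ValueError:
            pass                    # expected rejection of bad input
        except Exception:           # IndexError etc.: a real bug
            crashes.append(sample)
    return crashes


def outcome(parser, data: bytes) -> str:
    """Name of the exception `parser` raises on `data`, or 'ok'."""
    try:
        parser(data)
        return "ok"
    except Exception as exc:
        return type(exc).__name__


def make_seed() -> bytes:
    """A valid record wrapping the constructed payload b'hello'."""
    payload = b"hello"
    return bytes([len(payload)]) + payload + bytes([sum(payload) % 256])
```

In C the same out-of-bounds read is an over-read rather than a clean exception, which is why fuzzing native parsers is normally done under a sanitizer or instrumented build so that the memory error is caught rather than silently returning garbage.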
79. A. The waterfall method has the steps of requirements gathering, design, implementation (also called coding), testing (also called verification), deployment, and maintenance.
Options B, C, and D are all incorrect. These are not the proper steps for the waterfall method.
2603
80. D. Both client-side and server-side validation are important, so both should be used for a complete validation solution. Because an attacker can bypass client-side checks entirely (by disabling scripts or sending requests directly), server-side validation is the control that enforces security; client-side validation improves usability and reduces load.
Options A and B are both incorrect since each is incomplete on its own.
Option C is incorrect. This is not a validation method.
2608
81. A. The correct answer is to assign digital certificates to the authorized users and to use these to authenticate them when logging in. This is an effective way to ensure that only authorized users can access the application.
Options B, C, and D are all incorrect. These are each good security measures but not the best way to authenticate the client and prevent unauthorized access to the application.
2614
82. D. The correct answer is to test patches first. It is always possible that a patch might cause issues for one or more current applications. This is a particular concern with applications that have a lot of interaction with the host operating system, since an operating system patch can prevent the application from executing properly. As soon as the patches are tested, a phased rollout to the company should begin.
Option A is incorrect. Automatic patching is not recommended in corporate environments because a patch could possibly interfere with one or more applications.
Option B is incorrect. This is a very bad idea and will lead to inconsistent patching and the application of untested patches.
Option C is incorrect. This is only slightly better than having end users handle their own patching.
2626
83. B. In a code reuse attack, the attacker causes code that already exists in the process (library functions, or old code that is no longer used, i.e., dead code) to execute for a purpose its author never intended, rather than injecting new code. That existing code may live in a third-party library.
Option A is incorrect. A buffer overflow occurs when more data is written to a buffer than it can hold. For example, a buffer designed to hold 10 bytes is sent 100 bytes.
Option C is incorrect. A denial-of-service attack is meant to make a service unavailable to legitimate users.
Option D is incorrect. Session hijacking involves taking over an existing authenticated session.
2636
84. B. The correct answer is to turn off any remote access to such devices that is not absolutely needed. Many peripheral devices come with SSH, telnet, or similar services enabled. If you are not using them, turn them off.
Option A is incorrect. Full disk encryption does not address remote access to a peripheral, and many peripherals don't have a disk to encrypt.
Option C is incorrect. Fuzz testing is for applications.
Option D is incorrect. Not all devices are even capable of having a digital certificate assigned to them.
2645
85. C. The correct answer is to use static code analysis. Memory leaks are usually caused by failure to deallocate memory that has been allocated. A static code analyzer can check whether all memory allocation calls (malloc, calloc, etc.) have a matching deallocation call.
Option A is incorrect. Fuzzing involves entering data that is outside expected values to see how the application handles it.
Option B is incorrect. Stress testing involves testing how a system handles extreme workloads.
Option D is incorrect. Normalization is a technique for deduplicating a database.
2655
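The kind of check the answer describes, as an added example that is not part of the original answer key: a small flow-insensitive static checker in Python that splits a C source file into functions by brace matching and reports any variable assigned from `malloc`, `calloc`, or `realloc` that is never passed to `free()` within the same function. The C source it scans is constructed for this example. It ignores control flow, aliasing, and ownership transfer, so it is a demonstration of the pairing idea rather than a real analyzer; production tools (compiler static analyzers, or dynamic tools like AddressSanitizer's leak checker) handle those cases.

```python
import re

# Added example: flow-insensitive malloc/free pairing check over C source.
# The C sample below is constructed for illustration.

ALLOC_RE = re.compile(r"\b(\w+)\s*=\s*(?:\([^)]*\)\s*)?(?:malloc|calloc|realloc)\s*\(")
FREE_RE = re.compile(r"\bfree\s*\(\s*(\w+)\s*\)")
HEADER_RE = re.compile(r"(\w+)\s*\([^()]*\)\s*$")


def split_functions(source: str):
    """Yield (name, body) for each top-level function by matching braces."""
    depth, start, header_start = 0, None, 0
    for i, ch in enumerate(source):
        if ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0 and start is not None:
                header = source[header_start:start].strip()
                m = HEADER_RE.search(header)
                yield (m.group(1) if m else "?"), source[start + 1:i]
                header_start = i + 1
                start = None


def find_leaks(source: str) -> dict:
    """Map function name -> variables allocated in it but never passed to free()."""
    leaks = {}
    for name, body in split_functions(source):
        allocated = set(ALLOC_RE.findall(body))
        freed = set(FREE_RE.findall(body))
        missing = sorted(allocated - freed)
        if missing:
            leaks[name] = missing
    return leaks


SAMPLE_C = r"""
#include <stdlib.h>
#include <string.h>

int good(const char *s) {
    char *copy = malloc(strlen(s) + 1);
    if (copy == NULL) return -1;
    strcpy(copy, s);
    free(copy);
    return 0;
}

int leaky(size_t n) {
    int *buf = (int *)calloc(n, sizeof(int));
    int *tmp = malloc(n);
    if (buf == NULL || tmp == NULL) return -1;   /* tmp is never freed */
    free(buf);
    return 0;
}
"""
```

Running `find_leaks(SAMPLE_C)` flags `tmp` in `leaky` and nothing in `good`. Note what it would miss: `leaky` also leaks `buf` on the early-return path when `tmp` is NULL, which only a path-sensitive analysis sees.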
86. A. The correct answer is to use Secure Shell. This protocol encrypts the session, and SSH can authenticate the user with public key cryptography instead of a password.
Option B is incorrect. Telnet is insecure. It does not encrypt data.
Option C is incorrect. Remote Shell (rsh) sends data unencrypted and is thus insecure.
Option D is incorrect. Simple Network Management Protocol is used to manage network devices and is not a remote shell protocol.
2663
87. B. Software attestation is often done with digital certificates and digital signing. The software proves that it is the legitimate program before being allowed to execute.
Option A is incorrect. Secure boot involves the system booting into a trusted configuration.
Option C is incorrect. Sandboxing is used to isolate an application.
Option D is incorrect. A trusted platform module is a cryptoprocessor, often used for key management.
2670
88. D. When two or more components are tested together, this is referred to as integration testing.
Option A is incorrect. Unit testing is testing a single unit of code.
Option B is incorrect. Regression testing is testing a system after a change to ensure that the change did not cause any other problems.
Option C is incorrect. Stress testing involves subjecting a system to extensive loads to determine if it can handle them.
2678
89. B. Intrusion prevention systems are critical for a system that needs high availability. Depending on the nature of the system, it may require a HIPS, a NIPS, or both.
Option A is incorrect. Security information and event management consolidates logs. Although this can be a valuable security feature, it is not the most important in this situation.
Option C is incorrect. Automated patch control is usually a good idea; however, it is not the most important in this situation.
Option D is incorrect. Honeypots can be a valuable security control, but they are far less important than IPS or patch control.

90. B. System on a Chip (SoC) devices are complete, self-contained systems on a single chip. Therefore, having their own unique cryptographic keys is the best way to implement authentication and security.
Option A is incorrect. A system on a chip is self-contained, so a separate TPM would not be an appropriate solution.
Option C is incorrect. A self-encrypting drive is not relevant to a system on a chip, since that system does not have a "drive."
Option D is incorrect. Many SoC technologies don't use a BIOS.

91. A. Such systems need to have all communications encrypted. Many published breaches of portable network devices have involved unencrypted communications.
Option B is incorrect. Full disk encryption may or may not even be appropriate for such devices. Many don't have a disk to encrypt.
Option C is incorrect. It may not be possible to install anti-malware on many such devices.
Option D is incorrect. Fuzz testing is used for applications.

92. D. The more vehicles utilize computers and have network communication capabilities, the more vulnerable they will be to cyberattacks.
Options A, B, and C are all incorrect. These are incomplete.

93. B. DevOps is a compound term: software DEVelopment and information technology OPerationS. The term refers to collaboration between software developers and IT professionals to align software development with infrastructure issues.
Option A is incorrect. Integration testing refers to testing two or more components.
Options C and D are both incorrect. Although clear policies and employee training are usually a good idea, they won't be the best way to address Ariel's concerns.

94. A. All software changes must go through proper change management. That includes a request for change (RFC) that will be evaluated.
Option B is incorrect. Greg cannot know what effect the change might have on other aspects of the system. This fix could cause additional problems.
Option C is incorrect. This is a better answer than B but still does not follow change control procedures.
Option D is incorrect. Simply documenting the issue does nothing to correct it.
2719
95. C. Model verification must be completed before you can rely on the models used. It is important to verify that all aspects of a simulation model are accurate. If the model has any inaccurate data or settings, then the results will not be accurate.
Option A is incorrect. Change approval boards (CABs) are part of the change control process.
Option B is incorrect. Although it is always a good idea to thoroughly read documentation, this is not the most critical issue in this scenario.
Option D is incorrect. Integration testing involves testing two or more components to ensure they function together.
2729
96. D. Any change to a system requires regression testing. Regression testing ensures that the change made does not cause any new issues.
Option A is incorrect. Full disk encryption may or may not even be appropriate for such devices. Many don't have a disk to encrypt.
Option B is incorrect. You should have received approval from the change approval board prior to making the change.
Option C is incorrect. Stress testing is designed to see what loads the system can handle.
2737
97. A. Code compiled ahead of time to native machine code generally runs faster. Runtime code, such as Java bytecode, is interpreted or compiled at runtime (hence the name), which adds overhead.
Option B is incorrect. In fact, the opposite is true. Runtime code can be platform independent, as with Java. Compiled code is compiled for a specific operating system and processor architecture.
Option C is incorrect. Security is not directly related to whether the code is compiled or runtime code. This issue has minimal impact on security.
Option D is incorrect. Development time is not impacted by whether the code will be compiled or runtime code.
2746
98. C. A community cloud presents a compromise solution. Community clouds are semi-private. They are not accessible to the general public but only to a small community of specific entities.
Option A is incorrect. This would not be true.
Option B is incorrect. The cost of a private cloud is beyond many small companies.
Option D is incorrect. This is not a good answer. It ignores the company's desire to find a cloud solution.
2754
99. B. Platform as a Service is a good solution to this problem. The programmer can access a virtualized Linux machine with PaaS.
Options A and C are both incorrect. Although these would work, they are less efficient than using PaaS.
Option D is incorrect. Infrastructure as a Service is used to provide networking infrastructure via virtualization. In this scenario, you only need an operating system.
2761
100. A. A cloud access security broker (CASB) is a software tool or service that sits between an organization's on-premises network and a cloud provider's infrastructure. A CASB acts as a gatekeeper, allowing the organization to extend the reach of its security policies into the cloud.
Option B is incorrect. Integration testing is used to test two or more components to ensure they integrate.
Option C is incorrect. Although security policies are a good idea, just having policies in your company won't affect the cloud solution.
Option D is incorrect. Security as a Service is a process of outsourcing certain security functions.
2771
101. B. Stress testing is designed to test an application under workloads that are larger than normal. Although this may not be adequate to test for DoS response, it is the most relevant software test.
Option A is incorrect. Regression testing is done after a change to ensure the change did not cause any other issues.
Option C is incorrect. Integration testing is done to see whether two or more components function together.
Option D is incorrect. Fuzz testing is testing an application by entering nonstandard/unexpected values.

102. C. The correct answer is a public cloud. Public clouds are usually less expensive. The cloud provider has a number of customers and costs are dispersed. Even individuals can afford to use cloud storage with services like iCloud and Amazon Cloud.
Option A is incorrect. A community cloud is usually private for a small group of partners. Each of the partners must share a greater part of the expense than they would with a public cloud. But they retain more control over the cloud than they would with a public cloud.
Option B is incorrect. Private clouds are the most expensive. The company must completely develop and maintain the cloud resources.
Option D is incorrect. A hybrid deployment model is a good compromise for many situations, but it will be more expensive than a public cloud.

103. D. The correct answer is continuous monitoring. There are technologies that perform continuous monitoring of a network. These systems can identify any issue as it is occurring, or very soon thereafter.
Option A is incorrect. Monthly audits won’t give notice of an issue until they are conducted, as much as a month after the issue.
Options B and C are incorrect. A network intrusion detection system or network intrusion prevention system could certainly be part of the solution. But such systems would only detect breaches, not policy violations, login issues, and so forth.

104. B. The correct answer is to use an SSL accelerator. SSL accelerators are a method of offloading processor-intensive public-key encryption for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) to a hardware accelerator.
Option A is incorrect. A VPN concentrator is a hardware device used to create remote access VPNs. The concentrator creates encrypted tunnel sessions between hosts, and many use two-factor authentication for additional security.
Option C is incorrect. Returning to smaller encryption keys would have a deleterious effect on security.
Option D is incorrect. This may, or may not, correct the problem, but it would entail a significantly greater cost and difficulty than implementing an SSL accelerator.

105. C. Only using code that is digitally signed verifies the creator of the software. For example, if a printer/MFD driver is digitally signed, this gives you confidence that it really is a printer driver from the vendor it purports to be from, and not malware masquerading as a printer driver.
Option A is incorrect. Signed software gives you a high degree of confidence that it is not malware but does not provide a guarantee. For example, the infamous Flame virus was signed with a compromised Microsoft digital certificate.
Option B is incorrect. Digital signing of software has no effect on patch management.
Option D is incorrect. Digitally signed software will not execute faster or slower than nonsigned software.

106. B. VM sprawl refers to a situation in which the network has more virtual machines than the IT staff can effectively manage.
Options A, C, and D are incorrect. These descriptions have nothing to do with the term VM sprawl.

107. C. Stored procedures are commonly used in many database management systems to contain SQL statements. The database administrator, or someone designated by the DBA, creates the various SQL statements that are needed in that business, and then programmers can simply call the stored procedures.
Option A is incorrect. Stored procedures are not related to dynamic linked libraries.
Option B is incorrect. This is close but inaccurate, because stored procedures can be called by other stored procedures that are also on the server.
Option D is incorrect. Stored procedures are not related to middleware.

108. D. Bollards are large barriers that are often made of strong substances like concrete. They are effective in preventing a vehicle from being driven into a building.
Options A, B, and C are incorrect. These do not describe the purpose of a bollard.

109. A. Electromagnetic interference could cause damage to circuitry, including the RAM or CPU chips. At a minimum, it could wipe data from memory and drives.
Options B, C, and D are incorrect. These do not describe the effects of electromagnetic interference.

110. A. VM escape attacks find some method for moving from the VM to the hypervisor and then the host. The most effective way to prevent this is to completely isolate the VM.
Option B is incorrect. Antivirus is always a good idea and may even stop some malware-based VM escape attacks. But isolating the VM is more effective.
Option C is incorrect. Full disk encryption will have no effect since the disk must be unencrypted during operation.
Option D is incorrect. A trusted platform module is used for storing cryptographic keys.

111. C. Security as a Service uses an outside company to handle security tasks. Some or even all security tasks can be outsourced, including IDS/IPS management, SIEM integration, and other security controls.
Option A is incorrect. Software-defined networking would make managing security somewhat easier but would itself be difficult to implement.
Option B is incorrect. Automating as much security activity as is practical would help alleviate the problem but would not be as effective as Security as a Service.
Option D is incorrect. This would mean intentionally not implementing some security controls.

112. B. Cryptographic hashes are used for integrity checking of files, network packets, and a variety of other applications. Storing a cryptographic hash of the application and comparing the application on the network to that hash will confirm (or refute) whether the application has been altered in any way.
Options A and D are both incorrect. Network intrusion detection or network intrusion prevention systems are useful, but they won’t prevent an application from being altered.
Option C is incorrect. Sandboxing is used to isolate an application, but it won’t detect whether it has been tampered with.

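As an added illustration of the hash-based integrity check in answer 112 (example code written for this answer key, not from the book or any product): a manifest of SHA-256 hashes is recorded when the application is deployed, and the files found later are compared against it. The file paths and contents are constructed in memory so the example runs offline; the manifest itself must be stored somewhere the attacker cannot rewrite it, otherwise they simply rehash the altered file.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Record a hash of every application file at deployment time.
    Keep the result on read-only media, in a signed file, or on another host."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_manifest(files: dict[str, bytes], manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the files present now against the stored manifest.
    Reports which files changed, which disappeared, and which were added."""
    report: dict[str, list[str]] = {"modified": [], "missing": [], "unexpected": []}
    for path, expected in manifest.items():
        if path not in files:
            report["missing"].append(path)
        elif not hmac.compare_digest(sha256_hex(files[path]), expected):
            report["modified"].append(path)
    for path in files:
        if path not in manifest:
            report["unexpected"].append(path)
    return report


def demo() -> dict[str, list[str]]:
    # Constructed stand-in for an application's files (not real software).
    deployed = {
        "bin/app": b"\x7fELF...original application bytes...",
        "lib/helper.so": b"\x7fELF...helper library...",
        "etc/app.conf": b"listen = 443\nlog_level = info\n",
    }
    manifest = build_manifest(deployed)

    # Later state of the host: one byte of the binary patched, the helper
    # library removed, and a file the manifest never listed dropped in.
    current = dict(deployed)
    current["bin/app"] = current["bin/app"].replace(b"original", b"0riginal")
    del current["lib/helper.so"]
    current["bin/dropper"] = b"\x7fELF...not part of the release..."
    return verify_manifest(current, manifest)


if __name__ == "__main__":
    print(demo())
```

A single changed byte in `bin/app` produces a completely different digest, which is what makes the comparison reliable; `hmac.compare_digest` is used only so that the comparison time does not depend on where the digests first differ.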
113. C. Separating the SCADA system from the main network makes it less likely that the SCADA system can be affected from the main network. This includes malware as well as human action.
Option A is incorrect. Software-defined networking would make isolating the SCADA system easier but would not actually isolate it.
Option B is incorrect. Patch management is always important, but in this case it would not have prevented the issue.
Option D is incorrect. Encrypted data transmissions, such as TLS, would have no effect on this situation.

114. C. Authentication headers provide complete packet integrity, authenticating the packet and the header.
Options A and B are incorrect. Authentication headers do not provide any encryption at all.
Option D is incorrect. Authentication headers authenticate the entire packet, not just the header.

115. D. Transport Layer Security provides a reliable method of encrypting web traffic. It supports mutual authentication and is considered secure.
Option A is incorrect. Although SSL can encrypt web traffic, TLS was created in 1999 as its successor. Although many network administrators still use the term SSL, in most cases today what you are using is actually TLS, not the outdated SSL.
Options B and C are incorrect. These are protocols for establishing a VPN, not for encrypting web traffic.

116. A. Network taps are analogous to phone taps. They are completely passive methods of getting network traffic to a central location.
Option B is incorrect. Port mirroring would get all the traffic to the NIPS but is not completely passive. It requires the use of resources on switches to route a copy of the traffic. Incorrect switch configurations can cause looping. Configuring loop detection can prevent looped ports.
Option C is incorrect. It is not clear that this answer would even work.
Option D is incorrect. This is not the assignment. Setting up an NIPS on each segment would also dramatically increase administrative efforts.

117. B. Internet key exchange is used to set up security associations on each end of the tunnel. The security associations have all the settings (i.e., cryptographic algorithms, hashes, etc.) for the tunnel.
Options A and C are incorrect. IKE is not directly involved in encrypting or authenticating.
Option D is incorrect. One might argue that by establishing the security associations, IKE is establishing the tunnel. However, answer B is a more accurate answer.

118. A. A DDoS mitigator is a tool or service designed specifically to respond to distributed denial-of-service attacks. Such tools can both inhibit the attacking traffic and temporarily increase bandwidth to prevent legitimate users from being adversely affected by the attack.
Option B is incorrect. Certainly, a web application firewall with stateful packet inspection would help, but it is not the most effective means of addressing this threat.
Option C is incorrect. A network intrusion prevention system would be a good idea and would mitigate this threat. However, it is not the most effective means of mitigating this threat.
Option D is incorrect. This would probably not help in a DDoS with attacks coming from multiple sources.

119. D. Link aggregation switches allow you to combine the bandwidth of multiple links into one connection. This would allow Doug to improve bandwidth to the e-commerce server.
Option A is incorrect. This would reduce the impact on the rest of the network but would not address the bandwidth needs of the e-commerce server.
Options B and C are both incorrect. Each of these would most likely address the problem, but neither is cost effective.

120. C. A correlation engine is software that is used to aggregate events and to seek out correlations. In some cases, this is done with advanced analytic algorithms, including fuzzy logic.
Option A is incorrect. A network intrusion detection system would be helpful but will not (by itself) necessarily correlate events.
Option B is incorrect. A security information event manager will certainly aggregate log information but may not correlate the events.
Option D is incorrect. An aggregation switch simply combines bandwidth.

121. A. The NIPS is not seeing the traffic on that network segment. By implementing port mirroring, the traffic from that segment can be copied to the segment where the NIPS is installed.
Option B is incorrect. This would work but is not the most efficient approach.
Option C is incorrect. Nothing in this scenario suggests that the NIPS is inadequate. It just is not seeing all the traffic.
Option D is incorrect. This would isolate that network segment but would still not allow the NIPS to analyze the traffic from that segment.

122. C. Layer 2 Tunneling Protocol is a VPN technology that supports a wide range of remote access methods, including TACACS+. L2TP also supports a range of protocols, including ATM and X.25.
Option A is incorrect. Point-to-Point Tunneling Protocol is a VPN protocol but won’t support TACACS+.
Option B is incorrect. Remote Authentication Dial-In User Service is a remote access protocol, not a VPN protocol. It is an early predecessor to TACACS+.
Option D is incorrect. Challenge Handshake Authentication Protocol is an authentication protocol, not a VPN protocol.

123. C. Whenever any part of your business process is outsourced, you need to ensure that the vendor meets or exceeds all of your security policies and procedures. Supply chain assessment security is a critical issue.
Options A, B, and D are all incorrect. Each of these is something that needs to be addressed, but the most important issue is the supply chain assessment security.

124. B. Infrared can still detect at night. A burglar is likely to be in the building at dark, so detecting via infrared is important.
Options A and C are both incorrect. It does not matter how the camera is activated (motion or sound); if the area is dark, the camera will not record adequate imagery.
Option D is incorrect. High definition is a good choice if the area is well lit.

125. D. A Faraday cage is a metal wire mesh designed to block electromagnetic interference.
Options A, B, and C are all incorrect. These are not functions of a Faraday cage.

126. B. Smartcards can be used to allow entrance into a building. The smartcard can also store information about the user, and thus the system can log who enters the building.
Option A is incorrect. A security guard with a sign-in sheet would function, but there are many ways to subvert a sign-in sheet, and a guard can be distracted or become inattentive. This makes smartcard access a better solution.
Option C is incorrect. Yes, a camera would record who enters but would not control access. A nonemployee could enter the building.
Option D is incorrect. An uncontrolled/unsupervised sign-in sheet would not be secure.

127. C. Certificate revocation lists are designed specifically for revoking certificates. Since public keys are distributed via certificates, this is the most effective way to deauthorize a public key.
Option A is incorrect. Simply notifying users that a key/certificate is no longer valid is not effective.
Option B is incorrect. Deleting a certificate is not always possible and ignores the possibility of a duplicate of that certificate existing.
Option D is incorrect. The registration authority is used in creating new certificates, not in revoking them.

128. C. Type C fire extinguishers are used for electrical fires, including computer equipment fires.
Option A is incorrect. Type A fire extinguishers are for paper and wood fires.
Option B is incorrect. Type B fire extinguishers are for fuel fires such as gasoline.
Option D is incorrect. Type D fire extinguishers are for chemical fires.

129. C. Of the locks listed here, deadbolts are the most secure. The locking bolt goes into the door frame, making it more secure.
Option A is incorrect. Whether a lock uses a key or combination does not change how secure it is.
Option B is incorrect. Key-in-knob is a very common, and fairly insecure, solution.
Option D is incorrect. Padlocks can be cut off with common bolt cutters.

130. B. Forty percent to 60 percent is considered ideal humidity. High humidity can cause corrosion, and low humidity can cause electrostatic discharge.
Options A, C, and D are all incorrect. These are not the proper humidity values.

131. A. False acceptance rate is the rate at which the system incorrectly allows in someone it should not. This is clearly a significant concern.
Option B is incorrect. Any error is a concern, but the false rejection rate is less troublesome than the false acceptance rate.
Option C is incorrect. The cross-over error rate is when the FAR and FRR become equal. This actually indicates a consistent operation of the biometric system.
Option D is incorrect. The equal error rate is another name for cross-over error rate.

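A worked example, added here and not taken from the book, of how the FAR, FRR and cross-over error rate in answer 131 are derived from a matcher's scores. The two score lists are constructed (higher score means the sample looked more like the enrolled template); the functions sweep the acceptance threshold and show the trade-off the answer describes: pushing FAR down costs FRR, and the cross-over point is where the two meet.

```python
from typing import Sequence

# Constructed sample scores from an imaginary fingerprint matcher, not real data.
# GENUINE: scores when the enrolled person presented; IMPOSTOR: someone else did.
GENUINE = [0.66, 0.72, 0.79, 0.84, 0.87, 0.88, 0.90, 0.91, 0.93, 0.95]
IMPOSTOR = [0.12, 0.22, 0.30, 0.35, 0.41, 0.48, 0.55, 0.61, 0.70, 0.75]


def far_frr(genuine: Sequence[float], impostor: Sequence[float], threshold: float) -> tuple[float, float]:
    """Rates at one threshold; a score at or above the threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # wrong person let in
    frr = sum(s < threshold for s in genuine) / len(genuine)     # right person kept out
    return far, frr


def _candidate_thresholds(genuine: Sequence[float], impostor: Sequence[float]) -> list[float]:
    # Rates only change at observed scores, so those are the thresholds worth testing.
    return sorted(set(genuine) | set(impostor))


def crossover_error_rate(genuine: Sequence[float], impostor: Sequence[float]) -> tuple[float, float, float]:
    """Threshold at which FAR and FRR are closest (the CER / equal error rate),
    returned as (threshold, far, frr)."""
    best = None
    for t in _candidate_thresholds(genuine, impostor):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    return best[1], best[2], best[3]


def threshold_for_max_far(genuine: Sequence[float], impostor: Sequence[float], max_far: float):
    """Lowest threshold that keeps FAR at or below max_far, with the FRR it costs.
    This is the tuning answer 131 implies: cap false acceptance first, then live
    with the resulting false rejections. Returns None if no threshold achieves it."""
    for t in _candidate_thresholds(genuine, impostor):
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, frr
    return None


if __name__ == "__main__":
    print(crossover_error_rate(GENUINE, IMPOSTOR))   # (0.72, 0.1, 0.1)
    print(threshold_for_max_far(GENUINE, IMPOSTOR, 0.0))  # (0.79, 0.2)
```

With these constructed scores the cross-over sits at a threshold of 0.72 with FAR and FRR both at 10 percent, while demanding zero false acceptances forces the threshold up to 0.79 and rejects 20 percent of genuine attempts.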
132. C. Physical locks must always fail open, which is also called fail safe. The safety of employees must take precedence over the safety of property. If the lock does not fail open, then employees could be trapped in the building.
Options A, B, and D are incorrect. Fail secure is the usual term, but it also means fail closed or fail locked. This puts lives at danger. In the case of fire, power will fail, and then the doors would fail locked, trapping people in the building.

133. B. Protected cabling will secure the cable and prevent anyone from eavesdropping. These systems, also called protected distribution systems, use a variety of safeguards so that classified information can be sent unencrypted.
Option A is incorrect. Cat 7 will improve bandwidth, not security.
Option C is incorrect. This is not even a practical solution. To place a Faraday cage around all cable would require extensive rework of the building(s).
Option D is incorrect. That is not a viable option. The scenario indicates that Donald needs to send classified data.

134. A. A secure cabinet is tamper proof and provides a good place to store anything you are trying to physically protect.
Option B is incorrect. This would then require you to store the key used to encrypt the thumb drive, thus continuing the problem.
Option C is incorrect. It is actually a good practice to store BitLocker keys on removable media, provided that media is safeguarded.
Option D is incorrect. Desk drawers are not secure and can easily be broken into.

135. D. RAID 6, disk striping with dual parity, uses a minimum of four disks with distributed parity bits. RAID 6 can handle up to two disks failing.
Option A is incorrect. RAID 1+0 is disk striping with mirroring.
Option B is incorrect. RAID 3, disk striping with dedicated parity, can only handle one disk failing.
Option C is incorrect. RAID 5, disk striping with distributed parity, can only handle one disk failing.

136. D. The correct answer is to use a master image that is properly configured and to create all workstations from that image. This is a standard way large corporations configure systems.
Option A is incorrect. Many things cannot be configured by a single configuration file, so this option simply would not work.
Option B is incorrect. Policies are always a good idea, but this would not ensure that all systems are properly configured.
Option C is incorrect. The operating system and applications are only a part of configuration. This solution would not fully configure the workstations.

137. B. There is now a serious security issue on the web server. The primary concern must be to correct this. Rolling back to the last known good state will immediately correct the problem; then Mike can investigate to find the cause.
Option A is incorrect. This would be too slow, and in the interim the flaw would be on the live website.
Options C and D are both incorrect. These would be the slowest solutions and thus leave the security flaw in place for an unacceptable amount of time.

138. D. A firewall has two types of rules. One type is to allow specific traffic on a given port. The other type of rule is to deny traffic. What is shown here is a typical firewall rule.
Options A, B, and C are incorrect. The rule shown is clearly a firewall rule.

139. A. A web proxy can be used to block certain websites. It is common practice for network administrators to block either individual sites or general classes of sites (like job-hunting sites).
Option B is incorrect. Network address translation is used to translate the private IP addresses of internal computers to public IP addresses.
Option C is incorrect. A firewall can block traffic on a given port or using a particular protocol, but generally they are not able to block specific websites.
Option D is incorrect. Network intrusion prevention systems identify and block attacks. They cannot prevent users from visiting specific websites.

140. D. Load balancing the cluster will prevent any single server from being overloaded. And if a given server is offline, other servers can take on its workload.
Option A is incorrect. A VPN concentrator, as the name suggests, is used to initiate VPNs.
Option B is incorrect. Aggregate switching can shunt more bandwidth to the servers but won’t mitigate the threat of one or more servers being offline.
Option C is incorrect. SSL accelerators are a method of offloading processor-intensive public-key encryption for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) to a hardware accelerator.

141. D. Failure to release memory you have allocated can lead to a memory leak. Therefore, if you are using a programming language like C++ that allows you to allocate memory, make certain you deallocate that memory as soon as you are finished using it.
Options A and C are incorrect. Both of these are good programming practices. However, failure to follow them just leads to wasteful use of memory; it does not lead to a security problem like a memory leak.
Option B is incorrect. Although this is a good idea to prevent buffer overflows, it is not a memory management issue.

142. A. Off-premises clouds are always less expensive and require fewer changes to the existing infrastructure. That is true for public, private, or community clouds.
Option B is incorrect. An on-premises cloud is always the most expensive solution and has a tremendous impact on the existing IT infrastructure. Few companies opt for this approach.
Option C is incorrect. A hybrid solution is better than on-premises but not as good as off-premises.
Option D is incorrect. It need not be a community cloud. An off-premises public cloud or even a private cloud would fulfill the requirements.

143. B. The correct answer is to encrypt all the web traffic to this application using Transport Layer Security (TLS). This is one of the most fundamental security steps to take with any website.
Option A is incorrect. A web application firewall is probably a good idea, but it is not the most important thing for Ryan to implement.
Options C and D are incorrect. Either a network intrusion detection service or network intrusion prevention service may be a good idea, but those should be considered after TLS is configured.

144. C. This is commonly called obfuscation. Many years ago (i.e., late 1990s) it was thought of as a weak security measure. Today it can only be thought of as a possible security flaw and should not be used.
Options A, B, and D are all incorrect. These are not accurate descriptions of what is being done in this scenario.

145. A. Agile programming was developed specifically to speed up development time. Although it is not appropriate for all projects, it has become quite popular.
Option B is incorrect. Usually the opposite occurs, and Agile programming leads to less documentation.
Option C is incorrect. You could argue that if done properly, the many cycles of Agile programming, each with repeated design, lead to more focus on design. But this is not always the case, and it is not the reason companies consider Agile.
Option D is incorrect. You could argue that if done properly, the many cycles of Agile programming, each with repeated testing, lead to more focus on testing. But this is not always the case, and it is not the reason companies consider Agile.

146. D. The most important issue is that the camera itself is tamper proof and that the data stored is tamper proof. Wireless security cameras are an example of home automation and are one of the driving factors behind the IoT movement.
Options A, B, and C are all incorrect. These are important considerations, and you should consider all three of these. But the most important issue is the security of the camera and the video storage.

147. A. A monitor displays data, and it is possible others can see that data. For example, traveling employees with laptops may inadvertently disclose data on their monitor that someone else can see. For this reason, screen filters are recommended for laptops.
Option B is incorrect. This may be theoretically possible but has not been reported to have actually ever occurred. And even if it should be encountered, it is not the primary security issue.
Option C is incorrect. Although the monitor displays login screens, it is not where the actual authentication processing occurs.
Option D is incorrect. Old CRT monitors were very susceptible to this issue. For modern monitors, screen burn is very unlikely to occur. If it is a concern, it is certainly not the primary concern.

148. B. Just like desktops, laptops, and servers, patch management is a fundamental security issue and must be addressed. Many malware outbreaks and other breaches can be prevented by simply having good patch management.
Options A, C, and D are all incorrect. Each of these is a good idea and should at least be considered. However, they apply only to specific security issues, primarily how to handle lost or stolen mobile devices. Patch management affects all mobile devices, even if the device is never lost or stolen, and is thus more important.

149. A. Phishing depends on deceiving the user. The only true protection against that is proper user training. There are some technologies that can reduce the chance of phishing emails getting through, but none can stop all phishing emails. The best protection is user training.
Option B is incorrect. Network intrusion prevention systems are usually not effective against phishing emails.
Options C and D are incorrect. Both of these should block at least some phishing emails. But no filter can block all phishing emails; therefore, user training is the most important security measure against phishing.

150. D. Regulatory requirements are enforced by law. You must implement these; therefore, they are the most important.
Options A, B, and C are incorrect. Each is very important, and you should implement all three. But they are less important than regulatory requirements.

Chapter 4: Identity and Access Management
1. B. Type II authentication is something you have. A smartcard is a physical item that you have. Though more sophisticated than a key, ultimately it is still just something you have.
Option A is incorrect. Type I is something you know, such as a password or PIN.
Option C is incorrect. Type III is something you are, such as biometrics.
Option D is incorrect. Strong authentication uses at least two different types, such as Type I and Type II.
2. A. The correct answer is that Kerberos uses various tickets, each with a time limit. The service tickets are typically only good for 5 minutes or less. This means that if NTP is failing, valid tickets may appear to be expired.
Options B, C, and D are incorrect. None of these are likely to have any significant effect due to NTP failure.
3. C. The correct answer is that Challenge Handshake Authentication Protocol (CHAP) periodically has the client reauthenticate. This is transparent to the user, but specifically is done to prevent session hijacking.
Option A is incorrect. Password Authentication Protocol is actually quite old and does not reauthenticate. In fact, it even sends the password in clear text, so it should not be used any longer.
Option B is incorrect. SPAP (Shiva Password Authentication Protocol) adds password encryption to PAP but does not reauthenticate.
Option D is incorrect. OAUTH is used in web authentication and does not reauthenticate.
4. C. Type III authentication is biometrics. Anything based on biology, or “something you are,” is Type III.
Option A is incorrect. Type I is something you know, such as a password or PIN.
Option B is incorrect. Type II is something you have, such as a card or key.
Option D is incorrect. Strong authentication uses at least two different types, such as Type I and Type II.
5. D. A service account is the most appropriate in this scenario. Service accounts are given the least privileges the service needs and are used by the service, without the need for a human user.
Option A is incorrect. You could assign a user account, but that is not as good a solution as using a service account.
Option B is incorrect. A guest account would never be a good idea for a service. Guest accounts are typically too limited. It’s common practice to disable default accounts such as the Guest account.
Option C is incorrect. An admin account would give too many privileges to the service and violate the principle of least privileges.
6. A. Shibboleth is a middleware solution for authentication and identity management that uses SAML (Security Assertion Markup Language) and works over the Internet.
Option B is incorrect. OAUTH (Open Authorization) allows an end user’s account information to be used by third-party services, without exposing the user’s password.
Option C is incorrect. Shiva Password Authentication Protocol (SPAP) is an older authentication method that simply encrypted the username and password in transit.
Option D is incorrect. Challenge Handshake Authentication Protocol (CHAP) periodically re-authenticates the user.
7. D. NTLM (NT Lan Manager) was the method used in Windows for many years. It was eventually replaced by NTLM v2 for many years, and Microsoft networks now use Kerberos.
Option A is incorrect. Password Authentication Protocol (PAP) is a very old authentication protocol that sent username and password in clear text.
Option B is incorrect. Challenge Handshake Authentication Protocol (CHAP) periodically re-authenticates the user.
Option C is incorrect. Open Authorization (OAUTH) allows an end user’s account information to be used by third-party services, without exposing the user’s password.
8. A. Mandatory Access Control (MAC) is the correct solution. It will not allow lower privilege users to even see the data at a higher privilege level.
Option B is incorrect. Discretionary Access Control (DAC) has each data owner configure his or her own security.
Option C is incorrect. Role-Based Access Control (RBAC) could be configured to meet the needs, but is not the best solution for these requirements.
Option D is incorrect. Security Assertion Markup Language (SAML) is not an access control model.
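To make the MAC versus DAC contrast in answer 8 concrete, here is an added example (written for this answer key, not from the book or any product): a MAC check that hides higher-labelled objects from a lower-cleared subject, next to a DAC object whose owner can extend its access list to anyone. The sensitivity levels, users and object names are constructed.

```python
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity labels, ordered so that >= means 'at least as sensitive'."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2


# Constructed objects whose labels were assigned by policy, not by their owners.
OBJECTS = {
    "press_release": Level.PUBLIC,
    "customer_list": Level.CONFIDENTIAL,
    "merger_plan": Level.SECRET,
}


def mac_can_read(clearance: Level, label: Level) -> bool:
    """MAC 'no read up': a subject may read only objects at or below its clearance."""
    return clearance >= label


def mac_visible(clearance: Level, objects: dict[str, Level]) -> list[str]:
    """Under MAC a lower-cleared user does not even learn that higher objects exist."""
    return [name for name, label in objects.items() if mac_can_read(clearance, label)]


class DacObject:
    """DAC: the data owner keeps the access list and may extend it at will."""

    def __init__(self, name: str, owner: str) -> None:
        self.name = name
        self.owner = owner
        self.readers = {owner}

    def grant_read(self, granter: str, grantee: str) -> None:
        if granter != self.owner:
            raise PermissionError(f"{granter} does not own {self.name}")
        self.readers.add(grantee)

    def can_read(self, user: str) -> bool:
        return user in self.readers


def dac_leak_demo() -> bool:
    """Why DAC does not meet the requirement: the owner of a secret document can
    hand it to a user who holds no clearance for it, and nothing in DAC stops that."""
    plan = DacObject("merger_plan", owner="ceo")
    plan.grant_read("ceo", "intern")
    return plan.can_read("intern")


if __name__ == "__main__":
    print(mac_visible(Level.CONFIDENTIAL, OBJECTS))  # ['press_release', 'customer_list']
    print(dac_leak_demo())                            # True
```

The MAC listing for a CONFIDENTIAL user omits `merger_plan` entirely, which is the "not even see the data" property the answer relies on; the DAC object has no notion of clearance at all, so the grant succeeds.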
9. D. Lightweight Directory Access Protocol Secure (LDAPS) will use TLS to protect the LDAP information, thus mitigating the risk of an attacker gathering information about network resources.
Option A is incorrect. LDAP (Lightweight Directory Access Protocol) contains information about network resources, which is what Clarice is trying to protect.
Option B is incorrect. Transport Layer Security (TLS) is used to secure data, but TLS alone can secure any transmission. Therefore, it needs to be combined with the data you are securing.
Option C is incorrect. Simple Network Management Protocol (SNMP) does have information about network resources, but not as much information as LDAP. Also, all networks have LDAP, but not all networks have SNMP.
10. B. Kerberos does not send the user’s password across the network. When the user’s name is sent to the authentication service, the service retrieves the hash of the user’s password from the database, and then uses that as a key to encrypt data to be sent back to the user. The user’s machine takes the password that the user entered, hashes it, and then uses that as a key to decrypt what was sent back by the server.
Option A is incorrect. CHAP sends the user’s password encrypted.
Option C is incorrect. RBAC is an access control model, not an authentication protocol.
Option D is incorrect. Type II authentication is something you have, such as a key or card.

11. C. OAUTH (Open Authorization) is an open standard for token-based authentication and authorization on the Internet and allows an end user’s account information to be used by third-party services, without exposing the user’s password.
Option A is incorrect. Kerberos is a network authentication protocol and is not used for cross-domain/service authentication.
Option B is incorrect. Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties.
Option D is incorrect. OpenID is an authentication service often provided by a third party, and it can be used to sign in to any website that accepts OpenID. It would be possible for this to work, but only with websites that support OpenID, so it is not as good a solution as OAUTH.
12. A. Remote Authentication Dial-In User Service (RADIUS) is a protocol specifically designed for remotely accessing a network.
Option B is incorrect. Kerberos could be used to authenticate these users, but by itself cannot connect them.
Option C is incorrect. CHAP could be used to authenticate these users, but by itself cannot connect them.
Option D is incorrect. OpenID is an authentication service often provided by a third party, and it can be used to sign in to any website that accepts OpenID. It is not used for remotely accessing a network.

13. B. NTLM is an older Windows authentication protocol. Microsoft no longer recommends it except for certain specific situations. One of those is attempting to authenticate to a server that is not part of the domain.
Option A is incorrect. Kerberos is used in Windows domains, but cannot be used to authenticate to a server not in the domain. Microsoft recommends using NTLM for this purpose.
Option C is incorrect. OpenID is an authentication service often provided by a third party, and it can be used to sign in to any website that accepts OpenID.
Option D is incorrect. CHAP is not specifically used for Windows, and while it might be used in this scenario, NTLM is the recommendation of Microsoft.
14. A. The correct answer is that OpenID is an authentication service often provided by a third party, and it can be used to sign in to any website that accepts OpenID.
Option B is incorrect. Kerberos is a network authentication protocol for use within a domain.
Option C is incorrect. NTLM is an older Windows authentication protocol.
Option D is incorrect. Shibboleth is a single sign-on system, but it works with federated systems.

15. A. Cross-over Error Rate (CER), also sometimes called Equal Error Rate (EER), is the point at which the false rejection rate and the false acceptance rate are the same.
Options B, C, and D are incorrect. These are not correct terms for this situation.

16. D. A Time-based One-time Password (TOTP) can only be used once and is only valid for a brief period of time after it is issued. Users can request a password reset, and a TOTP can be sent over some alternate communication channel, such as a text message to their phone.
Option A is incorrect. Many users won’t have the equipment to support facial recognition.
Option B is incorrect. Not all users will have digital certificates.
Option C is incorrect. Role-Based Access Control won’t solve this problem.

17. C. IEEE 802.1x port-based network access control (PNAC) is a network authentication protocol that can integrate with RADIUS for remote access, and can use digital certificates to authenticate clients.
Option A is incorrect. CHAP does not use digital certificates.
Option B is incorrect. 802.11i is the IEEE wireless security standard.
Option D is incorrect. OAuth (Open Authorization) is an open standard for token-based authentication and authorization on the Internet and allows an end user’s account information to be used by third-party services, without exposing the user’s password.
18. D. A Database Activity Monitoring and Prevention (DAMP) system would be the most effective of the choices given. These systems work like an IPS, but specifically for databases.
Option A is incorrect. Attribute-Based Access Control (ABAC) can be a powerful way to control access in any system. However, DAMP is specifically designed for databases, so it would be the best choice in this scenario.
Option B is incorrect. A Time-based One-time Password (TOTP) is not for regular use, as each user would need a new password each time they need to access the database.
Option C is incorrect. A Host-Based Intrusion Detection System (HIDS) doesn’t prevent access; it simply records anomalous behavior.

19. A. Attribute-Based Access Control (ABAC) looks at a group of attributes, in addition to the login username and password, to make decisions about whether or not to grant access. One of the attributes examined is the location of the person. Since the users in this company travel frequently, they will often be at new locations, and that might cause ABAC to reject their logins.
Option B is incorrect. Wrong passwords can certainly prevent login, but are not specific to ABAC.
Option C is incorrect. ABAC does not prevent remote access.
Option D is incorrect. A firewall can be configured to allow, or prohibit, any traffic you wish.
20. B. Personal Identity Verification (PIV) is standardized in FIPS 201 (Federal Information Processing Standard Publication 201) for use with federal employees.
Option A is incorrect. Common Access Cards (CACs) are for U.S. military personnel.
Option C is incorrect. Near Field Communication (NFC) cards might be used, but PIV cards are more appropriate for DoD contractors.
Option D is incorrect. Smartcard is a generic term. Both PIV and CAC are smartcards.

21. B. Single Sign-On (SSO) is designed specifically to address this risk. Users have only a single logon to remember; thus, they have no need to write down the password.
Option A is incorrect. OAuth (Open Authorization) is an open standard for token-based authentication and authorization on the Internet. It does not eliminate the use of or need for multiple passwords.
Option C is incorrect. OpenID is a third-party authentication service but does not eliminate the use of or need for multiple passwords.
Option D is incorrect. Kerberos is an authentication service but does not eliminate the use of or need for multiple passwords.
22. D. Rule-Based Access Control applies a set of rules to an access request. Based on the application of the rules, the user may be given access to a specific resource that they were not explicitly granted permission to.
Options A, B, and C are all incorrect. None of these could give a user access unless that user has already been explicitly given said access.

23. A. The False Acceptance Rate (FAR) indicates how often the system will accept an invalid login. This is a measure of the mistakes a biometric system makes, and the lower the rate, the better.
Options B, C, and D are all incorrect. These are all inaccurate.

24. B. Tokens are physical devices that often contain cryptographic data for authentication. They can store digital certificates for use with authentication.
Option A is incorrect. OAuth (Open Authorization) is an open standard for token-based authentication and authorization on the Internet. The user still must remember a password.
Option C is incorrect. OpenID is a third-party authentication service; the user still must remember a password.
Option D is incorrect. Role-Based Access Control and Rule-Based Access Control (which both use the acronym RBAC) are access control models.
25. D. Least privileges is the most fundamental concept in establishing accounts. Each user should have only just enough privileges to do his or her job. This also applies to service accounts.
Options A, B, and C are all incorrect. Each of these is something you would consider, but none is as important as least privileges.

26. A. Restricting each faculty account so that it is only usable when that particular faculty member is typically on campus will prevent someone from logging in with that account after hours, even if he or she has the password.
Option B is incorrect. Usage auditing may detect misuse of accounts, but will not prevent it.
Option C is incorrect. Longer passwords are effective security, but they are not the most effective answer to this question.
Option D is incorrect. Credential management is always a good idea, but won’t address this specific issue.

27. A. A permissions audit will find what permissions each user has and compare that to his or her job requirements. Permissions audits should be conducted periodically.
Option B is incorrect. Job rotation, while beneficial for other security reasons, will actually exacerbate this problem.
Option C is incorrect. It is impractical to forbid anyone from ever changing job roles.
Option D is incorrect. Separation of duties would have no impact on this issue.
28. C. Password complexity requires that passwords have a mixture of uppercase letters, lowercase letters, numbers, and special characters. This would be the best approach to correct the problem described in the question.
Option A is incorrect. Longer passwords are a good security measure, but will not correct the issue presented here.
Option B is incorrect. Changing passwords is a good security measure, but won’t make those passwords any stronger.
Option D is incorrect. Single Sign-On (SSO) will have no effect on the strength of passwords.

29. B. TACACS+ (Terminal Access Controller Access Control System Plus) uses TCP rather than UDP, and is therefore more reliable. It also supports a wide range of protocols.
Option A is incorrect. RADIUS uses UDP, an unreliable protocol, and does not support many protocols.
Option C is incorrect. NTLM is the Windows authentication protocol.
Option D is incorrect. CHAP is an authentication protocol, not a remote access protocol.

30. C. HMAC-based One-Time Password (HOTP) is a one-time password algorithm that is used by the Initiative for Open Authentication.
Option A is incorrect. CHAP is an authentication protocol but is not a one-time password.
Option B is incorrect. A Time-based One-time Password (TOTP) algorithm does work with the Initiative for Open Authentication, but it is time limited. The password must be used within a short time of being issued.
Option D is incorrect. Attribute-Based Access Control (ABAC) is a method for controlling access to your system.
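Answers 16 and 30 (and the token types in answer 70) describe HOTP and TOTP only in words; the following is an added example, not code from the practice-test book, implementing both from RFC 4226/6238 with the standard library, together with the server-side bookkeeping that makes a code usable only once. The secret is the RFC test-vector key and the window sizes are my assumptions.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238), plus the checks that make them one-time.

Added example, not part of the practice-test book. Standard library only.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test-vector secret (20 bytes); constructed for the example.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter (event-based: no clock involved)."""
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation (RFC 4226 s5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Server side: HOTP via a moving counter with a look-ahead window (the
    token is 'asynchronous', answer 70), TOTP via a small clock-skew window
    plus a record of time steps already used, so a code is accepted once only."""

    def __init__(self, secret: bytes, hotp_window: int = 3,
                 totp_skew_steps: int = 1, step: int = 30) -> None:
        self.secret = secret
        self.hotp_counter = 0              # next counter value the server expects
        self.hotp_window = hotp_window     # assumption: how far ahead to resync
        self.skew = totp_skew_steps        # assumption: +/- one 30 s step of drift
        self.step = step
        self.used_totp_steps = set()       # time steps whose code was already spent

    def verify_hotp(self, code: str) -> bool:
        # Accept the expected counter or a few ahead (the user may have pressed
        # the button without logging in), then move past it: no replay possible.
        for c in range(self.hotp_counter, self.hotp_counter + self.hotp_window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.hotp_counter = c + 1
                return True
        return False

    def verify_totp(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for t in range(current - self.skew, current + self.skew + 1):
            if t in self.used_totp_steps:
                continue                   # replay of a code already accepted
            if hmac.compare_digest(hotp(self.secret, t), code):
                self.used_totp_steps.add(t)
                return True
        return False


if __name__ == "__main__":
    print(hotp(RFC_TEST_SECRET, 0))                  # RFC 4226 vector: 755224
    print(totp(RFC_TEST_SECRET, 59, digits=8))       # RFC 6238 vector: 94287082
    v = OtpVerifier(RFC_TEST_SECRET)
    print(v.verify_hotp("755224"), v.verify_hotp("755224"))   # True False
```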
31. D. The original TACACS, defined in RFC 1492, can use either UDP or TCP.
Option A is incorrect. RADIUS uses only UDP.
Option B is incorrect. DIAMETER uses only TCP.
Option C is incorrect. TACACS+ uses only TCP.

32. B. Voice recognition systems have to be trained to recognize the voices of authorized users, and that training takes time.
Option A is incorrect. Minor and normal changes to a person’s voice will not prevent voice recognition from recognizing the user.
Options C and D are incorrect. Voice recognition does not have a false negative or false positive rate that is particularly higher than that of other biometrics.

33. A. The correct answer is that facial recognition is among the most expensive biometrics to implement.
Option B is incorrect. They cannot be fooled easily. Adding glasses, changing hair color, or even gaining or losing some weight will not prevent most facial recognition systems from functioning properly.
Option C is incorrect. Facial recognition systems actually have very low false positive rates.
Option D is incorrect. Most of these systems only need a few seconds.
34. D. Rainbow table attacks are best mitigated by longer passwords. Generating rainbow tables is computationally intensive, and longer passwords (over 14 characters) cannot be cracked by most rainbow tables.
Options A, B, and C are incorrect. These are all password issues that should be addressed, but they have no impact on rainbow tables.

35. A. Disabling the account will leave all resources intact, including history and logs, but will render the account unusable.
Option B is incorrect. At some point, the account will be deleted, but not immediately. Deleting the account could render some resources inaccessible.
Option C is incorrect. Changing the account password is effective, but not as effective as disabling the account. It is always possible for any password to be compromised.
Option D is incorrect. This is a very significant security violation.

36. C. Biometric security is any security based on a user’s physical characteristics.
Option A is incorrect. CHAP is an authentication protocol.
Option B is incorrect. Multi-factor authentication is authentication using at least one method from each of two categories of authentication. That might include biometrics, but might not.
Option D is incorrect. A token is a physical item you have that is used for authentication.

37. B. TACACS uses TCP and UDP port 49.
Option A is incorrect. IMAP4 uses TCP port 143.
Option C is incorrect. SSL uses TCP port 443 for web communications.
Option D is incorrect. DNS queries use UDP port 53.
38. B. Mandatory Access Control (MAC) is based on documented security levels associated with the information being accessed.
Option A is incorrect. Role-Based Access Control (RBAC) is based on the role the user is placed in.
Option C is incorrect. Discretionary Access Control (DAC) lets the data owner set access control.
Option D is incorrect. BBC is not an access control model.

39. B. All accounts should have just enough privileges to execute their job functions. This is referred to as least privileges.
Option A is incorrect. Separation of duties means that no one person can perform all the steps of a critical task.
Option C is incorrect. Transitive trust is when party A trusts party B and B trusts party C; therefore, A trusts C.
Option D is incorrect. Account management is a general set of guidelines for managing accounts.
40. A. Discretionary Access Control (DAC) allows data owners to assign permissions.
Option B is incorrect. Role-Based Access Control (RBAC) assigns access based on the role the user is in.
Option C is incorrect. Mandatory Access Control (MAC) is stricter.
Option D is incorrect. Attribute-Based Access Control (ABAC) considers various attributes such as location, time, computer, etc., in addition to username and password.

41. D. Secure Lightweight Directory Access Protocol (LDAPS) uses port 636 by default.
Option A is incorrect. DNS uses port 53.
Option B is incorrect. LDAP (without security) uses port 389.
Option C is incorrect. Secure HTTP (HTTPS) uses port 443.

42. B. Role-Based Access Control (RBAC) grants permissions based on the user’s position within the organization.
Option A is incorrect. Mandatory Access Control (MAC) uses security classifications to grant permissions.
Option C is incorrect. Discretionary Access Control (DAC) allows data owners to set permissions.
Option D is incorrect. Attribute-Based Access Control (ABAC) considers various attributes such as location, time, computer, etc., in addition to username and password.

43. D. Dual-factor authentication requires at least one authentication method from each of at least two categories. The categories are: Type I, which is something you know; Type II, which is something you have; and Type III, which is something you are. Option D is correct because it names authentication methods from two different categories: Type III (iris scan) and Type I (password).
Option A is incorrect. Both of these are Type I.
Option B is incorrect. These are not authentication methods.
Option C is incorrect. These are not authentication methods.
44. D. The Key Distribution Center (KDC) issues tickets. The tickets are generated by the ticket-granting service, which is usually part of the KDC.
Option A is incorrect. The authentication service simply authenticates the user.
Option B is incorrect. X.509 certificates and certificate authorities are not part of Kerberos.
Option C is incorrect. The ticket-granting service does generate the ticket, but the KDC issues it.

45. B. Two-factor authentication requires at least one authentication method from each of at least two categories. The categories are: Type I, which is something you know; Type II, which is something you have; and Type III, which is something you are. The question has two types: Type III (something you are) and Type I (something you know).
Option A is incorrect. A token is something you have (Type II).
Option C is incorrect. Kerberos is not related to this question.
Option D is incorrect. Biometrics is something you are (Type III).
46. A. Digital certificates use the X.509 standard (or the PGP standard) and allow the user to digitally sign authentication requests.
Option B is incorrect. OAUTH allows an end user’s account information to be used by third-party services, without exposing the user’s password. It does not use digital certificates or support digital signing.
Option C is incorrect. Kerberos does not use digital certificates, nor does it support digital signing.
Option D is incorrect. Smartcards can contain digital certificates, but don’t necessarily have them.

47. C. SAML (Security Assertion Markup Language) is an Extensible Markup Language (XML) framework for creating and exchanging security information between partners online. The integrity of users is the weakness in the SAML identity chain. To mitigate this risk, SAML systems need to use timed sessions, HTTPS, and SSL/TLS.
Option A is incorrect. LDAP (Lightweight Directory Access Protocol) is a protocol that enables a user to locate individuals and other resources such as files and devices in a network.
Option B is incorrect. TACACS+ is a protocol that is used to control access into networks. TACACS+ provides authentication and authorization in addition to accounting of access requests against a central database.
Option D is incorrect. Transitive trust is a two-way relationship that is automatically created between a parent and a child domain in a Microsoft Active Directory forest. It shares resources with its parent domain by default and enables an authenticated user to access resources in both the child and parent domain.
48. C. A permissions audit will tell Greg exactly what the current situation is. He must know what is occurring now in order to address any weaknesses.
Option A is incorrect. Minimum password length is a good idea, but he first needs to know the current situation.
Option B is incorrect. Password lockout is a good idea, but he first needs to know the current situation.
Option D is incorrect. It’s important to ensure least privileges, but Greg must first conduct a permissions audit in order to determine whether this principle is being adhered to or not.

49. D. An essential part of account maintenance is checking all accounts to ensure there are no active accounts for employees who are no longer with the company.
Option A is incorrect. Two-factor authentication is always preferred, but is not part of account maintenance.
Option B is incorrect. Time-of-day restrictions are optional. If they are implemented, then that would be a part of account maintenance, but option D is a better answer because it is always a part of account maintenance.
Option C is incorrect. Onboarding is critical (as is offboarding), but is not generally considered a part of account maintenance.

50. C. Location-based policies can be used to prevent any login that is not from within the physical network. In this scenario, since no employees work remotely, such a policy would be practical, and it would prevent an attacker from using an employee’s login from outside the network.
Option A is incorrect. Kerberos is an effective authentication protocol, but if the attacker has the user’s login credentials, Kerberos cannot prevent them from logging in.
Option B is incorrect. Time-based One-Time Passwords (TOTPs) are not practical for daily use.
Option D is incorrect. Group-based access control would do nothing to prevent an attacker who had the credentials of a legitimate user.

51. B. If the system maintains a password history, that would prevent any user from reusing an old password. Common password histories can be up to 24 passwords.
Option A is incorrect. Password complexity is always preferred, but is not part of account maintenance.
Options A and C are incorrect. Password length and complexity are very important but would not mitigate this issue.
Option D is incorrect. The password age indicates how frequently a password must be changed, and does not affect password reuse.

52. A. Auditing and reviewing how users actually utilize their account permissions would be the best way to determine if there is any inappropriate use. A classic example would be a bank loan officer. By the nature of their job, they have access to loan documents. But they should not be accessing loan documents for loans they are not servicing.
Option B is incorrect. The issue in this case is not permissions, because the users require permission to access the data. The issue is how the users are using their permissions.
Option C is incorrect. Usage auditing and permissions auditing are both part of account maintenance, but option A directly addresses the issue in this question.
Option D is incorrect. This is not a policy issue.
53. B. A scenario such as guest WiFi access does not provide the logins with any access to corporate resources. The people logging in merely get to access the Internet. This poses very limited security risk to the corporate network, and thus is often done with a common or shared account.
Option A is incorrect. Tech support personnel generally have significant access to corporate network resources.
Option C is incorrect. While this is a relatively low-access scenario, it is still important to know which specific student is logging on and accessing what resources.
Option D is incorrect. Any level of access to corporate resources should have its own individual login account.

54. B. While password length is important, it is not part of password complexity.
Options A, C, and D are all incorrect. These are all part of password complexity. Password complexity means passwords contain uppercase letters, lowercase letters, numbers, and symbols.

55. A. Credential management is expressly designed for this, and it is explicitly for federated identities. In fact, Microsoft has a credential management API that programmers can use to implement this.
Option B is incorrect. OAUTH allows an end user’s account information to be used by third-party services, without exposing the user’s password, and is used for services, not federated identities. Even the service being logged onto won’t know the password.
Option C is incorrect. Kerberos is a network/domain authentication protocol.
Option D is incorrect. Shibboleth is a middleware solution for authentication and identity management that uses SAML (Security Assertion Markup Language) and works over the Internet.

56. B. A formal password recovery process is needed. This allows users the possibility of recovering forgotten passwords.
Option A is incorrect. This might work (or it may not), but would have a negative impact on security.
Option C is incorrect. This might work (or it may not), but would have a negative impact on security.
Option D is incorrect. This might work (or it may not), but would have a negative impact on security.

57. D. Password expiration would mean that even if the exiting employee’s login is not disabled, the password will simply expire without anyone having to take any action.
Option A is incorrect. Password complexity won’t address this issue. That would simply make a password harder to guess.
Option B is incorrect. Offboarding would help in this situation and should be implemented. But password expiration would occur automatically, even if offboarding procedures are not followed. That is why password expiration is a better answer.
Option C is incorrect. Onboarding involves bringing a new employee into the team, not the process of exiting an employee.
58. D. 802.1x is the IEEE standard for port-based Network Access Control. This protocol is frequently used to authenticate devices.
Option A is incorrect. Challenge Handshake Authentication Protocol (CHAP) is an authentication protocol, but not the best choice for device authentication.
Option B is incorrect. Kerberos is an authentication protocol, but not the best choice for device authentication.
Option C is incorrect. 802.11i is the WiFi security standard, and is fully implemented in WPA2. It is not a device authentication procedure.

59. C. Multi-factor authentication uses at least one authentication method from each of at least two of the three categories. For example, a password (Type I: something you know) and a swipe card (Type II: something you have). Multi-factor authentication is the strongest authentication.
Options A, B, and D are all incorrect. Each of these is a good method of authentication, but they are all simply one single factor.

60. B. Lightweight Directory Access Protocol (LDAP) is often described as a phone book for your network. It lists all the network resources. Various attacks on LDAP can give the attacker a very thorough inventory of your network. Furthermore, an attacker can remove an item from LDAP and thus render it inaccessible. LDAP can be secured with TLS, and thus become LDAPS (LDAP Secure).
Option A is incorrect. Simple Network Management Protocol (SNMP) would give an attacker a great deal of information about your network, but not all. Also, it would not allow the attacker to make resources unavailable.
Option C is incorrect. Hypertext Transfer Protocol (HTTP) is used for web pages.
Option D is incorrect. Dynamic Host Configuration Protocol (DHCP) is used to dynamically assign IP addresses.

61. C. Password Authentication Protocol (PAP) is a very old protocol that sent the username and password in clear text. This should no longer be used.
Options A, B, and D are all correct; however, these are not the most significant issues with PAP.

62. A. With larger organizations, group-based access control is usually the most effective. Users are placed in groups (student, faculty, IT staff, support staff, administration, etc.), and permissions are managed for the group.
Option B is incorrect. Location-based access control would not help manage the large number of users.
Option C is incorrect. MAC is very secure, but requires granular account management that is impractical with such a large group.
Option D is incorrect. DAC would simply not be secure enough for most situations.

63. A. Periodic recertification of accounts is critical. The recertification process verifies that the account holder still requires the permissions they have been granted.
Option B is incorrect. Usage auditing could be done to support recertification, but is not as important as the recertification process.
Option C is incorrect. Standard naming conventions would not help.
Option D is incorrect. Account recovery won’t help in managing permissions.

64. D. While you should use standard naming conventions, the names of accounts should not reflect the actual account role.
Options A, B, and C are all incorrect. Each of these clearly indicates the role of the account holder.
65. B. Access control to files and directories is the most fundamental aspect of file system security. This includes selecting the correct access control methodology (MAC, DAC, RBAC).
Option A is incorrect. Encryption is a very good technique for file system security, but is not the most fundamental.
Option C is incorrect. Auditing is definitely recommended for file system security, but is not the most fundamental activity.
Option D is incorrect. RAID provides fault tolerance, which is certainly necessary for servers, but is not the most fundamental form of file system security.

66. B. While there are multiple issues with this account, the password length is the most significant. Shorter passwords are inherently insecure.
Option A is incorrect. Even for a low-security account, these parameters are too insecure.
Options C and D are both incorrect. Both of these are issues, but the short password length is the most significant. If the password were complex and long (perhaps over 14 characters), then the lack of password history and the password age would be less serious issues.
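Answers 28, 34, 51, 54 and 66 each name one password-policy control; the following added example, not the book's code, checks a proposed password against all of them at once: minimum length (over 14 characters, per answer 34), four-class complexity, a 24-deep salted-hash history (answer 51), and password age (answer 57). The 90-day maximum age, the PBKDF2 iteration count, and all sample passwords are my assumptions.

```python
"""Password policy checks: length, complexity, history and age.

Added example, not from the practice-test book. Standard library only; past
passwords are kept only as salted PBKDF2-HMAC-SHA256 hashes, never in clear.
"""
import hashlib
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PBKDF2_ROUNDS = 50_000     # assumption; kept modest so the example runs quickly


@dataclass
class PasswordPolicy:
    min_length: int = 15            # answers 34/66: more than 14 characters
    require_complexity: bool = True  # answers 28/54: four character classes
    history_depth: int = 24         # answer 51: histories of up to 24 passwords
    max_age_days: int = 90          # assumption: expiry without anyone acting


@dataclass
class Account:
    """Only (salt, hash) pairs of past passwords are stored, newest last."""
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    last_changed: float = 0.0


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def complexity_failures(password: str) -> List[str]:
    """Names the character classes that are missing; empty list means complex."""
    checks = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() and not c.isspace() for c in password),
    }
    return [name for name, ok in checks.items() if not ok]


def in_history(account: Account, password: str) -> bool:
    """True if the candidate matches any retained past password (constant-time compare)."""
    return any(
        secrets.compare_digest(_hash(password, salt), digest)
        for salt, digest in account.history
    )


def check_new_password(policy: PasswordPolicy, account: Account, password: str) -> List[str]:
    """Returns every policy violation; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"too short: {len(password)} < {policy.min_length}")
    if policy.require_complexity:
        missing = complexity_failures(password)
        if missing:
            problems.append("missing character classes: " + ", ".join(missing))
    if in_history(account, password):
        problems.append(f"reused: matches one of the last {policy.history_depth} passwords")
    return problems


def set_password(policy: PasswordPolicy, account: Account, password: str,
                 now: Optional[float] = None) -> None:
    """Records the new password hash and trims the history to the policy depth."""
    salt = os.urandom(16)
    account.history.append((salt, _hash(password, salt)))
    account.history = account.history[-policy.history_depth:]
    account.last_changed = time.time() if now is None else now


def password_expired(policy: PasswordPolicy, account: Account,
                     now: Optional[float] = None) -> bool:
    """Age check: an expired password stops working even if offboarding is missed."""
    now = time.time() if now is None else now
    return now - account.last_changed > policy.max_age_days * 86400


if __name__ == "__main__":
    policy, acct = PasswordPolicy(), Account()
    print(check_new_password(policy, acct, "Passw0rd"))   # constructed weak sample
    set_password(policy, acct, "Correct-Horse-Battery-Staple-9", now=0.0)
    print(check_new_password(policy, acct, "Correct-Horse-Battery-Staple-9"))
```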
67. C. Disabling all accounts for the exiting user should happen immediately.
Options A and B are both incorrect. While each of these might be done, they would not be done before disabling the accounts.
Option D is incorrect. You should not delete the accounts. That might render some data (logs, files, etc.) inaccessible. Simply disable the account.

68. D. TACACS+ can use TCP or UDP, though it is more common to use TCP. It should also be noted that TACACS+ is not backward compatible.
Options A, B, and C are all incorrect. These do not accurately describe TACACS vs. TACACS+.

69. D. CHAP uses a hash, often MD5, for authentication, as does MS-CHAPv2. However, MS-CHAPv2 provides for mutual authentication, whereas CHAP only provides for authenticating the client to the server.
Options A and C are incorrect. Neither one of these uses AES.
Option B is incorrect. CHAP does not provide mutual authentication; MS-CHAPv2 does.

70. B. With a challenge-response token, the system encrypts some value (often a random number) with the user’s public key. If the user’s token holds the correct private key, it can decrypt the value the system sent and return it, which confirms that the token holds that key.
Option A is incorrect. An asynchronous password token generates a one-time password without the use of a clock.
Option C is incorrect. TOTP is a time-synchronized one-time password.
Option D is incorrect. A static password token simply contains a password.
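The exchange described in the answer to question 70, as an added example that is not part of the book: a toy textbook-RSA challenge-response flow with constructed small keys (real tokens use full-size keys, padding, and a signed or authenticated challenge), showing the server’s steps, the token’s steps, and a token holding the wrong private key failing the check.

```python
"""Challenge-response token simulation (added example; toy textbook RSA).

Flow, as in the answer to question 70:
  1. the system (server) picks a random value and encrypts it with the
     user's public key;
  2. the user's token decrypts it with the private key it holds;
  3. the server accepts only if the returned value equals what it sent.
All key material below is constructed for illustration only.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def make_keypair(p: int, q: int, e: int = 17) -> tuple[PublicKey, PrivateKey]:
    """Textbook RSA key pair from two (toy, constructed) primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e mod phi (Python 3.8+)
    return PublicKey(n, e), PrivateKey(n, d)


def issue_challenge(pub: PublicKey, rng=secrets.randbelow) -> tuple[int, int]:
    """Server side: pick a random nonce and encrypt it with the user's public key.
    Returns (nonce the server remembers, ciphertext sent to the token)."""
    nonce = 2 + rng(pub.n - 3)          # 2 <= nonce <= n - 2
    ciphertext = pow(nonce, pub.e, pub.n)
    return nonce, ciphertext


def token_respond(priv: PrivateKey, ciphertext: int) -> int:
    """Token side: recover the nonce using the private key it holds."""
    return pow(ciphertext, priv.d, priv.n)


def verify_response(expected_nonce: int, response: int) -> bool:
    """Server side: accept only if the token returned exactly the nonce sent."""
    return response == expected_nonce


def run_authentication(pub: PublicKey, token_priv: PrivateKey) -> bool:
    """One complete exchange; True only if the token holds the matching key."""
    nonce, challenge = issue_challenge(pub)
    response = token_respond(token_priv, challenge)
    return verify_response(nonce, response)


# Constructed toy keys: the enrolled user's pair and an unrelated impostor pair.
USER_PUB, USER_PRIV = make_keypair(61, 53)   # n = 3233, d = 2753
_, IMPOSTOR_PRIV = make_keypair(71, 67)      # n = 4757, a different key entirely


if __name__ == "__main__":
    print("genuine token accepted:", run_authentication(USER_PUB, USER_PRIV))
    print("impostor token accepted:", run_authentication(USER_PUB, IMPOSTOR_PRIV))
```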
71. D. Discretionary Access Control (DAC) is based on the Trusted Computer System Evaluation Criteria (TCSEC). The data owner has control over the access control.
Options A, B, and C are all incorrect. These models are not based on TCSEC.

72. B. While all of these features are important to security, the Encrypting File System (EFS) allows a person to easily encrypt any file or folder. This is important to file system security.
Option A is incorrect. Password policies are important, but not as important to file system security as being able to encrypt files and folders.
Option C is incorrect. Account lockout, like password policies, is important, but EFS is more central to file system security.
Option D is incorrect. User Account Control prevents unauthorized applications from running, which is important, but it’s not as central to file system security as EFS.

73. D. Access control is the most important issue for database security. It is critical that the principle of least privilege is adhered to and that each database user has access only to the data necessary to do his or her job.
Option A is incorrect. Password policies are important, but are less important than access control.
Option B is incorrect. Anti-virus is always important, but database servers are not usually used for web surfing or email, so two common means of contracting a virus are removed. This means anti-virus is less important than access control.
Option C is incorrect. Encrypting files is not as important to database security as access control. The files must be decrypted for access; therefore, access control is more important.

74. C. Recertification is a means of checking permissions. It essentially involves conducting certification of accounts as if they were new. This can be done to audit permissions.
Option A is incorrect. While usage auditing is related to permissions auditing, they are not the same topic.
Option B is incorrect. Recertification is not part of onboarding.
Option D is incorrect. Credential management is important, but is not part of recertification.

75. A. While there are security concerns with password managers, they provide a method for storing large numbers of passwords so that users don’t have to remember them all.
Option B is incorrect. Using shorter passwords would compromise security.
Option C is incorrect. OAuth allows an end user’s account information to be used by third-party services without exposing the user’s password. It won’t reduce the number of passwords one has to remember.
Option D is incorrect. Kerberos is an excellent authentication protocol, but will not reduce the number of passwords one must remember.

76. C. Accounts should lock out after a small number of failed login attempts. Three is a common number of attempts before the account is locked out. This prevents someone from simply making random guesses.
Option A is incorrect. Password aging will force users to change their passwords, but won’t affect password guessing.
Option B is incorrect. Longer passwords would be harder to guess, but this is not as effective as account lockout policies.
Option D is incorrect. Account usage auditing won’t have any effect on this issue.

77. A. Security Assertion Markup Language (SAML) is an XML-based, open-standard format for exchanging authentication and authorization data between parties.
Option B is incorrect. OAuth allows an end user’s account information to be used by third-party services without exposing the user’s password.
Option C is incorrect. RADIUS is a remote access protocol.
Option D is incorrect. NTLM is how Windows hashes passwords.

78. B. Authentication is the process that validates an identity. When a user provides their credentials (username and password), they are compared to those on file in a database on a local operating system or within an authentication server.
Option A is incorrect. Identification is the process of presenting information, such as a username, that claims an identity.
Option C is incorrect. Authorization is the process of granting a user permission to do something.
Option D is incorrect. Accounting is the process of logging session and usage information. This can include the amount of time a user has used a resource or the amount of data the user has sent or received during their session.
79. B. Mandatory Access Control (MAC) is a type of access control in which authorization rules are enforced by the operating system. Users cannot override authentication or access control policies.
Option A is incorrect. Discretionary Access Control (DAC) does not have centralized control of authorization, and users can override authentication and access control policies.
Option C is incorrect. Role-Based Access Control (RBAC) provides access control based on the group the user is placed in.
Option D is incorrect. Attribute-Based Access Control (ABAC) looks at a set of environmental attributes to determine access.

80. D. The crossover error rate (CER) is also sometimes called the equal error rate (EER) and is the point at which the false acceptance and false rejection rates are the same.
Options A, B, and C are all incorrect. None of these accurately describes the CER.

81. A. Challenge Handshake Authentication Protocol (CHAP) was designed specifically for this purpose. It periodically reauthenticates, thus preventing session hijacking.
Options B and C are incorrect. Neither of these prevents session hijacking.
Option D is incorrect. RADIUS is a protocol for remote access, not authentication.

82. C. OpenID Connect works with the OAuth 2.0 protocol and supports multiple clients, including web-based and mobile clients. OpenID Connect also supports REST.
Option A is incorrect. Shibboleth is a middleware solution for authentication and identity management that uses SAML (Security Assertion Markup Language) and works over the Internet.
Option B is incorrect. RADIUS is a remote access protocol.
Option D is incorrect. OAuth allows an end user’s account information to be used by third-party services without exposing the user’s password.

83. B. Proximity cards only need to be very close to the card reader to work properly.
Option A is incorrect. Smartcards can include proximity cards, but don’t have to. Put another way, there are smartcards that don’t work based on proximity and have to be inserted or swiped.
Option C is incorrect. Tokens don’t have a hands-free option.
Option D is incorrect. Clearly a fingerprint scanner is not hands-free.

84. D. Federated identities introduce transitive trust. A login account can be used across multiple business entities, thus creating an implied trust relationship between them. The security of any of the federated identities is impacted by the security of the others.
Option A is incorrect. Kerberos can be configured to work with federated identities via remote ticket-granting servers.
Options B and C are incorrect. The use of federated identities has no impact on whether or not least privilege is being obeyed or good password management is being practiced.

85. C. Type II authentication is something you have. A smartcard is an item that the person has.
Option A is incorrect. Passwords are something you know, type I.
Option B is incorrect. Retinal scans, and all biometrics, are something you are, type III.
Option D is incorrect. These are still passwords, and thus type I.

86. A. A TPM (Trusted Platform Module) can be used in authentication. These are computer chips, and thus hardware-based access control.
Option B is incorrect. While one could argue that all hardware has at least firmware operating it, software-based access control is not a good description of this scenario.
Option C is incorrect. TPMs may use digital certificates, but this question did not specify whether this particular TPM used digital certificates.
Option D is incorrect. While grammatically correct, this is not a term used in the industry.
Chapter 5: Risk Management

1. C. Adverse actions are administrative actions that are placed against employees. These actions include letters of reprimand, leave with or without pay, or termination. Along with these actions the policy should include steps such as disabling user accounts and revoking privileges, such as access to facilities, to prevent data from being compromised. With these measures in place, the company need not worry about vindictive actions an employee subject to administrative action might take against it.
Option A is incorrect. A mandatory vacation policy is used by companies to detect fraud by having a second person, familiar with the duties, help discover any illicit activities.
Option B is incorrect. Exit interviews give the company an opportunity to find problems within departments. They also allow HR to identify any knowledge that is about to be lost, such as information the employee knows that is not written down anywhere.
Option D is incorrect. Onboarding is the process of adding an employee to a company’s identity and access management system.

2. C. Change management is the process of documenting all changes made to a company’s network and computers. Avoiding making several changes at the same time makes tracking any problems that occur much simpler.
Option A is incorrect. Due diligence is the process of investigating and verifying the accuracy of a particular act.
Option B is incorrect. Acceptable use is a policy stating what a user may or may not have access to on a company’s network or the Internet.
Option D is incorrect. Due care is the effort made by a reasonable party to avoid harm to another. It is the level of judgment, care, determination, and activity a person would reasonably be expected to exercise under certain conditions.
3. A. The main reason to avoid penetration tests is answer A. It is advised to perform vulnerability tests often rather than penetration tests, because pentests can cause disruption to businesses. This is the main focus of the question.
Options B, C, and D are incorrect. These options are positive reasons why penetration testing should be performed.

4. A. An acceptable use policy is a document stating what a user may or may not have access to on a company’s network or the Internet.
Option B is incorrect. A clean desk policy ensures that all sensitive/confidential documents are removed from an end-user workstation and locked up when the documents are not in use.
Option C is incorrect. A mandatory vacation policy is used by companies to detect fraud by having a second person, familiar with the duties, help discover any illicit activities.
Option D is incorrect. Job rotation is a policy that describes the practice of moving employees between different tasks to promote experience and variety.

5. D. Encrypting the backup data before storing it off-site ensures data confidentiality.
Option A is incorrect. Generating file hashes ensures integrity, that is, that files have not changed or been tampered with.
Option B is incorrect. Scanning the backup data for viruses is a task that’s performed before the data is restored.
Option C is incorrect. Chain of custody refers to the chronological documentation showing the custody, control, transfer, analysis, and disposition of physical or electronic evidence.

6. C. A hot site contains all of the alternate computer and telecommunication equipment needed in a disaster. Testing this environment is simple.
Option A is incorrect. A warm site is harder to test because it contains the equipment but no employees or company data.
Option B is incorrect. A cold site is the hardest to test because it consists of a basic room with limited equipment.
Option D is incorrect. A medium site is not something referred to as a recovery site.

7. B. Switches forward data only to the devices that need to receive it, so when capturing network traffic the computer will see only broadcast and multicast packets along with traffic being sent to and received from the connected computer.
Option A is incorrect. Ethernet switches in an isolated broadcast domain will send broadcast packets to all computers that are part of the domain. The entire switch can be a broadcast domain, or a certain number of ports can be grouped into a VLAN (virtual local area network).
Option C is incorrect. Promiscuous mode enabled on the NIC will capture all traffic within the network, but this was not the problem in this scenario.
Option D is incorrect. Promiscuous mode disabled on the NIC will not capture all traffic within the network, but only broadcast and multicast packets along with traffic being sent to and received from the computer. The scenario focused on the Ethernet switch, not the laptop’s NIC.
8. A. A snapshot is the state of a system at a particular point in time. It’s also known as a system image and is not a step in the incident response process.
Options B, C, and D are incorrect. Preparation, recovery, and containment are steps of the incident response process.

9. B. Technical controls are used to restrict access to data and include operating system components, security applications, network devices, and encryption techniques. Logical controls use authentication mechanisms.
Option A is incorrect. Access controls can be part of technical controls; however, it is not a term that is synonymous with technical controls.
Option C is incorrect. Detective controls detect an intrusion as it happens and uncover a violation.
Option D is incorrect. Preventive controls avoid a security breach or an interruption of critical services before they can happen.

10. A. Companies use mandatory vacation policies to detect fraud by having a second person, familiar with the duties, help discover any illicit activities.
Option B is incorrect. A clean desk policy ensures that all sensitive/confidential documents are removed from an end-user workstation and locked up when the documents are not in use.
Option C is incorrect. A nondisclosure agreement (NDA) protects sensitive and intellectual data from getting into the wrong hands.
Option D is incorrect. Continuing education is the process of training adult learners in a broad list of post-secondary learning activities and programs. Companies use continuing education to train their employees on new threats and to reiterate current policies and their importance.

11. A. A privacy impact assessment (PIA) is a measurement of how a company can keep private information safe while the company is in possession of PII.
Option B is incorrect. A business impact analysis (BIA) determines the potential effects of an interruption to a company’s operations as a result of a disaster or emergency.
Option C is incorrect. The recovery time objective (RTO) is the duration of time in which a company’s process must be restored after a disaster.
Option D is incorrect. A single point of failure (SPF) is a component whose failure stops the entire system from operating.

12. B. A business continuity plan is a policy that describes and approves the company’s overall business continuity strategy. This also includes identifying critical systems to protect.
Option A is incorrect. A disaster recovery plan (DRP) is a policy that describes and approves the company’s disaster recovery strategy. This plan will help the company recover from an incident with minimal loss of time and money.
Option C is incorrect. An IT contingency plan is a component of the BCP. It specifies alternate IT procedures for a company to switch over to when it is faced with a disruption of service leading to a disaster for the company.
Option D is incorrect. A succession plan ensures all key company personnel have at least one designated backup who can perform the critical functions when required.
13. B. Locking cabinets and drawers is the best solution because the employee would be the only one with a key.
Option A is incorrect. Multiple people may have keys to a department door lock.
Option C is incorrect. A proximity card is a contactless smartcard that is held near an electronic reader to grant access to a particular area.
Option D is incorrect. Onboarding is the process of adding an employee to a company’s identity and access management system.

14. D. The tabletop exercise is considered a cost-effective and efficient way to identify areas of overlap in a plan before implementing a test.
Option A is incorrect. An after-action report examines a response to an incident or exercise and identifies its strengths, which will be maintained and built on. It also helps recognize potential areas of improvement.
Option B is incorrect. Failover is the continuous ability to automatically and flawlessly switch to a highly reliable backup. This can be activated in a redundant manner or in a standby operating mode should the primary server fail. The main purpose of failover is to provide availability of data or service to a user.
Option C is incorrect. The eradication process involves removing and restoring affected systems by reimaging the system’s hard drive and installing patches.

15. C. Fingerprints are considered PHI (Protected Health Information), according to HIPAA rules.
Options A, B, and D are incorrect. These are classified as PII (Personally Identifiable Information), according to NIST.

16. D. Quantitative risk assessment is the process of assigning numerical values to the probability that an event will occur and the impact the event will have.
Option A is incorrect. Change management is the process of managing configuration changes made to a network.
Option B is incorrect. A vulnerability assessment attempts to identify, quantify, and rank the weaknesses in a system.
Option C is incorrect. Qualitative risk assessment is the process of ranking which risk poses the most danger, such as low, medium, and high.

17. B. Risk avoidance is a strategy to deflect threats in order to avoid the costly and disruptive consequences of a damaging event. It also attempts to minimize vulnerabilities that can pose a threat.
Option A is incorrect. Risk transfer is the act of moving the risk to hosted providers who assume the responsibility for recovery and restoration, or of acquiring insurance to cover the costs emerging from a risk.
Option C is incorrect. Risk acceptance is a strategy of recognizing, identifying, and accepting a risk that is sufficiently unlikely or has limited enough impact that a corrective control is not warranted.
Option D is incorrect. Risk mitigation is when a company implements controls to reduce vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat.
18. D. A memorandum of understanding (MOU) is a type of agreement that is usually not legally binding. This agreement is intended to be mutually beneficial without involving courts or money.
Option A is incorrect. An SLA (service level agreement) defines the level of service the customer expects from the service provider. The level of service definitions should be specific and measurable in each area.
Option B is incorrect. A BPA (business partnership agreement) is a legal agreement between partners. It establishes the terms, conditions, and expectations of the relationship between the partners.
Option C is incorrect. An ISA (interconnection security agreement) is an agreement that specifies the technical and security requirements of the interconnection between organizations.

19. B. An SLA (service level agreement) defines the level of service the customer expects from the service provider. The level of service definitions should be specific and measurable in each area.
Option A is incorrect. An MOU (memorandum of understanding) is a legal document that describes a mutual agreement between parties.
Option C is incorrect. An ISA (interconnection security agreement) is an agreement that specifies the technical and security requirements of the interconnection between organizations.
Option D is incorrect. A BPA (business partnership agreement) is a legal agreement between partners. It establishes the terms, conditions, and expectations of the relationship between the partners.

20. A. The single loss expectancy (SLE) is the product of the asset value ($16,000) and the exposure factor (0.35), or $5,600.
Options B, C, and D are incorrect. These values do not represent the single loss expectancy.

21. C. Antivirus is an example of a corrective control. A corrective control is designed to correct a situation.
Option A is incorrect. An IDS (intrusion detection system) is a detective control because it detects security breaches.
Option B is incorrect. An audit log is a detective control because it detects security breaches.
Option D is incorrect. A router is a preventive control because it prevents security breaches with access control lists.

22. A, C. A deterrent control is used to warn a potential attacker not to attack. Lighting added to the perimeter and warning signs such as a “no trespassing” sign are deterrent controls.
Options B and D are incorrect. These are examples of detective controls. A detective control is designed to uncover a violation.
23. D. Testing and training are preventive administrative controls. Administrative controls dictate how security policies should be executed to accomplish the company’s security goals.
Option A is incorrect. A detective technical control uncovers a violation through technology.
Option B is incorrect. A preventive technical control attempts to stop a violation through technology.
Option C is incorrect. A detective administrative control uncovers a violation through policies, procedures, and guidelines.

24. D. Eradication is the next step after containment.
Options A, B, and C are incorrect. The correct steps of the incident response process are preparation, identification, containment, eradication, recovery, and lessons learned.

25. A. Risk acceptance is a strategy of recognizing, identifying, and accepting a risk that is sufficiently unlikely or has limited enough impact that a corrective control is not warranted.
Option B is incorrect. Risk transfer is the act of moving the risk to hosted providers who assume the responsibility for recovery and restoration, or of acquiring insurance to cover the costs emerging from a risk.
Option C is incorrect. Risk avoidance is the removal of the vulnerability that can increase a particular risk so that the risk is avoided altogether.
Option D is incorrect. Risk mitigation is when a company implements controls to reduce vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat.

26. A. Taking screenshots gives an investigator a useful way to collect information on a computer screen. Screenshots can be acquired in many ways and allow the investigator to reproduce what happened on the screen.
Option B is incorrect. The identification phase is part of the incident response process and deals with the discovery and determination of whether a deviation from normal operations within a company was an incident.
Option C is incorrect. The tabletop exercise is considered a cost-effective and efficient way to identify areas of overlap in a plan before implementing a test.
Option D is incorrect. Generating file hashes ensures integrity, that is, that files have not changed or been tampered with.

27. B. Storing backup data at an alternate site in another city will help protect the data if there is a complete disaster at the primary location. Storing backups outside of the original location is known as off-site backup. Note that the distance associated with an off-site backup can be a logistics challenge.
Option A is incorrect. Storing backup data at an alternate location within the city may not be good if the area has to be evacuated.
Option C is incorrect. Storing backup data in a safe at the company’s site may not be good should the primary location be completely destroyed.
Option D is incorrect. Storing backup data at an employee’s home is never a good idea.

28. C. Identifying systems that are considered a single point of failure is not a purpose of a PTA.
Options A, B, and D are incorrect. A privacy threshold analysis (PTA) can determine whether a program or system has privacy implications and whether additional privacy compliance documentation is required, such as a privacy impact assessment (PIA).
29. C. Purging removes all the data from a hard drive, and the data cannot be rebuilt.
Option A is incorrect. Destruction wouldn’t help the company sell the hard drive at the computer sale.
Option B is incorrect. Shredding wouldn’t help the company sell the hard drive at the computer sale because it physically destroys the hard drive.
Option D is incorrect. Formatting isn’t good enough to remove data because the data can be recovered by third-party software. Formatting only removes the pointer to the location where the data resides.

30. B. An acceptable use policy describes the limits and guidelines for users to make use of an organization’s physical and intellectual resources. This includes allowing or limiting the use of personal email during work hours.
Option A is incorrect. A service level agreement (SLA) defines the level of service the customer expects from the service provider. The level of service definitions should be specific and measurable in each area.
Option C is incorrect. An incident response plan provides instructions for detecting, responding to, and limiting the effects of an information security event.
Option D is incorrect. Chain of custody refers to the chronological documentation showing the custody, control, transfer, analysis, and disposition of physical or electronic evidence.

31. C. After identifying the malware incident, the next step you would perform based on the incident response process is to contain the malware, to study the incident further and prevent it from spreading across the network.
Option A is incorrect. Recovery is performed after eradicating the malware.
Option B is incorrect. Eradicating the malware is performed after you have contained it.
Option D is incorrect. Identification was performed when you discovered the malware.

32. A. Onboarding is the process of adding an employee to a company’s identity and access management system.
Option B is incorrect. Offboarding is the process of removing an employee from the company’s identity and access management system.
Option C is incorrect. Adverse action is an official personnel action that is taken for disciplinary reasons.
Option D is incorrect. Job rotation gives individuals the ability to see various parts of the organization and how it operates. It also eliminates the need for a company to rely on one individual for security expertise should the employee become disgruntled and decide to harm the company. Recovering from a disgruntled employee’s attack is easier when multiple employees understand the company’s security posture.
33. D. An interconnection security agreement (ISA) is an agreement that specifies technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between at least two companies.
Option A is incorrect. A business partners agreement (BPA) is a written agreement that details what the relationship will be between business partners. This agreement will include each partner’s obligations toward the partnership. A BPA can help settle conflicts that arise within the partnership.
Option B is incorrect. A memorandum of understanding (MOU) is an agreement of understanding between two or more parties signifying their intent to work together toward a common goal. An MOU is less formal than an SLA and will not include monetary penalties.
Option C is incorrect. A service level agreement (SLA) is an agreement between a company and a vendor that specifies performance expectations. Minimum uptime and maximum downtime levels are included in an SLA. Also included is a monetary penalty should the vendor not be able to meet the agreed expectations.

34. A. A clean desk policy ensures that all sensitive/confidential documents are removed from an end-user workstation and locked up when the documents are not in use.
Option B is incorrect. Background checks are performed when a potential employee is considered for hire.
Option C is incorrect. Continuing education is the process of training adult learners in a broad list of postsecondary learning activities and programs. Companies use continuing education to train their employees on new threats and to reiterate current policies and their importance.
Option D is incorrect. A job rotation policy is the practice of moving employees between different tasks to promote experience and variety.

35. A. As users register for an account, they enter letters and numbers shown to them on the web page before they can register. This is an example of a deterrent control, as it prevents bots from registering and proves that a real person is present.
Option B is incorrect. Detective controls detect an intrusion as it happens and uncover a violation.
Option C is incorrect. A compensating control is used to satisfy a requirement for a security measure that is too difficult or impractical to implement at the current time.
Option D is incorrect. Degaussing is a method of removing data from magnetic storage media by changing the magnetic field.

36. D. A parking policy generally outlines parking provisions for employees and visitors. This includes the criteria and procedures for allocating parking spaces for employees.
Option A is incorrect. An acceptable use policy describes the limits and guidelines for users to make use of an organization’s physical and intellectual resources. This includes allowing or limiting the use of personal email during work hours.
Option B is incorrect. A social media policy defines how employees should use social media networks and applications such as Facebook, Twitter, LinkedIn, and others. Misuse of social media can adversely affect a company’s reputation.
Option C is incorrect. A password policy defines the complexity required when creating passwords. It should also define weak passwords and how users should keep their passwords safe.
37. C. Proprietary data is a form of confidential information, and if the information is revealed, it can have severe effects on the company’s competitive edge.
Option A is incorrect. High is a generic label assigned to data internally that represents the amount of risk should the data be exposed outside the company.
Option B is incorrect. The top-secret label is often used within governmental systems where data and access may be granted or denied based on assigned categories.
Option D is incorrect. Low is a generic label assigned to data internally that represents the amount of risk should the data be exposed outside the company.
38. B. Provide security user awareness training to all employees regarding the risk of using personal email through company computers. The ability to access personal email is a security risk because the company is unable to filter emails through the company’s Exchange server.
Option A is incorrect. The company is unable to encrypt users’ email messages through services such as Yahoo Mail and Gmail. The encryption is performed by the company providing the email service.
Option C is incorrect. Providing every user with their own device to access their personal email is not the best option as the next step. While employees use these devices within the company’s network, the company doesn’t have full control of what emails are entering the network.
Option D is incorrect. The company may have some control of personal emails routing through the company’s Exchange server, but this is not the best next step after creating and approving the email use policy. The purpose of the email use policy is to limit the use of personal email because the company doesn’t have full control of what emails the employees are allowing into the network.
39. C. Antivirus software is used to protect computer systems from malware and is not a physical security control.
Options A, B, and D are incorrect. Physical controls are security measures put in place to reduce the risk of harm coming to a physical property. This includes protection of personnel, hardware, software, networks, and data from physical actions and events that could cause damage or loss.
40. B. A disaster recovery plan (DRP) is a plan that helps a company recover from an incident with minimal loss of time and money. It prioritizes critical computer systems.
Option A is incorrect. A single point of failure is a weakness in the design or configuration of a system in which one fault or malfunction will cause the whole system to stop operating, and it would not be found within a DRP.
Option C is incorrect. Exposure factor would be found within a risk assessment.
Option D is incorrect. Asset value would be found within a risk assessment.
41. A. Quantitative risk assessment is the process of assigning numerical values to the probability that an event will occur and what impact the event will have.
Option B is incorrect. Qualitative risk assessment is the process of ranking which risk poses the most danger using measures such as low, medium, and high.
Option C is incorrect. Business impact analysis is used to evaluate the possible effect a business can suffer should an interruption to critical system operations occur. This interruption could be the result of an accident, emergency, or disaster.
Option D is incorrect. Threat assessment is a process of identifying and categorizing different threats such as environmental and man-made. It also attempts to identify the potential impact from the threats.
Appendix ■ Answers to Practice Tests
42. D. A nondisclosure agreement (NDA) protects sensitive and intellectual data from getting into the wrong hands.
Options A, B, and C are incorrect. An NDA is a legal contract between the company and a third-party vendor to not disclose information per the agreement. Sending encrypted data can still be decrypted by the third-party vendor if they have the appropriate certificate, but encryption does not restrict access to the data. Violating an NDA would constitute unauthorized data sharing, and a violation of privileged user role-based awareness training has nothing to do with sharing proprietary information.
43. A and C. FTP (File Transfer Protocol) uses port 21 and Telnet uses port 23. These protocols are considered weak and are not recommended for use. They are susceptible to eavesdropping.
Option B is incorrect. SMTP (Simple Mail Transfer Protocol) uses port 25.
Option D is incorrect. DNS (Domain Name System) uses port 53.
44. A. Incremental backups are the quickest backup method but the slowest method to restore. An incremental backup backs up all new files and any files that have changed since the last full backup or incremental backup. To restore from incremental backups, you will need the full backup and every incremental backup in order.
Option B is incorrect. A differential backup backs up all new files and any files that have changed since the last full backup. To restore from differential backups, you will need the full backup and the most recent differential backup.
Option C is incorrect. A full backup backs up all the files each time the backup runs.
Option D is incorrect. A snapshot is the state of a system at a particular point in time. It’s also known as a system image.
45. C. A data labeling policy includes how data is labeled, such as confidential, private, or public. It should also include how the data is handled and disposed of for all classifications of data. Before data can be disposed of, you will need to destroy it with a data sanitization tool.
Option A is incorrect. Degaussing is a method of removing data from magnetic storage media by changing the magnetic field.
Option B is incorrect. An acceptable use policy describes the limits and guidelines for users to make use of an organization’s physical and intellectual resources. This includes allowing or limiting the use of personal email during work hours.
Option D is incorrect. Wiping, also known as overwriting, will replace the data with all zeros to prevent data from being recovered by third-party software.
46. D. A single point of failure is a weakness in the design or configuration of a system in which one fault or malfunction will cause the whole system to stop operating.
Option A is incorrect. Failover is the continuous ability to automatically and flawlessly switch to a highly reliable backup.
Option B is incorrect. A cluster ensures the availability of critical services by using a group of computers instead of a single computer.
Option C is incorrect. Load balancing divides the amount of work a computer can do between two or more computers. This allows more work to be completed in the same amount of time.
47. A. Detective controls detect intrusion as it happens and uncover a violation.
Option B is incorrect. A guard is an example of a preventive control. Preventive controls stop an action from happening.
Option C is incorrect. A firewall is an example of a technical control. Technical controls are applied through technology and may be deterrent, preventive, detective, or compensating.
Option D is incorrect. An IPS (intrusion prevention system) is an example of a technical control. Technical controls are applied through technology and may be deterrent, preventive, detective, or compensating.
48. D. An ISA (interconnection security agreement) is an agreement that specifies the technical and security requirements of the interconnection between organizations.
Option A is incorrect. A memorandum of understanding (MOU) is a type of agreement that is usually not legally binding. This agreement is intended to be mutually beneficial without involving courts or money.
Option B is incorrect. A BPA (business partnership agreement) is a legal agreement between partners. It establishes the terms, conditions, and expectations of the relationship between the partners.
Option C is incorrect. An SLA (service level agreement) defines the level of service the customer expects from the service provider. The level of service definitions should be specific and measurable in each area.
49. C. Sharing of profits and losses and the addition or removal of a partner are typically included in a BPA (business partner agreement). Also included are the responsibilities of each partner.
Option A is incorrect. Expectations between parties such as a company and an Internet service provider are typically found in a service level agreement. Expectations include the level of performance given during the contractual service.
Option B is incorrect. A service level agreement will provide a clear means of determining whether a specific function or service has been provided according to the agreed-upon level of performance.
Option D is incorrect. Security requirements associated with interconnecting IT systems are typically found in an interconnection security agreement.
50. C. A continuity of operations plan focuses on restoring critical business functions after an outage to an alternate site. The plan will determine whether a company can continue its operations during the outage.
Option A is incorrect. A BIA (business impact analysis) is performed before the creation of business continuity plans, and BIAs are not tested.
Option B is incorrect. A succession plan ensures all key company personnel have at least one designated backup who can perform the critical functions when required.
Option D is incorrect. A service level agreement (SLA) defines the level of service the customer expects from the service provider. The level of service definitions should be specific and measurable in each area.
51. D. A system owner is a type of employee who would receive role-based training on how best to manage a particular system.
Option A is incorrect. Users are generally the front-line employees and would receive general security awareness training.
Option B is incorrect. Privileged users would receive training on how best to handle additional network and system access.
Option C is incorrect. Executive users would receive training on how to spot targeted attacks.
52. A. A vulnerability scanner attempts to identify weaknesses in a system.
Option B is incorrect. A protocol analyzer used with a promiscuous mode NIC can capture all network traffic.
Option C is incorrect. A port scanner identifies open ports on a server or host.
Option D is incorrect. Password crackers can be used to check for easily crackable passwords. Vulnerability scanners can provide more data about computer security, such as open ports and weak passwords.
53. C. The recovery process brings affected systems back into the company’s production environment carefully to avoid leading to another incident.
Option A is incorrect. The lessons learned process is the most critical phase because it is the phase in which you complete any documentation that may be beneficial in future incidents. Documentation should include information such as when the problem was first detected and by whom, how the problem was contained and eradicated, the work that was performed during the recovery, and areas that may need improvement.
Option B is incorrect. The preparation process prepares a company’s team to be ready to handle an incident at a moment’s notice.
Option D is incorrect. The containment process is designed to minimize the damage and prevent any further damage from happening.
54. D. Chain of custody refers to the chronological documentation showing the custody, control, transfer, analysis, and disposition of physical or electronic evidence.
Option A is incorrect. Incident handling is a guide that explains the process and procedures of how to handle particular incidents.
Option B is incorrect. Legal hold is a written directive issued by attorneys ordering clients to preserve pertinent evidence in an anticipated litigation, audit, or government investigation. This evidence can include paper documents and electronically stored information.
Option C is incorrect. Order of volatility represents the order in which you should collect evidence. In general terms, evidence should be collected starting with the most volatile and moving to the least volatile. Volatile means the data is not permanent.
55. D. The first response from the incident response team should be identification. The malware needs to be identified, as well as the affected computers.
Option A is incorrect. The containment process is designed to minimize the damage and prevent any further damage from happening.
Option B is incorrect. The eradication process involves removing and restoring affected systems by reimaging the system’s hard drive and installing patches.
Option C is incorrect. The lessons learned process is the most critical phase because it is the phase in which you complete any documentation that may be beneficial in future incidents. Documentation should include information such as when the problem was first detected and by whom, how the problem was contained and eradicated, the work that was performed during the recovery, and areas that may need improvement.
56. A, D. Custodians maintain access to data as well as its integrity.
Options B and C are incorrect. The CEO and sales executives are not normally responsible for maintaining access to and integrity of the data.
57. D. A backup generator is a compensating control, an alternate control that replaces the original control when it cannot be used due to limitations of the environment.
Option A is incorrect. A firewall is considered a preventive control.
Option B is incorrect. A security guard is considered a physical control.
Option C is incorrect. An IDS (intrusion detection system) is considered a detective control.
58. A. Preventive controls stop an action from happening; in this scenario, they prevent an unauthorized user from gaining access to the network when the user steps away.
Option B is incorrect. A corrective control is designed to correct a situation.
Option C is incorrect. A deterrent control is used to deter a security breach.
Option D is incorrect. A detective control is designed to uncover a violation.
59. B. PHI (protected health information) is any data that refers to health status, delivery of health care, or payment for health care that is gathered by a health care provider and can be linked to an individual according to U.S. law.
Option A is incorrect. AES (Advanced Encryption Standard) is a symmetric 128-bit block encryption system.
Option C is incorrect. PII (personally identifiable information) is information that can be used on its own or with other information to identify an individual.
Option D is incorrect. TLS (Transport Layer Security) is a protocol that encrypts data over a computer network.
60. C. Job rotation allows individuals to see various parts of the organization and how it operates. It also eliminates the need for a company to rely on one individual for security expertise should the employee become disgruntled and decide to harm the company. Recovering from a disgruntled employee’s attack is easier when multiple employees understand the company’s security posture.
Option A is incorrect. Separation of duties is the concept of having more than one person required to complete a task.
Option B is incorrect. A mandatory vacation policy is used by companies to detect fraud by having a second person, familiar with the duties, help discover any illicit activities.
Option D is incorrect. Onboarding is the process of adding an employee to a company’s identity and access management system.
61. B and C. Backup tapes should not be stored near power sources such as CRT monitors and speakers. These devices can cause the tapes to be degaussed.
Option A is incorrect. A workstation has no chance of degaussing backup tapes.
Option D is incorrect. An LCD screen has no chance of degaussing backup tapes.
62. A. The eradication process involves removing and restoring affected systems by reimaging the system’s hard drive and installing patches.
Option B is incorrect. The preparation process prepares a company’s team to be ready to handle an incident at a moment’s notice.
Option C is incorrect. The purpose of the containment process is to minimize the damage and prevent any further damage from happening.
Option D is incorrect. The recovery process brings affected systems back into the company’s production environment carefully to avoid leading to another incident.
63. D. A unified threat management (UTM) appliance is a single console that a security administrator can monitor and manage easily. This could create a single point of failure.
Options A, B, and C are incorrect. With a UTM, each protection can be performed simultaneously. A UTM centralizes various security techniques into a single appliance. It is also tied to one vendor and allows for a single, streamlined function.
64. C. Unauthorized access to a network through a firewall by a threat actor is considered an external threat.
Options A, B, and D are incorrect. Each of these threats is considered internal because it can compromise a company’s network from within.
65. A and B. ALE (annual loss expectancy) is the product of the ARO (annual rate of occurrence) and the SLE (single loss expectancy) and is mathematically expressed as ALE = ARO × SLE. Single loss expectancy is the cost of any single loss, and it is mathematically expressed as SLE = AV (asset value) × EF (exposure factor).
Options C and D are incorrect. Training expenses and man-hour expenses are valid IT forensic budget items.
66. C. Capturing the system image involves making an exact image of the drive so that it can be referenced later in the investigation.
Option A is incorrect. Chain of custody offers assurances that evidence has been preserved, protected, and handled correctly after it has been collected. Documents show who handled the evidence and when they handled it.
Option B is incorrect. Order of volatility represents the order in which you should collect evidence. In general terms, evidence should be collected starting with the most volatile and moving to the least volatile. Volatile means the data is not permanent.
Option D is incorrect. Taking screenshots gives an investigator a useful way to collect information on a computer screen. This will allow the investigator to reproduce what happened on the screen.
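Questions 54 and 66 define chain of custody and system image capture. As an added example (not part of the practice test), the Python below hashes a captured image at collection time and records each handoff, so that a later handler whose copy no longer matches the original, or an entry logged out of order, is flagged; the evidence id, handler names, timestamps and the sample image bytes are all constructed.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for a captured system image (Q66). A real image is a
# full copy of the drive; a few bytes are enough to show the hash checks.
SAMPLE_IMAGE = b"constructed sample disk image bytes for illustration"


def image_hash(data: bytes) -> str:
    """SHA-256 of the captured image, recorded at collection and re-checked later."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEvent:
    when: datetime      # timestamp of the custody action (UTC)
    handler: str        # person taking custody of or acting on the evidence
    action: str         # collected, transferred, analyzed, disposed
    image_sha256: str   # hash of the image as actually held by this handler


@dataclass
class ChainOfCustody:
    evidence_id: str
    original_sha256: str
    events: list = field(default_factory=list)

    def record(self, handler: str, action: str, data: bytes, when: datetime) -> None:
        """Append a custody entry. The hash is recomputed from the bytes the
        handler holds rather than copied from the previous entry, so a changed
        copy cannot inherit a clean hash."""
        self.events.append(CustodyEvent(when, handler, action, image_hash(data)))

    def is_chronological(self) -> bool:
        """Entries must be in time order to count as chronological documentation."""
        return all(a.when <= b.when for a, b in zip(self.events, self.events[1:]))

    def first_break(self):
        """First event whose image hash no longer matches the original, or None."""
        for event in self.events:
            if event.image_sha256 != self.original_sha256:
                return event
        return None

    def is_intact(self) -> bool:
        """Usable chain: at least one entry, ordered, and every handler saw the same image."""
        return bool(self.events) and self.is_chronological() and self.first_break() is None


def build_chains():
    """Constructed scenario: the same evidence handled correctly once, and once
    where the analyst's copy was altered before the analysis entry was logged."""
    def at(hour: int) -> datetime:          # constructed timestamps
        return datetime(2019, 3, 1, hour, 0, tzinfo=timezone.utc)

    clean = ChainOfCustody("EV-0001", image_hash(SAMPLE_IMAGE))
    clean.record("first responder", "collected", SAMPLE_IMAGE, at(9))
    clean.record("evidence clerk", "transferred", SAMPLE_IMAGE, at(11))
    clean.record("forensic analyst", "analyzed", SAMPLE_IMAGE, at(14))

    tampered = ChainOfCustody("EV-0001", image_hash(SAMPLE_IMAGE))
    tampered.record("first responder", "collected", SAMPLE_IMAGE, at(9))
    tampered.record("evidence clerk", "transferred", SAMPLE_IMAGE, at(11))
    tampered.record("forensic analyst", "analyzed", SAMPLE_IMAGE + b"x", at(14))
    return clean, tampered


if __name__ == "__main__":
    good, bad = build_chains()
    print("clean chain intact:", good.is_intact())
    broken = bad.first_break()
    print("tampered chain intact:", bad.is_intact(), "- first mismatch at:", broken.handler)
```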
67. A. Risk is defined as the likelihood of occurrence of a threat and the corresponding loss potential. Risk is the probability that a threat actor will exploit a vulnerability. The purpose of system hardening is to remove as many security risks as possible. Hardening is typically performed by disabling all nonessential software programs and utilities on the workstation.
Option B is incorrect. The threat agent is the component that exploits a vulnerability.
Option C is incorrect. The exposure factor is the percentage or portion of the asset that will be lost or destroyed when exposed to a threat.
Option D is incorrect. Risk mitigation is when a company implements controls to reduce vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat.
68. B. Lessons learned documentation is a phase of the incident response process.
Options A, C, and D are incorrect. These elements should be included in the preparation phase.
69. C. Nondisclosure agreements (NDAs) are signed by an employee at the time of hiring, and they impose a contractual obligation on employees to maintain the confidentiality of information. Disclosure of information can lead to legal ramifications and penalties. NDAs cannot ensure a decrease in security breaches.
Option A is incorrect. Job rotation policy is the practice of moving employees between different tasks to promote experience and variety.
Option B is incorrect. Separation of duties is the concept of having more than one person required to complete a task.
Option D is incorrect. A mandatory vacation policy is used by companies to detect fraud by having a second person, familiar with the duties, help discover any illicit activities.
70. C. A security policy defines how to secure physical and information technology assets. This document should be continuously updated as technology and employee requirements change.
Option A is incorrect. Account policy enforcement regulates the security parameters of who can and cannot access a system.
Option B is incorrect. Change management is the process of managing configuration changes made to a network.
Option D is incorrect. A risk assessment identifies the dangers that could negatively impact a company’s ability to conduct business.
71. C. A differential backup copies files that have changed since the last full backup.
Option A is incorrect. A partial backup is when only portions of the files that changed are backed up.
Option B is incorrect. A full backup is when all files are copied to a storage medium.
Option D is incorrect. Backing up only the files that have changed since the last full or incremental backup is considered an incremental backup.
72. B. The lessons learned process is the most critical phase because it is the phase in which you complete any documentation that may be beneficial in future incidents. Documentation should include information such as when the problem was first detected and by whom, how the problem was contained and eradicated, the work that was performed during the recovery, and areas that may need improvement.
Option A is incorrect. The preparation process prepares a company’s team to be ready to handle an incident at a moment’s notice.
Option C is incorrect. The containment process is designed to minimize the damage and prevent any further damage from happening.
Option D is incorrect. The recovery process brings affected systems back into the company’s production environment carefully to avoid leading to another incident.
73. B and C. Penetration and vulnerability testing can help identify risk. Before a tester performs these tests, they should receive written authorization.
Option A is incorrect. Quantitative risk assessment is the process of assigning numerical values to the probability that an event will occur and what impact the event will have.
Option D is incorrect. Qualitative risk assessment is the process of ranking which risk poses the most danger using measures such as low, medium, and high.
74. C. Shredding is the process of reducing the size of objects so the information is no longer usable. Other practices include burning, pulping, and pulverizing.
Option A is incorrect. Degaussing is a method of removing data from magnetic storage media by changing the magnetic field.
Option B is incorrect. Capturing the system image involves making an exact image of the drive so that it can be referenced later in the investigation.
Option D is incorrect. Wiping, also known as overwriting, will replace the data with all zeros to prevent data from being recovered by third-party software.
75. C. SFTP (secure FTP) encrypts data that is transmitted over the network.
Option A is incorrect. Telnet is a command-line utility for accessing remote computers and does not provide any security features.
Option B is incorrect. FTP (File Transfer Protocol) sends data in clear text that can easily be viewed over the network.
Option D is incorrect. SMTP (Simple Mail Transfer Protocol) sends and receives emails and does not provide any security features.
76. C. Zackary will need four backups to restore the server if it crashes on Thursday afternoon. The four backups are the Sunday evening full backup, the Monday evening incremental backup, the Tuesday evening incremental backup, and the Wednesday evening incremental backup. Incremental backups require the full backup and all the incremental backups in order.
Options A, B, and D are incorrect. Incremental backups require the full backup and all the incremental backups in order.
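Questions 44, 71 and 76 all turn on which backups a restore needs. As an added example (not part of the practice test), the Python below works out the restore chain for a crash on a given day under an incremental or a differential schedule, reproducing the Q76 count of four, and also shows what each evening's backup would have to copy, which is why incrementals are the quickest to take and differentials grow until the next full; the day names, `Backup` type and sample change sets are constructed.

```python
from dataclasses import dataclass

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


@dataclass(frozen=True)
class Backup:
    day: int    # index into DAYS; the backup runs in the evening of that day
    kind: str   # "full", "incremental" or "differential"


def restore_chain(backups, crash_day: int):
    """Backups needed, in restore order, for a crash during `crash_day`
    (daytime, so that evening's backup has not yet run).

    Incremental: last full plus every incremental taken after it.
    Differential: last full plus only the most recent differential.
    Mixed schedules after a full are rejected rather than guessed at."""
    usable = sorted((b for b in backups if b.day < crash_day), key=lambda b: b.day)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup was taken before the crash")
    last_full = fulls[-1]
    after_full = [b for b in usable if b.day > last_full.day]
    kinds = {b.kind for b in after_full}
    if len(kinds) > 1:
        raise ValueError(f"mixed backup kinds after the full backup: {sorted(kinds)}")
    if kinds == {"differential"}:
        return [last_full, after_full[-1]]
    return [last_full] + after_full      # pure incremental, or nothing after the full


def backup_contents(kind: str, changes_by_day: dict):
    """Files each evening's backup copies, for the days after a full backup.
    changes_by_day maps a day index to the set of files changed that day."""
    contents, since_full = {}, set()
    for day in sorted(changes_by_day):
        if kind == "incremental":
            contents[day] = set(changes_by_day[day])       # only that day's changes
        elif kind == "differential":
            since_full |= changes_by_day[day]
            contents[day] = set(since_full)                # everything since the full
        else:
            raise ValueError(f"unknown backup kind {kind!r}")
    return contents


def describe(chain):
    return [f"{DAYS[b.day]} {b.kind}" for b in chain]


def q76_restore_chain():
    """Q76: full backup Sunday evening, incrementals every other evening, crash Thursday."""
    schedule = [Backup(0, "full")] + [Backup(d, "incremental") for d in range(1, 7)]
    return describe(restore_chain(schedule, crash_day=4))


def differential_restore_chain():
    """Same schedule with differentials instead (Q44 option B, Q71)."""
    schedule = [Backup(0, "full")] + [Backup(d, "differential") for d in range(1, 7)]
    return describe(restore_chain(schedule, crash_day=4))


if __name__ == "__main__":
    print("incremental restore:", q76_restore_chain())     # 4 backups
    print("differential restore:", differential_restore_chain())  # 2 backups
    sample_changes = {1: {"a"}, 2: {"b"}, 3: {"a", "c"}}  # constructed change sets
    for kind in ("incremental", "differential"):
        print(kind, "copies per day:", backup_contents(kind, sample_changes))
```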
77. A. Risk avoidance is a strategy to deflect threats in order to avoid the costly and disruptive consequences of a damaging event. It also attempts to minimize vulnerabilities that can pose a threat.
Option B is incorrect. The risk register is a document, also known as a risk log, created at the beginning of a project to track issues and address any problems as they arise.
Option C is incorrect. Risk acceptance is a strategy of recognizing, identifying, and accepting a risk that is sufficiently unlikely or has limited impact that a corrective control is not warranted.
Option D is incorrect. Risk mitigation is when a company implements controls to reduce vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat.
78. C. A hot site, also known as an alternate processing site, contains all of the alternate computer and telecommunication equipment needed in a disaster. Testing this environment is simple.
Option A is incorrect. A cold site is the hardest to test because it includes a basic room with limited equipment.
Option B is incorrect. A warm site is harder to test because it contains only the equipment and no employees or company data.
Option D is incorrect. A differential site is not a valid term.
79. D. Systems should be restored within four hours with a minimum loss of one day’s worth of data. RTO is the amount of time within which a process must be restored after a disaster to meet business continuity. It defines how much time it takes to recover after notification of process disruption. RPO specifies the allowable data loss. It is the amount of time that can pass during an interruption before the quantity of data lost during that period surpasses business continuity planning’s maximum acceptable threshold.
Options A, B, and C are incorrect. These restorations do not fall within the description of the plan.
80. A. This statement refers to the data retention policy.
Option B is incorrect. This statement refers to the clean desk policy.
Option C is incorrect. This statement refers to the change management policy.
Option D is incorrect. This statement refers to the memorandum of understanding (MOU) policy.
81. B and D. Companies can lose a large amount of income in a short period of downtime. Companies can have business contracts that state a minimum amount of downtime can occur if a disaster occurs. These reasons can be used to support the case for a warm site, because the warm site relies on backups to recover from a disaster.
Option A is incorrect. A company losing a small amount of income during a long period of downtime may not support the cost of a warm site.
Option C is incorrect. A company can bring a cold site online within 72 hours and resume business services. This would not support the cost of a warm site.
82. A and D. Confidentiality allows only authorized users to gain access to sensitive and protected data. Integrity ensures that the data hasn’t been altered and is protected from unauthorized modification.
Option B is incorrect. Safety is a common goal of security that includes providing protection to personnel and other assets.
Option C is incorrect. Availability means information is always going to be something a user can access.
83. B. ALE (annual loss expectancy) is the product of the ARO (annual rate of occurrence) and the SLE (single loss expectancy) and is mathematically expressed as ALE = ARO × SLE. Single loss expectancy is the cost of any single loss, and it is mathematically expressed as SLE = AV (asset value) × EF (exposure factor).
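Questions 65 and 83 state the two formulas SLE = AV × EF and ALE = ARO × SLE without a worked case. As an added example (not part of the practice test), the Python below computes both from a set of constructed figures, converts an "once every N years" estimate into an ARO, and goes one step beyond the answer key by netting the ALE reduction of a mitigating control against the control's yearly cost; all dollar figures, rates and the control are assumptions for illustration.

```python
def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction (0 to 1) of the asset's value lost in one event."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def aro_from_interval(years_between_events: float) -> float:
    """ARO for an event expected once every N years, e.g. once a decade is 0.1."""
    if years_between_events <= 0:
        raise ValueError("interval between events must be positive")
    return 1.0 / years_between_events


def annualized_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = ARO x SLE; ARO may be fractional or greater than 1 (several events a year)."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return aro * single_loss_expectancy(asset_value, exposure_factor)


def annual_control_value(asset_value: float, ef_before: float, aro_before: float,
                         ef_after: float, aro_after: float, annual_control_cost: float) -> float:
    """Net yearly value of a mitigating control: ALE before minus ALE after minus the
    control's own annual cost. This cost/benefit step is an addition beyond the
    answer key's formulas; a negative result means the control costs more than it saves."""
    before = annualized_loss_expectancy(asset_value, ef_before, aro_before)
    after = annualized_loss_expectancy(asset_value, ef_after, aro_after)
    return before - after - annual_control_cost


def worked_example() -> dict:
    """Constructed figures: a $200,000 server that loses a quarter of its value per
    incident, incidents expected once every two years, and a control costing $8,000
    per year that reduces the expected occurrence to once every ten years."""
    asset_value, exposure_factor = 200_000.0, 0.25
    aro = aro_from_interval(2)                                    # 0.5 per year
    sle = single_loss_expectancy(asset_value, exposure_factor)    # 50,000
    ale = annualized_loss_expectancy(asset_value, exposure_factor, aro)   # 25,000
    value = annual_control_value(asset_value, exposure_factor, aro,
                                 exposure_factor, aro_from_interval(10), 8_000.0)  # 12,000
    return {"SLE": sle, "ALE": ale, "control_value": value}


if __name__ == "__main__":
    for name, amount in worked_example().items():
        print(f"{name}: ${amount:,.2f}")
```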
84. A and D. The correct answer is life and property. Both of these impact scenarios include examples of severe weather events.
Option B is incorrect. A reputation impact scenario includes price gouging during natural disasters and response time for addressing information disclosure.
Option C is incorrect. Salary is not an impact scenario.
85. A. RPO (recovery point objective) specifies the allowable data loss. It is the amount of time that can pass during an interruption before the quantity of data lost during that period surpasses business continuity planning’s maximum acceptable threshold.
Option B is incorrect. A single point of failure is a weakness in the design or configuration of a system in which one fault or malfunction will cause the whole system to stop operating.
Option C is incorrect. MTTR (mean time to repair) is the average time it takes for a failed device or component to be repaired or replaced.
Option D is incorrect. MTBF (mean time between failures) is a measurement to show how reliable a hardware component is.
86. A and D. Preventive controls are proactive and are used to avoid a security breach or an interruption of critical services before they can happen.
Options B and C are incorrect. Security cameras and door alarms are examples of detective controls. Detective controls detect intrusion as it happens and uncover a violation.
87. C. Risk transfer is the act of moving the risk to hosted providers who assume the responsibility for recovery and restoration, or of acquiring insurance to cover the costs emerging from a risk.
Option A is incorrect. Risk acceptance is a strategy of recognizing, identifying, and accepting a risk that is sufficiently unlikely or has such limited impact that a corrective control is not warranted.
Option B is incorrect. Risk mitigation is when a company implements controls to reduce vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat.
Option D is incorrect. Risk avoidance is the removal of the vulnerability that can increase a particular risk so that the risk is avoided altogether.
88. C. The correct answer is property. Physical damage to a building and the company’s computer equipment can be caused by intentional man-made attacks.
Option A is incorrect. Life impact endangers the lives of employees and customers.
Option B is incorrect. Reputation impact could affect the image the company has in its community.
Option D is incorrect. Safety impact jeopardizes the safety of employees and customers.
89. A. A business impact analysis (BIA) helps identify the risks that would affect business operations, such as financial impact. This will help a company recover from a disaster.
Option B is incorrect. Return on investment (ROI) is used to assess the efficiency of an investment. ROI measures the amount of return on an investment relative to the investment’s cost.
Option C is incorrect. Recovery time objective (RTO) is the duration of time in which a company’s process must be restored after a disaster.
Option D is incorrect. Life impact endangers the lives of employees and customers.
90. D. A preventive control is used to avoid a security breach or an interruption of critical services before they can happen.
Option A is incorrect. Administrative controls are defined through policies, procedures, and guidelines.
4587Option B is incorrect. A compensating control is used to satisfy a requirement for a secu-
4588rity measure that is too difficult or impractical to implement at the current time.
4589Option C is incorrect. A deterrent control is used to deter a security breach.
459091. A. Technical controls are applied through technology and may be deterrent, preventive,
4591detective, or compensating. They include hardware or software solutions using access con-
4592trol in accordance with established security policies.
4593Option B is incorrect. Administrative controls are defined through policies, procedures,
4594and guidelines.
4595Option C is incorrect. HTTPS is a communications protocol used to secure communica-
4596tion over a computer network used on the Internet.
4597Option D is incorrect. Integrity ensures that the data hasn’t been altered and is protected
4598from unauthorized modification.
459992. C. Mean time between failures (MTBF) is a measurement to show how reliable a hard-
4600ware component is.
4601Option A is incorrect. MTTR (mean time to repair) is the average time it takes for a failed
4602device or component to be repaired or replaced.
4603Option B is incorrect. RPO (recovery point objective) is the period of time a company can
4604tolerate lost data being unrecoverable between backups.
4605Option D is incorrect. ALE (annual loss expectancy) is the sum of the annual rate of
4606occurrence and the single loss expectancy.328
4607Appendix
4608â–
4609Answers to Practice Tests
461093. C. Single point of failure is a single weakness that can bring an entire system down and
4611prevent it from working.
4612Option A is incorrect. Cloud computing allows the delivery of hosted service over the
4613Internet.
4614Option B is incorrect. Load-balancing divides the amount of work a computer can do
4615between two or more computers. This allows more work to be completed in the same
4616amount of time.
4617Option D is incorrect. Virtualization allows the creation of virtual resources such as a
4618server operating system. Multiple operating systems can run on one machine by sharing
4619the resources such as RAM, hard drive, and CPU.
462094. D. A pop-up blocker program can help prevent pop-ups from displaying in a user’s web
4621browser. Pop-ups can contain adware or spyware.
4622Option A is incorrect. Antivirus software can help prevent the spreading of malware such
4623as worms and Trojans.
4624Option B is incorrect. Antispam software can help reduce the amount of junk email in a
4625user’s inbox.
4626Option C is incorrect. Spyware gathers personal information and computer usage habits
4627without the user’s knowledge.
462895. A and C. Taking hashes of the hard drive will preserve the evidence. If the hash has not
4629been changed, the data hasn’t changed. Capturing the system image involves making an
4630exact image of the drive so that it can be referenced later in the investigation.
4631Option B is incorrect. Taking screenshots gives an investigator a useful way to collect
4632information on a computer screen. This will allow the investigator to reproduce what hap-
4633pened on the screen.
4634Option D is incorrect. Order of volatility represents the order in which you should collect
4635evidence. In general terms, evidence should be collected starting with the most volatile and
4636moving to the least volatile. Volatile means data is not permanent.
463796. B. A Computer Incident Response Team (CIRT) includes personnel who promptly and
4638correctly handle incidents so that they can be quickly contained, investigated, and recov-
4639ered from.
4640Options A, C, and D are incorrect. These statements are not considered a CIRT.
464197. C. The account lockout threshold setting defines the number of failed sign-in attempts
4642that will cause a user account to be locked. This policy best mitigates brute-force password
4643attacks.
4644Option A is incorrect. Password complexity is a series of guidelines that a password
4645adheres to three of the four categories: uppercase letter, lowercase letter, numbers, and
4646symbols.
4647Option B is incorrect. Password hints help users remember their passwords.
4648Option D is incorrect. Password history determines the number of unique new passwords
4649a user can use before an old password can be reused.Chapter 5: Risk Management
4650329
465198. A. Random access memory (RAM) data is lost when the device is powered off. Therefore,
4652RAM must be properly collected first.
4653Option B is incorrect. A USB flash drive will maintain its data when the power is removed.
4654Option C is incorrect. A hard disk will maintain its data when the power is removed.
4655Option D is incorrect. A swap file is an extension of memory and is stored on the hard
4656disk, so it is less volatile than RAM.
465799. A. A standard operating procedure (SOP) is a document that details the processes that
4658a company will have in place to ensure that routine operations are delivered consistently
4659every time. Guidelines and enforcement are items that are included in a SOP.
4660Option B is incorrect. Order of volatility represents the order in which you should collect
4661evidence. In general terms, evidence should be collected starting with the most volatile and
4662moving to the least volatile. Volatile means data is not permanent.
4663Option C is incorrect. Penetration assessment is a simulated attack authorized on a net-
4664work system that searches for security weaknesses that may potentially gain access to the
4665network’s features and data.
4666Option D is incorrect. A vulnerability assessment identifies, quantifies, and prioritizes vul-
4667nerabilities in a network system.
4668100. B. Determining if the suspect is guilty is determined by the legal system and is not part of
4669the basic concept of computer forensics.
4670Options A, C, and D are incorrect. Other valid basic concepts include capture video and
4671active logging. These options are valid basic concepts of computer forensics.
4672101. C. A warm site is harder to test because it contains only the equipment and no employees
4673or company data.
4674Option A is incorrect. A hot site contains all of the alternate computer and telecommuni-
4675cation equipment needed in a disaster. Testing this environment is simple.
4676Option B is incorrect. A cold site is the hardest to test because it includes a basic room
4677with limited equipment.
4678Option D is incorrect. Load-balancing divides the amount of work a computer can do
4679between two or more computers. This allows more work to be completed in the same
4680amount of time. Distributive allocation handles the assignment of jobs across the servers.
4681102. D. Digital evidence for forensic review must first be collected from the most volatile (not
4682permanent) locations such as RAM and swap files. A swap file is a location on a hard disk
4683drive used as the virtual memory extension of a computer’s RAM. A hard disk drive is the
4684next least volatile, then DVD-R. Some digital evidence can be gathered by using a live boot
4685media.
4686Options A, B, and C are incorrect. RAM is more volatile than swap files and hard disk
4687drives. Swap files are more volatile than DVD-R.330
4688Appendix
4689â–
4690Answers to Practice Tests
4691103. A, B, and C. The lessons learned process is the most critical phase because it is the phase
4692in which you complete any documentation that may be beneficial in future incidents. Doc-
4693umentation should include information such as when the problem was first detected and by
4694whom, how the problem was contained and eradicated, the work that was performed dur-
4695ing the recovery, and areas that may need improvement.
4696Option D is incorrect. The preparation process prepares a company’s team to be ready to
4697handle an incident at a moment’s notice.
4698104. B. The identification phase deals with the discovery and determination of whether a devia-
4699tion from normal operations within a company is an incident. This phase requires a person
4700to collect events from various sources and report the incident as soon as possible.
4701Option A is incorrect. The preparation process prepares a company’s team to be ready to
4702handle an incident at a moment’s notice.
4703Option C is incorrect. The containment process is designed to minimize the damage and
4704prevent any further damage from happening.
4705Option D is incorrect. Eradication is a phase of the incident response process that removes
4706and restores affected systems by reimaging the system’s hard drive and installing patches.
4707105. D. Encrypting PII ensures confidentiality.
4708Option A is incorrect. Hashing PII only ensures integrity.
4709Option B is incorrect. A digital signature provides nonrepudiation.
4710Option C is incorrect. RAID (redundant array of independent disks) ensures higher avail-
4711ability for a disk subsystem.
4712106. C. Change management ensures that proper procedures are followed when configuration
4713changes are made to a network.
4714Options A, B, and D are incorrect. These statements do not define change management.
4715107. C. The preparation phase of the incident response process prepares a company’s team
4716to be ready to handle an incident at a moment’s notice. During this step, a company may
4717identify incidents that can be prevented or mitigated.
4718Option A is incorrect. The containment process is designed to minimize the damage and
4719avoid any further damage from happening.
4720Option B is incorrect. The eradication phase involves removing and restoring affected sys-
4721tems by reimaging the system’s hard drive and installing patches.
4722Option D is incorrect. The lessons learned process is the most critical phase because it
4723is the phase in which you complete any documentation that may be beneficial in future
4724incidents. Documentation should include information such as when the problem was first
4725detected and by whom, how the problem was contained and eradicated, the work that was
4726performed during the recovery, and areas that may need improvement.
4727108. A and D. Quantitative risk analysis requires complex calculations and is more time-Â
4728consuming.
4729Options B and C are incorrect. These statements describe qualitative risk analysis, not
4730quantitative risk analysis.Chapter 5: Risk Management
4731331
4732109. B and C. Cold sites require a large amount of time to bring online after a disaster. They
4733are not easily available for testing as other alternatives.
4734Option A is incorrect. Cold sites are inexpensive and require no daily administration time.
4735This is an advantage to using a cold site.
4736Option D is incorrect. Cold sites do not require daily administration time to ensure the site
4737is ready within a maximum tolerable downtime. This is an advantage to using a cold site.
4738110. B. Personally identifiable information (PII) is personal information that can be used to
4739identify an individual. Protecting PII is important because if an attacker gains PII, they
4740can use it for financial gain at the expense of the individual.
4741Option A is incorrect. Password policy defines the complexity of creating passwords. It
4742should also define weak passwords and how users should protect password safety.
4743Option C is incorrect. Chain of custody refers to the chronological documentation show-
4744ing the custody, control, transfer, analysis, and disposition of physical or electronic evi-
4745dence.
4746Option D is incorrect. Detective controls detect intrusion as it happens and uncover a vio-
4747lation.
4748111. A. Wiping a drive can remove sensitive data. Disposal of hard drives can be done with
4749shredding. Storage includes types of devices and configurations of data safety. Retention
4750can be required for legal and compliance reasons.
4751Options B, C, and D are incorrect. Virtualization and onboarding do not apply to data
4752policies.
4753112. D. Record time offset is used to validate the date and time stamps of digital forensic evi-
4754dence.
4755Option A is incorrect. Order of volatility represents the order in which you should collect
4756evidence. In general terms, evidence should be collected starting with the most volatile and
4757moving to the least volatile. Volatile means data is not permanent.
4758Option B is incorrect. Chain of custody refers to the chronological documentation showing
4759the custody, control, transfer, analysis, and disposition of physical or electronic evidence.
4760Option C is incorrect. Eradication is the process of removing and restoring affected sys-
4761tems by reimaging the system’s hard drive and installing patches.
4762113. D. Risk transfer is the act of moving the risk to hosted providers who assume the respon-
4763sibility for recovery and restoration or by acquiring insurance to cover the costs emerging
4764from a risk.
4765Option A is incorrect. Risk mitigation is when a company implements controls to reduce
4766vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat.
4767Option B is incorrect. Risk acceptance is a strategy of recognizing, identifying, and accept-
4768ing a risk that is sufficiently unlikely or has such limited impact that a corrective control is
4769not warranted.
4770Option C is incorrect. Risk avoidance is the removal of the vulnerability that can increase
4771a particular risk so that it is avoided altogether.332
4772Appendix
4773â–
4774Answers to Practice Tests
4775114. D. An incremental backup backs up all new files and any files that have changed since the
4776last full backup or incremental backup. Incremental backups clear the archive bit.
4777Option A is incorrect. A full backup backs up all the files each time the backup runs.
4778Option B is incorrect. A compressed full backup backs up all the files in a compressed format.
4779Option C is incorrect. A differential backup backs up all new files and any files that have
4780changed since the last full backup. Differential backups do not clear the archive bit.
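As an added illustration (not from the practice-test book), the following Python simulation models the archive-bit rule behind question 114: a full backup followed by three incremental or three differential jobs over constructed sample files, showing which files each job captures and which backup sets are needed for a complete restore.

```python
"""Archive-bit simulation of full, incremental and differential backups.

Added example, not from the book. The model follows the rule stated in the
answer to question 114: full and incremental backups clear the archive bit,
a differential backup leaves it set. File names and contents are constructed
sample data.
"""
from dataclasses import dataclass, field


@dataclass
class File:
    name: str
    content: str
    archive: bool = True  # the OS sets this whenever a file is created or modified


@dataclass
class Volume:
    files: dict = field(default_factory=dict)

    def write(self, name, content):
        """Create or modify a file; this sets its archive bit."""
        self.files[name] = File(name, content, archive=True)

    def backup(self, kind):
        """Run one backup job and return {"kind": ..., "data": {name: content}}."""
        if kind == "full":
            captured = {f.name: f.content for f in self.files.values()}
            for f in self.files.values():
                f.archive = False  # full backup clears the bit on every file
        elif kind == "incremental":
            captured = {f.name: f.content for f in self.files.values() if f.archive}
            for f in self.files.values():
                f.archive = False  # incremental clears the bit on what it captured
        elif kind == "differential":
            captured = {f.name: f.content for f in self.files.values() if f.archive}
            # differential does NOT clear the bit, so every differential after a
            # full backup captures everything changed since that full backup
        else:
            raise ValueError(f"unknown backup kind: {kind}")
        return {"kind": kind, "data": captured}


def restore(jobs):
    """Replay a list of backup jobs in order; the latest copy of a file wins."""
    state = {}
    for job in jobs:
        state.update(job["data"])
    return state


def simulate(strategy):
    """Day 0: full backup. Days 1-3: the given strategy ('incremental' or 'differential').

    Returns the list of backup jobs in the order they ran (constructed scenario).
    """
    vol = Volume()
    vol.write("payroll.db", "v1")
    vol.write("notes.txt", "v1")
    jobs = [vol.backup("full")]
    vol.write("payroll.db", "v2")  # day 1 change
    jobs.append(vol.backup(strategy))
    vol.write("notes.txt", "v2")   # day 2 change
    jobs.append(vol.backup(strategy))
    vol.write("payroll.db", "v3")  # day 3 change
    jobs.append(vol.backup(strategy))
    return jobs


def captured_names(jobs):
    """Sorted file names captured by each job, for comparison."""
    return [sorted(job["data"]) for job in jobs]


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        jobs = simulate(strategy)
        print(strategy, "captured per job:", captured_names(jobs))
        # Restoring from the full backup plus only the most recent job is
        # complete for differential but loses the day-2 change for incremental.
        print("  full + last job restores:", restore([jobs[0], jobs[-1]]))
        print("  full + every job restores:", restore(jobs))
```

Running it shows the practical consequence: an incremental chain must be restored in full, while a differential restore needs only the last full backup and the latest differential.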
4781115. B. Each breach cost the company $60,000 per year and over the course of 5 years, the
4782total amount will total $300,000. Transferring the risk will help save money for the com-
4783pany because the third-party vendor’s solution will cost $250,000.
4784Option A is incorrect. Accepting the risk will cost the company $50,000.
4785Option C is incorrect. Avoiding the risk is not engaging in the service at all, which may be
4786the effective solution but often not possible due to the company’s requirements.
4787Option D is incorrect. Mitigating the risk is reducing the engagement of the service, and
4788the company may not be able to reduce the system.
4789116. C. Approving and executing changes to ensure maximum security and availability of a
4790company’s IT services is considered change management. A business impact analysis (BIA)
4791identifies a company’s risk and determines the effect on ongoing, mission-critical opera-
4792tions and processes.
4793Options A, B, and D are incorrect. These are considered guidelines when performing a
4794BIA.
4795117. B. Failover is the continuous ability to automatically and flawlessly switch to a highly reli-
4796able backup. This can be activated in a redundant manner or in a standby operating mode
4797should the primary server fail. The main purpose of failover is to provide availability of
4798data or service to a user.
4799Option A is incorrect. Integrity ensures the data hasn’t been altered and is protected from
4800unauthorized modification.
4801Option C is incorrect. Authentication is the process of certifying and confirming a user’s
4802identity.
4803Option D is incorrect. Confidentiality allows authorized users to gain access to sensitive
4804and protected data.
4805118. B and C. An alternate business practice is a temporary substitute for normal business
4806activities. When the power is out, the salespeople can use their cell phones to continue to
4807sell and write the orders on a sheet of paper. Once the power is restored, the salespeople
4808can enter the orders into the system without compromising business activities.
4809Option A is incorrect. Having the salespeople go home until the power is restored is not
4810an example of an alternate business practice. The company may not know how long the
4811power will be out, and this could lead to lost business opportunities.
4812Option D is incorrect. The company’s fax machine will not operate if the company’s power
4813is out.Chapter 5: Risk Management
4814333
4815119. D. A custodian configures data protection based on security policies.
4816Option A is incorrect. The local community bank is the data owner, not Leigh Ann.
4817Option B is incorrect. Leigh Ann is a network administrator, not a user.
4818Option C is incorrect. Power user is not a standard security role in the industry.
4819120. A. Formatting is not a recommended method. Formatting removes the pointer to the loca-
4820tion of the data on the storage media but does not ensure the data is removed.
4821Option B is incorrect. Shredding physically destroys the storage media in a way data can-
4822not be retrieved.
4823Option C is incorrect. Wiping, also known as overwriting, will replace the data with all
4824zeros to prevent data from being recovered by third-party software.
4825Option D is incorrect. Degaussing is a method of removing data from a magnetic storage
4826media by changing the magnetic field.
4827121. B and C. Encrypting the backup data before it is stored off-site ensures confidentiality.
4828To avoid data tampering and ensure data integrity, a different employee should review the
4829backup logs.
4830Option A is incorrect. Using SSL (Secure Socket Layer) encrypts the data transmitting
4831across the network, not the data that is stored off-site.
4832Option D is incorrect. The employee performing the backup doesn’t need to be a member
4833of the Administrators group. The employee should be a member of the Backup Operators
4834group.
4835122. C. A protocol analyzer used with a promiscuous mode NIC can capture all network traffic.
4836Option A is incorrect. A port scanner identifies open ports on a server or host.
4837Option B is incorrect. A vulnerability scanner attempts to identify weaknesses in a system.
4838Option D is incorrect. A network intrusion detection system (NIDS) analyzes incoming
4839network traffic.
4840123. A. The correct answer is an Internet acceptable use policy. Leigh Ann will be using the
4841company’s equipment to access the Internet, so she should read and sign this policy.
4842Option B is incorrect. An audit policy defines the requirements and parameters for risk
4843assessment and audits of the organization’s information and resources.
4844Option C is incorrect. A password policy defines the standards for creating complex pass-
4845words such as an uppercase letter, lowercase letter, number, and symbol.
4846Option D is incorrect. A privacy policy defines what information will be shared with third
4847parties. This information includes company and customer information.
4848124. D. Active-passive is a configuration that involves two load-balancers. Traffic is sent to the
4849primary node, and the secondary node will be in listening mode. When too much traffic is
4850sent to the main server, the second server will handle some of the requests. This will pre-
4851vent a single point of failure.
4852Option A is incorrect. In an active-active configuration, each server will handle the service
4853requested by the user. This will distribute the load to each server.334
4854Appendix
4855â–
4856Answers to Practice Tests
4857Option B is incorrect. Active Directory is a directory service Microsoft developed for the
4858Windows domain network. It stores information about network components.
4859Option C is incorrect. Round-robin configuration sends traffic to the first node, then the
4860second node, then the third node, and then back to the first node. This configuration is not
4861related to fault tolerance.
4862125. C. A clean desk policy ensures that all sensitive/confidential documents are removed from
4863an end-user workstation and locked up when the documents are not in use.
4864Option A is incorrect. Job rotation is the practice of rotating employees that are assigned
4865jobs within their employment to promote flexibility and keep employees interested in their
4866jobs.
4867Option B is incorrect. A data owner has administrative control and can be designated as
4868accountable and responsible for a particular set of data.
4869Option D is incorrect. Separation of duties is the concept of having more than one person
4870required to complete a task.
4871126. D. Chain of custody offers assurances that evidence has been preserved, protected, and
4872handled correctly after it has been collected. Documents show who handled the evidence
4873and when they handled it.
4874Option A is incorrect. Delegating evidence to your manager is a task performed when
4875gathering forensic evidence. Chain of custody is preserving evidence, also referred to as
4876legal hold.
4877Option B is incorrect. Capturing system image is making an exact copy of the hard disk to
4878further investigate. This does not define chain of custody.
4879Option C is incorrect. Capturing memory contents is defined as order of volatility.
4880127. B. Gray-box testing uncovers any application vulnerabilities within the internal structure,
4881devices, and components of a software application. During gray-box testing, limited infor-
4882mation regarding the internal devices and structure is given to the testing team.
4883Option A is incorrect. During white-box testing, complete information regarding the inter-
4884nal devices and structure is given to the testing team.
4885Option C is incorrect. During black-box testing, very little or no information regarding the
4886internal devices and structure is given to the testing team.
4887Option D is incorrect. Clear-box testing is also known as white-box testing.
4888128. B and C. A personnel hiring policy and separation of duties are administrative controls.
4889Administrative controls are defined through policies, procedures, and guidelines.
4890Options A and D are incorrect. Firewall rules and IPSs are considered technical controls.
4891129. A and D. An alternate business practice is a temporary substitute for normal business
4892activities. Having employees write down customers’ orders is a substitute for the point-of-
4893sale system. Having employees work from another bank location means that the employees
4894can continue using the computer system and phones to assist customers.
4895Options B and C are incorrect. These are not examples of substitutes for normal business
4896activities.Chapter 5: Risk Management
4897335
4898130. A and C. Personally identifiable information (PII) is personal information that can be used
4899to identify an individual. PII must be carefully handled and distributed to prevent ID theft
4900and fraud. Personal electronic devices, in a BYOD environment, should be protected and
4901secured because these devices can be used for personal and business purposes.
4902Option B is incorrect. A MOU (memorandum of understanding) is a legal document that
4903describes a mutual agreement between parties.
4904Option D is incorrect. A nondisclosure agreement (NDA) protects sensitive and intellec-
4905tual data from getting into the wrong hands.
4906131. C. An after-action report examines a response to an incident or exercise and identifies its
4907strengths that will be maintained and built on. Also, it helps recognize potential areas of
4908improvement.
4909Option A is incorrect. An MOU (memorandum of understanding) is a legal document that
4910describes a mutual agreement between parties.
4911Option B is incorrect. An SLA (service level agreement) defines the level of service the cus-
4912tomer expects from the service provider. The level of service definitions should be specific
4913and measurable in each area.
4914Option D is incorrect. A nondisclosure agreement (NDA) protects sensitive and intellec-
4915tual data from getting into the wrong hands.
4916132. B. Risk acceptance is a strategy of recognizing, identifying, and accepting a risk that is
4917sufficiently unlikely or has such limited impact that a corrective control is not warranted.
4918Option A is incorrect. Risk mitigation is when a company implements controls to reduce
4919vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat.
4920Option C is incorrect. Risk avoidance is the removal of the vulnerability that can increase
4921a particular risk so that it is avoided altogether.
4922Option D is incorrect. Risk transfer is the act of moving the risk to hosted providers who
4923assume the responsibility for recovery and restoration or by acquiring insurance to cover
4924the costs emerging from a risk.
4925133. A. Data owners assign labels such as top secret to data.
4926Option B is incorrect. Custodians assign security controls to data.
4927Option C is incorrect. A privacy officer ensures that companies comply with privacy laws
4928and regulations.
4929Option D is incorrect. System administrators are responsible for the overall functioning of
4930the IT system.
4931134. C. Employees can leak a company’s confidential information. Exposing a company’s
4932information could put the company’s security position at risk because hackers can use this
4933information to gain unauthorized access to the company.
4934Option A is incorrect. Gaining access to a computer’s MAC address is not relevant to
4935social media network risk.
4936Option B is incorrect. Gaining access to a computer’s IP address is not relevant to social
4937media network risk.336
4938Appendix
4939â–
4940Answers to Practice Tests
4941Option D is incorrect. Employees can easily express their concerns about a company in
4942general. This is not relevant to social media network risk as long as the employee doesn’t
4943reveal any confidential information.
4944135. B. A snapshot is the state of a system at a particular point in time. Snapshots offer consid-
4945erably easier and faster backups than any traditional backup system can.
4946Options A, C, D and are incorrect. Each of these backup concepts will take longer to
4947restore the original OS settings should a problem occur with the installed patches.
4948136. C. To test the integrity of backed-up data, restore part of the backup.
4949Option A is incorrect. Reviewing written procedures will not ensure that the data has
4950been backed up properly. The procedures only show you how and when the backup should
4951occur.
4952Option B is incorrect. You use software to recover deleted files after you restore from a
4953backup.
4954Option D is incorrect. Conducting another backup only ensures that the backup proce-
4955dures are correct and properly working.
4956137. C. Separation of duties is the concept of having more than one person required to com-
4957plete a task.
4958Option A is incorrect. A background check is a process that is performed when a potential
4959employee is considered for hire.
4960Option B is incorrect. Job rotation allows individuals to see various parts of the organiza-
4961tion and how it operates. It also eliminates the need for a company to rely on one individ-
4962ual for security expertise should the employee become disgruntled and decide to harm the
4963company. Recovering from a disgruntled employee’s attack is easier when multiple employ-
4964ees understand the company’s security posture.
4965Option D is incorrect. Collusion is an agreement between two or more parties to defraud a
4966person of his or her rights or to obtain something that is prohibited by law.
4967138. D. Safety is a common goal of security that includes providing protection for personnel
4968and other assets.
4969Option A is incorrect. Confidentiality allows authorized users to gain access to sensitive
4970and protected data.
4971Option B is incorrect. Integrity ensures that the data hasn’t been altered and is protected
4972from unauthorized modification.
4973Option C is incorrect. Availability means that information is always going to be something
4974a user can access.
4975139. D. Nessus is considered a vulnerability scanner. It attempts to identify weaknesses in a
4976system.
4977Options A, B, and C are incorrect. These tools are used for cracking passwords.Chapter 5: Risk Management
4978337
4979140. B. ALE (annual loss expectancy) = SLE (single loss expectancy) × ARO (annualized rate
4980of occurrence). SLE equals $750,000 (2,500 records × $300), and ARO equals 5%, so
4981$750,000 times 5% equals $37,500.
4982Options A, C, and D are incorrect. Based on the calculation of ALE, the answer is $37,500.
4983141. C. A parallel test can test certain systems to confirm their operation at alternate sites.
4984Compare the results of the test to the results of the original system to confirm that the
4985alternate site operates as close to normal as possible.
4986Option A is incorrect. A cutover test will shut down the main system and everything will
4987fail over to the backup systems.
4988Option B is incorrect. A walkthrough test reviews the plan to confirm that all the steps are
4989included.
4990Option D is incorrect. A simulation test performs a practice run of the disaster recovery
4991plan for a given scenario.
4992142. C. RPO (recovery point objective) specifies the allowable data loss. It is the amount of
4993time that can pass during an interruption before the quantity of data lost during that
4994period surpasses business continuity planning’s maximum acceptable threshold.
4995Option A is incorrect. MTBF (mean time between failures) is the rating on a device or
4996component that predicts the expected time between failures.
4997Option B is incorrect. MTTR (mean time to repair) is the average time it takes for a failed
4998device or component to be repaired or replaced.
Option D is incorrect. ARO (annual rate of occurrence) is the ratio of an estimated possibility that a threat will take place within a one-year time frame.
5001143. B. A corrective control is designed to correct a situation.
5002Option A is incorrect. Detective controls detect intrusion as it happens and uncover a
5003violation.
Option C is incorrect. A preventive control is used to avoid a security breach or an interruption of critical services before they can happen.
5006Option D is incorrect. A deterrent control is used to deter a security breach.
5007144. A. A snapshot is the state of a system at a particular point in time. It’s also known as a
5008system image and is not a step in the incident response process.
5009Options B, C, and D are incorrect. Preparation, recovery, and containment are steps of the
5010incident response process.
5011145. B. Shredding documents can prevent physical threats such as theft of the documents or
5012obtaining information from the documents.
5013Option A is incorrect. Shoulder surfing is using direct observation techniques, such as
5014looking over someone’s shoulder, to obtain information.
5015Option C is incorrect. Adware are ads that are delivered through pop-up windows or bars
5016that appear on the program’s user interface.
5017Option D is incorrect. Spyware is software that is installed on a system without the end user’s
knowledge and is used for innocuous reasons. It is sometimes referred to as tracking software.
146. D. A data retention policy states how data should be stored based on various types, such
as storage location, amount of time the data should be retained, and the type of storage
medium that should be used.
5025Option A is incorrect. A clean desk policy ensures that all sensitive/confidential documents
5026are removed from an end-user workstation and locked up when the documents are not in
5027use.
5028Option B is incorrect. An acceptable use policy describes the limits and guidelines for users
to make use of an organization’s physical and intellectual resources. This includes allowing or limiting the use of personal email during work hours.
5031Option C is incorrect. A security policy defines how to secure physical and information
5032technology assets. This document should be continuously updated as technology and
5033employee requirements change.
5034147. C. Onboarding is the process of adding an employee to a company’s identity and access
5035management system.
Option A is incorrect. Offboarding is the process of removing an employee from the company’s identity and access management system.
5038Option B is incorrect. A system owner is an individual who is in charge of physically
5039securing one or more systems and can include patching and updating operating systems.
5040Option D is incorrect. An Executive User is a group that users are assigned to along with
5041the least privilege policy.
5042148. A, C, and D. The correct answer is standard, procedure, and guideline. A standard defines
5043how to measure the level of adherence to the policy. A procedure contains the step-by-step
instructions for implementing components of the policy. A guideline is a suggestion, recommendation, or best practices for how to meet the policy standard.
5046Option B is incorrect. Privacy is a policy that defines standards for disclosing company
5047information to third parties.
149. A. Chain of custody refers to the chronological documentation showing the custody, control, transfer, analysis, and disposition of physical or electronic evidence.
5050Option B is incorrect. Order of volatility represents the order in which you should collect
5051evidence. In general terms, evidence should be collected starting with the most volatile and
5052moving to the least volatile. Volatile means data is not permanent.
5053Option C is incorrect. Preparation is a phase of the incident response process that prepares
5054a company’s team to be ready to handle an incident at a moment’s notice.
5055Option D is incorrect. Eradication is a phase of the incident response process that removes
5056and restores affected systems by reimaging the system’s hard drive and installing patches.
150. C and D. The correct answers are asset estimation and rating potential threats. Qualitative risk analysis measures the probability of risks that will hinder normal business operations and rates them relative to one another. Assets that are protected from risks must have
assigned value to determine whether the cost of risk mitigation is justified.
Options A and B are incorrect. ARO (annual rate of occurrence) and SLE (single loss
expectancy) are used to calculate the ALE (annual loss expectancy) by multiplying ARO
by SLE.
5065Chapter 6: Cryptography and PKI
1. A. A digital signature is a one-way hash encrypted with the private key. The public
key is used to decrypt the hash and validate the integrity of the digital signature. Digital
signatures support nonrepudiation, where the sender cannot refute sending the message.
5069Option B is incorrect. TLS (Transport Layer Security) creates a secure connection by
5070using symmetric cryptography based on a shared secret. The same key encrypts and
5071decrypts the data.
5072Option C is incorrect. Digital signatures are created with the private key.
5073Option D is incorrect. TLS creates a secure connection by using symmetric cryptography
5074based on a shared secret. The same key encrypts and decrypts the data.
50752. D. A revoked certificate is no longer valid for the intended purpose, and a new key pair
5076and certificate will need to be generated.
5077Option A is incorrect. The certificate cannot be renewed after its expiration date.
5078Option B is incorrect. A self-signed certificate will generate errors within the client’s web
5079browser and should not be used as a replacement since the self-signed certificate is not
5080from a trusted certificate authority.
5081Option C is incorrect. Key escrow is a cryptographic key exchange process in which a key
5082is stored by a third party. Should the original user’s key be lost or compromised, the stored
key can be used to decrypt encrypted material, allowing restoration of the original material to its unencrypted state. This scenario didn’t state the key was lost but rather that the
5085certificate had expired.
3. B. Digital signatures are created by using the user’s or computer’s private key that is accessible only to that user or computer. Nonrepudiation is the assurance that someone cannot
5088deny something.
5089Option A is incorrect. A symmetric algorithm, also known as a secret key algorithm, uses
5090the same key to encrypt and decrypt data.
5091Option C is incorrect. A CRL (certificate revocation list) is a list of digital certificates that
have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted.
5094Option D is incorrect. An asymmetric algorithm, also known as public key cryptography,
5095uses public and private keys to encrypt and decrypt data.
50964. B. WiFi Alliance, a nonprofit organization that promotes WiFi technology, recommends a
5097passphrase be at least eight characters long and include a mixture of upper- and lowercase
5098letters and symbols.
5099Options A, C, and D are incorrect.
51005. A. A CRL (certificate revocation list) is a list of digital certificates that have been revoked
5101by the issuing certificate authority (CA) before their scheduled expiration date and should
5102not be trusted.
5103Option B is incorrect. Key escrow is a cryptographic key exchange process in which a key
is stored by a third party. Should the original user’s key be lost or compromised, the stored
key can be used to decrypt encrypted material, allowing restoration of the original material to its unencrypted state.
5110Option C is incorrect. Nonrepudiation is a method of guaranteeing a message transmission
5111between parties by a digital signature.
5112Option D is incorrect. A recovery agent is a user who is permitted to decrypt another
5113user’s data in case of emergency or in special situations.
51146. A and D. DES and 3DES are symmetric-key block ciphers using a 64-bit block size.
5115Option B is incorrect. SHA is a hashing algorithm and is used for integrity.
5116Option C is incorrect. MD5 is a hashing algorithm and is used for integrity.
51177. D. You would need the supplicant. The authenticator, an AP or wireless controller, sends
5118authentication messages between the supplicant and authentication server.
5119Option A is incorrect. Network access control (NAC) increases the security of a proprietary
5120network by restricting access to devices that do not comply with a defined security policy.
5121Option B is incorrect. The authentication server is the RADIUS server and is responsible
5122for authenticating users wanting to connect to the network.
5123Option C is incorrect. The authenticator is the client that authenticates against the
5124RADIUS server using an EAP method configured on the RADIUS server.
8. D. ECC (elliptic curve cryptography) is an asymmetric algorithm that uses smaller keys
and provides the same level of strength as asymmetric algorithms with longer key lengths.
5127Option A is incorrect. Blowfish is a symmetric algorithm that uses the same key to encrypt
5128and decrypt data.
5129Option B is incorrect. RSA uses a longer key length than ECC.
5130Option C is incorrect. DHE uses a longer key length than ECC.
51319. B. Initialization vectors (IVs) are random values that are used with algorithms to ensure
5132patterns are not created during the encryption process. IVs are used with keys and are not
5133encrypted when being sent to the destination.
Option A is incorrect. A one-time pad is an encryption method and uses a pad with random values that are XORed against the message to produce ciphertext. One-time pad is at
5136least as long as the message itself and is used once and then discarded. This technology is
5137not addressed in this scenario.
5138Option C is incorrect. Stream ciphers encrypt data one bit at a time. This concept is not
5139addressed in this scenario.
Option D is incorrect. Block ciphers encrypt data one block, or fixed block, at a time.
5141This concept is not addressed in this scenario.
514210. D. An open wireless network does not require a user to enter credentials for access.
5143Option A is incorrect. An IV (initialization vector) is an arbitrary number that is used with
5144a secret key for data encryption.
5145Option B is incorrect. WEP (Wired Equivalent Privacy) is a security standard for 802.11b.
5146It is designed to provide a level of security for a WLAN.
5147Option C is incorrect. WPA (WiFi Protected Access) is a security standard that replaced
and improved on WEP.
515011. C. RSA is an asymmetric algorithm and should be discontinued.
5151Options A, B, and D are incorrect. AES, RC4, and Twofish are symmetric algorithms.
12. B. OCSP (Online Certificate Status Protocol) is a protocol that can be used to query a certificate authority about the revocation status of a given certificate. It validates certificates
by returning responses such as “good,” “revoked,” and “unknown.”
Option A is incorrect. A CRL (certificate revocation list) is a list of digital certificates that
have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted.
Option C is incorrect. An RA (registered authority) is used to verify requests for certificates and forwards responses to the CA.
5160Option D is incorrect. PKI (public key infrastructure) is an entire system of hardware,
5161software, policies and procedures, and people. PKI creates, distributes, manages, stores,
5162and revokes certificates. OCSP is part of the PKI.
13. B and D. 3DES and Blowfish are symmetric-key block ciphers. Both use a block size of 64 bits.
5165Option A is incorrect. MD5 is a hashing algorithm and is used for integrity.
5166Option C is incorrect. RC4 is a stream cipher and uses key sizes of 40 to 2048 bits.
14. C. DES (Data Encryption Standard) uses a 56-bit key and is superseded by 3DES. DES is
considered to be insecure for many applications.
5169Option A is incorrect. Blowfish has a 64-bit block size and a variable key length up to
5170448 bits.
5171Option B is incorrect. AES (Advanced Encryption Standard) is a newer and stronger
5172encryption standard and is capable of using 128-bit, 192-bit, and 256-bit keys.
5173Option D is incorrect. SHA is a hashing algorithm.
517415. B. WEP uses the encryption protocol RC4 and is considered insecure.
5175Options A, C, and D are incorrect. WEP does not use the RC6, AES, or DES encryption
5176protocol.
517716. A. Key stretching increases the strength of stored passwords and protects passwords from
5178brute-force attacks and rainbow table attacks.
Option B is incorrect. Key escrow is a cryptographic key exchange process in which a key
is stored by a third party. Should the original user’s key be lost or compromised, the stored
key can be used to decrypt encrypted material, allowing restoration of the original material to its unencrypted state.
5183Option C is incorrect. Key strength is the length of the key that is being used to encrypt
5184the data. According to NIST guidance, the use of keys that provide less than 112 bits of
5185security strength for key agreement is disallowed.
Option D is incorrect. ECC (elliptic curve cryptography) is an asymmetric algorithm that
uses smaller keys and provides the same level of strength as asymmetric algorithms with longer key lengths.
519217. B. Complex passwords of 16 or more ASCII characters are considered strong. Passwords
5193should follow the complexity rule of having three of the four following items: lowercase
5194letter, uppercase letter, number, and special character.
5195Option A is incorrect. This password is too common and can be easily guessed.
5196Option C is incorrect. This password isn’t following the complexity rule and it has only six
5197ASCII characters, which can easily be guessed through the use of brute force.
Option D is incorrect. This password is commonly found in the dictionary and can be susceptible to a dictionary attack.
520018. A. WPA2 Enterprise uses an authentication server such as a RADIUS server to control
5201access to a WLAN.
Option B is incorrect. WPA2 Personal does not use an authentication server. It uses a passphrase that is entered into the SOHO router.
5204Option C is incorrect. TKIP is a wrapper that wraps around existing WEP encryption and
5205is used in WPA. TKIP replaced WEP in WLAN devices.
5206Option D is incorrect. WEP does not use an authentication server. Users enter a passphrase
5207to connect to the SOHO router.
520819. B. Block ciphers encrypt data one block, or fixed block, at a time. Cryptographic service
5209provider, a cryptographic module, performs block and stream cryptography algorithms.
5210Option A is incorrect. Stream ciphers encrypt data one bit at a time.
5211Option C is incorrect. An asymmetric algorithm, also known as public key cryptography,
5212uses public and private keys to encrypt and decrypt data.
5213Option D is incorrect. A symmetric algorithm, also known as a secret key algorithm, uses
5214the same key to encrypt and decrypt data.
521520. B. Twofish is a symmetric block cipher that replaced Blowfish.
5216Option A is incorrect. RSA is an asymmetric algorithm.
5217Option C is incorrect. MD5 is a hashing algorithm.
5218Option D is incorrect. PBKDF2 is a key stretching algorithm.
21. B. In a certification hierarchy, the root CA certifies the intermediate CA and can issue certificates to users, computers, or services.
5221Option A is incorrect. A registered authority (RA) is used to verify requests for certificates
5222and forwards responses to the CA.
5223Option C is incorrect. A CRL (certificate revocation list) is a list of digital certificates that
have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted.
5226Option D is incorrect. A CSR (certificate signing request) is a request an applicant sends to
a CA for the purpose of applying for a digital identity certificate.
522922. B. EAP-TLS is a remote access authentication protocol that supports the use of smartcards.
5230Option A is incorrect. PEAP is an encapsulating protocol that uses a certificate on
5231the authentication server and a certificate on the client. It supports password-based
5232authentication.
5233Option C is incorrect. CHAP authenticates by using PPP servers to validate the identity of
5234remote clients. It supports password-based authentication.
5235Option D is incorrect. MS-CHAPv2 is Microsoft’s version of CHAP and is used as an
5236authentication option with RADIUS. It supports password-based authentication.
23. D. Digital signatures are created by using the user’s or computer’s private key that is accessible only to that user or computer. Nonrepudiation is the assurance that someone cannot
5239deny something.
5240Option A is incorrect. TKIP is a wrapper that wraps around existing WEP encryption and
5241is used in WPA. TKIP replaced WEP in WLAN devices.
5242Option B is incorrect. An intermediate certificate authority sits between the root certificate
5243authority and the end entity to better secure the root certificate authority. Intermediate
5244certificate authorities can also help a large organization handle large requests for
5245certifications.
5246Option C is incorrect. A public key is held by the certificate authority and is available for
5247anyone to use to encrypt data or verify a user’s digital signature.
24. D. EAP-TTLS determines how user authentication is performed during phase 2. The
user authentication may be a legacy protocol such as PAP, CHAP, MS-CHAP, or MS-CHAPv2.
5251Options A, B, and C are incorrect. PEAP, EAP-FAST, and EAP-TLS create a TLS tunnel to
5252protect the supplicant credentials but do not support legacy authentication protocols.
525325. C and D. RSA is an asymmetric algorithm (also known as public key cryptography) that
5254uses a public and a private key to encrypt and decrypt data during transmissions. ECC
5255(elliptical curve cryptography) is based on elliptic curve theory that uses points on a curve
5256to define more efficient public and private keys.
5257Option A is incorrect. RC4 is a symmetric algorithm and uses one key to encrypt and
5258decrypt data.
5259Option B is incorrect. DES is a symmetric algorithm and uses one key to encrypt and
5260decrypt data.
526126. A. Substitution ROT13 replaces a letter with the 13th letter after it in the alphabet.
5262Option B is incorrect. Transposition scrambles data by reordering the plain text in some
5263certain way.
5264Option C is incorrect. Diffusion is a change in the plain text resulting in multiple changes
5265that are spread out throughout the ciphertext.
5266Option D is incorrect. Confusion encryption is a method that uses a relationship between
5267the plain text and the key that is so complicated the plain text can’t be altered and the key
can’t be determined by a threat actor.
527227. C. With asymmetric algorithms, every user must have at least one pair of keys (private
5273and public). The two keys are mathematically related. If a message is encrypted with one
key, the other key is required to decrypt the message. The formula to determine the number of keys needed is N × 2, where N is the number of people.
Option A is incorrect. This is the number of keys needed in a symmetric key cryptosystem.
Each pair of users who are exchanging data must have two instances of the same key. The formula for calculating the number of symmetric keys needed is: N (N–1) / 2 = number of keys.
5279Option B is incorrect. Each user in a public key infrastructure requires at least one pair of
5280keys (private and public). The formula for determining the number of keys that are needed
5281is N × 2.
5282Option D is incorrect. This total is derived from N (N–1), which is part of the formula for
5283calculating the number of symmetric keys needed.
528428. B. A symmetric algorithm, also known as a secret key algorithm, uses the same key to
5285encrypt and decrypt data.
5286Option A is incorrect. An asymmetric algorithm, also known as public key cryptography,
5287uses public and private keys to encrypt and decrypt data.
Option C is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages.
Option D is incorrect. Steganography is a process of hiding data within data. This technique can be applied to images, video files, or audio files.
529329. D. RSA is an asymmetric algorithm (also known as public key cryptography) that uses a
5294public and a private key to encrypt and decrypt data during transmissions.
5295Options A, B, and C are incorrect. Twofish, 3DES, and RC4 are symmetric algorithms.
5296Also known as a secret key algorithm, a symmetric algorithm uses the same key to encrypt
5297and decrypt data.
30. A. Full-disk encryption on data-at-rest will help protect the inactive data should the storage device be stolen. The thief would not be able to read the data.
5300Option B is incorrect. Implementing biometrics will control who enters the location. An
5301unauthorized user can tailgate and obtain the storage device and read the data-at-rest.
5302Option C is incorrect. Implementing a host-based intrusion detection system is designed to
5303alert you when an attack occurs on a network but does not protect the data-at-rest if the
5304storage device is stolen.
5305Option D is incorrect. Implementing a host-based intrusion prevention system is designed
5306to prevent an attack on a network but does not protect the data-at-rest if the storage device
5307is stolen.
530831. A. EAP-FAST is for situations where strong password policy cannot be enforced and
5309certificates are not used. EAP-FAST consists of three phases: EAP-FAST authentication,
5310establishment of a secure tunnel, and client authentication.
Options B, C, and D are incorrect. These EAP types do not use a three-phase process.
531332. A. DES is a symmetric encryption standard that uses a key length of 56 bits.
5314Option B is incorrect.
5315Option C is incorrect. AES uses a block length of 128 bits and key lengths of 128, 192, or
5316256 bits.
5317Option D is incorrect. WPS is a network security standard that allows home users to easily
5318add new devices to an existing wireless network without entering long passphrases.
531933. B. Hashing is a one-way encryption that transforms a string of characters into a fixed-
5320length value or key, also known as a hash value. Hashes ensure the integrity of data or
5321messages.
5322Option A is incorrect. Steganography is a process of hiding data within data, also known
5323as security through obscurity. This technique can be applied to images, video files, or
5324audio files.
5325Option C is incorrect. A collision occurs when a hashing algorithm creates the same hash
5326from two different messages.
5327Option D is incorrect. An IV (initialization vector) is an arbitrary number that is used with
5328a secret key for data encryption. IV makes it more difficult for hackers to break a cipher.
532934. B. SSL (Secure Socket Layer) uses public key encryption. When a client accesses a secured
website, it will generate a session key and encrypt it with the server’s public key. The session key is decrypted with the server’s private key, and the session key is used to encrypt
5332and decrypt data sent back and forth.
5333Option A is incorrect. The server’s private key is held privately by the server and is used
5334only to decrypt data the client encrypted with the server’s public key.
5335Option C is incorrect. The server doesn’t create the session key as the client is accessing the
5336secured website.
5337Option D is incorrect. The server doesn’t create the session key as the client is accessing
5338the secured website. The server’s public key is used to encrypt the session key created by
5339the client.
534035. C. EAP-TLS requires both client and server to have certificates. The authentication is
5341mutual where the server authenticates to the client and the client authenticates to the
5342server.
5343Options A, B, and D are incorrect. The other EAP types may use client certificates but
5344they are not required.
534536. A. PGP (Pretty Good Privacy) or GPG (GNU Privacy Guard) provides a low-cost or open
5346source alternative solution that allows users to encrypt their outgoing emails.
5347Option B is incorrect. WPA2 is a security standard that secures computers connected to a
5348WiFi network.
5349Option C is incorrect. A CRL (certificate revocation list) is a list of digital certificates that
5350have been revoked by the issuing certificate authority (CA) before their scheduled expira-
5351tion date and should not be trusted.
5352Option D is incorrect. EAP-TLS is a remote access authentication protocol that supports
the use of smartcards.
535737. C. SHA-1 is a hashing algorithm that produces a 160-bit digest.
5358Option A is incorrect. MD5 is a hashing algorithm that produces a 128-bit digest.
5359Option B is incorrect. RC4 is a symmetric algorithm and encrypts data.
5360Option D is incorrect. AES is a symmetric algorithm and encrypts data.
536138. A. Wildcard certificates allow the company to secure an unlimited number of subdomain
5362certificates on a domain name from a third party.
5363Option B is incorrect. Object identifiers (OIDs) identify an object or entity. OIDs are used
5364in X.509 certificates to name almost every object type.
5365Option C is incorrect. Key escrow is a cryptographic key exchange process in which a key
5366is stored by a third party. Should the original user’s key be lost or compromised, the stored
key can be used to decrypt encrypted material, allowing restoration of the original material to its unencrypted state.
5369Option D is incorrect. OCSP (Online Certificate Status Protocol) is a protocol that can be
5370used to query a certificate authority about the revocation status of a given certificate. An
5371OCSP response contains signed assertions that a certificate is not revoked.
537239. B and D. EAP and IEEE 802.1x are authentication protocols that transfer authentication
5373data between two devices.
5374Option A is incorrect. WPS (WiFi Protected Setup) is a network security standard that
allows home users to easily add new devices to an existing wireless network without entering long passphrases.
Option C is incorrect. IPSec is a framework of open standards that ensures communications are private and secure over IP networks.
40. A. Digital signatures are created by using the user’s or computer’s private key that is accessible only to that user or computer. Nonrepudiation is the assurance that someone cannot
5381deny something.
Option B is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages.
Option C is incorrect. Steganography is a process of hiding data within data. This technique can be applied to images, video files, or audio files.
5387Option D is incorrect. Perfect forward secrecy is a way to ensure the safety of session keys
5388from future abuse by threat actors.
538941. D. Hashing is a one-way encryption that transforms a string of characters into a fixed-
5390length value or key, also known as a hash value. Hashes ensure the integrity of data or
5391messages.
5392Option A is incorrect. Key escrow is a cryptographic key exchange process in which a key
5393is stored by a third party. Should the original user’s key be lost or compromised, the stored
key can be used to decrypt encrypted material, allowing restoration of the original material to its unencrypted state.
Option B is incorrect. File backup allows the data to be available in case the original files
are deleted or become corrupted.
5399Option C is incorrect. Encryption is the process of using an algorithm to change plain text
5400data into unreadable information to protect it from unauthorized users. The main purpose
5401of encryption is to protect the confidentiality of digital data stored on a computer system
5402or transmitted via a network.
540342. D. RADIUS is a client-server protocol that enables remote access servers to communicate with
5404a central server to authenticate users. RADIUS uses symmetric encryption for security.
5405Option A is incorrect. TACACS+ is a Cisco proprietary authentication protocol and is
5406used to securely access Cisco devices.
5407Option B is incorrect. XTACACS is a Cisco proprietary authentication protocol that
5408replaced TACACS and was used to securely access Cisco devices.
5409Option C is incorrect. Kerberos is a protocol for authenticating service requests between
5410trusted hosts across an untrusted network such as the Internet.
541143. A. Encryption provides confidentiality because the data is scrambled and cannot be read
5412by an unauthorized user. Symmetric encryption uses one key to encrypt, and decrypting
5413data with one key is considered fast.
5414Option B is incorrect. Nonrepudiation is a method of guaranteeing a message transmission
5415between parties by a digital signature.
Option C is incorrect. Steganography is a process of hiding data within data. This technique can be applied to images, video files, or audio files.
5418Option D is incorrect. A collision occurs when a hashing algorithm creates the same hash
5419from two different messages.
542044. B. Steganography is a process of hiding data within data. This technique can be applied to
5421images, video files, or audio files.
Option A is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages.
5425Option C is incorrect. A symmetric algorithm, also known as a secret key algorithm, uses
5426the same key to encrypt and decrypt data.
5427Option D is incorrect. An asymmetric algorithm, also known as public key cryptography,
5428uses public and private keys to encrypt and decrypt data.
542945. A. Enable perfect forward secrecy (PFS) at the main office and branch office end of the
5430VPN. Perfect forward secrecy is a way to ensure the safety of session keys from future
5431abuse by threat actors.
5432Options B, C, and D are incorrect. You should enable PFS at both ends of the VPN since
5433PFS depends on asymmetric encryption and ensures the session key created from the public
5434and private keys will not be compromised if one of the private keys is compromised.
543546. B. WPS is a network security standard that allows home users to easily add new devices to
5436an existing wireless network without entering long passphrases. Users enter a PIN to allow
5437the device to connect after pressing the WPS button on the SOHO router.
5438Options A, C, and D are incorrect. WEP and WPA have passphrases, not PINs, that are
5439entered. Bluetooth PINs are used to set up devices to communicate via Bluetooth, not with
5440a SOHO router.
544447. A and B. Digital signatures provide three core benefits: authentication, integrity, and
5445nonrepudiation.
5446Option C is incorrect. A digital signature is a one-way hash encrypted with the private
5447key. A digital signature does not encrypt data.
5448Option D is incorrect. A digital signature is used for authentication, integrity, and
5449nonrepudiation—not to securely exchange keys.
545048. C and D. PBKDF2 applies a pseudo-random function such as an HMAC to the password
5451along with a salt value and produces a derived key. PBKDF2 is designed to protect against
5452brute-force attacks. BCRYPT is a password-hashing function derived from the Blowfish
5453cipher. It adds a salt value to protect against rainbow table attacks.
5454Option A is incorrect. ROT13 is a substitution cipher, also known as a Caesar cipher, that
5455replaces a letter with the 13th letter after it in the alphabet. ROT13 is not recommended in
5456this scenario due to patterns it creates.
5457Option B is incorrect. MD5 is a hashing algorithm that transforms a string of characters
5458into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of
5459data or messages. MD5 is considered weak and is not recommended.
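Neither PBKDF2 nor bcrypt is shown in the book, so the following is an added example (not from the book or any vendor): PBKDF2 with HMAC-SHA256 written out from its definition in RFC 8018, where each output block is U1 xor U2 xor ... xor Uc and each U is the HMAC of the previous one, plus a salted password record and a constant-time verifier built on it. The password strings, the salt length and the iteration counts are constructed for the demonstration; the function and type names are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// pbkdf2SHA256 derives keyLen bytes from password and salt as in RFC 8018
// section 5.2 with HMAC-SHA256 as the PRF. Each output block is
// T = U1 xor U2 xor ... xor Uc with U1 = HMAC(P, salt || blockIndex) and
// Uj = HMAC(P, U(j-1)); c is the iteration count that slows brute force.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	numBlocks := (keyLen + hLen - 1) / hLen
	dk := make([]byte, 0, numBlocks*hLen)
	var idx [4]byte
	for block := 1; block <= numBlocks; block++ {
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil) // U1
		t := append([]byte(nil), u...)
		for j := 1; j < iterations; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // Uj
			for k := range t {
				t[k] ^= u[k]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// passwordRecord is what the password database stores: never the password,
// only a per-user random salt, the work factor and the derived key.
type passwordRecord struct {
	Salt       []byte
	Iterations int
	Key        []byte
}

// hashPassword draws a fresh 16-byte salt, so two users with the same password
// get different keys and a precomputed (rainbow) table is useless.
func hashPassword(password string, iterations int) (passwordRecord, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return passwordRecord{}, err
	}
	key := pbkdf2SHA256([]byte(password), salt, iterations, 32)
	return passwordRecord{Salt: salt, Iterations: iterations, Key: key}, nil
}

// verifyPassword re-derives the key from the stored salt and work factor and
// compares in constant time so timing does not reveal how many bytes matched.
func verifyPassword(password string, rec passwordRecord) bool {
	candidate := pbkdf2SHA256([]byte(password), rec.Salt, rec.Iterations, len(rec.Key))
	return subtle.ConstantTimeCompare(candidate, rec.Key) == 1
}

func main() {
	// "password"/"salt" with c = 1 are commonly published PBKDF2-HMAC-SHA256 check inputs.
	dk := pbkdf2SHA256([]byte("password"), []byte("salt"), 1, 32)
	fmt.Println("PBKDF2-HMAC-SHA256(password, salt, c=1):", hex.EncodeToString(dk))

	// Constructed demo password and work factor.
	rec, err := hashPassword("correct horse battery staple", 100000)
	if err != nil {
		panic(err)
	}
	fmt.Println("salt:", hex.EncodeToString(rec.Salt))
	fmt.Println("right password accepted:", verifyPassword("correct horse battery staple", rec))
	fmt.Println("wrong password accepted: ", verifyPassword("correct horse battery stable", rec))
}
```

The iteration count is what makes each guess in a brute-force attack cost the same work as a legitimate login, and the per-user salt is what defeats precomputed tables; those are the two properties the answer credits to PBKDF2 and bcrypt. Raising the iteration count later only requires re-deriving the key at the user's next successful login, since the record carries its own work factor.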
546049. A. Users are receiving the error because the website certificate has expired. The user can
5461continue accessing the website, but the error will state the user could be accessing an
5462untrusted site.
5463Option B is incorrect. The scenario states that users are receiving an error when they
5464access the company’s website. Users are not logging into the company’s website, so any
5465username and password issue would not fit in this scenario.
5466Option C is incorrect. If the domain had expired, the users would receive a page stating
5467that the website domain is unavailable. Domain name expiration does not relate to this
5468scenario.
5469Option D is incorrect. If the network was unavailable, the users would not be able to
5470access the company’s website whether or not the certificate was expired. The users would
5471possibly not be able to access other resources.
547250. A. In asymmetric encryption, sometimes referred to as public key encryption, the private
5473key is used to decrypt an encrypted file.
5474Option B is incorrect. A public key is used to encrypt a file.
5475Option C is incorrect. A message digest is created to check the integrity of a file to ensure
5476it hasn’t changed.
5477Option D is incorrect. Ciphertext is plain text that has been encrypted.
547851. A. A threat actor can spoof a device’s MAC address and bypass 802.1x authentication.
5479Using 802.1x with client certificates or tunneled authentication can help prevent this
5480attack.
5481Option B is incorrect. ARP poisoning is an attack where a threat actor sends spoofed ARP
5482messages over a LAN.
5483Option C is incorrect. Ping of death is a denial-of-service attack in which a threat actor
5484sends a larger IP packet than allowed by the IP protocol. The IP packet is broken down
5485into smaller segments, which would cause the system to crash.
5487Option D is incorrect. The Xmas attack is a specifically crafted TCP packet that turns on
5488flags to scan the system and determine what operating system it’s using.
548952. A, C, and D. A one-time pad must be delivered by a secure method and properly guarded
5490at each destination. The pad must be used one time only to avoid introducing patterns,
5491and it must be made up of truly random values. Today’s computer systems have pseudo-
5492random-number generators, which are seeded by an initial value from some component
5493within the computer system.
5494Option B is incorrect. The one-time pad must be at least as long as the message. If the pad
5495is not as long as the message, it will need to be reused to be the same length as the
5496message. This could introduce patterns and make it easy to crack.
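Added example, not from the book: a one-time pad in Go that enforces the two rules the answer gives (a truly random pad drawn from the operating system's cryptographic source, and a pad at least as long as the message, so it is never wrapped around) and that shows the pattern Option B warns about: when one pad covers two messages, the pad cancels out of the xor of the two ciphertexts and what remains depends only on the plaintexts. The messages and function names are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
)

// newPad returns n bytes from the operating system's cryptographic random
// source. A pad produced by a seeded pseudo-random generator is predictable
// from its seed and is not a one-time pad in the sense the answer requires.
func newPad(n int) ([]byte, error) {
	pad := make([]byte, n)
	if _, err := rand.Read(pad); err != nil {
		return nil, err
	}
	return pad, nil
}

// xorBytes returns a xor b over their common length.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// otpApply encrypts or decrypts (xor is its own inverse). It refuses a pad
// shorter than the message instead of wrapping around and reusing pad bytes.
func otpApply(msg, pad []byte) ([]byte, error) {
	if len(pad) < len(msg) {
		return nil, errors.New("one-time pad must be at least as long as the message")
	}
	return xorBytes(msg, pad), nil
}

// reuseLeaksRelation shows the pattern a reused pad introduces: xoring two
// ciphertexts made with the same pad cancels the pad and leaves p1 xor p2,
// a value that depends only on the two plaintexts.
func reuseLeaksRelation(p1, p2, pad []byte) (bool, error) {
	c1, err := otpApply(p1, pad)
	if err != nil {
		return false, err
	}
	c2, err := otpApply(p2, pad)
	if err != nil {
		return false, err
	}
	return bytes.Equal(xorBytes(c1, c2), xorBytes(p1, p2)), nil
}

func main() {
	p1 := []byte("ATTACK AT DAWN") // constructed sample messages
	p2 := []byte("RETREAT AT TEN")
	pad, err := newPad(len(p1))
	if err != nil {
		panic(err)
	}
	c1, _ := otpApply(p1, pad)
	back, _ := otpApply(c1, pad)
	fmt.Println("round trip recovers message:", bytes.Equal(back, p1))
	leak, _ := reuseLeaksRelation(p1, p2, pad)
	fmt.Println("pad reused: c1 xor c2 == p1 xor p2:", leak)
	_, err = otpApply([]byte("this message is longer than the pad"), pad)
	fmt.Println("pad shorter than message:", err)
}
```

The guard in otpApply is the code form of Option B: a short pad cannot be stretched without reusing bytes, and the reuse check shows why that matters.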
549753. C. In asymmetric encryption, sometimes referred to as public key encryption, the private
5498key is used to decrypt an encrypted file.
5499Option A is incorrect. Hashing is a one-way encryption that transforms a string of characters
5500into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity
5501of data or messages.
5502Option B is incorrect. Symmetric encryption uses the same key to encrypt and decrypt the
5503data.
5504Option D is incorrect. Key escrow is a cryptographic key exchange process in which a key
5505is stored by a third party. Should the original user’s key be lost or compromised, the stored
5506key can be used to decrypt encrypted material, allowing restoration of the original
5507material to its unencrypted state.
550854. B and D. To sign the data for nonrepudiation purposes, the sender uses their private key
5509and when encrypting the data, the sender uses the receiver’s public key.
5510Option A is incorrect. The receiver’s private key is kept private by the receiver.
5511Option C is incorrect. The sender’s public key is used to encrypt data that is being sent to
5512the sender and decrypted by its private key.
551355. D. Symmetric encryption uses the same key to encrypt and decrypt data, so the key must
5514be sent to the receiver in a secure manner. If a person were to get the key somewhere in the
5515middle, they would be able to decrypt the information and read the data or inject it with
5516malware.
5517Options A, B, and C are incorrect. These statements describe asymmetric encryption.
551856. B. Key escrow is a security measure where cryptographic keys are held in escrow by a
5519third party and under normal circumstances, the key should not be released to someone
5520other than the sender or receiver without proper authorization.
5521Option A is incorrect. A CSR (certificate signing request) is a request an applicant sends to
5522a CA for the purpose of applying for a digital identity certificate.
5523Option C is incorrect. A CRL (certificate revocation list) is a list of digital certificates that
5524have been revoked by the issuing certificate authority (CA) before their scheduled
5525expiration date and should not be trusted.
5526Option D is incorrect. A CA (certificate authority) is a trusted entity that issues electronic
5527documents that verify a digital entity’s identity on the Internet or computer network.
553157. B. ECC (elliptic curve cryptography) is based on elliptic curve theory that uses points on
5532a curve to define more efficient public and private keys.
5533Option A is incorrect. Obfuscation is the action of making something difficult to read and
5534understand.
5535Option C is incorrect. Stream ciphers encrypt data one bit at a time.
5536Option D is incorrect. Block ciphers encrypt data one block, or fixed block, at a time.
553758. B. WPA2 CCMP replaced TKIP and is a more advanced encryption standard. CCMP
5538provides data confidentiality and authentication.
5539Option A is incorrect. WEP is a security standard for wireless networks and devices but is
5540not as secure as WPA.
5541Option C is incorrect. Enabling MAC filtering by allowing or prohibiting a MAC address
5542is not a secure option since threat actors can spoof MAC addresses.
5543Option D is incorrect. Disabling SSID broadcast will not help better secure the network
5544since threat actors can use tools to sniff hidden SSIDs.
554559. D. RC4 is an example of a stream cipher that encrypts data one bit at a time.
5546Options A, B, and C are incorrect. AES, DES, and 3DES are examples of block ciphers
5547that encrypt data one fixed block of data at a time.
554860. A and B. DHE (Diffie-Hellman Ephemeral) and ECDHE (Elliptic Curve Diffie-Hellman
5549Ephemeral) are commonly used with TLS to provide perfect forward secrecy.
5550Option C is incorrect. RSA is an asymmetric algorithm (also known as public key
5551cryptography) that uses a public and a private key to encrypt and decrypt data during
5552transmissions.
5553Option D is incorrect. SHA is a hashing algorithm and is used for integrity.
555461. D. A symmetric key system uses the same key to encrypt and decrypt data during the
5555transport.
5556Options A, B, and C are incorrect. These statements refer to an asymmetric key system,
5557which uses two keys to encrypt and decrypt data and creates digital signatures for
5558nonrepudiation purposes.
555962. B. AES is a subset of the Rijndael cipher developed by Vincent Rijmen and Joan Daemen.
5560Rijndael is a family of ciphers with different key and block sizes.
5561Option A is incorrect. TKIP uses RC4. RC4 was designed by Ron Rivest of RSA Security.
5562Option C is incorrect. DES is a block cipher and is unrelated to Rijndael.
5563Option D is incorrect. 3DES is a block cipher and is unrelated to Rijndael.
556463. A. Digital signatures are created with the sender’s private key and verified by the sender’s
5565public key.
5566Answers B, C, and D are incorrect. Katelyn is sending the digital signature created by her
5567private key and Zackary verifies the digital signature by obtaining Katelyn’s public key.
556964. B. MD5 is a hashing algorithm that transforms a string of characters into a fixed-length
5570value or key, also known as a hash value. Hashes ensure the integrity of data or messages.
5571Options A, C, and D are incorrect. 3DES, AES, and Blowfish are symmetric algorithms.
5572Also known as a secret key algorithm, a symmetric algorithm uses the same key to encrypt
5573and decrypt data.
557465. A. AES is a symmetric encryption that supports key sizes of 128, 192, and 256 bits.
5575Option B is incorrect. DES is a symmetric encryption that supports a key size of 56 bits.
5576Option C is incorrect. RSA is an asymmetric encryption.
5577Option D is incorrect. TKIP is a wrapper that wraps around existing WEP encryption and
5578supports a key size of 128 bits.
557966. A and C. The structure of an X.509 digital signature includes a serial number and public
5580key of the user or device.
5581Option B is incorrect. A default gateway is an access point that a device uses to send data
5582to a device in another network or to the Internet.
5583Option D is incorrect. A session key is a symmetric key that uses the same key for
5584encryption and decryption.
558567. A and D. The authentication server and supplicant mutually authenticate with each other.
5586This helps prevent rogue devices from connecting to the network.
5587Option B is incorrect. A certificate authority (CA) is a trusted entity that issues electronic
5588documents that verify a digital entity’s identity on the Internet or computer network.
5589Option C is incorrect. A domain controller (DC) is a server computer within a Windows
5590domain that responds to requests such as logging in or checking permissions.
559168. C. Confusion encryption is a method that uses a relationship between the plain text and
5592the key that is so complicated the plain text can’t be altered and the key can’t be
5593determined by a threat actor.
5594Option A is incorrect. This method defines substitution.
5595Option B is incorrect. This method defines transposition.
5596Option D is incorrect. This method defines diffusion.
559769. C. Key escrow is a database of stored keys that can be retrieved should the original user’s
5598key be lost or compromised. The stored key can be used to decrypt encrypted material,
5599allowing restoration of the original material to its unencrypted state.
5600Option A is incorrect. A certificate authority (CA) is a trusted entity that issues electronic
5601documents that verify a digital entity’s identity on the Internet or computer network.
5602Option B is incorrect. A certificate revocation list (CRL) is a list of digital certificates that
5603have been revoked by the issuing certificate authority (CA) before their scheduled
5604expiration date and should not be trusted.
5605Option D is incorrect. CER is a certificate file extension for an SSL certificate and is used
5606by web servers to help confirm the identity and security of the site a user is visiting.
561070. D. The private key is used to encrypt the signature of an email, and the sender’s public key
5611is used to decrypt the signature and verify the hash value.
5612Option A is incorrect. CER is a certificate file extension for an SSL certificate and is used
5613by web servers to help confirm the identity and security of the site a user is visiting.
5614Option B is incorrect. The public key is used to decrypt the signature to verify the sender.
5615Option C is incorrect. The shared key is used in a symmetric algorithm and should not be
5616used to encrypt and decrypt a signature of an email.
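Items 54, 63 and 70 describe the same division of key roles. As an added example (not from the book or any vendor), the exchange between Katelyn and Zackary is carried out below with Go's standard RSA: the sender signs the SHA-256 hash of the message with her private key (RSA-PSS) and encrypts the message with the receiver's public key (RSA-OAEP); the receiver decrypts with his private key and verifies the signature with her public key. The key size, the message and the helper names are constructed assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// envelope is what travels from sender to receiver: the message encrypted for
// the receiver, plus the sender's signature over the SHA-256 hash of the message.
type envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// newKey generates a 2048-bit RSA key pair (hypothetical helper for the demo).
func newKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// send encrypts msg with the receiver's public key, so only the receiver's
// private key can open it, and signs the hash of msg with the sender's private
// key, which only the sender holds; that is what gives nonrepudiation.
func send(msg []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, msg, nil)
	if err != nil {
		return envelope{}, err
	}
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return envelope{}, err
	}
	return envelope{Ciphertext: ct, Signature: sig}, nil
}

// receive decrypts with the receiver's private key, recomputes the hash and
// verifies the signature with the sender's public key. A failure means the
// message was altered in transit or was not signed with the sender's private key.
func receive(env envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature verification failed: " + err.Error())
	}
	return msg, nil
}

func main() {
	katelyn, err := newKey() // sender
	if err != nil {
		panic(err)
	}
	zackary, err := newKey() // receiver
	if err != nil {
		panic(err)
	}
	env, err := send([]byte("Meeting moved to 10:00"), katelyn, &zackary.PublicKey) // constructed message
	if err != nil {
		panic(err)
	}
	msg, err := receive(env, zackary, &katelyn.PublicKey)
	fmt.Printf("genuine: %q err=%v\n", msg, err)

	// Flip one bit of the signature: decryption still succeeds, verification fails.
	env.Signature[0] ^= 0x01
	_, err = receive(env, zackary, &katelyn.PublicKey)
	fmt.Println("tampered signature:", err)
}
```

Note which key is never transmitted: each party's private key stays with its owner (Option A of item 54), the receiver's public key is what the sender encrypts to, and the sender's public key is what the receiver verifies with, exactly the roles item 70 lists.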
561771. C. 802.11i is an amendment to the original IEEE 802.11 and is implemented as WPA2.
5618The amendment deprecated WEP.
5619Option A is incorrect. A NIC (network interface card) enables a device to network with
5620other devices.
5621Option B is incorrect. WPA (WiFi Protected Access) is a security standard that replaced
5622and improved on WEP.
5623Option D is incorrect. TKIP is a wrapper that wraps around existing WEP encryption and
5624is used in WPA. TKIP replaced WEP in WLAN devices.
562572. A. WPA (WiFi Protected Access) is a security standard that replaced and improved on
5626WEP and is designed to work with older wireless clients.
5627Option B is incorrect. WPA2 implements the 802.11i standard completely but does not
5628support the use of older wireless cards.
5629Option C is incorrect. WEP is a security standard for wireless networks and devices but is
5630not as secure as WPA.
5631Option D is incorrect. An IV (initialization vector) is an arbitrary number that is used with
5632a secret key for data encryption.
563373. D. RSA is a public key encryption algorithm that can both encrypt and authenticate
5634messages.
5635Option A is incorrect. Diffie-Hellman encrypts data only and is used to exchange keys.
5636Option B is incorrect. MD5 is a cryptography hashing function that transforms a string of
5637characters into a fixed-length value.
5638Option C is incorrect. SHA is a cryptography hashing function that transforms a string of
5639characters into a fixed-length value.
564074. C. ECC (elliptic curve cryptography) uses less processing power and works best in
5641devices such as wireless devices and cellular phones. ECC generates keys faster than other
5642asymmetric algorithms. Determining the correct set of security and resource constraints is
5643an important beginning step when planning a cryptographic implementation.
5644Options A, B, and D are incorrect. 3DES, DES, and AES are not used in mobile devices
5645because they use more computing power to generate cryptographic keys than ECC. It’s
5646important that there be high resiliency in cryptography, or the ability to resume normal
5647operations after an external disruption.
564975. C. Public key cryptography is also known as asymmetric cryptography. Public key
5650cryptography is one piece of the PKI (public key infrastructure).
5651Option A is incorrect. Public key cryptography is also known as asymmetric cryptography
5652and PKI (public key infrastructure) is an entire system of hardware, software, policies
5653and procedures, and people. PKI creates, distributes, manages, stores, and revokes
5654certificates.
5655Option B is incorrect. Public key cryptography uses two keys to encrypt and decrypt
5656the data, also known as asymmetric encryption. PKI (public key infrastructure) is not
5657known as an asymmetric encryption (using two keys to encrypt and decrypt data) but
5658rather as an entire system that creates, distributes, manages, stores, and revokes
5659certificates.
5660Option D is incorrect. Public key cryptography can provide authentication and
5661nonrepudiation, but PKI (public key infrastructure) cannot provide confidentiality and integrity.
5662PKI can use algorithms that can provide these security services.
566376. B. A CRL (certificate revocation list) is a list of digital certificates that have been revoked
5664by the issuing certificate authority (CA) before their scheduled expiration date and should
5665not be trusted.
5666Option A is incorrect. A certificate authority (CA) is a trusted entity that issues electronic
5667documents that verify a digital entity’s identity on the Internet or computer network.
5668Option C is incorrect. A registered authority (RA) is used to verify requests for certificates
5669and forwards responses to the CA.
5670Option D is incorrect. A certificate signing request (CSR) is a request an applicant sends to
5671a CA for the purpose of applying for a digital identity certificate.
567277. A and D. Most small office, home office (SOHO) networks use WPS and WPA2-Personal.
5673WPS is a network security standard that allows home users to easily add new devices to an
5674existing wireless network without entering long passphrases. WPA2-Personal uses a
5675passphrase that is entered into the SOHO router.
5676Options B and C are incorrect. WPA-Enterprise and WPA2-Enterprise, also known as
5677802.1x, use a RADIUS server for authentication purposes.
567878. A. A trust model is a collection of rules that informs applications as to how to decide the
5679validity of a digital certificate.
5680Option B is incorrect. Key escrow is a security measure where cryptographic keys are
5681held in escrow by a third party, and under normal circumstances, the key should not be
5682released to someone other than the sender or receiver without proper authorization.
5683Option C is incorrect. PKI (public key infrastructure) is an entire system of hardware,
5684software, policies and procedures, and people. PKI creates, distributes, manages, stores, and
5685revokes certificates.
5686Option D is incorrect. A registered authority (RA) is used to verify requests for certificates
5687and forwards responses to the CA.
569179. A. EAP-TLS uses the concepts of public key infrastructure (PKI). It eliminates the need for
5692a shared secret between the client and the server. Digital certificates are used instead.
5693Options B, C, and D are incorrect. These EAP types do not use PKI.
569480. B and C. Security used in SOHO environments is PSK (preshared key) authentication.
5695WPA-Personal and WPA2-Personal use the PSK authentication method.
5696Options A and D are incorrect. WPA-Enterprise and WPA2-Enterprise, also known as
5697802.1x, use a RADIUS server for authentication purposes.
569881. D. A captive portal is a web page where the user must view and agree to the terms before
5699access to the network is granted. They are typically used by business centers, airports,
5700hotels, and coffee shops.
5701Option A is incorrect. WEP (Wired Equivalent Privacy) is a security standard for 802.11b.
5702It is designed to provide a level of security for a WLAN.
5703Option B is incorrect. Key stretching increases the strength of stored passwords and
5704protects passwords from brute-force attacks and rainbow table attacks.
5705Option C is incorrect. MAC filtering is a technique that allows or prohibits MAC addresses
5706to access a network. It is not a secure option since threat actors can spoof MAC addresses.
570782. A and D. Elliptic curve cryptosystem (ECC) differs from other asymmetric algorithms due
5708to its efficiency. ECC uses less processing power and works best in low power devices such
5709as wireless devices and cellular phones. ECC generates keys faster than other asymmetric
5710algorithms.
5711Option B is incorrect. ECC is not the only asymmetric algorithm that provides digital
5712signatures, secure key distribution, and encryption.
5713Option C is incorrect. ECC uses less processing power than other asymmetric algorithms.
571483. B. IV (initialization vector) is an arbitrary number that is used with a secret key for data
5715encryption. IV makes it more difficult for hackers to break a cipher.
5716Option A is incorrect. Diffusion is a property of cryptography that makes cryptanalysis
5717hard. A change of a single character of the input will change many characters of the output.
5718Option C is incorrect. A session key is a symmetric key that uses the same key for
5719encryption and decryption.
5720Option D is incorrect. Hashing is a one-way encryption that transforms a string of characters
5721into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity
5722of data or messages.
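Added example (not from the book or any vendor) showing what the IV buys: encrypting the same message twice under one AES-256-GCM key with a fixed IV gives identical ciphertext, so an observer learns that the same message was repeated, while a fresh random IV per message does not. The IV is sent in the clear in front of the ciphertext (it only has to be unique, not secret), and GCM's authentication tag rejects any tampering. Key, message and function names are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const nonceSize = 12 // AES-GCM's standard IV (nonce) length in bytes

// newGCM wraps a 16-, 24- or 32-byte AES key in an AES-GCM AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWithNonce encrypts with a caller-chosen IV so the effect of a fixed IV
// can be observed; production code never exposes this choice.
func sealWithNonce(key, nonce, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

// encrypt draws a fresh random IV per message and prepends it to the output.
// The IV is not secret; it only has to be unique for every message under a key.
func encrypt(key, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct, err := sealWithNonce(key, nonce, plaintext)
	if err != nil {
		return nil, err
	}
	return append(nonce, ct...), nil
}

// decrypt splits off the IV and opens the ciphertext; GCM's authentication tag
// rejects any change to the IV or the ciphertext.
func decrypt(key, data []byte) ([]byte, error) {
	if len(data) < nonceSize {
		return nil, errors.New("ciphertext too short to contain an IV")
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, data[:nonceSize], data[nonceSize:], nil)
}

// ciphertextsRepeat encrypts plaintext twice and reports whether the outputs
// are identical. With a fixed IV they are, so an observer sees that the same
// message was sent again (and for GCM a repeated IV also exposes the
// authentication key); with a fresh IV per message they are not.
func ciphertextsRepeat(key, plaintext []byte, fixedIV bool) (bool, error) {
	seal := func() ([]byte, error) {
		if fixedIV {
			return sealWithNonce(key, make([]byte, nonceSize), plaintext) // all-zero IV
		}
		return encrypt(key, plaintext)
	}
	c1, err := seal()
	if err != nil {
		return false, err
	}
	c2, err := seal()
	if err != nil {
		return false, err
	}
	return bytes.Equal(c1, c2), nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; use a random key in practice
	msg := []byte("transfer 100 to account 7") // constructed message

	same, _ := ciphertextsRepeat(key, msg, true)
	fmt.Println("fixed IV, identical ciphertexts:", same)
	same, _ = ciphertextsRepeat(key, msg, false)
	fmt.Println("fresh IV, identical ciphertexts:", same)

	ct, _ := encrypt(key, msg)
	pt, err := decrypt(key, ct)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	ct[len(ct)-1] ^= 0x01 // corrupt one byte of the tag
	_, err = decrypt(key, ct)
	fmt.Println("tampered:", err)
}
```

The same symmetric key on both ends is item 55's point; the IV is the extra per-message value item 83 describes, and it travels with the ciphertext rather than being agreed secretly.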
572384. D. 802.1x enhances security within a WLAN by providing an authentication framework.
5724Users are authenticated by a central authority before they are allowed within the network.
5725Option A is incorrect. An HIDS (host intrusion detection system) is security management
5726for networks and computers. It gathers information within the network or computer
5727and identifies potential threats.
5728Option B is incorrect. UTM (unified threat management) is a network appliance that
5729provides firewall, intrusion detection, anti-malware, spam, and content filtering in one
5730integrated device.
5731Option C is incorrect. A VLAN allows network administrators to partition a switch
5732within their network to provide security without having multiple switches.
573485. B. The data can be decrypted with a recovery agent if the company configured one before.
5735If there is no recovery agent, the encrypted file will be unrecoverable.
5736Option A is incorrect. The backup user account does not have the ability to recover the
5737files that were encrypted by the other user.
5738Option C is incorrect. The encrypted file cannot be recovered by re-creating the user’s
5739account. The new user account will have a different SID even though the name is the same,
5740and it will not be able to access the files.
5741Option D is incorrect. A CRL (certificate revocation list) is a list of digital certificates that
5742have been revoked by the issuing certificate authority (CA) before their scheduled
5743expiration date and should not be trusted.
574486. B. A symmetric algorithm, also known as a secret key algorithm, uses the same key to
5745encrypt and decrypt data.
5746Option A is incorrect. An asymmetric algorithm, also known as public key cryptography,
5747uses two keys (a public and private key) to encrypt and decrypt data.
5748Option C is incorrect. Hashing is a one-way encryption that transforms a string of characters
5749into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity
5750of data or messages.
5751Option D is incorrect. Steganography is a process of hiding data within data. This technique
5752can be applied to images, video files, or audio files.
575387. A. WPA2 CCMP replaced TKIP and is a more advanced encryption standard. CCMP
5754provides data confidentiality and authentication.
5755Option B is incorrect. WEP (Wired Equivalent Privacy) is a security standard for 802.11b.
5756It is designed to provide the least security for a WLAN.
5757Option C is incorrect. WPA (WiFi Protected Access) is a security standard that replaced
5758and improved on WEP. WPA is less secure than WPA2.
5759Option D is incorrect. TKIP is an older encryption protocol introduced with WPA to
5760replace the insecure WEP encryption. TKIP is considered deprecated and should not be
5761used.
576288. D. A collision occurs when a hashing algorithm creates the same hash from two different
5763messages.
5764Option A is incorrect. AES (Advanced Encryption Standard) is a symmetric algorithm.
5765Option B is incorrect. MD5 (Message Digest 5) is a hashing algorithm.
5766Option C is incorrect. Hashing is a one-way encryption that transforms a string of characters
5767into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity
5768of data or messages.
576989. A. EAP-TLS is a remote access authentication protocol that supports the use of
5770smartcards or user and computer certificates, also known as machine certificates, to authenticate
5771wireless access clients. EAP-TLS can use tunnels for encryption by use of TLS.
5772Option B is incorrect. EAP-FAST is designed to increase the speed of reauthentication
5773when a user roams from one AP to another. It authenticates the user over an encrypted
5774TLS tunnel but uses a shared secret key.
5778Option C is incorrect. PEAP is an encapsulating protocol that uses a certificate on the
5779authentication server and a certificate on the client. It supports password-based
5780authentication but does not use TLS for encryption.
5781Option D is incorrect. EAP is a framework for authentication in a WLAN and point-to-
5782point connections. EAP defines message formats and doesn’t use tunnels for encryption.
578390. B. A self-signed certificate will display an error in the browser stating the site is not trusted
5784because the self-signed certificate is not from a trusted certificate authority.
5785Option A is incorrect. The web browser needing an update will not display an error
5786message that the site certificate is invalid and the site is not trusted.
5787Option C is incorrect. A web proxy blocking the connection would not allow the site to
5788load and display a message regarding the invalid certificate.
5789Option D is incorrect. If the web server was unavailable, the user would not be able to
5790receive any information about the status of the certificate.
579191. A. A CSR (certificate signing request) is a request an applicant sends to a CA for the
5792purpose of applying for a digital identity certificate.
5793Option B is incorrect. Key escrow is a cryptographic key exchange process in which a key
5794is stored by a third party. Should the original user’s key be lost or compromised, the stored
5795key can be used to decrypt encrypted material, allowing restoration of the original
5796material to its unencrypted state.
5797Option C is incorrect. A CRL (certificate revocation list) is a list of digital certificates that
5798have been revoked by the issuing certificate authority (CA) before their scheduled
5799expiration date and should not be trusted.
5800Option D is incorrect. OCSP (Online Certificate Status Protocol) is a protocol that can be
5801used to query a certificate authority about the revocation status of a given certificate. It
5802validates certificates by returning responses such as “good,” “revoked,” and “unknown.”
580392. B. Asymmetric encryption is also known as public key cryptography and uses public and
5804private keys to exchange a session key between two parties. It offers key management by
5805administering the life cycle of cryptographic keys and protecting them from loss or misuse.
5806Option A is incorrect. Obfuscation is the action of making something difficult to read and
5807understand.
5808Option C is incorrect. Symmetric encryption, also known as a secret key algorithm, uses
5809the same key to encrypt and decrypt data.
5810Option D is incorrect. Hashing is a one-way encryption that transforms a string of characters
5811into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity
5812of data or messages.
581393. A. Diffie-Hellman is used to establish a shared secret between two users and is primarily
5814used as a method of exchanging cryptography keys.
5815Option B is incorrect. HMAC is known as a message authentication code and is used for
5816integrity.
5817Option C is incorrect. ROT13 is a substitution cipher, also known as a Caesar cipher, that
5818replaces a letter with the 13th letter after it in the alphabet.
5819Option D is incorrect. RC4 is an example of a stream cipher that encrypts data one bit at a
5820time.
582294. D. RC4 is a stream cipher used for encrypting and decrypting data, but there are known
5823weaknesses and using it is not recommended.
5824Option A is incorrect. MD5 is a hashing algorithm used to verify integrity.
5825Option B is incorrect. HMAC is known as a message authentication code and it is used for
5826integrity.
5827Option C is incorrect. Kerberos is a protocol for authenticating service requests between
5828trusted hosts across an untrusted network such as the Internet. Kerberos uses tickets to
5829provide mutual authentication.
583095. A. 3DES is a symmetric algorithm used to encrypt data by applying the DES cipher
5831algorithm three times to the data.
5832Options B, C, and D are incorrect. AES, Twofish, and Blowfish do not repeat the
5833encryption process with additional keys.
583496. B. Digital signatures are created by using the user’s or computer’s private key that is
5835accessible only to that user or computer. Nonrepudiation is the assurance that someone cannot
5836deny something.
5837Option A is incorrect. Encryption is the process of using an algorithm to change plain text
5838data into unreadable information to protect it from unauthorized users. The main purpose
5839of encryption is to protect the confidentiality of digital data stored on a computer system
5840or transmitted via a network.
5841Option C is incorrect. A collision occurs when a hashing algorithm creates the same hash
5842from two different messages.
5843Option D is incorrect. A CA (certificate authority) is a trusted entity that issues electronic
5844documents that verify a digital entity’s identity on the Internet or computer network.
584597. C. With a single number appended to the company name, the preshared key can be easily
5846guessed. A secure preshared key is at least eight ASCII characters in length and follows the
5847complexity rule.
5848Option A is incorrect. WPA (WiFi Protected Access) is a security standard that replaced
5849and improved on WEP. Replacing WEP with WPA is not secure enough as the preshared
5850key must follow the complexity rule and be at least eight ASCII characters in length.
5851Option B is incorrect. The preshared key must be at least eight ASCII characters in length
5852and follow the complexity rule.
5853Option D is incorrect. WPA (WiFi Protected Access) is a security standard that replaced
5854and improved on WEP.
585598. A. A CRL (certificate revocation list) is a list of digital certificates that have been revoked
5856by the issuing certificate authority (CA) before their scheduled expiration date and should
5857not be trusted.
5858Option B is incorrect. OCSP (Online Certificate Status Protocol) is a protocol that can be
5859used to query a certificate authority about the revocation status of a given certificate. An
5860OCSP response contains signed assertions that a certificate is not revoked.
5864Option C is incorrect. Key escrow is a security measure where cryptographic keys are held
5865in escrow by a third party and under normal circumstances, the key should not be released
5866to someone other than the sender or receiver without proper authorization.
5867Option D is incorrect. A CA (certificate authority) is a trusted entity that issues electronic
5868documents that verify a digital entity’s identity on the Internet or computer network.
586999. A, C, and D. The WiFi Protected Setup protocols define the following devices in a
5870network. A registrar is the device with the authority to issue or revoke access to the network.
5871The enrollee is a client device that is seeking to join the wireless network. The AP (access
5872point) functions as a proxy between the registrar and the enrollee.
5873Option B is incorrect. A supplicant is the client that authenticates against the RADIUS
5874server using an EAP method configured on the RADIUS server.
5875100. D. WPA2-Enterprise will implement AES and require an authentication infrastructure with
5876an authentication server (RADIUS) and an authenticator. WPA2-Enterprise provides better
5877protection of critically important information with BYOD (Bring Your Own Device).
5878Option A is incorrect. WEP is the weakest security protocol. WEP does not support AES
5879or RADIUS.
5880Option B is incorrect. WPA does not support AES or RADIUS.
5881Option C is incorrect. WPA2-Personal supports AES but requires a preshared key pass-
5882phrase to be entered on each device connecting to the network. This leads to shared pass-
5883words and doesn’t control which device connects.
5884101. D. Data-at-rest is all data that is inactive and physically stored in a physical digital form
5885such as nonvolatile memory.
5886Option A is incorrect. Data-in-transit is data that flows over the public or private network.
5887Option B is incorrect. Data-over-the-network is not defined as the three states of digital data.
5888Option C is incorrect. Data-in-use is all data that is active and stored in volatile memory
5889such as RAM, CPU caches, or CPU registers.
5890102. B. RADIUS is a client-server protocol that enables remote access servers to communicate
5891with a central server to authenticate users. RADIUS uses symmetric encryption for secu-
5892rity, and messages are sent as UDP.
5893Option A is incorrect. TACACS+ is a Cisco proprietary authentication protocol and is
5894used to securely access Cisco devices. TACACS+ uses TCP to send messages.
5895Option C is incorrect. LDAP (Lightweight Directory Access Protocol) is a software proto-
5896col to help locate individuals and other resources within a network.
5897Option D is incorrect. Kerberos is a protocol for authenticating service requests between
5898trusted hosts across an untrusted network such as the Internet. Kerberos uses tickets to
5899provide mutual authentication.
5900103. C. Should a hard drive be stolen, the data will not be able to be read as the data is scram-
5901bled, or encrypted, and can be read only by the corresponding key.
5902Option A and D are incorrect Encrypting data-at-rest will not help a user decrypt their
5903data should they lose their password.
5904Option B is incorrect. Encrypting data-at-rest will not help verify the integrity of the data.
5905Hashing is designed to verify the integrity of data.Chapter 6: Cryptography and PKI
5906359
5907104. C. Using AES with CCMP incorporates two cryptographic techniques that provide a more
5908secure protocol between a mobile client and the access point.
5909Option A is incorrect. RC4 is an example of a stream cipher that encrypts data one bit at a
5910time and is not used along with CCMP.
5911Option B is incorrect. DES is a symmetric encryption that supports a key size of 56 bits
5912and is not used along with CCMP.
5913Option D is incorrect. 3DES is a symmetric algorithm that is used to encrypt data by applying
5914the DES cipher algorithm three times to the data and is not used along with CCMP.
5915105. A. MD5 produces a 128-bit message digest regardless of the length of the input text.
5916Option B is incorrect. RIPEMD produces a 128-, 160-, 256-, and 320-bit message digest.
5917RIPEMD was not often seen in practical implementations.
5918Option C is incorrect. SHA-1 produces a 160-bit message digest regardless of the length of
5919the input text.
5920Option D is incorrect. AES (Advanced Encryption Standard) is a symmetric algorithm
5921used for encryption and not considered a hashing algorithm.
5922106. D. A birthday attack can be used to find hash collisions. It’s based off the birthday para-
5923dox stating there is a 50 percent chance of someone sharing your birthday with at least
592423 people in the room.
5925Option A is incorrect. A Xmas attack is a specifically crafted TCP packet that turns on
5926flags to scan the system and determine what operating system it’s using.
5927Option B is incorrect. A denial of service (DoS) is a an attack that prevents legitimate users
5928from accessing services or resources within a network.
5929Option C is incorrect. A logic bomb is a piece of code intentionally inserted into a soft-
5930ware system that will set off a malicious function when specified conditions are met.
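As an added illustration of the birthday paradox behind answer 106 (this is my own example, not code from the book), the Go program below computes the exact probability that a room of n people contains a shared birthday, applies the same formula to a hash output space, estimates the number of random samples at which a collision becomes more likely than not (about 1.177 times the square root of the space size), and then hashes constructed messages with SHA-256 truncated to 16 bits to show a collision appearing after only a few hundred samples. That last part is the defender's takeaway: the security margin of a digest against collisions is roughly half its bit length. Function names and the sample messages are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math"
)

// collisionProbability returns the probability of at least one collision when n
// values are drawn uniformly from a space of the given size, using the exact
// product form 1 - prod_{i=0}^{n-1} (1 - i/space).
func collisionProbability(n int, space float64) float64 {
	noCollision := 1.0
	for i := 0; i < n; i++ {
		noCollision *= 1 - float64(i)/space
	}
	return 1 - noCollision
}

// birthdayProbability is the classic case: n people, 365 equally likely birthdays.
func birthdayProbability(n int) float64 {
	return collisionProbability(n, 365)
}

// samplesForHalfChance approximates how many uniformly random values must be drawn
// from a space of the given size before a collision is more likely than not:
// sqrt(2 ln 2 * space), about 1.177 * sqrt(space).
func samplesForHalfChance(space float64) float64 {
	return math.Sqrt(2 * math.Ln2 * space)
}

// firstCollisionTruncated hashes constructed messages "msg-0", "msg-1", ... with
// SHA-256, keeps only the low `bits` bits of the first eight digest bytes (simulating
// a short digest), and returns how many messages were hashed before the first repeat.
func firstCollisionTruncated(bits uint) int {
	seen := make(map[uint64]bool)
	mask := uint64(1)<<bits - 1
	for i := 0; ; i++ {
		sum := sha256.Sum256([]byte(fmt.Sprintf("msg-%d", i))) // constructed input
		short := binary.BigEndian.Uint64(sum[:8]) & mask
		if seen[short] {
			return i + 1
		}
		seen[short] = true
	}
}

func main() {
	fmt.Printf("23 people: %.3f\n", birthdayProbability(23))
	fmt.Printf("22 people: %.3f\n", birthdayProbability(22))
	fmt.Printf("16-bit digest: 50%% collision chance after about %.0f samples\n", samplesForHalfChance(1<<16))
	fmt.Printf("first 16-bit collision after %d messages\n", firstCollisionTruncated(16))
}
```

The exact probability crosses 0.5 between 22 and 23 people, matching the figure in the answer; for a 16-bit digest the same mathematics predicts a collision after roughly 300 samples, and the truncated-hash search confirms it.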
107. D. PKCS #12 is a file that contains both the private key and the X.509 certificate and can be installed by the user on servers or workstations. X.509 certificates can be a wildcard certificate for multiple entities under a single fully qualified domain name.
Option A is incorrect. PKCS #1 defines the mathematical properties and format of RSA public and private keys.
Option B is incorrect. PKCS #3 is a cryptographic protocol that allows two parties to jointly establish a shared key over an insecure network such as the Internet.
Option C is incorrect. PKCS #7 is used to sign and/or encrypt messages within a PKI (public key infrastructure).

108. B and D. Stream ciphers are a low-latency operation that encrypts data one bit at a time, and block ciphers encrypt data one block, or fixed block, at a time.
Option A is incorrect. Stream ciphers do not encrypt data one block at a time.
Option C is incorrect. Block ciphers do not encrypt data one bit at a time.

109. A, B, and D. 3DES is a symmetric key block cipher that applies the DES cipher algorithm three times to each data block. 3DES has three keying options. First, all three keys are independent, so 3 × 56 = 168-bit key length. Second, key 1 and key 2 are independent and the third key is the same as the first key, so 2 × 56 = 112-bit key length. Third, all three keys are identical, so 1 × 56 = 56-bit key length.
Option C is incorrect. With three keying options, 3DES has effective key sizes of 56, 128, and 168 bits.
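The three keying options in answer 109 can be seen directly with Go's standard-library crypto/des package. The example below (my own, not from the book) assembles the 24-byte 3DES key for each option from three 8-byte DES keys and shows why option 3 is worth only 56 bits: with all three keys identical, the encrypt-decrypt-encrypt sequence collapses to a single DES encryption, so the output is byte-for-byte the same as plain DES. The keys and the data block are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// Effective key lengths of the three 3DES keying options, as given in the answer.
const (
	KeyingOption1Bits = 3 * 56 // three independent keys
	KeyingOption2Bits = 2 * 56 // third key equals the first
	KeyingOption3Bits = 1 * 56 // all three keys identical
)

// tripleDESKey builds the 24-byte key (K1 || K2 || K3) for a keying option from
// three 8-byte DES keys. Option 2 reuses k1 as K3; option 3 uses k1 for all three.
func tripleDESKey(option int, k1, k2, k3 []byte) []byte {
	var key []byte
	switch option {
	case 1:
		key = append(append(append(key, k1...), k2...), k3...)
	case 2:
		key = append(append(append(key, k1...), k2...), k1...)
	case 3:
		key = append(append(append(key, k1...), k1...), k1...)
	default:
		panic("keying option must be 1, 2, or 3")
	}
	return key
}

// encryptBlock3DES encrypts one 8-byte block with 3DES (EDE) under a 24-byte key.
func encryptBlock3DES(key, block []byte) []byte {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out
}

// encryptBlockDES encrypts one 8-byte block with single DES under an 8-byte key.
func encryptBlockDES(key, block []byte) []byte {
	c, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out
}

// option3EqualsSingleDES reports whether keying option 3 (K1 = K2 = K3) produces the
// same ciphertext as single DES with K1; E_k(D_k(E_k(x))) = E_k(x), so it does.
func option3EqualsSingleDES(k1, block []byte) bool {
	return bytes.Equal(encryptBlock3DES(tripleDESKey(3, k1, k1, k1), block), encryptBlockDES(k1, block))
}

func main() {
	// Constructed sample keys and block for the demonstration.
	k1, k2, k3 := []byte("key-one!"), []byte("key-two!"), []byte("key-3333")
	block := []byte("8bytes!!")
	for opt := 1; opt <= 3; opt++ {
		fmt.Printf("option %d: %x\n", opt, encryptBlock3DES(tripleDESKey(opt, k1, k2, k3), block))
	}
	fmt.Println("option 3 equals single DES:", option3EqualsSingleDES(k1, block))
}
```

Options 1 and 2 produce different ciphertexts from each other and from single DES because their third (or second) key differs; option 3 matches single DES exactly, which is the concrete reason it offers no more strength than DES itself.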
110. C. A symmetric algorithm, also known as a secret key algorithm, uses the same key to encrypt and decrypt data.
Option A is incorrect. Steganography is the process of hiding data within data. This technique can be applied to images, video files, or audio files.
Option B is incorrect. An asymmetric algorithm, also known as public key cryptography, uses public and private keys to encrypt and decrypt data.
Option D is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value, by using a mathematical function, not a key. Hashes ensure the integrity of data or messages.

111. D. Revoked certificates are stored on a CRL (certificate revocation list). The CA continuously pushes out CRL values to clients to ensure they have the updated CRL. OCSP (Online Certificate Status Protocol) performs this work automatically in the background and returns a response such as “good,” “revoked,” or “unknown.” OCSP uses a process called stapling to reduce communication from the user to the CA to check the validity of a certificate.
Option A is incorrect. OCSP does not submit revoked certificates to the CRL. The CA is responsible for creating, distributing, and maintaining certificates and revoking the certificates when necessary as part of this process.
Option B is incorrect. OCSP is a more streamlined approach, as it works in the background and checks a central CRL to see if a certificate has been revoked.
Option C is incorrect. OCSP, not the CRL, performs real-time validation of a certificate.

112. D. A one-time pad is a stream cipher that encrypts the plain text with a secret random key that is the same length as the plain text. The encryption algorithm is the XOR operation.
Option A is incorrect. ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) is commonly used with TLS to provide perfect forward secrecy.
Option B is incorrect. PBKDF2 is a key stretching algorithm. Key stretching makes a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the time it takes to test each possible key.
Option C is incorrect. Obfuscation is the action of making something difficult to read and understand.

113. A. A stream cipher encrypts one plain text digit at a time with the corresponding digit of the keystream. Stream ciphers provide the same type of protection as one-time pads do.
Option B is incorrect. RSA is an asymmetric algorithm and uses a different type of mathematics to encrypt the data.
Option C is incorrect. AES is a symmetric block cipher, and the message is divided into blocks of bits and then encrypted one block at a time.
Option D is incorrect. DES is a symmetric block cipher, and the message is divided into blocks of bits and then encrypted one block at a time.
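Answers 112 and 113 describe the same operation from two angles: a one-time pad XORs the plain text with a truly random key as long as the message, and a stream cipher XORs it with a keystream generated from a short key. The Go example below (my own addition, not the book's code) implements both side by side. The pad comes from crypto/rand and the function refuses a pad of the wrong length, since a short or reused pad is no longer a one-time pad; the stream cipher uses AES in counter mode as the keystream generator, an assumed choice for illustration. The message, key, and nonce are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// xorBytes returns a XOR b; the caller guarantees equal lengths.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// newOneTimePad draws a truly random pad exactly n bytes long.
func newOneTimePad(n int) ([]byte, error) {
	pad := make([]byte, n)
	if _, err := rand.Read(pad); err != nil {
		return nil, err
	}
	return pad, nil
}

// oneTimePad computes message XOR pad. XOR is its own inverse, so the same call
// decrypts. A pad that is not exactly as long as the message is rejected: the
// security argument for the one-time pad holds only for a full-length, never
// reused, truly random pad.
func oneTimePad(message, pad []byte) ([]byte, error) {
	if len(pad) != len(message) {
		return nil, errors.New("one-time pad must be exactly as long as the message")
	}
	return xorBytes(message, pad), nil
}

// streamCipher expands a 16-byte key and a 16-byte nonce into a keystream with
// AES-CTR and XORs it into the data byte by byte, the same operation as the pad
// but with a keystream derived from a short secret rather than a random one.
func streamCipher(key, nonce, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(nonce) != aes.BlockSize {
		return nil, errors.New("nonce must be one AES block long")
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, nonce).XORKeyStream(out, data)
	return out, nil
}

// must unwraps a (value, error) pair for the demonstration in main.
func must(b []byte, err error) []byte {
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	msg := []byte("hello, world") // constructed sample message

	pad := must(newOneTimePad(len(msg)))
	ct := must(oneTimePad(msg, pad))
	fmt.Printf("OTP ciphertext %x -> %q\n", ct, must(oneTimePad(ct, pad)))

	key := []byte("0123456789abcdef")  // constructed 16-byte demo key
	nonce := make([]byte, aes.BlockSize) // constructed; must be unique per message in practice
	ct2 := must(streamCipher(key, nonce, msg))
	fmt.Printf("CTR ciphertext %x -> %q\n", ct2, must(streamCipher(key, nonce, ct2)))
}
```

Both paths round-trip to the original text, and the only difference between them is where the XOR mask comes from, which is exactly the point answer 113 makes.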
114. C. Whole-disk encryption, such as BitLocker on a Windows OS, will protect the contents of a laptop if it is lost or stolen. If the thief were to take the hard drive out of the laptop and try reading the content, they would be unsuccessful.
Option A is incorrect. WPS (WiFi Protected Setup) is a network security standard that allows home users to easily add new devices to an existing wireless network without entering long passphrases.
Option B is incorrect. A BIOS password would prevent an unauthorized user from booting to the OS and possibly reading the data content. A BIOS password does not protect the data should the hard drive be removed and accessed.
Option D is incorrect. A cable lock is a security device designed to deter theft of a laptop. A cable lock does not protect the data from being accessed.

115. D. Steganography is a process of hiding data within data. This technique can be applied to images, video files, or audio files.
Option A is incorrect. AES (Advanced Encryption Standard) is a symmetric algorithm used to encrypt data. The question stated that you didn’t have a way of encrypting the message.
Option B is incorrect. A collision occurs when a hashing algorithm creates the same hash from two different messages.
Option C is incorrect. RSA is an asymmetric algorithm used to encrypt data. The question stated that you didn’t have a way of encrypting the message.

116. B. CBC (Cipher Block Chaining) mode uses feedback information to ensure the current block’s ciphertext differs from other blocks even if the same data is being encrypted.
Option A is incorrect. ECB (Electronic Code Book) encrypts each data block individually. Repetitive data can result in the same ciphertext.
Option C is incorrect. GCM (Galois/Counter Mode) encrypts data and checks integrity.
Option D is incorrect. CTM (counter mode), also abbreviated as CTR, is similar to CBC except it does not use a random number and does not chain the blocks.
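The difference between ECB and CBC in answer 116 is easiest to see on repetitive input. The Go example below (mine, not from the book) encrypts four identical 16-byte blocks with AES under both modes and counts how many ciphertext blocks repeat. Go's crypto/cipher has no ECB mode, so the block cipher is applied block by block to simulate it; CBC comes from cipher.NewCBCEncrypter. The key, IV, and plaintext are constructed sample values, and the IV is fixed only so the run is repeatable; in real use it must be fresh and random for every message.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// checkAligned rejects input that is not a whole number of AES blocks; this demo
// uses aligned input rather than adding padding.
func checkAligned(plaintext []byte) error {
	if len(plaintext)%aes.BlockSize != 0 {
		return fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), aes.BlockSize)
	}
	return nil
}

// encryptECB applies the block cipher to every 16-byte block independently, so
// identical plaintext blocks become identical ciphertext blocks.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if err := checkAligned(plaintext); err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// encryptCBC XORs each plaintext block with the previous ciphertext block (the IV
// for the first block) before encrypting it, so equal plaintext blocks differ.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if err := checkAligned(plaintext); err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out, nil
}

// countRepeatedBlocks returns how many 16-byte ciphertext blocks duplicate an
// earlier block; any nonzero count means the ciphertext leaks plaintext structure.
func countRepeatedBlocks(ciphertext []byte) int {
	seen := make(map[string]bool)
	repeats := 0
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		k := string(ciphertext[i : i+aes.BlockSize])
		if seen[k] {
			repeats++
		}
		seen[k] = true
	}
	return repeats
}

func main() {
	key := []byte("0123456789abcdef")                       // constructed 16-byte demo key
	iv := []byte("fedcba9876543210")                        // constructed IV, fixed only for repeatability
	plaintext := bytes.Repeat([]byte("SAME BLOCK TEXT!"), 4) // four identical 16-byte blocks
	ecb, err := encryptECB(key, plaintext)
	if err != nil {
		panic(err)
	}
	cbc, err := encryptCBC(key, iv, plaintext)
	if err != nil {
		panic(err)
	}
	fmt.Println("ECB:", hex.EncodeToString(ecb), "repeated blocks:", countRepeatedBlocks(ecb))
	fmt.Println("CBC:", hex.EncodeToString(cbc), "repeated blocks:", countRepeatedBlocks(cbc))
}
```

ECB reports three repeated blocks (every block after the first equals the first), while CBC reports none; this is the pattern leakage that makes ECB the wrong choice for anything but a single block.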
117. B. Secure ciphers can be reversed, but hashes cannot be reversed in an attempt to re-create a data file. Hashing is a one-way encryption that is used for integrity purposes.
Options A, C, and D are incorrect. These statements are incorrect about the difference between a secure cipher and a secure hash. A secure hash creates the same-size output for any input size.

118. D. PFX (personal information exchange) files are typically used with Windows OSs that include digital certificates and are used for authentication processes involved in determining if a user or device can access certain files.
Option A is incorrect. DER (distinguished encoding rules) is a binary form of a PEM certificate and is typically used on the Java platform.
Option B is incorrect. AES is an asymmetric encryption algorithm.
Option C is incorrect. PEM (privacy-enhanced electronic mail) is a certificate format used for securing email using public key cryptography. PEM became an IETF proposed standard; it was never widely developed or used.

119. D. A session key is another name for an ephemeral key. An ephemeral key includes a private and public key, and systems use this key pair for a single session and then discard it.
Option A is incorrect. A PKI private key is held by the owner of the key pair to decrypt data or to create a digital signature.
Option B is incorrect. MD5 is a hashing algorithm that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages.
Option C is incorrect. A PKI public key is held by the certificate authority and is available for anyone to use to encrypt data or verify a user’s digital signature.

120. B. Steganography is a process of hiding data within data. This technique can be applied to images, video files, or audio files.
Option A is incorrect. Hashing is used to test integrity.
Option C is incorrect. Encryption is the process of using an algorithm to change plain text data into unreadable information to protect it from unauthorized users.
Option D is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages.

121. A. AES (Advanced Encryption Standard) is a symmetric algorithm used to encrypt data that uses the least amount of CPU.
Option B is incorrect. SHA-1 is a hashing algorithm that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages.
Option C is incorrect. MD5 is a hashing algorithm that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages.
Option D is incorrect. 3DES is a symmetric algorithm used to encrypt data by applying the DES cipher algorithm three times to the data, and it uses a lot of CPU resources.
122. B. RADIUS is a client-server protocol that enables remote access servers to communicate with a central server to authenticate users. RADIUS uses symmetric encryption for security.
Option A is incorrect. RADIUS does not use asymmetric encryption. Asymmetric encryption uses a key pair, and RADIUS uses the same key to encrypt and decrypt information.
Option C is incorrect. Elliptic curve cryptography is a public key encryption based on the elliptic curve equation rather than large prime numbers.
Option D is incorrect. RSA is a public key encryption and includes hardware and software tokens.

123. A. WPA (WiFi Protected Access) is a security standard that replaced and improved on WEP. WPA is less secure than WPA2.
Option B is incorrect. WPA2 provides message authenticity and integrity verification by the use of the AES algorithm and is stronger and more reliable than WPA.
Option C is incorrect. EAP-TLS is a remote access authentication protocol that supports the use of smartcards. EAP-TLS is more secure than WPA.
Option D is incorrect. PEAP is an encapsulating protocol that uses a certificate on the authentication server and a certificate on the client. It supports password-based authentication.

124. D. RADIUS is a networking protocol that provides centralized AAA for users connecting to and using a network service. EAP-TLS offers a good deal of security with the use of TLS and uses PKI to secure communication to the RADIUS authentication server.
Option A is incorrect. Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted network such as the Internet. Kerberos uses tickets to provide mutual authentication.
Option B is incorrect. LDAP (Lightweight Directory Access Protocol) is a software protocol to help locate individuals and other resources within a network.
Option C is incorrect. SAML (Security Assertion Markup Language) is an open-standard data format centered on XML. It supports the exchange of authentication and authorization details between systems, services, and devices. It does not authenticate and log connections from wireless users.

125. D. 802.1x enhances security within a WLAN by providing an authentication framework. Users are authenticated by a central authority before they are allowed within the network.
Option A is incorrect. WPA (WiFi Protected Access) is a security standard that replaced and improved on WEP and is designed to work with older wireless clients, but it does not carry traffic from a wireless network to an internal network.
Option B is incorrect. WEP (Wired Equivalent Privacy) is a security standard for 802.11b but does not carry traffic from a wireless network to an internal network.
Option C is incorrect. A load balancer improves the workload by distributing traffic across multiple computer resources such as servers.

126. D. SHA-1 is a hashing algorithm that creates message digests and is used for integrity.
Options A, B, and C are incorrect. They are symmetric algorithms used for encryption.

127. C. Block ciphers encrypt data one block, or fixed block, at a time.
Option A is incorrect. Stream ciphers encrypt data one bit at a time.
Option B is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages.
Option D is incorrect. Obfuscation is the action of making something difficult to read and understand.
128. B and D. MD5 and SHA are considered cryptographic hashing functions that transform a string of characters into a fixed-length value.
Options A and C are incorrect. They are symmetric encryption algorithms.

129. B. Data-at-rest is all data that is inactive and physically stored in a physical digital form such as nonvolatile memory. If the device the data is stored on is stolen, the unauthorized person will not be able to read the data due to the encryption.
Option A is incorrect. SSL is designed to protect data in transit.
Option C is incorrect. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages.
Option D is incorrect. TLS is the successor to SSL and is designed to protect data in transit.

130. A and B. USB flash drives and smartcards can carry a token and store keys for authentication to systems. They are often used in a multifactor authentication situation.
Option C is incorrect. A PCI expansion card is internal to a PC and normally doesn’t store keys for authentication purposes.
Option D is incorrect. A cipher lock is a programmable lock used for controlling access to a secure area.

131. B. AES (Advanced Encryption Standard) is a symmetric algorithm used to encrypt data that is fast and secure.
Option A is incorrect. SHA-256 is a hashing algorithm not used to encrypt data but rather to verify the integrity of the data.
Option C is incorrect. RSA is an asymmetric algorithm that is considered slow when encrypting data.
Option D is incorrect. MD5 is a hashing algorithm not used to encrypt data but rather to verify the integrity of the data.

132. C. OCSP (Online Certificate Status Protocol) is a protocol that can be used to query a certificate authority about the revocation status of a given certificate. OCSP can prepackage a list of revoked certificates and distribute them through browser updates, and that list can be checked if there is an Internet outage.
Option A is incorrect. Key escrow is a security measure in which cryptographic keys are held in escrow by a third party, and under normal circumstances, the key should not be released to someone other than the sender or receiver without proper authorization.
Option B is incorrect. A recovery agent is a user who is permitted to decrypt another user’s data in case of emergency or in special situations.
Option D is incorrect. A CSR (certificate signing request) is a request an applicant sends to a CA for the purpose of applying for a digital identity certificate. A CSR can be generated for code signing purposes.

133. D. PKI (public key infrastructure) is an entire system of hardware, software, policies and procedures, and people. PKI creates, distributes, manages, stores, and revokes certificates. A trust model is used to set up trust between CAs. A certificate has a subject alternative name (SAN) for machines (fully qualified domain names) or users (user principal name).
Option A is incorrect. ROT13 is a substitution cipher, also known as a Caesar cipher, and it replaces a letter with the 13th letter after it in the alphabet.
Option B is incorrect. PGP (Pretty Good Privacy) is a method used for encrypting and decrypting digital files and communications over the Internet. It also provides data and file integrity services by digitally signing messages.
Option C is incorrect. WPA2 is a security standard that secures computers connected to a WiFi network.
134. A and B. A threat actor can carry out an eavesdropping attack and a man-in-the-middle attack. Eavesdropping with a private key can allow the threat actor to see data in clear text. A man-in-the-middle attack can allow the threat actor to modify the data transmitting to the server, such as adding malware to the data.
Option C is incorrect. Social engineering is exploiting a person’s trust to give up confidential information.
Option D is incorrect. A brute-force attack is used to obtain information such as a user password or personal identification number (PIN) by use of a trial-and-error method.

135. B. Hashing is a one-way encryption that transforms a string of characters into a fixed-length value or key, also known as a hash value. Hashes ensure the integrity of data or messages.
Option A is incorrect. A symmetric algorithm, also known as a secret key algorithm, uses the same key to encrypt and decrypt data.
Option C is incorrect. Asymmetric encryption is also known as public key cryptography, and it uses public and private keys to exchange a session key between two parties.
Option D is incorrect. PKI (public key infrastructure) is an entire system of hardware, software, policies and procedures, and people. PKI creates, distributes, manages, stores, and revokes certificates.

136. A. A CA (certificate authority) is a trusted entity that creates and digitally signs certificates so the receiver can verify the certificate came from that specific CA.
Option B is incorrect. The RA (registered authority) does not digitally sign the certificate; the CA (certificate authority) performs this action.
Option C is incorrect. The RA (registered authority) performs the certificate registration duties. The RA identifies the individual requesting a certificate and initiates the certification process with the CA on behalf of the individual. The CA creates and signs the certificate.
Option D is incorrect. The CA (certificate authority) creates and digitally signs the certificate. The RA (registered authority) performs the certificate registration duties.

137. C. A digital signature is a hash value (message digest) that is encrypted with the sender’s private key. The receiver performs a hashing function on the message, decrypts the sent hash value with the sender’s public key, and compares the two hash values. If the hash values are the same, the message actually came from the sender. This is performed by DSA (digital signature algorithm) and allows traceability to the person signing the message through the use of their private key.
Option A is incorrect. The sender will encrypt a hash value (message digest) with its own private key, not the receiver’s public key. The receiver’s public key is not part of the process.
Option B is incorrect. The sender encrypts the hash value (message digest) with its own private key, not the receiver’s private key. The receiver’s private key is always kept private by the owner.
Option D is incorrect. The receiver uses the sender’s public key to decrypt the hash value (message digest) and compares it with the hash value the receiver produced to verify that the message came from the sender.
138. A. AES (Advanced Encryption Standard) is a symmetric algorithm used to encrypt large amounts of data (bulk).
Option B is incorrect. Asymmetric algorithms are used to encrypt a small amount of data.
Option C is incorrect. A key escrow is a database of stored keys that can be recovered should the original user’s key be lost or compromised.
Option D is incorrect. A CRL (certificate revocation list) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should not be trusted.

139. A. PEAP is a protocol that encapsulates EAP within a TLS tunnel.
Option B is incorrect. SSL was superseded by TLS and is considered not as secure as TLS.
Option C is incorrect. AES (Advanced Encryption Standard) is a symmetric algorithm used to encrypt data.
Option D is incorrect. SHA is a hashing algorithm and is used for integrity. SHA is used with SSL, and HMAC is used with TLS.

140. C. The AES-CCMP encryption algorithm used in the 802.11i security protocol uses the AES block cipher and limits the key length to 128 bits. AES-CCMP makes it difficult for an eavesdropper to spot patterns.
Options A, B, and D are incorrect. AES-CCMP is restricted to a key length of 128 bits.

141. C and D. Message Integrity Code (MIC) is a security improvement for WEP encryption within wireless networks. TKIP and CCMP use MIC, which provides an integrity check on the data packet.
Options A and B are incorrect. They are encryption algorithms and are not concerned with message integrity.

142. A and C. A threat actor can obtain a preshared passphrase through social engineering and then connect to the AP. WPA-Personal uses TKIP encryption, which is considered a weak option.
Option B is incorrect. WPA-Personal uses a preshared passphrase that is entered in the AP and in each device that wants to connect to the network.
Option D is incorrect. WPA-Enterprise uses a RADIUS server, not WPA-Personal.

143. B. A root certificate is a public key certificate that identifies the root CA (certificate authority). Digital certificates are verified using a chain of trust (certificate chaining), and the trust anchor for the certificate is the root certificate authority (CA).
Option A is incorrect. A root certificate has an expiration date, also known as the validity period.
Option C is incorrect. A root certificate contains information about the CA (certificate authority), not the user.
Option D is incorrect. A root certificate is able to authorize subordinate CAs to issue certificates on its behalf.

144. B and C. Public and private keys work with each other to encrypt and decrypt data. If the data is encrypted with the receiver’s public key, the receiver decrypts the data with their private key.
Option A is incorrect. Public and private keys are not isolated from each other. If you encrypt data with one key, the other key is used to decrypt the data.
Option D is incorrect. Data that is encrypted with the private key will be decrypted with the corresponding public key. The private key is designed to be held privately by the owner and not shared.
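Answers 137 and 144 are the two directions of the same key pair: the receiver's public key encrypts and the receiver's private key decrypts (confidentiality), while the sender's private key signs a digest and the sender's public key verifies it (authenticity and integrity). The Go program below (my own example, not from the book) runs both directions with the standard-library crypto/rsa package and checks the failure cases a practitioner cares about: a different private key cannot decrypt, a one-byte change to the signed message is caught, and another party's public key rejects the signature. RSA-OAEP and PKCS#1 v1.5 signatures with SHA-256 are assumed choices here, standing in for the DSA that answer 137 names; the message and secret are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// encryptForReceiver: anyone with the receiver's public key can encrypt.
func encryptForReceiver(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// decryptAsReceiver: only the matching private key can decrypt.
func decryptAsReceiver(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// signMessage hashes the message and signs the digest with the sender's private key.
func signMessage(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifySignature recomputes the digest over the received message and checks the
// signature with the sender's public key; any mismatch makes it return false.
func verifySignature(pub *rsa.PublicKey, message, signature []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) == nil
}

// Result collects the outcomes of one run so they can be checked, not just printed.
type Result struct {
	Recovered        string // plaintext the receiver decrypted
	OtherKeyFails    bool   // a different private key cannot decrypt the ciphertext
	SignatureValid   bool   // the untouched message verifies with the sender's public key
	TamperDetected   bool   // a one-byte change makes verification fail
	WrongKeyDetected bool   // a different party's public key rejects the signature
}

func keyPairDemo() (Result, error) {
	var r Result
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	receiver, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}

	// Direction 1 (answer 144): receiver's public key encrypts, receiver's private key decrypts.
	secret := []byte("constructed demo session key") // constructed sample
	ct, err := encryptForReceiver(&receiver.PublicKey, secret)
	if err != nil {
		return r, err
	}
	pt, err := decryptAsReceiver(receiver, ct)
	if err != nil {
		return r, err
	}
	r.Recovered = string(pt)
	_, err = decryptAsReceiver(sender, ct) // wrong private key: OAEP check fails
	r.OtherKeyFails = err != nil

	// Direction 2 (answer 137): sender's private key signs, sender's public key verifies.
	message := []byte("invoice total: 100") // constructed sample
	sig, err := signMessage(sender, message)
	if err != nil {
		return r, err
	}
	r.SignatureValid = verifySignature(&sender.PublicKey, message, sig)
	tampered := bytes.Replace(message, []byte("100"), []byte("900"), 1)
	r.TamperDetected = !verifySignature(&sender.PublicKey, tampered, sig)
	r.WrongKeyDetected = !verifySignature(&receiver.PublicKey, message, sig)
	return r, nil
}

func main() {
	r, err := keyPairDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Note that the verifier never "decrypts" the signature into a digest in the Go API; it recomputes the digest and lets VerifyPKCS1v15 compare, which is the same check answer 137 describes, just with the comparison hidden inside the library call.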
6255145. A and C. .p12 and .pfx are filename extensions for PKCS #12 files.
6256Option B is incorrect. KEY is used for both private and public PKCS #8 keys.
6257Option D is incorrect. p7b is a filename extension for PKCS #7 and is used to sign and/or
6258encrypt messages under a PKI. It also provides a syntax for disseminating certificates.
6259146. C and D. PGP and GPG use a web of trust to establish the authenticity of the binding
6260between a public key and its owner.
6261Option A is incorrect. RC4 is a symmetric algorithm and does not use the web of trust
6262concept.
6263Option B is incorrect. AES is a symmetric algorithm and does not use the web of trust
6264concept.
6265147. A. A symmetric algorithm, sometimes called a secret key algorithm, uses the same key to
6266encrypt and decrypt data and is typically used to encrypt data-at-rest.
6267Option B is incorrect. An asymmetric algorithm, also known as public key cryptogra-
6268phy, uses public and private keys to encrypt and decrypt data and is typically not used to
6269encrypt data-at-rest.
6270Option C is incorrect. Stream ciphers encrypt data one bit at a time.
6271Option D is incorrect. Hashing is a one-way encryption that transforms a string of charac-
6272ters into a fixed-length value or key, also known as a hash value. Hashes ensure the integ-
6273rity of data or messages.
6274148. C. A registered authority (RA) is used to verify requests for certificates and forwards
6275responses to the CA.
6276Option A is incorrect. A root CA is the top of the hierarchy and certifies intermediate CAs
6277to issue certificates to users, computers, or services.
6278Option B is incorrect. An intermediate CA is certified by the root CA and can issue certifi-
6279cates to users, computers, or services.
6280Option D is incorrect. OCSP (Online Certificate Status Protocol) is a protocol that can be
6281used to query a certificate authority about the revocation status of a given certificate. It
6282validates certificates by returning responses such as “good,†“revoked,†and “unknown.â€368
6283Appendix
6284â–
6285Answers to Practice Tests
6286149. C. WPA2 is a security standard that secures computers connected to the 802.11n WiFi
6287network. It provides the strongest available encryption for wireless networks.
6288Option A is incorrect. WEP (Wired Equivalent Privacy) is a security standard for 802.11b.
6289It is designed to provide a level of security for a WLAN.
6290Option B is incorrect. WPA (WiFi Protected Access) is a security standard that replaced
6291and improved on WEP. WPA is not as secure as WPA2.
6292Option D is incorrect. WPS (WiFi Protected Setup) is a network security standard that
6293allows home users to easily add new devices to an existing wireless network without enter-
6294ing long passphrases. WPS is known to have vulnerabilities and is not recommended.
150. C. AES-256 can encrypt data quickly and securely on a USB flash drive.
Option A is incorrect. 3DES is an encryption algorithm, but it is not effective for sending information to a USB flash drive both quickly and in a highly secure manner.
Options B and D are incorrect. They are examples of hash algorithms used to verify the integrity of the data.
Chapter 7: Practice Test
1. C. A virtual LAN (VLAN) is designed to allow network administrators to segment networks within a LAN. Each network will not be able to see traffic assigned to other systems within other VLANs within the same LAN.
Option A is incorrect. A media access control (MAC) address is a unique identification number on a network device. This is also known as a physical address.
Option B is incorrect. Network Address Translation (NAT) is a function in a router that translates private IP addresses to public IP addresses and vice versa. NAT hides the private IP addresses from the Internet and is also a solution for the limited number of IPv4 addresses available.
Option D is incorrect. A demilitarized zone (DMZ) is designed to protect the internal network but allow access to resources from the Internet. This provides an additional layer of protection to the LAN.
2. C. Passive reconnaissance is an attempt to obtain information about computer systems and networks without actively engaging with the system.
Option A is incorrect. An escalation of privilege attack allows an attacker to gain elevated access to the network due to programming errors or design flaws.
Option B is incorrect. Active reconnaissance is a type of network attack where the attacker engages with the targeted system. The attacker can use a port scanner to gather information about any vulnerable ports.
Option D is incorrect. Black-box testing can simulate a realistic scenario, as the tester examines the functionality of a network without peering into the internal workings. Since the network administrator is an employee, he or she will have information about the internal structure of the network.
3. C. A personal identity verification (PIV) card contains the necessary data for the cardholder to be allowed to enter federal facilities.
Option A is incorrect. A proximity card is a contactless smartcard that is held near an electronic reader to grant access to a particular area.
Option B is incorrect. A Time-Based One-Time Password (TOTP) is a temporary passcode that is generated for authenticating to a computer system, and the passcode is valid for only a certain amount of time—for example, 30 seconds.
Option D is incorrect. An HMAC-Based One-Time Password (HOTP) is a temporary passcode that is generated for authenticating to a computer system; the passcode is valid until it is used by the user.
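The difference between TOTP and HOTP in the answer above comes down to what feeds the HMAC counter: a moving time window for TOTP, a per-use counter for HOTP. The following Python is added here as an illustration and is not code from the book; it implements both algorithms as specified in RFC 4226 and RFC 6238 (HMAC-SHA1, 6-digit codes) and adds a server-side HOTP check that refuses counters already consumed, which is what makes an HOTP code expire once used. The secret and timestamps are the published RFC test vectors; the `verify_hotp` helper and its look-ahead window are my own construction.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).

    HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation to
    31 bits, then the low `digits` decimal digits (zero-padded).
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # low nibble selects a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP whose counter is the
    number of `step`-second intervals since the Unix epoch.  The code is the
    same for every second of one interval and changes at the next one."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, code: str, last_counter: int, window: int = 5):
    """Server-side HOTP check (constructed helper, not part of the RFC text).

    Tries the counters after the last accepted one, up to `window` ahead, and
    returns the counter to store on success or None on failure.  Counters at
    or below `last_counter` are never tried, so an HOTP code is single-use:
    once accepted, presenting the same code again is rejected.
    """
    for candidate in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None


# Shared test secret from RFC 4226 / RFC 6238 (20 ASCII bytes)
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP for counters 0..2:", [hotp(SECRET, c) for c in range(3)])
    print("TOTP at t=30, 59, 60:", [totp(SECRET, t) for t in (30, 59, 60)])
    print("first use accepted, counter ->", verify_hotp(SECRET, hotp(SECRET, 1), last_counter=0))
    print("replay of same code ->", verify_hotp(SECRET, hotp(SECRET, 1), last_counter=1))
```

Running it shows the two validity rules side by side: the TOTP codes for t=30 and t=59 are identical (same 30-second interval) and the t=60 code differs, while the HOTP code for counter 1 is accepted once and refused on the second presentation.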
4. D. Network Access Control (NAC) enforces security policies and manages access to a network. It enables compliant, authenticated, and trusted devices to enter the network and access resources. If a device isn’t compliant, it will either be denied access or have limited access until the device becomes compliant.
Option A is incorrect. Network Address Translation (NAT) is a function in a router that translates private IP addresses to public IP addresses and vice versa. NAT hides the private IP addresses from the Internet and is also a solution for the limited number of IPv4 addresses available.
Option B is incorrect. A host intrusion prevention system (HIPS) is used to monitor a client computer for malicious activity and performs an action based on an implemented rule.
Option C is incorrect. A demilitarized zone (DMZ) is designed to protect the internal network but allow access to resources from the Internet. This provides an additional layer of protection to the LAN.
5. A. A mantrap is a physical security access control that contains two sets of doors. When the first set of doors is closed, the second set opens. This access control prevents unauthorized access to a secure area.
Option B is incorrect. A Faraday cage is a metallic enclosure that prevents an electromagnetic field from escaping from a device such as a smartphone. Emitted electromagnetic fields can allow an attacker to capture sensitive data.
Option C is incorrect. An airgap is the practice of isolating a computer or network to prevent it from making external connections.
Option D is incorrect. Cable locks are used to prevent theft of computer equipment at the office or on the go.
6. B. A demilitarized zone (DMZ) separates the local area network (LAN) from untrusted networks such as the Internet. Resources that are placed in the DMZ are accessible from the Internet and protect resources located in the LAN.
Option A is incorrect. A honeynet is a collection of honeypots. A honeypot is a system that is set up with vulnerabilities to entice an attacker so as to view their activity and methods for research purposes.
Option C is incorrect. A proxy server sends requests on behalf of the client. Proxy servers mask the client’s public IP address and can cache frequently requested websites to reduce bandwidth and improve the client’s response times.
Option D is incorrect. An intranet is a private network found within a company and accessed from within the LAN.
7. D. A load balancer will distribute and manage network traffic across several servers to increase performance.
Option A is incorrect. A VPN concentrator is a router device that manages a large number of VPN tunnels.
Option B is incorrect. A network intrusion prevention system (NIPS) is used to monitor a network for malicious activity and performs an action based on an implemented rule.
Option C is incorrect. Security information and event management (SIEM) identifies, monitors, records, and analyzes any security event or incident in real time.
8. A. A security guard plays a major role in all layers of security. A guard can execute many functions such as patrolling checkpoints, overseeing electronic access control, replying to alarms, and examining video surveillance.
Options B, C, and D are incorrect. Implementing these technologies is not as useful as employing a security guard.
9. A. A zero-day attack takes advantage of a security vulnerability on the same day the vulnerability becomes known. Attackers may find vulnerabilities before the company discovers them.
Option B is incorrect. Cross-site scripting enables attackers to insert client-side script into a webpage that other users can view.
Option C is incorrect. Address Resolution Protocol (ARP) poisoning occurs when an attacker changes the MAC address in the target’s ARP cache to steal sensitive data and cause a denial of service.
Option D is incorrect. Domain hijacking occurs when an attacker uses a domain for their own purpose. Attackers can collect data about visitors.
10. B. Electromagnetic interference (EMI) will disrupt the operation of an electronic device when it is within an electromagnetic field.
Option A is incorrect. A demilitarized zone (DMZ) is designed to protect the internal network but allow access to resources from the Internet. This provides an additional layer of protection to the LAN.
Option C is incorrect. A Basic Input/Output System (BIOS) manages the data between the computer’s OS and the attached devices and peripherals such as the video display adapter, network interface card, wireless keyboard, and mouse.
Option D is incorrect. A Trusted Platform Module (TPM) is a specialized chip that stores RSA encryption keys that are specific to the operating system for hardware authentication.
11. C. A VPN concentrator is a device that creates a remote access or site-to-site VPN connection. A VPN concentrator is used when a company has a large number of VPN tunnels.
Option A is incorrect. A router determines the best route to pass a packet to its destination.
Option B is incorrect. A proxy server sends requests on behalf of the client. Proxy servers mask the client’s public IP address and can cache frequently requested websites to reduce bandwidth and improve clients’ response times.
Option D is incorrect. A firewall uses rules to control incoming and outgoing traffic in a network. Firewalls can be either hardware or software.
12. B. A key escrow is a location where keys can be obtained by authorized users to decrypt encrypted data.
Option A is incorrect. A certificate revocation list (CRL) is a list of certificates that were revoked by a CA before their expiration date. The certificates listed in the CRL should not be considered trusted.
Option C is incorrect. A trust model allows the encryption keys to be trusted; the names associated with the keys are the names associated with the person or entity.
Option D is incorrect. An intermediate certificate authority (CA) issues certificates to verify a digital device within a network or on the Internet.
13. B. Availability would be the biggest concern because the computers would not operate properly if the HVAC system does not work properly. Should the HVAC system not cool the server room adequately, the computers would not operate and would become unavailable to their users.
Option A is incorrect. Confidentiality allows authorized users to gain access to sensitive and protected data.
Option C is incorrect. Integrity ensures that the data hasn’t been altered and is protected from unauthorized modification.
Option D is incorrect. An airgap is the practice of isolating a computer or network to prevent it from making external connections.
14. B. The correct answer is that the SSID broadcast is disabled. With the SSID broadcast disabled, the user must enter the SSID to attempt to connect to the wireless access point.
Option A is incorrect. MAC filtering is the act of defining a list of devices that are permitted or prohibited on your WiFi network.
Option C is incorrect. The antenna type and placement will not prevent users from viewing the wireless SSID. The antenna type determines whether the signal transmits in a 360-degree direction (omnidirectional) or in a direction between 80 and 120 degrees (directional).
Option D is incorrect. The band selection will not prevent users from viewing the wireless SSID. The band selection references the channel the wireless access point uses. In the 2.4 GHz spectrum, using channels near each other will stop data from being received or sent.
15. B. Time-of-day restrictions are a form of logical access control where access to specific applications or systems is restricted outside of specific hours.
Option A is incorrect. Job rotation is the practice of rotating employees through the jobs assigned within their employment to promote flexibility and keep employees interested in their jobs.
Option C is incorrect. Least privilege gives users the lowest level of rights they need to do their job, to limit the potential chance of a security breach.
Option D is incorrect. A location-based policy uses a device’s location data to control features, such as disabling a smartphone’s camera in a sensitive area.
16. A, D, F. 3DES, RC4, and Twofish are known as symmetric algorithms. They use the same key to encrypt and decrypt data.
Options B and C are incorrect. ECDHE and RSA are known as asymmetric algorithms. They use private and public keys to encrypt and decrypt data.
Option E is incorrect. SHA is known as a hashing algorithm. Hashing transforms a string of characters into a key that represents the original string. This is also known as one-way encryption because the hash cannot be decrypted to reveal the original string.
17. D. The correct answer is looking for weak passwords. A password-cracking tool can potentially discover users who are currently using weak passwords.
Options A, B, and C are incorrect. A password-cracking program will not discover any strong passwords. It will not inform you whether users are following the password complexity policy and minimum password length policy.
18. A. White-box testing refers to the process of testing a network with all information known about the network or layout.
Option B is incorrect. Black-box testing refers to the process of testing a network without any information known about the network or layout.
Option C is incorrect. Gray-box testing refers to the process of testing a network with some information known about the network or layout.
Option D is incorrect. Purple box is not a term used in penetration testing.
19. A. Remote Authentication Dial-In User Service (RADIUS) enables remote access servers to communicate with a central server. This central server is used to authenticate and authorize users to access network services and resources.
Option B is incorrect. TACACS+ is a protocol developed by Cisco that uses TCP for authentication, authorization, and accounting services.
Option C is incorrect. Kerberos is an authentication protocol that uses tickets to allow access to resources within the network.
Option D is incorrect. OAuth is an authorization protocol that allows a third-party application to obtain users’ data without sharing login credentials.
20. B, D. The correct answers are mitigating buffer overflow attacks and cross-site scripting (XSS) vulnerabilities. A buffer overflow attack occurs when a program attempts to place more data in a buffer (memory) than it can hold. This action can corrupt data, crash the program, or execute malicious code. XSS vulnerabilities are found in web applications and are exploited by injecting malicious code to gather users’ information.
Option A is incorrect. Shoulder surfing is a social engineering attack in which the attacker gathers personal information through direct observation, such as looking over a person’s shoulder.
Option C is incorrect. Address Resolution Protocol (ARP) poisoning is caused by an attacker sending spoofed ARP messages onto a local network. This allows the attacker to monitor data passing through the network.
21. A. The correct answer is something you do. This is an example of a picture password. A user selects a photo of their choice and records gestures over it. Each gesture can be a line, a circle, or a dot, executed in an exact order. The user repeats the gestures to log into their Windows account.
Option B is incorrect. Something you know is a knowledge factor, such as a user knowing their username and password.
Option C is incorrect. Something you have is a possession factor, such as a user possessing a smartcard or a security token.
Option D is incorrect. Something you are is an inherence (biometric) factor, such as a user’s fingerprint.
22. D. Account lockout prevents a hacker from accessing the user’s account by guessing a username and password. It locks the account for a determined amount of time or until an administrator has unlocked the account.
Option A is incorrect. Password complexity enforces the rule of including three of the four following character sets: lowercase letters, uppercase letters, numerals, and special characters. Password complexity will not lock out a hacker from potentially guessing a username and password.
Option B is incorrect. Account disablement is implemented when an employee has left a company, whether temporarily or permanently. Account disablement makes a user account no longer usable. This action is performed by an administrator within the company.
Option C is incorrect. Password length determines the minimum number of alphanumeric characters a password must have. This will not lock out a hacker from potentially guessing a username and password.
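The distinction the answer draws, that complexity and length make each guess less likely to succeed while only lockout stops the guessing, is easy to see in code. The following Python is an added example, not code from the book; it models the two lockout variants the answer names (a timed lockout and an administrator-only unlock) and a constructed guessing run in which the correct password arrives after the lock and is refused. The class, its defaults, and the sample usernames and passwords are my own constructions.

```python
class AccountLockout:
    """Account lockout policy (constructed example).

    After `threshold` consecutive failed logins the account is locked.  With a
    numeric `duration` it unlocks by itself that many seconds later; with
    duration=None it stays locked until admin_unlock() is called.  While
    locked, even the correct password is rejected, which is what stops a
    guessing attack; complexity and length rules never stop the guessing.
    """

    def __init__(self, threshold: int = 5, duration=900):
        self.threshold = threshold
        self.duration = duration
        self._failures = {}       # user -> consecutive failed attempts
        self._locked_until = {}   # user -> unlock timestamp, or None for admin-only unlock

    def is_locked(self, user: str, now: int) -> bool:
        if user not in self._locked_until:
            return False
        until = self._locked_until[user]
        if until is None or now < until:
            return True
        # the lockout period has elapsed: clear the lock and the failure count
        del self._locked_until[user]
        self._failures.pop(user, None)
        return False

    def attempt(self, user: str, password_ok: bool, now: int) -> str:
        """Record one login attempt; returns 'locked', 'success', or 'failure'."""
        if self.is_locked(user, now):
            return "locked"                 # rejected regardless of the password
        if password_ok:
            self._failures.pop(user, None)  # a success resets the counter
            return "success"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.threshold:
            self._locked_until[user] = None if self.duration is None else now + self.duration
            return "locked"
        return "failure"

    def admin_unlock(self, user: str) -> None:
        """Administrator clears the lock and the failure counter."""
        self._locked_until.pop(user, None)
        self._failures.pop(user, None)


def simulate_guessing(policy: AccountLockout, user: str, real_password: str,
                      guesses, start: int = 1_000) -> list:
    """Feed one guess per second and return the outcome of each attempt."""
    return [policy.attempt(user, guess == real_password, start + i)
            for i, guess in enumerate(guesses)]


if __name__ == "__main__":
    # constructed run: the fourth guess is right but arrives after the lock
    policy = AccountLockout(threshold=3, duration=900)
    print(simulate_guessing(policy, "alice", "C0rrect-horse!",
                            ["123456", "password", "qwerty", "C0rrect-horse!"]))
    print(policy.attempt("alice", True, 1_000 + 3 + 900))   # lock has expired
```

One operational caveat worth pairing with this control: because lockout can be triggered by anyone who knows a username, a timed duration (rather than admin-only unlock) limits how much an attacker can lock legitimate users out, and the lockout events themselves are worth alerting on.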
23. C. DNS Security Extensions (DNSSEC) protect against attackers hijacking the DNS process and taking control of the session. DNSSEC digitally signs data so that the user can be assured the data is valid.
Option A is incorrect. Secure Sockets Layer (SSL) is a protocol that secures connections between network clients and servers over an insecure network.
Option B is incorrect. Secure Shell (SSH) is a protocol that provides an administrator with a secure connection to a remote computer.
Option D is incorrect. Transport Layer Security (TLS) is a protocol that provides data integrity between two communicating applications. TLS is the successor to SSL and is more secure.
24. B. Dumpster diving is an attack performed by searching through trash for sensitive information that could be used to perform an attack on a company’s network.
Option A is incorrect. Tailgating, often referred to as piggybacking, is a physical security violation where an unauthorized person follows an authorized person (an employee) into a secure area.
Option C is incorrect. Shoulder surfing is the ability to obtain information by looking over a person’s shoulder. Information that can be obtained includes personal identification numbers, usernames, passwords, and other confidential information.
Option D is incorrect. A man-in-the-middle attack is where an attacker captures and replays network data between two parties without their knowledge.
25. D. Advanced Encryption Standard (AES) uses key sizes of 128, 192, and 256 bits.
Option A is incorrect. Data Encryption Standard (DES) uses a key size of 64 bits.
Option B is incorrect. Hash-Based Message Authentication Code (HMAC) uses a cryptographic key for message authentication in conjunction with a hash function.
Option C is incorrect. MD5 is a 128-bit hashing algorithm.
26. C. The correct answer is penetration testing authorization. This authorization’s goal is to protect the security auditor performing the work against likely attacks.
Option A is incorrect. Vulnerability testing authorization protects the security auditor when identifying and quantifying security vulnerabilities in a company’s network. The question described a simulated attack, which is referred to as penetration testing.
Option B is incorrect. Transferring risk to a third party allows the third party to manage specific types of risk, thus reducing the company’s cost.
Option D is incorrect. Change management is the process of managing configuration changes made to a network.
27. C. Cloud computing is based on the concept of a hosted service provided over the Internet. Companies can have access to processing power and storage rather than bearing the cost of creating and hosting their own systems.
Option A is incorrect. Sandboxing is the concept of isolating a computing environment, such as a software developer testing new programming code.
Option B is incorrect. A demilitarized zone (DMZ) is designed to protect the internal network but allow access to resources from the Internet. This provides an additional layer of protection to the LAN.
Option D is incorrect. Data loss prevention (DLP) prevents sensitive data from leaving a company’s network through scanning.
28. C. A zero-day attack takes advantage of a security vulnerability on the same day the vulnerability becomes known. Attackers may find vulnerabilities before the company discovers them.
Option A is incorrect. A buffer overflow attack occurs when a program attempts to place more data in a buffer (memory) than it can hold. This action can corrupt data, crash the program, or execute malicious code.
Option B is incorrect. Session hijacking is a method in which an attacker takes over a web user’s session by capturing the session ID and impersonating the authorized user. This allows the attacker to do whatever the authorized user can do on the network.
Option D is incorrect. A distributed denial of service (DDoS) occurs when an attacker uses a large number of hosts to flood a server with packets, causing the server to crash and become unavailable.
29. C, D. Wired Equivalent Privacy (WEP) and WiFi Protected Access (WPA) are security protocols for WLANs. They are known to have vulnerabilities and are prone to attacks.
Options A and B are incorrect. WPA2 Personal and WPA2 Enterprise are considered stronger choices when encrypting data between the device and the wireless access point (WAP). WPA2 Enterprise uses IEEE 802.1X authentication, and WPA2 Personal uses pre-shared keys (PSK) and is designed for home use.
30. D. Patch management consists of collecting, testing, and installing patches to a computer within a local network.
Option A is incorrect. Sandboxing is the concept of isolating a computing environment, such as a software developer testing new programming code.
Option B is incorrect. In an ad hoc network, devices are connected and communicating with each other directly.
Option C is incorrect. Virtualization allows the creation of virtual resources such as a server operating system. Multiple operating systems can run on one machine by sharing resources such as RAM, hard drives, and CPU.
31. A. FTPS (File Transfer Protocol Secure) is an extension to FTP (File Transfer Protocol) with added support for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) security technology.
Option B is incorrect. Secure File Transfer Protocol (SFTP) uses SSH to transfer files to remote systems and requires the client to authenticate to the remote server.
Option C is incorrect. Secure Shell (SSH) is a protocol that provides an administrator with a secure connection to a remote computer.
Option D is incorrect. Lightweight Directory Access Protocol Secure (LDAPS) uses SSL (Secure Sockets Layer) to securely access and maintain directory information over an IP network.
32. B. A PIA (privacy impact assessment) is a tool used to document the collection of personally identifiable information (PII). It states what is collected, how the information will be maintained, and how it will be protected.
Option A is incorrect. A BIA (business impact analysis) is used to evaluate the possible effect a business can suffer should an interruption to critical system operations occur. This interruption could be a result of an accident, emergency, or disaster.
Option C is incorrect. RTO (recovery time objective) is the amount of time it takes to resume normal business operations after an event.
Option D is incorrect. MTBF (mean time between failures) is the rating on a device or component that predicts the expected time between failures.
33. D. The correct answer is quantitative. Specific dollar values are used to prioritize risk. This is why ALE (annual loss expectancy) is classified as quantitative risk analysis.
Option A is incorrect. Qualitative risk analysis involves a ranking scale to rate risk rather than specific figures.
Option B is incorrect. ROI (return on investment) cannot be calculated before a risk analysis is completed.
Option C is incorrect. SLE (single loss expectancy) is related to risk management and risk assessment and is the expected monetary loss for each risk that occurs.
34. D. Companies use a mandatory vacation policy to detect fraud by having a second person who is familiar with the duties help discover any illicit activities.
Option A is incorrect. Companies usually don’t want many of their employees out at the same time. This will cause a shortage in a particular area and could compromise the security posture of the company.
Option B is incorrect. Companies have a “use or lose” policy for vacation time not taken by the end of the calendar year. A mandatory vacation policy isn’t the tool used to ensure employees are taking the correct number of days off. This is usually maintained by the HR department.
Option C is incorrect. Companies do want their employees to be recharged to properly conduct their duties, but from a security standpoint, this isn’t the best answer.
35. D. Typosquatting is used by attackers to redirect web traffic to another website the attacker maintains. The attacker achieves this by purchasing a misspelled URL and creating a website similar to the original. The attacker can then try to sell products or install malware on a user’s computer.
Option A is incorrect. Session hijacking is a method by which an attacker takes over a web user’s session by capturing the session ID and impersonating the authorized user. This allows the attacker to do whatever the authorized user can do on the network.
Option B is incorrect. Cross-site scripting enables attackers to insert client-side script into a webpage that other users can view.
Option C is incorrect. A replay attack occurs when a legitimate network transmission is captured by an attacker and then maliciously retransmitted to trick the receiver into unauthorized operations.
36. D. A Trusted Platform Module (TPM) should be enabled because it is a specialized chip, also known as a hardware root of trust, that stores RSA encryption keys that are specific to the operating system for hardware authentication.
Option A is incorrect. Redundant Array of Independent Disks (RAID) provides redundancy by storing the same data in different places on multiple hard disks. If a hard drive fails, this helps protect against the loss of data.
Option B is incorrect. Universal Serial Bus (USB) is an interface that allows an add-on device to connect to a computer.
Option C is incorrect. A Hardware Security Module (HSM) is a physical device that manages digital keys for authentication, encryption, and decryption.
37. C. Black-box testing refers to the process of testing a network without any information known about the network or layout.
Option A is incorrect. White-box testing refers to the process of testing a network with all information known about the network or layout.
Option B is incorrect. Red box is not a penetration testing term.
Option D is incorrect. Gray-box testing refers to the process of testing a network with some information known about the network or layout.
38. B. Tailgating, often referred to as piggybacking, is a physical security violation where an unauthorized person follows an authorized person (an employee) into a secure area.
Option A is incorrect. Shoulder surfing is the ability to obtain information by looking over a person’s shoulder. Information that can be obtained includes personal identification numbers, usernames, passwords, and other confidential information.
Option C is incorrect. Vishing is a type of social engineering attack that tries to trick a person into disclosing secure information over the phone or a Voice over IP (VoIP) call.
Option D is incorrect. Dumpster diving is performed by searching through trash for sensitive information that could be used to perform an attack on a company’s network.
39. A. Implicit deny is placed at the bottom of the list. If traffic goes through the ACL rules and isn’t explicitly denied or allowed, implicit deny will deny the traffic, as it is the last rule. In other words, if traffic is not explicitly allowed within an access list, then by default it is denied.
Option B is incorrect. Port security allows an administrator to prohibit or permit devices based on their MAC address by configuring individual physical switch ports.
Option C is incorrect. A flood guard helps prevent denial-of-service (DoS) attacks by stopping a large amount of traffic sent on a network in an attempt to stop a service or a device.
Option D is incorrect. Signal strength is the power of the electric field transmitted by an antenna. The lower the strength, the shorter the distance from which devices can connect to a wireless access point.
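The first-match, implicit-deny evaluation described in the answer above is short enough to write out in full. The following Python is an added example, not code from the book or from any vendor's ACL implementation; it parses rules in a constructed syntax loosely modelled on extended ACLs (`permit tcp 10.0.1.0/24 any 443`), evaluates packets top to bottom, and reports whether a listed rule or the implicit deny made the decision. The sample ACL and packet addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp", or "ip" for any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None means any destination port

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: Optional[int]) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and (self.dport is None or self.dport == dport))


def parse_rule(line: str) -> Rule:
    """Parse one rule in the constructed syntax:
    '<permit|deny> <proto> <src-net|any> <dst-net|any> [dport]'."""
    action, proto, src, dst, *rest = line.split()
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in rule: {line!r}")
    to_net = lambda s: ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)
    return Rule(action, proto, to_net(src), to_net(dst), int(rest[0]) if rest else None)


def evaluate(acl: List[Rule], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation, top to bottom.  Returns (decision, index of
    the matching rule).  An index of None means no listed rule matched and
    the implicit deny at the end of the list made the decision."""
    for index, rule in enumerate(acl):
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action, index
    return "deny", None


# Constructed ACL: the user subnet may reach HTTPS anywhere and DNS on the
# internal resolver; the lab subnet is explicitly denied to all of 10.0.0.0/16.
ACL = [parse_rule(line) for line in (
    "permit tcp 10.0.1.0/24 any 443",
    "permit udp 10.0.1.0/24 10.0.0.53/32 53",
    "deny ip 10.0.2.0/24 10.0.0.0/16",
)]

if __name__ == "__main__":
    for packet in (("tcp", "10.0.1.7", "203.0.113.5", 443),   # matches rule 0
                   ("tcp", "10.0.1.7", "203.0.113.5", 22),    # no match: implicit deny
                   ("udp", "10.0.1.7", "10.0.0.53", 53),      # matches rule 1
                   ("tcp", "10.0.2.9", "10.0.0.10", 443),     # explicit deny, rule 2
                   ("icmp", "10.0.1.7", "10.0.0.10", None)):  # no match: implicit deny
        print(packet, "->", evaluate(ACL, *packet))
```

The SSH and ICMP packets are the point of the answer: nothing in the list mentions them, so they never reach a permit and fall through to the implicit deny, which is why a reviewer auditing an ACL looks for what is missing as much as for what is listed.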
40. D. ARP poisoning is an attack in which an attacker sends spoofed Address Resolution Protocol (ARP) messages onto a local network. This allows the attacker to monitor data passing through the network.
Option A is incorrect. DNS poisoning is an attack where the attacker modifies the DNS server records to redirect a user to another website that can contain different types of malware.
Option B is incorrect. Injection is a computer attack where the attacker enters malicious code in an application and the malicious code is passed to the backend database.
Option C is incorrect. Impersonation is a form of social engineering where an attacker impersonates another person, such as a repair technician, to access a secured area.
41. D. A Trojan is malware that is disguised as a legitimate program and can allow hackers to gain access to a user’s system.
Option A is incorrect. A keylogger is a program that records every keystroke from the user and sends them to the hacker.
Option B is incorrect. A worm is self-replicating malware that spreads to other computers in the network. It is designed to consume network bandwidth.
Option C is incorrect. Ransomware is malware that prevents or limits users from accessing their computer. This is achieved by locking the system’s screen or encrypting the user’s files unless a ransom is paid.
42. B. MTTR (mean time to repair) is the average time it takes for a failed device or component to be repaired or replaced.
Option A is incorrect. RTO (recovery time objective) is the amount of time it takes to resume normal business operations after an event.
Option C is incorrect. MTBF (mean time between failures) is the rating on a device or component that predicts the expected time between failures.
Option D is incorrect. RPO (recovery point objective) is the period of time a company can tolerate lost data being unrecoverable between backups.
43. B. The correct answer is life. Natural disasters and intentional man-made attacks can jeopardize the lives of employees. These events could include severe weather, arson and other fires, and terrorist attacks.
Option A is incorrect. This type of impact could jeopardize the personal safety of employees and customers.
Option C is incorrect. This type of impact could cause monetary damages to a company, not jeopardize the lives of employees and customers.
Option D is incorrect. This type of impact could negatively affect the image the company has in its community.
44. B. A script kiddie is an immature hacker with little knowledge about exploits. The typical script kiddie will use existing and well-known techniques and scripts to search for and exploit weaknesses in a computer system.
Option A is incorrect. Man-in-the-middle is an attack, not a type of attacker; in it, an attacker captures and replays network data between two parties without their knowledge.
Option C is incorrect. White-hat hackers attempt to break into a protected network. Their skills are used to improve the security of a network by revealing vulnerabilities and mitigating them before malicious attackers discover them.
Option D is incorrect. A hacktivist performs hacktivism. This is the act of hacking into a computer system for a politically or socially motivated purpose.
45. B. The correct answer is users. The company’s standard employees are its first line of defense. Users receive general cybersecurity awareness training.
Option A is incorrect. Based on the user’s job role in the organization, different titles will receive different types of training. Data owners usually receive training on how to manage sensitive information.
Option C is incorrect. System administrators usually receive training on how to configure and maintain certain systems.
Option D is incorrect. System owners usually receive training on how to manage certain systems.
46. B. Full-disk encryption will protect the data that is not currently being accessed should the hard drive be compromised. Full-disk encryption will prevent an unauthorized individual from reading the data on the hard drive.
Option A is incorrect. Biometrics will not protect data stored on a storage device not in use, as an attacker can steal the storage device and retrieve the clear-text data without the need for biometric authentication.
Option C is incorrect. A host intrusion prevention system (HIPS) is used to monitor a client computer for malicious activity and performs an action based on an implemented rule. This will not protect data stored on a storage device should it be stolen.
Option D is incorrect. A host intrusion detection system (HIDS) is used to monitor a client computer for malicious activity. A HIDS would not protect the data if the storage device is stolen.
47. B. Qualitative risk analysis uses descriptions and words to measure the amount of impact of a risk. A weakness of qualitative risk analysis is its sometimes subjective and untestable methodology.
Options A, C, and D are incorrect. These statements describe quantitative risk analysis.
48. A. A stateful firewall distinguishes valid packets for different types of connections. Packets that match a known active connection will be allowed to pass through the firewall.
Option B is incorrect. A stateless firewall evaluates current packets and does not keep track of the state of network connections.
Option C is incorrect. An application firewall scans, monitors, and controls network access and operations to and by an application or service. It makes it possible to control and manage the processes of an application or service from an external network to an internal network.
Option D is incorrect. A packet filter firewall controls access to a network by watching outgoing and incoming packets. Based on the source and destination IP addresses, protocols, and ports, the firewall will allow or deny access to the desired network.
49. A, C. The correct answers are fingerprint and home address. This data is often used to distinguish an individual identity as per the personally identifiable information definition used by NIST.
Option B is incorrect. The MAC address is used to identify a device that connects to a network. Anyone can use a particular device without being personally identified.
Option D is incorrect. Gender alone is less often used to characterize an individual’s identity. When combined with a standalone PII element, gender can be used to identify an individual.
50. B. The correct answer is to remotely wipe the mobile device. This action will prevent sensitive data from being accessed by an unauthorized person.
Option A is incorrect. A push notification is a message that pops up on a mobile device. It can provide convenience and value to app users. Users can receive important information ranging from sports scores, new updates, and flight status to weather reports.
Option C is incorrect. Screen lock requires the user to perform a specific action, and the user will not be able to lock the screen if they don’t have possession of the mobile device.
Option D is incorrect. Geofencing defines a virtual boundary in a geographical area and can generate alerts based on the defined coordinates of the geographical area.
51. B. The correct answer is full and differential. A full backup is considered the most basic type as it copies all of the files. A differential backup copies all the files that have changed since the last full backup.
Option A is incorrect. A full backup is considered the most basic type because it copies all of the files. An incremental backup copies only the files that have changed since the last full or incremental backup.
Option C is incorrect. Snapshots copy the entire architectural instance of a system. This process is also referred to as image backup.
Option D is incorrect. A full backup is considered the most basic type because it copies all of the files.
52. A. An IPv6 address is a 128-bit address that uses hexadecimal values (0–9 and A–F).
Option B is incorrect. IPv4 is a 32-bit address that uses decimal values between 0 and 255.
Option C is incorrect. A MAC address is the physical address of a device that connects to a network. It is made up of six pairs of hexadecimal values.
Option D is incorrect. Automatic Private IP Addressing is a self-assigned address used when no DHCP server or any other automatic method for assigning IP addresses is available.
53. D. Bluejacking is the act of sending unsolicited messages from one Bluetooth device to another Bluetooth device, such as smartphones, tablets, and laptop computers.
Option A is incorrect. Jamming can compromise a wireless network, denying service to authorized users by overwhelming frequencies with illegitimate traffic.
Option B is incorrect. Bluesnarfing is the theft of information from a Bluetooth-enabled device through a Bluetooth connection.
Option C is incorrect. Brute force is a trial-and-error method that involves guessing all possible passwords and passphrases until the correct one is discovered.
54. A. RSA is an asymmetric algorithm that uses private and public keys to encrypt and decrypt data.
Option B is incorrect. Data Encryption Standard (DES) is a symmetric key algorithm that uses the same key to encrypt and decrypt data.
Option C is incorrect. MD5 is a 128-bit hashing algorithm.
Option D is incorrect. SHA is known as a hashing algorithm. Hashing transforms a string of characters into a key that represents the original string. This is also known as one-way encryption because the hash cannot be decrypted to reveal the original string.
55. A. Automatically encrypting outgoing emails will protect the company’s sensitive email that may contain personally identifiable information. Should the email be intercepted, the attacker wouldn’t be able to read the information contained in the email.
Options B and D are incorrect. Monitoring all outgoing and incoming emails will not protect the company’s sensitive information. When the administrator receives a notice that the email was compromised, it’s too late.
Option C is incorrect. Automatically encrypting incoming emails doesn’t help secure the company’s sensitive information since this information is leaving the network, not entering the network.
56. B. A clean desk policy ensures that all sensitive/confidential documents are removed from an end-user workstation and locked up when the documents are not in use.
Option A is incorrect. Separation of duties is the concept of having more than one person required to complete a task.
Option C is incorrect. A job rotation policy is the practice of moving employees between different tasks to promote experience and variety.
Option D is incorrect. A privacy policy is a policy that describes the ways a party gathers, uses, discloses, and manages a customer’s or client’s data.
57. A. The screen lock option can be enabled to prevent an unauthorized person from viewing the data on a device should the owner leave it unattended. This option can be configured to engage within seconds to minutes if the device is unattended.
Option B is incorrect. A push notification is a message that pops up on a mobile device. It can provide convenience and value to app users. Users can receive important information ranging from sports scores, new updates, and flight status to weather reports.
Option C is incorrect. Remote wipe is an action that will prevent sensitive data from being accessed by an unauthorized person by resetting the device to its default state.
Option D is incorrect. Full device encryption encodes all of the user’s data on a mobile device by using an encryption key.
58. A. Biometrics are a person’s physical characteristics, such as a fingerprint, retina, hand geometry, and voice.
Option B is incorrect. A proximity card is a contactless smartcard that is held near an electronic reader to grant access to a particular area.
Option C is incorrect. Least privilege gives users the lowest level of rights that still lets them do their job, to limit the potential chance of a security breach.
Option D is incorrect. Group Policy is used by network administrators in a Microsoft Active Directory to implement certain configurations for users and computers.
59. A. A virtual private network (VPN) creates an encrypted connection between a remote client and a private network over an insecure network such as the Internet.
Option B is incorrect. A wireless LAN (WLAN) allows a mobile user to connect to a local area network (LAN) using the 802.11 wireless standard.
Option C is incorrect. Network Address Translation (NAT) is a function in a router that translates private IP addresses to public IP addresses, and vice versa. NAT hides the private IP addresses from the Internet and is also a solution for the limited number of IPv4 addresses available.
Option D is incorrect. An ad hoc network is composed of devices connected to and communicating with each other directly.
60. B. A cross-site request forgery attack occurs when an attacker tricks a user into performing unwanted actions on a website the user is currently authenticated to.
Option A is incorrect. A replay attack occurs when a legitimate network transmission is captured by an attacker and then maliciously retransmitted to trick the receiver into unauthorized operations.
Option C is incorrect. Cross-site scripting enables attackers to insert client-side script into a webpage that other users can view.
Option D is incorrect. A buffer overflow attack occurs when a program attempts to place more data in a buffer (memory) than it can hold. This action can corrupt data, crash the program, or execute malicious code.
61. C. The correct answer is mandatory access control (MAC). Access is controlled by comparing security labels with security clearances such as Confidential, Secret, and Top Secret.
Option A is incorrect. Role-based access control (RBAC) controls access based on the roles the users have within the system and on rules stating the access that is allowed for the users in a given role.
Option B is incorrect. Discretionary access control (DAC) controls access based on the object owner’s policy.
Option D is incorrect. Attribute-based access control (ABAC) controls access based on three types of attributes: the user attributes, the current environmental conditions, and the accessed application or system attributes.
62. B. Virtualization allows the creation of virtual resources such as a server operating system. Multiple operating systems can run on one machine by sharing resources such as RAM, hard drive, and CPU.
Option A is incorrect. Infrastructure as a Service (IaaS) is a cloud computing concept that provides computing resources over the Internet.
Option C is incorrect. Software as a Service (SaaS) is a concept that distributes software to customers over the Internet.
Option D is incorrect. A public cloud is a cloud computing model that provides service to the public over the Internet.
63. A, C. MD5 and SHA have known cases of collisions.
Options B, D, and E are incorrect. There are no known collisions with AES, SHA-256, and RSA.
64. C. An extranet will give customers, vendors, suppliers, and other businesses access to a controlled private network while preventing them from accessing the company’s entire network.
Option A is incorrect. An intranet is a private network found within a company and accessed from within the LAN.
Option B is incorrect. The Internet is a global network of computers and devices that can communicate with anyone or any device anywhere in the world.
Option D is incorrect. A honeynet is a collection of honeypots. A honeypot is a system that is set up with vulnerabilities to entice an attacker so as to view their activity and methods for research purposes.
65. D. A property return form properly records all equipment, keys, and badges that must be surrendered to the company when the employee leaves the company.
Option A is incorrect. Job rotation is a policy that describes the practice of moving employees between different tasks to promote experience and variety.
Option B is incorrect. An NDA (nondisclosure agreement) protects sensitive and intellectual data from getting into the wrong hands.
Option C is incorrect. A background check is a process that is performed when a potential employee is considered for hire.
66. D. Password Authentication Protocol (PAP) is an authentication protocol that sends the username and password as plain text to the authentication server.
Option A is incorrect. TACACS+ is a protocol developed by Cisco that uses TCP for authentication, authorization, and accounting services.
Option B is incorrect. Challenge-Handshake Authentication Protocol (CHAP) validates the identity of remote clients using a three-way handshake.
Option C is incorrect. NTLM authenticates the client and server using a challenge-response process that is made up of three messages.
67. B, D. BCRYPT and PBKDF2 use key stretching to reduce the effectiveness of brute-force attacks against weak keys. Both are considered password hashing functions.
Option A is incorrect. ROT13 is an encoding method that replaces each letter of the alphabet with the corresponding letter of the second half of the alphabet: A becomes N, B becomes O, and so on.
Option C is incorrect. RIPEMD is a cryptographic hashing function based on MD4 and does not offer adequate protection.
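How the key stretching credited to PBKDF2 in this answer works, as an added example (this is not code from the book): a small password-store routine in Python that derives a PBKDF2-HMAC-SHA256 hash with hashlib, stores it with its salt and iteration count, verifies a candidate password in constant time, and measures what one guess costs at a given iteration count. The record format, the 600,000-iteration default and the benchmark password are this example's own choices, not values from the book; bcrypt is not shown because it needs a third-party package.

```python
import hashlib
import hmac
import os
import time

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # assumed cost setting for this example, not a value from the book


def stretch(password: str, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256: each iteration feeds the HMAC output back into HMAC,
    so every password guess costs an attacker the same `iterations` of work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen)


def make_record(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Stored form (example's own format): algorithm$iterations$salt$hash.
    Keeping the iteration count in the record lets the cost be raised later
    without breaking verification of older records."""
    salt = os.urandom(16)   # fresh random salt per password defeats precomputed tables
    digest = stretch(password, salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify(password: str, record: str) -> bool:
    """Recompute the stretched hash with the stored salt and count, then compare
    in constant time so the comparison itself leaks nothing about the digest."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = stretch(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Rough cost of one guess at this iteration count on this machine; the cost
    grows linearly with `iterations`, which is the whole point of stretching."""
    salt = b"\x00" * 16   # fixed salt: only the timing matters here
    start = time.perf_counter()
    for _ in range(samples):
        stretch("benchmark", salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    record = make_record("correct horse battery staple")
    print(record)
    print("verify correct password:", verify("correct horse battery staple", record))
    print("verify wrong password:  ", verify("correct horse battery stable", record))
    for count in (1_000, 100_000):
        print(f"{count:>7} iterations: {seconds_per_guess(count):.4f} s per guess")
```

The one-iteration output of stretch("password", b"salt", 1) matches the published PBKDF2-HMAC-SHA256 test vector, which is a useful sanity check when wiring any stretching function into a password store.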
68. C. The correct answer is to reduce the signal strength for indoor coverage only. This action will prevent potential attackers from accessing the wireless access point and possibly compromising the users currently connected. Having the signal limited to inside the business will help determine who is possibly connected.
Option A is incorrect. The antenna type determines whether the signal transmits in a 360-degree pattern (omnidirectional) or in a direction between 80 and 120 degrees (directional).
Option B is incorrect. Disabling the SSID broadcast will prevent users from seeing the wireless access point (WAP). The users would be required to enter the name of the WAP, and this will not prevent the signal from extending into the parking lot.
Option D is incorrect. Enabling MAC filtering will not prevent the signal from extending into the parking lot. MAC filtering controls who is permitted or prohibited on the network.
69. D. Least privilege gives users the lowest level of rights that still lets them do their job, to limit the potential chance of a security breach.
Option A is incorrect. Job rotation is the practice of rotating employees among the jobs assigned within their employment to promote flexibility and keep employees interested in their jobs.
Option B is incorrect. Time-of-day restriction is a form of logical access control where access to specific applications or systems is restricted outside of specific hours.
Option C is incorrect. Separation of duties is a control where error and fraud are prevented by having at least two employees responsible for separate parts of a task.
70. D. Hashing transforms a string of characters into a key that represents the original string. When the string of characters is hashed again and the result is compared to the original hash, any modification of the string is revealed.
Option A is incorrect. Key stretching is a technique to make a weak key stronger against brute-force attacks and increase the time the attacker must spend to guess the result.
Option B is incorrect. Steganography is the practice of hiding a message such as a file within a picture.
Option C is incorrect. Key exchange is the practice of exchanging cryptographic keys between two parties.
71. C. A certificate revocation list (CRL) is a list of certificates that were revoked by a CA before their expiration date. The certificates listed in the CRL should not be considered trusted.
Option A is incorrect. An intermediate certificate authority (CA) issues certificates to verify a digital device within a network or on the Internet.
Option B is incorrect. A certificate signing request (CSR) is an encrypted message sent to a CA that validates the information the CA requires in order to issue certificates.
Option D is incorrect. Key escrow is a location where authorized users can obtain keys to decrypt encrypted data.
72. C. The user is using an intimidation tactic to get the employee to take action quickly. Sometimes intimidation tactics can be combined with other principles such as urgency.
Option A is incorrect. Scarcity is a tactic that gets people to make quick decisions without thinking through the decision. An example is when people are encouraged to take action because they think there is a limited supply of a product.
Option B is incorrect. Consensus is a tactic to get people to like what other people like.
Option D is incorrect. Authority is a tactic to get people to comply when a person of authority says to do so. The user is not in an authoritative position; the user is calling on behalf of his manager.
73. B, C. The correct answers are full-device encryption and screen locks. Full-device encryption encodes all the user’s data on a mobile device by using an encryption key, and enabling screen lock prevents an unauthorized person from viewing the data on a device should the owner leave it unattended.
Option A is incorrect. Geofencing defines a virtual boundary in a geographical area and can generate alerts based on the defined coordinates of the geographical area.
Option D is incorrect. A push notification is a message that pops up on a mobile device. It can provide convenience and value to app users. Users can receive important information ranging from sports scores, new updates, and flight status to weather reports.
74. B. The correct answer is ifconfig. This command is used on a Linux OS to obtain the MAC address of the computer on which the OS is installed.
Option A is incorrect. The ipconfig command is used on a Windows OS to obtain the MAC address of the computer on which the OS is installed.
Option C is incorrect. tracert is a Windows command used to trace the path a packet takes on an IP network from the source to the destination.
Option D is incorrect. ping is a command used to test the connectivity between two devices. ping uses ICMP and waits for an echo reply to learn whether the device is currently running.
75. D. An account expiration policy will prevent contractors from attempting to access the network after they leave. The provisioning team can set the date when the contractor is scheduled to leave, and after that date the user will not be able to access systems within the company’s network.
Option A is incorrect. Account disablement requires an administrator to manually disable the account. Should the administrator set a policy for failed logon attempts, this would disable the account. If the contractor can sign in without failed attempts, the disablement policy will not go into effect.
Option B is incorrect. An account lockout policy is triggered if there are failed attempts to log into the system. If the contractor can sign in without failed attempts, the lockout policy will not go into effect.
Option C is incorrect. Enforce password history is a policy that requires users to use a certain number of unique passwords before they can reuse a password. This policy will not help prevent contractors from accessing the company’s network.
76. A. Password complexity is a rule that demands inclusion of three of the four following character sets: lowercase letters, uppercase letters, numerals, and special characters.
Option B is incorrect. Password length determines the minimum number of alphanumeric characters a password must have. This will not lock out a hacker from potentially guessing a username and password.
Option C is incorrect. Password history determines the number of new passwords a user must use before an old password can be used again.
Option D is incorrect. Group Policy is used by network administrators in a Microsoft Active Directory to implement certain configurations for users and computers.
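The three password rules contrasted in this answer (complexity, length, and history), as an added example in Python rather than anything from the book: a checker that applies the three-of-four character-set rule, a minimum length, and an enforce-password-history list kept as salted hashes so old passwords are never stored in the clear. The minimum length of 12, the history depth of 5, and the 10,000-iteration PBKDF2 cost used for the history entries are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re

# The four character sets named in the complexity rule.
CHARACTER_SETS = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "numeral": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

HISTORY_ITERATIONS = 10_000   # assumed cost for this example; kept low so it runs quickly


def character_sets_used(password: str) -> set:
    """Names of the character sets that appear at least once in the password."""
    return {name for name, pattern in CHARACTER_SETS.items() if pattern.search(password)}


def meets_complexity(password: str, required_sets: int = 3) -> bool:
    """Complexity rule: at least three of the four character sets must be present."""
    return len(character_sets_used(password)) >= required_sets


def history_entry(password: str) -> tuple:
    """Record an old password as (salt, salted slow hash), never as the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, HISTORY_ITERATIONS)
    return salt, digest


def in_history(password: str, entries) -> bool:
    """True if the candidate matches any stored history entry (constant-time compare)."""
    for salt, digest in entries:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, HISTORY_ITERATIONS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_policy(password: str, history_entries=(), min_length: int = 12, history_depth: int = 5) -> list:
    """Return the names of the rules the password fails; an empty list means accepted.
    Each rule mirrors one option in the question: length, complexity, history."""
    failures = []
    if len(password) < min_length:
        failures.append("length")
    if not meets_complexity(password):
        failures.append("complexity")
    # Only the most recent `history_depth` passwords count toward reuse.
    if in_history(password, list(history_entries)[-history_depth:]):
        failures.append("history")
    return failures


if __name__ == "__main__":
    previous = [history_entry("Correct-Horse-9")]   # constructed sample history
    for candidate in ("password", "correcthorsebattery", "Correct-Horse-9", "Battery-Staple-7"):
        print(f"{candidate!r}: {check_policy(candidate, previous) or 'accepted'}")
```

Note that the length and complexity rules are evaluated on the plain candidate before it is ever hashed, while the history rule can only work on stored hashes; that is why a history check needs the salt of each old entry rather than a single site-wide hash.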
77. D. CYOD (Choose Your Own Device) allows an employee to choose from a limited number of devices. The business can also limit the usage of the device to work activities only.
Option A is incorrect. Data loss prevention (DLP) prevents sensitive data from leaving a company’s network by scanning it.
Option B is incorrect. Company-owned, personally enabled (COPE) allows companies to provide employees with devices. The company maintains ownership of these devices, and frequently monitors and controls their activity to a larger extent. With COPE devices, employees can access social media sites, email, and personal calls.
Option C is incorrect. Bring Your Own Device (BYOD) allows an employee to use their own personal device, such as a smartphone or laptop, and connect to the company’s network.
78. C. Multifactor authentication requires more than one method of authentication from independent credentials: something you know, something you have, and something you are.
Option A is incorrect. Identification is used to identify a user within the system. It allows each user to distinguish themselves from other users.
Option B is incorrect. Single authentication is one method of authentication from independent credentials: something you know, something you have, or something you are.
Option D is incorrect. Transitive trust is a two-way relationship that is created between parent and child domains in a Microsoft Active Directory forest. When a child domain is created, it will share the resources with its parent domain automatically. This allows an authenticated user to access resources in both the child and parent domains.
79. B, D. The correct answers are email address and fingerprint. Personally identifiable information (PII) is any information that can be used to distinguish or trace an individual’s identity.
Options A and C are incorrect. Date of birth and race cannot identify an individual on their own because those items are considered general information.
80. A. The correct answer is a false positive. When legitimate data enters a system and the host intrusion prevention system (HIPS) mistakenly marks it as malicious, it is referred to as a false positive.
Option B is incorrect. A false negative is the opposite of a false positive, where a HIPS allows malicious data into your network by marking it as legitimate activity.
Option C is incorrect. A credentialed vulnerability scan consists of a scanning computer with an account on the computer being scanned so that the scanner can perform a deeper check for problems not seen from the network.
Option D is incorrect. A noncredentialed vulnerability scan provides a quick view of vulnerabilities by looking at network services that are exposed by the host.
81. D. The correct answer is SNMPv3. Simple Network Management Protocol (SNMP) collects and organizes information about managed devices on an IP network. SNMPv3 is the newest version, and its primary feature is enhanced security.
Option A is incorrect. Secure Shell (SSH) allows users to securely log on to a remote computer and perform the same actions as though they were at the local computer.
Option B is incorrect. SNMP is the original version and doesn’t provide security.
Option C is incorrect. Simple Mail Transfer Protocol (SMTP) is the standard protocol for email communication over the Internet.
82. A. A Time-Based One-Time Password (TOTP) is a temporary passcode that is generated for the purpose of authenticating to a computer system, and the passcode is valid for a certain amount of time—for example, 30 seconds.
Option B is incorrect. An HMAC-Based One-Time Password (HOTP) is a temporary passcode that is generated for the purpose of authenticating to a computer system, and the passcode is valid until it is used by the user.
Option C is incorrect. A smartcard is a hardware token, usually the size of a credit card, with an embedded chip that connects to a reader.
Option D is incorrect. A proximity card is a contactless smartcard that is held near an electronic reader to grant access to a particular area.
83. C. Kerberos is an authentication protocol that uses tickets to allow access to resources within the network.
Option A is incorrect. Remote Authentication Dial-In User Service (RADIUS) enables remote access servers to communicate with a central server. This central server is used to authenticate and authorize users to access network services and resources.
Option B is incorrect. TACACS+ is a protocol developed by Cisco that uses TCP for authentication, authorization, and accounting services.
Option D is incorrect. Security Assertion Markup Language (SAML) is an XML standard that allows a user to log in once to an affiliate website and that supports Single Sign-On (SSO) authentication.
84. C. The correct answer is C. This is not a vulnerability, because most systems will not automatically shut down when they have reached their end-of-life period.
Options A, B, and D are incorrect. These are vulnerabilities of end-of-life systems. When a system reaches its end-of-life period, attackers can exploit it since the company will no longer support the system by, for example, sending patches to further protect it.
85. B, C. A worm self-replicates over the network to consume bandwidth, and a virus needs to be attached to a file to be replicated over the network.
Options A and D are incorrect. A worm is stand-alone malware that does not need to copy itself to a file. A virus must be attached to a file and requires someone to spread it, knowingly or unknowingly, without the knowledge or permission of the user.
86. B. An evil twin is a fake access point that looks like a legitimate one. The attacker will use the same network name and transmit beacons to get a user to connect. This allows the attacker to gain personal information without the end user knowing.
Option A is incorrect. A rogue access point is a wireless access point that has been installed on a network without the user’s knowledge. It receives beacons transmitted by legitimate access points within the company.
Option C is incorrect. Bluejacking is the act of sending unsolicited messages from one Bluetooth device to another Bluetooth device, such as smartphones, tablets, and laptop computers.
Option D is incorrect. Bluesnarfing is the theft of information from a Bluetooth-enabled device through a Bluetooth connection.
87. A. WPA2 with CCMP provides data confidentiality and authentication. CCMP uses a 128-bit key, which is considered secure against attacks.
Option B is incorrect. Wired Equivalent Privacy (WEP) is a security protocol for WLANs and is known to have vulnerabilities that make it prone to attacks.
Option C is incorrect. WPA with CCMP does not exist. WPA adopted the TKIP protocol.
Option D is incorrect. WiFi Protected Setup (WPS) uses an 8-digit PIN and is vulnerable to a brute-force attack.
88. C. Business impact analysis (BIA) usually identifies costs linked to failures. These costs may include equipment replacement, salaries paid to employees to catch up with loss of work, and loss of profits.
Option A is incorrect. A security audit tests how effective security policies are in helping protect a company’s assets, such as by performing security vulnerability scans.
Option B is incorrect. Asset identification identifies system assets based on known information about the asset. The policy usually describes the purpose of the asset and methods for identifying assets.
Option D is incorrect. A disaster recovery plan (DRP) is a document that describes the steps for responding to an unplanned incident. Tony’s job is to determine what result would occur should the SQL server go down. A DRP is a plan for when a system component actually fails.
89. A. Cloud storage offers protection from cyberattacks since the data is backed up. Should the data become corrupted, the hospital can recover the data from cloud storage.
Option B is incorrect. Wiping is the action of making data that is stored on a mobile device inaccessible.
Option C is incorrect. A security information and event management (SIEM) system identifies, monitors, records, and analyzes any security event or incident in real time.
Option D is incorrect. Supervisory Control and Data Acquisition (SCADA) is used in power plants to gather and analyze data in real time from a remote location to control the equipment.
90. A. A logic bomb is malicious code that is inserted intentionally and designed to execute under certain circumstances. It is designed to display a false message, delete or corrupt data, or have other unwanted effects.
Option B is incorrect. A Remote Access Trojan (RAT) is a malware program that allows administrative control over a system via a back door.
Option C is incorrect. Spyware is installed on a computer system without the user’s knowledge. This is considered tracking software, and it can collect keystrokes and use cookies to track the websites the user visits.
Option D is incorrect. Ransomware is malware that prevents or limits users from accessing their computer. This is achieved by locking the system’s screen or encrypting the user’s files unless a ransom is paid.
91. A. A hacktivist engages in hacktivism, which is the act of hacking into a computer system for a politically or socially motivated purpose.
Option B is incorrect. An insider is someone who threatens a company's security from within the company.
Option C is incorrect. A script kiddie is an immature hacker. The typical script kiddie will use existing and well-known techniques and scripts to search for and exploit weaknesses in a computer system.
Option D is incorrect. An evil twin is a rogue wireless access point that impersonates an authentic WiFi access point. The purpose of an evil twin is to have the user connect to the rogue access point so that their personal information can be collected without the user's knowledge.
717292. C. Vishing is a type of social engineering attack that tries to trick a person into disclosing
7173secure information over the phone or a Voice over IP (VoIP) call.
7174Option A is incorrect. Whaling is a form of phishing attack designed to target the head of
7175a company.
7176Option B is incorrect. Phishing is the practice of sending emails claiming to be from a
7177reputable company to individuals in order to persuade them to disclose their personal
7178information by clicking a fraudulent link.
Option D is incorrect. Spear phishing is a form of phishing attack designed to target specific individuals and get them to disclose confidential information.
Chapter 7: Practice Test
93. A, D, E. The correct answers are third-party app store, rooting, and sideloading. Restricting these options will increase the security of a device. Third-party app stores can carry apps that may contain malware. Companies will allow only certain apps to be downloaded. Rooting is the process of gaining privileged control over a device. For a user with root access, anything is possible, such as installing new applications, uninstalling system applications, and revoking existing permissions. Sideloading is installing applications on a mobile device without using an official distribution channel.
Option B is incorrect. Biometrics are a person's physical characteristics, such as a fingerprint, retina, hand geometry, and voice.
Option C is incorrect. Content management systems are used to create and manage digital content for enterprises and web content.
94. A, C. The correct answers are IPSec and SSL. IPSec protects IP packets that are exchanged between the remote network and an IPSec gateway, which is located on the edge of a private network. Secure Sockets Layer (SSL) usually supplies secure access to a single application.
Option B is incorrect. Data Encryption Standard (DES) is a deprecated symmetric-key data encryption method.
Option D is incorrect. Secure File Transfer Protocol (SFTP) uses SSH to transfer files to a remote system and requires the client to authenticate to the remote server.
95. D. Public Key Infrastructure (PKI) distributes and identifies public keys to users and computers securely over a network. It also verifies the identity of the owner of the public key.
Option A is incorrect. WiFi Protected Access (WPA) is a security protocol for WLANs. It is known to have vulnerabilities and is prone to attacks.
Option B is incorrect. Object identifiers are unique numeric values that identify an object to avoid conflicts with another object when different directories are combined.
Option C is incorrect. PFX is a file extension for an encrypted security file that stores certificates used for authentication.
720996. D. Transitive trust is a two-way relationship that is created between parent and child
7210domains in a Microsoft Active Directory forest. When a child domain is created, it will
7211share the resources with its parent domain automatically. This allows an authenticated
7212user to access resources in both the child and parent domains.
7213Option A is incorrect. Multifactor authentication requires more than one method of
7214authentication from independent credentials: something you know, something you have,
7215and something you are.
7216Option B is incorrect. Federation refers to a group of network providers that agree on a
7217standard of operation in a collective manner.
7218Option C is incorrect. Single sign-on (SSO) is the ability to permit a user to use one set of
7219credentials to log in and access multiple resources.
97. C. Identification is used to identify a user within the system. It allows each user to distinguish itself from other users.
Option A is incorrect. Authorization determines the user's privilege or access level to a resource such as computer programs, files, and data.
Option B is incorrect. Authentication confirms a user's identity from the credentials provided.
Option D is incorrect. Accounting is the process of tracking a user's activities within a network. These activities include services accessed, amount of data accessed or transferred, and logins for authentication and authorization.
723198. B. Steganography is the practice of hiding a message such as a file within a picture.
7232Option A is incorrect. Data sanitization is the act of permanently removing data stored on
7233a memory device.
Option C is incorrect. Tracert is a Windows command-line utility that displays the route between your computer and the specified destination through the Internet.
7236Option D is incorrect. Network mapping discovers and displays the physical and virtual
7237connectivity within a network.
99. B, D. The correct answers are static ARP entries and port security. A static ARP entry is the process of assigning a MAC address to an IP address to prevent an attacker from poisoning the cache. Disabling unused physical ports will prevent an attacker from plugging in their laptop and performing ARP poisoning.
Option A is incorrect. An antivirus is designed to prevent, detect, and remove malware infections from a user's computer.
Option C is incorrect. Patch management is the process of collecting, testing, and installing patches on computers in a local network.
100. D. Implicit deny is placed at the bottom of the list. If traffic goes through the ACL's list of rules and isn't explicitly denied or allowed, implicit deny will deny the traffic, as it is the last rule. In other words, if traffic is not explicitly allowed within an access list, then by default it is denied.
Option A is incorrect. USB blocking is the act of prohibiting a user from inserting a USB device and possibly transferring files from a PC or infecting a network with malware from the USB device.
Option B is incorrect. Time synchronization ensures all devices have the same time. This is important since managing, securing, and debugging networks all depend on knowing when events happened.
Option C is incorrect. MAC filtering is the act of defining a list of devices that are permitted or prohibited on your WiFi network.
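The first-match, implicit-deny behaviour described in answer 100, as an added illustration that is not part of the practice-test book: a small ACL evaluator with a constructed rule set, plus a check for the common mistake of placing permit rules below an explicit deny-all (which the implicit deny makes unnecessary). The rule format, addresses and ports are assumptions for illustration only.

```python
# Added example (not from the practice-test book): a minimal first-match
# ACL evaluator showing how implicit deny works. Rule format, addresses
# and ports are constructed for illustration.
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str              # "permit" or "deny"
    src: str                 # source network in CIDR notation
    dst_port: Optional[int]  # None matches any destination port


def evaluate(acl, src_ip, dst_port):
    """Return (action, index_of_matching_rule).

    Rules are checked top to bottom and the first match wins. If no rule
    matches, the traffic is denied and index -1 marks that the implicit
    deny at the end of the list was reached.
    """
    ip = ip_address(src_ip)
    for i, rule in enumerate(acl):
        if ip in ip_network(rule.src) and rule.dst_port in (None, dst_port):
            return rule.action, i
    return "deny", -1  # implicit deny: nothing explicitly allowed it


def unreachable_rules(acl):
    """Indices of rules shadowed by an earlier explicit deny-everything rule.

    Writing an explicit 'deny any' and then adding permit rules below it
    is a classic misconfiguration: those permits can never match.
    """
    for i, rule in enumerate(acl):
        if rule.action == "deny" and rule.src == "0.0.0.0/0" and rule.dst_port is None:
            return list(range(i + 1, len(acl)))
    return []


# Constructed sample ACL: allow HTTPS from the office LAN, allow SSH from
# one admin host, and rely on the implicit deny for everything else.
SAMPLE_ACL = [
    Rule("permit", "10.1.0.0/16", 443),
    Rule("permit", "10.1.5.10/32", 22),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, "10.1.7.20", 443))    # ('permit', 0)
    print(evaluate(SAMPLE_ACL, "10.1.7.20", 22))     # ('deny', -1) implicit deny
    print(evaluate(SAMPLE_ACL, "192.168.1.5", 443))  # ('deny', -1) implicit deny
```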