Security+_Questions

1. John is analyzing strange behavior on computers in his network. He believes there is mal-
ware on the machines. The symptoms include strange behavior that persists, even if he
boots the machine to a Linux Live CD. What is the most likely cause?
A. Ransomware
B. Boot sector virus
C. Rootkit
D. Key logger
2. Ahmed is a sales manager with a major insurance company. He has received an email that
is encouraging him to click on a link and fill out a survey. He is suspicious of the email,
but it does mention a major insurance association, and that makes him think it might be
legitimate. Which of the following best describes this attack?
A. Phishing
B. Social engineering
C. Spear phishing
D. Trojan horse
3. You are a security administrator for a medium-sized bank. You have discovered a piece of
software on your bank’s database server that is not supposed to be there. It appears that
the software will begin deleting database files if a specific employee is terminated. What
best describes this?
A. Worm
B. Logic bomb
C. Trojan horse
D. Rootkit
4. You are responsible for incident response at Acme bank. The Acme bank website has been
attacked. The attacker used the login screen, but rather than enter login credentials, he or
she entered some odd text: ' or '1' = '1. What is the best description for this attack?
A. Cross-site scripting
B. Cross-site request forgery
C. SQL injection
D. ARP poisoning
5. Juanita is a network administrator for a small accounting firm. The users on her network
are complaining of slow connectivity. When she examines the firewall logs, she observes a
large number of half-open connections. What best describes this attack?
A. DDoS
B. SYN flood
C. Buffer overflow
D. ARP poisoning
6. Frank is deeply concerned about attacks to his company’s e-commerce server. He is par
ticularly worried about cross-site scripting and SQL injection. Which of the following
would best defend against these two specific attacks?
A. Encrypted web traffic
B. Filtering user input
C. A firewall
D. An IDS
7. You are responsible for network security at Acme Company. Users have been reporting
that personal data is being stolen when using the wireless network. They all insist they
only connect to the corporate wireless access point (WAP). However, logs for the WAP
show that these users have not connected to it. Which of the following could best explain
this situation?
A. Session hijacking
B. Clickjacking
C. Rogue access point
D. Bluejacking
8. What type of attack depends on the attacker entering JavaScript into a text area that is
intended for users to enter text that will be viewed by other users?
A. SQL injection
B. Clickjacking
C. Cross-site scripting
D. Bluejacking
9. A sales manager at your company is complaining about slow performance on his com-
puter. When you thoroughly investigate the issue, you find spyware on his computer. He
insists that the only thing he has downloaded recently was a freeware stock trading appli-
cation. What would best explain this situation?
A. Logic bomb
B. Trojan horse
C. Rootkit
D. Macro virus
10. Your company outsourced development of an accounting application to a local program-
ming firm. After three months of using the product, one of your accountants accidently
discovers a way to log in and bypass all security and authentication. What best describes
this?
A. Logic bomb
B. Trojan horse
C. Backdoor
D. Rootkit
11. Teresa is the security manager for a mid-sized insurance company. She receives a call
from law enforcement, telling her that some computers on her network participated in a
massive denial-of-service (DoS) attack. Teresa is certain that none of the employees at her
company would be involved in a cybercrime. What would best explain this scenario?
A. It is a result of social engineering.
B. The machines all have backdoors.
C. The machines are bots.
D. The machines are infected with crypto-viruses.
12. Mike is a network administrator with a small financial services company. He has received
a popup window that states his files are now encrypted and he must pay .5 bitcoins to get
them decrypted. He tries to check the files in question, but their extensions have changed,
and he cannot open them. What best describes this situation?
A. Mike’s machine has a rootkit.
B. Mike’s machine has ransomware.
C. Mike’s machine has a logic bomb.
D. Mike’s machine has been the target of whaling.
13. Terrance is examining logs for the company e-commerce web server. He discovers a num-
ber of redirects that cannot be explained. After carefully examining the website, he finds
some attacker performed a watering hole attack by placing JavaScript in the website and is
redirecting users to a phishing website. Which of the following techniques would be best
at preventing this in the future?
A. An SPI firewall
B. An active IDS/IPS
C. Checking buffer boundaries
D. Checking user input
14. What type of attack is based on sending more data to a target variable than the data can
actually hold?
A. Bluesnarfing
B. Buffer overflow
C. Bluejacking
D. DDoS
15. You have been asked to test your company network for security issues. The specific test
you are conducting involves primarily using automated and semiautomated tools to look
for known vulnerabilities with the various systems on your network. Which of the follow-
ing best describes this type of test?
A. Vulnerability scan
B. Penetration test
C. Security audit
D. Security test
16. Jared discovers that attackers have breached his WiFi network. They have gained access
via the wireless access point (WAP) administrative panel, and have logged on with the
credentials the WAP shipped with. What best describes this issue?
A. Default configuration
B. Race conditions
C. Failure to patch
D. Weak encryption
17. Joanne is concerned about social engineering. She is particularly concerned that this tech-
nique could be used by an attacker to obtain information about the network, including
possibly even passwords. What countermeasure would be most effective in combating
social engineering?
A. SPI firewall
B. An IPS
C. User training
D. Strong policies
18. You are responsible for incident response at a mid-sized bank. You have discovered that
someone was able to successfully breach your network and steal data from your database
server. All servers are configured to forward logs to a central logging server. However,
when you examine that central log, there are no entries after 2:13 a.m. two days ago. You
check the servers, and they are sending logs to the right server, but they are not getting
there. Which of the following would be most likely to explain this?
A. Your log server has a backdoor.
B. Your log server has been hit with a buffer overflow attack.
C. Your switches have been hit with ARP poisoning.
D. Your IDS is malfunctioning and blocking log transmissions.
19. Coleen is the web security administrator for an online auction website. A small number
of users are complaining that when they visit the website and log in, they are told the ser-
vice is down and to try again later. Coleen checks and she can visit the site without any
problem, even from computers outside the network. She also checks the web server log
and there is no record of those users ever connecting. Which of the following might best
explain this?
A. Typosquatting
B. SQL injection
C. Cross-site scripting
D. Cross-site request forgery
20. Mahmoud is responsible for managing security at a large university. He has just per-
formed a threat analysis for the network, and based on past incidents and studies of
similar networks, he has determined that the most prevalent threat to his network is
low-skilled attackers who wish to breach the system, simply to prove they can or for
some low-level crime, such as changing a grade. Which term best describes this type of
attacker?
A. Hacktivist
B. Amateur
C. Insider
D. Script kiddie
21. Which of the following best describes a collection of computers that have been compro-
mised and are being controlled from one central point?
A. Zombienet
B. Botnet
C. Nullnet
D. Attacknet
22. John is conducting a penetration test of a client’s network. He is currently gathering infor-
mation from sources such as archive.org, netcraft.com, social media, and information
websites. What best describes this stage?
A. Active reconnaissance
B. Passive reconnaissance
C. Initial exploitation
D. Pivot
23. One of the salespeople in your company reports that his computer is behaving sluggishly.
You check but don’t see any obvious malware. However, in his temp folder you find JPEGs
that look like screenshots of his desktop. Which of the following is the most likely cause?
A. He is stealing data from the company.
B. There is a backdoor on his computer.
C. There is spyware on his computer.
D. He needs to update his Windows.
24. What type of attack is based on entering fake entries into a target networks domain name
server?
A. DNS poisoning
B. ARP poisoning
C. Bluesnarfing
D. Bluejacking
25. Frank has been asked to conduct a penetration test of a small bookkeeping firm. For the
test, he has only been given the company name, the domain name for their website, and
the IP address of their gateway router. What best describes this type of test?
A. White-box test
B. External test
C. Black-box test
D. Threat test
26. You work for a security company that performs penetration testing for clients. You are
conducting a test of an e-commerce company. You discover that after compromising the
web server, you can use the web server to launch a second attack into the company’s inter-
nal network. What best describes this?
A. Internal attack
B. White-box testing
C. Black-box testing
D. A pivot
27. While investigating a malware outbreak on your company network, you discover some-
thing very odd. There is a file that has the same name as a Windows system DLL, and
even has the same API interface, but handles input very differently, in a manner to help
compromise the system, and it appears that applications have been attaching to this file,
rather than the real system DLL. What best describes this?
A. Shimming
B. Trojan horse
C. Backdoor
D. Refactoring
28. Your company has hired a penetration testing firm to test the network. For the test, you
have given the company details on operating systems you use, applications you run, and
network devices. What best describes this type of test?
A. White-box test
B. External test
C. Black-box test
D. Threat test
29. Frank is a network administrator for a small college. He discovers that several machines
on his network are infected with malware. That malware is sending a flood of packets to
a target external to the network. What best describes this attack?
A. SYN flood
B. DDoS
C. Botnet
D. Backdoor
30. John is a salesman for an automobile company. He recently downloaded a program
from an unknown website, and now his client files have their file extensions changed,
and he cannot open them. He has received a popup window that states his files are now
encrypted and he must pay .5 bitcoins to get them decrypted. What has happened?
A. His machine has a rootkit.
B. His machine has a logic bomb.
C. His machine has a boot sector virus.
D. His machine has ransomware.
31. When phishing attacks are so focused that they target a specific individual, they are called
what?
A. Spear phishing
B. Targeted phishing
C. Phishing
D. Whaling
32. You are concerned about a wide range of attacks that could affect your company’s web
server. You have recently read about an attack wherein the attacker sends more data to the
target than the target is expecting. If done properly, this could cause the target to crash.
What would best prevent this type of attack?
A. An SPI firewall
B. An active IDS/IPS
C. Checking buffer boundaries
D. Checking user input
33. You work for a large retail company that processes credit card purchases. You have been
asked to test your company network for security issues. The specific test you are conduct-
ing involves primarily checking policies, documentation, and past incident reports. Which
of the following best describes this type of test?
A. Vulnerability scan
B. Penetration test
C. Security audit
D. Security test
34. Maria is a salesperson with your company. After a recent sales trip, she discovers that
many of her logins have been compromised. You carefully scan her laptop and cannot find
any sign of any malware. You do notice that she had recently connected to a public WiFi
at a coffee shop, and it is only since that connection that she noticed her logins had been
compromised. What would most likely explain what has occurred?
A. She connected to a rogue AP.
B. She downloaded a Trojan horse.
C. She downloaded spyware.
D. She is the victim of a buffer overflow attack.
35. You are the manager for network operations at your company. One of the accountants
sees you in the hall and thanks you for your team keeping his antivirus software up to
date. When you ask him what he means, he mentions that one of your staff, named Mike,
called him and remotely connected to update the antivirus. You don’t have an employee
named Mike. What has occurred?
A. IP spoofing
B. MAC spoofing
C. Man-in-the-middle attack
D. Social engineering
36. You are a security administrator for a bank. You are very interested in detecting any
breaches or even attempted breaches of your network, including those from internal per-
sonnel. But you don’t want false positives to disrupt work. Which of the following devices
would be the best choice in this scenario?
A. IPS
B. WAF
C. SIEM
D. IDS
37. One of your users cannot recall the password for their laptop. You want to recover that
password for them. You intend to use a tool/technique that is popular with hackers, and
it consists of searching tables of precomputed hashes to recover the password. What best
describes this?
A. Rainbow table
B. Backdoor
C. Social engineering
D. Dictionary attack
38. You have noticed that when in a crowded area, you sometimes get a stream of unwanted
text messages. The messages end when you leave the area. What describes this attack?
A. Bluejacking
B. Bluesnarfing
C. Evil twin
D. Rogue access point
39. Someone has been rummaging through your company’s trash bins seeking to find docu-
ments, diagrams, or other sensitive information that has been thrown out. What is this
called?
A. Dumpster diving
B. Trash diving
C. Social engineering
D. Trash engineering
40. You have noticed that when in a crowded area, data from your cell phone is stolen. Later
investigation shows a Bluetooth connection to your phone, one that you cannot explain.
What describes this attack?
A. Bluejacking
B. Bluesnarfing
C. Evil twin
D. RAT
41. Louis is investigating a malware incident on one of the computers on his network. He
has discovered unknown software that seems to be opening a port, allowing someone to
remotely connect to the computer. This software seems to have been installed at the same
time as a small shareware application. Which of the following best describes this malware?
A. RAT
B. Backdoor
C. Logic bomb
D. Rootkit
42. This is a common security issue that is extremely hard to control in large environments.
It occurs when a user has more computer rights, permissions, and privileges than what is
required for the tasks the user needs to perform. What best describes this scenario?
A. Excessive rights
B. Excessive access
C. Excessive permissions
D. Excessive privileges
43. Jared is responsible for network security at his company. He has discovered behavior on
one computer that certainly appears to be a virus. He has even identified a file he thinks
might be the virus. However, using three separate antivirus programs, he finds that none
can detect the file. Which of the following is most likely to be occurring?
A. The computer has a RAT.
B. The computer has a zero-day exploit.
C. The computer has a logic bomb.
D. The computer has a rootkit.
44. There are some computers on your network that use Windows XP. They have to stay on
Windows XP due to a specific application they are running. That application won’t run on
newer operating systems. What security concerns does this situation give you?
A. No special concerns; this is normal.
B. The machines cannot be patched; XP is no longer supported.
C. The machines cannot coordinate with an SIEM since XP won’t support that.
D. The machines are more vulnerable to DoS attacks.
45. Farès has discovered that attackers have breached his wireless network. They seem to have
used a brute-force attack on the WiFi-protected setup PIN to exploit the WAP and recover
the WPA2 password. What is this attack called?
A. Evil twin
B. Rogue WAP
C. IV attack
D. WPS Attack
46. Your wireless network has been breached. It appears the attacker modified a portion of
data used with the stream cipher and utilized this to expose wirelessly encrypted data.
What is this attack called?
A. Evil twin
B. Rogue WAP
C. IV attack
D. WPS Attack
47. John is concerned about disgruntled employees stealing company documents and exfiltrat-
ing them from the network. He is looking for a solution that will detect likely exfiltration
and block it. What type of system is John looking for?
A. IPS
B. SIEM
C. Honeypot
D. Firewall
48. Some users on your network use Acme Bank for their personal banking. Those users have
all recently been the victim of an attack, wherein they visited a fake Acme Bank website
and their logins were compromised. They all visited the bank website from your network,
and all of them insist they typed in the correct URL. What is the most likely explanation
for this situation?
A. Trojan horse
B. IP spoofing
C. Clickjacking
D. DNS poisoning
49. Users are complaining that they cannot connect to the wireless network. You discover
that the WAPs are being subjected to a wireless attack designed to block their WiFi signals.
Which of the following is the best label for this attack?
A. IV attack
B. Jamming
C. WPS attack
D. Botnet
50. What type of attack involves users clicking on something different on a website than what
they intended to click on?
A. Clickjacking
B. Bluesnarfing
C. Bluejacking
D. Evil twin
51. What type of attack exploits the trust that a website has for an authenticated user to
attack that website by spoofing requests from the trusted user?
A. Cross-site scripting
B. Cross-site request forgery
C. Bluejacking
D. Evil twin
52. John is a network administrator for Acme Company. He has discovered that someone
has registered a domain name that is spelled just one letter different than his company’s
domain. The website with the misspelled URL is a phishing site. What best describes this
attack?
A. Session hijacking
B. Cross-site request forgery
C. Typosquatting
D. Clickjacking
53. Frank has discovered that someone was able to get information from his smartphone
using a Bluetooth connection. The attacker was able to get his contact list and some
emails he had received. What is this type of attack called?
A. Bluesnarfing
B. Session hijacking
C. Backdoor attack
D. CSRF
54. Juanita is a network administrator for Acme Company. Some users complain that they
keep getting dropped from the network. When Juanita checks the logs for the wireless
access point (WAP), she finds that a deauthentication packet has been sent to the WAP
from the users’ IP addresses. What seems to be happening here?
A. Problem with users’ WiFi configuration
B. Disassociation attack
C. Session hijacking
D. Backdoor attack
55. John has discovered that an attacker is trying to get network passwords by using software
that attempts a number of passwords from a list of common passwords. What type of
attack is this?
A. Dictionary
B. Rainbow table
C. Brute force
D. Session hijacking
56. You are a network security administrator for a bank. You discover that an attacker has
exploited a flaw in OpenSSL and forced some connections to move to a weak cipher suite
version of TLS, which the attacker could breach. What type of attack was this?
A. Disassociation attack
B. Downgrade attack
C. Session hijacking
D. Brute force
57. When an attacker tries to find an input value that will produce the same hash as a pass-
word, what type of attack is this?
A. Rainbow table
B. Brute force
C. Session hijacking
D. Collision attack
58. Farès is the network security administrator for a company that creates advanced routers
and switches. He has discovered that his company’s networks have been subjected to a
series of advanced attacks over a period of time. What best describes this attack?
A. DDoS
B. Brute force
C. APT
D. Disassociation attack
59. You are responsible for incident response at Acme Company. One of your jobs is to
attempt to attribute attacks to a specific type of attacker. Which of the following would
not be one of the attributes you consider in attributing the attack?
A. Level of sophistication
B. Resources/funding
C. Intent/motivation
D. Amount of data stolen
60. John is running an IDS on his network. Users sometimes report that the IDS flags legiti-
mate traffic as an attack. What describes this?
A. False positive
B. False negative
C. False trigger
D. False flag
61. You are performing a penetration test of your company’s network. As part of the test, you
will be given a login with minimal access and will attempt to gain administrative access
with this account. What is this called?
A. Privilege escalation
B. Session hijacking
C. Root grabbing
D. Climbing
62. Mary has discovered that a web application used by her company does not always handle
multithreading properly, particularly when multiple threads access the same variable.
This could allow an attacker who discovered this vulnerability to exploit it and crash the
server. What type of error has Mary discovered?
A. Buffer overflow
B. Logic bomb
C. Race conditions
D. Improper error handling
63. An attacker is trying to get access to your network. He is sending users on your network
a link to a freeware stock-monitoring program. However, that stock-monitoring program
has attached to it software that will give the attacker access to any machine that it is
installed on. What type of attack is this?
A. Rootkit
B. Trojan horse
C. Spyware
D. Boot sector virus
64. Acme Company uses its own internal certificate server for all internal encryption.
However, their certificate authority only publishes a CRL once per week. Does this
pose a danger, and if so what?
A. Yes, this means a revoked certificate could be used for up to seven days.
B. No, this is standard for all certificate authorities.
C. Yes, this means it would be easy to fake a certificate.
D. No, since this is being used only internally.
65. When a program has variables, especially arrays, and does not check the boundary values
before inputting data, what attack is the program vulnerable to?
A. XSS
B. CRSF
C. Buffer overflow
D. Logic bomb
66. Which of the following best describes malware that will execute some malicious activity
when a particular condition is met (i.e., if condition is met, then execute)?
A. Boot sector virus
B. Logic bomb
C. Buffer overflow
D. Sparse infector virus
67. Gerald is a network administrator for Acme Company. Users are reporting odd behavior
on their computers. He believes this may be due to malware, but the behavior is different
on different computers. What might best explain this?
A. It is not malware, but hardware failure.
B. It is a boot sector virus.
C. It is a macro virus.
D. It is a polymorphic virus.
68. Teresa is a security officer at ACME Inc. She has discovered an attack where the attacker
sent multiple broadcast messages to the network routers, spoofing an IP address of one of
the network servers. This caused the network to send a flood of packets to that server and
it is no longer responding. What is this attack called?
A. Smurf attack
B. DDoS attack
C. TCP hijacking attack
D. TCP SYN flood attack
69. Which type of virus is able to alter its own code to avoid being detected by antivirus soft-
ware?
A. Boot sector
B. Hoax
C. Polymorphic
D. Stealth
70. Gerald is a network administrator for a small financial services company. Users are
reporting odd behavior that appears to be caused by a virus on their machines. After iso-
lating the machines that he believes are infected, Gerald analyzes them. He finds that all
the infected machines received an email purporting to be from accounting, with an Excel
spreadsheet, and the users opened the spreadsheet. What is the most likely issue on these
machines?
A. A macro virus
B. A boot sector virus
C. A Trojan horse
D. A RAT
71. Fred is on the incident response team for a major insurance company. His specialty is
malware analysis. He is studying a file that is suspected of being a virus that infected the
company network last month. The file seems to intermittently have bursts of malicious
activity, interspersed with periods of being dormant. What best describes this malware?
A. A macro virus
B. A logic bomb
C. A sparse infector virus
D. A polymorphic virus
72. What is the term used to describe a virus that can infect both program files and boot
sectors?
A. Polymorphic
B. Multipartite
C. Stealth
D. Multiple encrypting
73. Your company has hired an outside security firm to perform various tests of your net-
work. During the vulnerability scan you will provide that company with logins for vari-
ous systems (i.e., database server, application server, web server, etc.) to aid in their scan.
What best describes this?
A. A white-box test
B. A gray-box test
C. A privileged scan
D. An authenticated user scan
74. Which of the following is commonly used in a distributed denial of service (DDoS) attack?
A. Phishing
B. Adware
C. Botnet
D. Trojan
75. You are investigating a recent breach at Acme Company. You discover that the attacker
used an old account of someone no longer at the company. The account was still active.
Which of the following best describes what caused this vulnerability to exist?
A. Improperly configured accounts
B. Untrained users
C. Using default configuration
D. Failure to patch systems
76. Juan is responsible for incident response at a large financial institution. He discovers that
the company WiFi has been breached. The attacker used the same login credentials that
ship with the wireless access point (WAP). The attacker was able to use those credentials
21
to access the WAP administrative console and make changes. Which of the following best
describes what caused this vulnerability to exist?
A. Improperly configured accounts
B. Untrained users
C. Using default configuration
D. Failure to patch systems
77. Elizabeth is investigating a network breach at her company. She discovers a program that
was able to execute code within the address space of another process by using the target
process to load a specific library. What best describes this attack?
A. Logic bomb
B. Session hijacking
C. Buffer overflow
D. DLL injection
78. Zackary is a malware investigator with a cybersecurity firm. He is investigating malware
that is able to compromise a target program by finding null references in the target pro-
gram and dereferencing them, causing an exception to be generated. What best describes
this type of attack?
A. DLL injection
B. Buffer overflow
C. Memory leak
D. Pointer dereference
79. Frank has just taken over as CIO of a mid-sized insurance company. One of the first
things he does is order a thorough inventory of all network equipment. He discovers two
routers that are not documented. He is concerned that if they are not documented, they
might not be securely configured, tested, and safe. What best describes this situation?
A. Poor user training
B. System sprawl
C. Failure to patch systems
D. Default configuration
80. What is the primary difference between an intrusive and a nonintrusive vulnerability
scan?
A. An intrusive scan is a penetration test.
B. A nonintrusive scan is just a document check.
C. An intrusive scan could potentially disrupt operations.
D. A nonintrusive scan won’t find most vulnerabilities.
81. Daryl is investigating a recent breach of his company’s web server. The attacker used
sophisticated techniques and then defaced the website, leaving messages that were
denouncing the company’s public policies. He and his team are trying to determine the
type of actor who most likely committed the breach. Based on the information provided,
who was the most likely threat actor?
A. A script
B. A nation-state
C. Organized crime
D. Hacktivists
82. When investigating breaches and attempting to attribute them to specific threat actors,
which of the following is not one of the indicators of an APT?
A. Long-term access to the target
B. Sophisticated attacks
C. The attack comes from a foreign IP address.
D. The attack is sustained over time.
83. What type of attack uses a second wireless access point (WAP) that broadcasts the same
SSID as a legitimate access point, in an attempt to get users to connect to the attacker’s
WAP?
A. Evil twin
B. IP spoofing
C. Trojan horse
D. MAC spoofing
84. You are investigating a breach of a large technical company. You discover that there have
been several different attacks over a period of a year. The attacks were sustained, each
lasting several weeks of continuous attack. The attacks were somewhat sophisticated and
originated from a variety of IP addresses, but all the IP addresses are within your country.
Which threat actor would you most suspect of being involved in this attack?
A. Nation-state
B. Hacktivist
C. Script kiddie
D. A lone highly skilled hacker
85. Which of the following best describes a zero-day vulnerability?
A. A vulnerability that has been known to the vendor for zero days
B. A vulnerability that has not yet been breached
C. A vulnerability that can be quickly exploited (i.e., in zero days)
D. A vulnerability that will give the attacker brief access (i.e., zero days)
86. You have discovered that there are entries in your network’s domain name server that
point legitimate domains to unknown and potentially harmful IP addresses. What best
describes this type of attack?
A. A backdoor
B. An APT
C. DNS poisoning
D. A Trojan horse
87. What best describes an attack that attaches some malware to a legitimate program so that
when the user installs the legitimate program, they inadvertently install the malware?
A. Backdoor
B. Trojan horse
C. RAT
D. Polymorphic virus
88. Which of the following best describes software that will provide the attacker with remote
access to the victim’s machine, but that is wrapped with a legitimate program in an
attempt to trick the victim into installing it?
A. RAT
B. Backdoor
C. Trojan horse
D. Macro virus
89. Which of the following is an attack that seeks to attack a website, based on the website’s
trust of an authenticated user?
A. XSS
B. CSRF
C. Buffer overflow
D. RAT
90. John is analyzing what he believes is a malware outbreak on his network. Many users
report their machines are behaving strangely. The anomalous behavior seems to occur
sporadically and John cannot find a pattern. What is the most likely cause?
A. APT
B. Boot sector virus
C. Sparse infector virus
D. Key logger
91. Farès is the CISO of a bank. He has received an email that is encouraging him to click on
a link and fill out a survey. Being security conscious, he normally does not click on links.
However, this email calls him by name and claims to be a follow-up to a recent conference
he attended. Which of the following best describes this attack?
A. Clickjacking
B. Social engineering
C. Spear phishing
D. Whaling
92. You are responsible for technical support at your company. Users are all complaining of
very slow Internet connectivity. When you examine the firewall, you find a large num-
ber of incoming connections that are not completed, all packets coming from a single IP
address. What best describes this attack?
A. DDoS
B. SYN flood
C. Buffer overflow
D. ARP poisoning
93. An attacker is trying to get malformed queries sent to the backend database to circumvent
the web page’s security. What type of attack depends on the attacker entering text into
text boxes on a web page that is not normal text, but rather odd-looking commands that
are designed to be inserted into database queries?
A. SQL injection
B. Clickjacking
C. Cross-site scripting
D. Bluejacking
94. Tyrell is responsible for selecting cryptographic products for his company. The company
wants to encrypt the drives of all laptops. The product they have selected uses 128-bit
AES encryption for full disk encryption, and users select a password to decrypt the drive.
What, if any, would be the major weakness in this system?
A. None; this is a good system.
B. The 128-bit AES key is too short.
C. The passwords users select are the weak link.
D. The AES algorithm is the problem; they should use DES.
95. Valerie is responsible for security testing applications in her company. She has discovered
that a web application, under certain conditions, can generate a memory leak. What, type
of attack would this leave the application vulnerable to?
A. DoS
B. Backdoor
C. SQL injection
D. Buffer overflow
96. When a multithreaded application does not properly handle various threads accessing a
common value, what flaw is this?
A. Memory leak
B. Buffer overflow
C. Integer overflow
D. Race condition
97. Acme Company is using smart cards that use near-field communication (NFC) rather than
needing to be swiped. This is meant to make physical access to secure areas more secure.
What vulnerability might this also create?
A. Tailgating
B. Eavesdropping
C. IP spoofing
D. Race conditions
98. John is responsible for physical security at a large manufacturing plant. Employees all use
a smart card in order to open the front door and enter the facility. Which of the following
is a common way attackers would circumvent this system?
A. Phishing
B. Tailgating
C. Spoofing the smart card
D. RFID spoofing
99. Which of the following is the term for an attack wherein malware inserts itself as a
library, such as a DLL, between an application and the real system library the application
is attempting to communicate with?
A. Application spoofing
B. Jamming
C. Evil twin
D. Shimming
100. You are responsible for incident response at Acme Corporation. You have discovered that
someone has been able to circumvent the Windows authentication process for a specific
network application. It appears that the attacker took the stored hash of the password and
sent it directly to the backend authentication service, bypassing the application. What type
of attack is this?
A. Hash spoofing
B. Evil twin
C. Shimming
D. Pass the hash
101. A user in your company reports that she received a call from someone claiming to be from
the company technical support team. The caller stated that there was a virus spreading
through the company and he needed immediate access to the employee’s computer to stop
it from being infected. What social-engineering principles did the caller use to try to trick
the employee?
A. Urgency and intimidation
B. Urgency and authority
C. Authority and trust
D. Intimidation and authority
102. Ahmed has discovered that someone has manipulated tables in one of the company’s
switches. The manipulation has changed the tables so that data destined for one specific
MAC address will now be routed elsewhere. What type of attack is this?
A. ARP poisoning
B. DNS poisoning
C. Man-in-the-middle
D. Backdoor
103. You are investigating incidents at Acme Corporation and have discovered malware on sev-
eral machines. It appears that this malware infects system files in the Windows/System32/
directory and also affects the boot sector. What type of malware is this?
A. Multipartite
B. Boot sector
C. Macro virus
D. Polymorphic virus
104. What type of attack uses Bluetooth to access the data from a cell phone when in range?
A. Phonejacking
B. Bluejacking
C. Bluesnarfing
D. Evil twin
105. An attacker is using a table of precomputed hashes in order to try to get a Windows pass-
word. What type of technique is being used?
A. Dictionary
B. Brute force
C. Pass the hash
D. Rainbow table
106. Carlos works in incident response for a mid-sized bank. Users inform him that internal
network connections are fine, but connecting to the outside world is very slow. Carlos
reviews logs on the external firewall and discovers tens of thousands of ICMP packets
coming from a wide range of different IP addresses. What type of attack is occurring?
A. Smurf
B. DoS
C. DDoS
D. SYN flood
107. What type of attack is it when the attacker attempts to get the victim’s communication to
abandon a high-quality/secure mode in favor of a lower-quality/less secure mode?
A. Downgrade
B. Brute force
C. Rainbow table
D. Bluesnarfing
108. What type of penetration test is being done when the tester is given extensive knowledge
of the target network?
A. White-box
B. Full disclosure
C. Black-box
D. Red team
109. Your company is instituting a new security awareness program. You are responsible for
educating end users on a variety of threats, including social engineering. Which of the fol-
lowing best defines social engineering?
A. Illegal copying of software
B. Gathering information from discarded manuals and printouts
C. Using people skills to obtain proprietary information
D. Phishing emails
110. Which of the following attacks can be caused by a user being unaware of their physical
surroundings?
A. ARP poisoning
B. Phishing
C. Shoulder surfing
D. Smurf attack
111. Francine is a network administrator for Acme Corporation. She has noticed that one of
the servers is now unreachable. After carefully reviewing various logs, she discovers that a
large number of broadcast packets were sent to the network router, spoofing the server’s IP
address. What type of attack is this?
A. SYN flood
B. ICMP flood
C. Buffer overflow
D. Smurf attack
112. An attacker enters code into a text box on a website. That text box is used for product
reviews. The attacker wants his code to execute the next time a visitor visits that page.
What is this attack called?
A. SQL injection
B. Logic bomb
C. Cross-site scripting
D. Session hijacking
113. A user is redirected to a different website when the user requests the DNS record
www.xyz.com. Which of the following is this an example of?
A. DNS poisoning
B. DoS
C. DNS caching
D. Smurf attack
114. Tom is the network administrator for a small accounting firm. As soon as he comes in to
work, users report to him that they cannot connect to the network. After investigating,
Tom discovers that none of the workstations can connect to the network and all have an
IP address in the form of 169.254.x.x. What has occurred?
A. Smurf attack
B. Man-in-the-middle attack
C. DDoS
D. DHCP starvation
115. Which of the following would most likely use a group of bots to stop a web server from
accepting new requests?
A. DoS
B. DDoS
C. Buffer overflow
D. Trojan horse
116. Which of the following would a former employee most likely plant on a server before leav-
ing to cause disruption to the network?
A. Worm
B. Logic bomb
C. Trojan
D. Virus
117. A SYN flood is a DoS attack in which an attacker deliberately violates the three-way
handshake and opens a large number of half-open TCP connections. The signature of a
SYN flood attack is:
A. The source and destination address having the same value
B. The source and destination port numbers having the same value
C. A large number of SYN packets appearing on a network without the corresponding
ACK packets
D. A large number of SYN packets appearing on a network with the corresponding
reply RST
118. What does white-box testing mean?
A. The tester has full knowledge of the environment.
B. The tester has no knowledge of the environment.
C. The tester has permission to access the system.
D. The tester has no permission to access the system.
119. Ahmed has been hired to perform a penetration test of Acme Corporation. He begins by
looking at IP address ranges owned by the company and details of domain name registra-
tion. He also visits social media and newsgroups to see if they contain any sensitive infor-
mation or have any technical details online. Within the context of penetration-examining
methodology, what phase is Ahmed conducting?
A. Passive information gathering
B. Active information gathering
C. Initial exploitation
D. Vulnerability scanning
120. Mary works for a large insurance company, on their cybersecurity team. She is investigat-
ing a recent incident and discovers that a server was breached using an authorized user’s
account. After investigating the incident further, Mary believes that the authorized user
logged on, and then someone else took over their session. What best describes this attack?
A. Man-in-the-middle
B. Session hijacking
C. Backdoor
D. Smurf attack
121. Which of the following type of testing utilizes an automated process of proactively identi-
fying vulnerabilities of the computing systems present on a network?
A. Security audit
B. Vulnerability scanning
C. White-box test
D. Black-box test
122. What type of attack is an NFC most susceptible to?
A. Eavesdropping
B. Man-in-the-middle
C. Buffer overflow
D. Smurf attack
123. John has been asked to do a penetration test of a company. He has been given general
information but no details about the network. What kind of test is this?
A. Gray-box
B. White-box
C. Partial
D. Masked
124. Under which type of attack does an attacker’s system appear to be the server to the real
client and appear to be the client to the real server?
A. Denial of service
B. Replay
C. Eavesdropping
D. Man-in-the-middle
125. You are a security administrator for Acme Corporation. You have discovered malware on
some of your company’s machines. This malware seems to intercept calls from the web
browser to libraries, and then manipulates the browser calls. What type of attack is this?
A. Man-in-the-browser
B. Man-in-the-middle
C. Buffer overflow
D. Session hijacking
126. Your company has hired a penetration testing firm to test the company network security.
The penetration tester has just been able to achieve guest-level privileges on one low-
security system. What best describes this phase of the test?
A. Vulnerability scanning
B. Initial exploit
C. Black-box testing
D. White-box testing
127. What is the primary risk from using outdated software?
A. It may not have all the features you need.
B. It may not have the most modern security features.
C. It may no longer be supported by the vendor.
D. It may be easier to break into than newer software.
128. You are responsible for software testing at Acme Corporation. You want to check all soft-
ware for bugs that might be used by an attacker to gain entrance into the software or your
network. You have discovered a web application that would allow a user to attempt to put
a 64-bit value into a 4-byte integer variable. What is this type of flaw?
A. Memory overflow
B. Buffer overflow
C. Variable overflow
D. Integer overflow
129. Which type of virus is most difficult to analyze by reverse engineering?
A. Polymorphic
B. Macro
C. Armored
D. Boot sector
130. What type of attack attempts to deauthorize users from a resource, such as a wireless
access point (WAP)?
A. Disassociation
B. Session hijacking
C. Man-in-the-middle
D. Smurf attack
131. John is a network administrator for a large retail chain. He has discovered that his
DNS server is being attacked. The attack involves false DNS requests from spoofed IP
addresses. The requests are far larger than normal. What type of attack is this?
A. Amplification
B. DNS poisoning
C. DNS spoofing
D. Smurf attack
132. Heidi is a security officer for an investment firm. Many of the employees in her firm travel
frequently and access the company intranet from remote locations. Heidi is concerned about
users logging in from public WiFi, as well as other people seeing information such as login
credentials or customer data. Which of the following is Heidi’s most significant concern?
A. Social engineering
B. Shoulder surfing
C. Man-in-the-middle attack
D. CSRF
133. Cross-site scripting is an attack on the
.
that is based on the
trusting the
A. user, user, website
B. user, website, user
C. website, website, user
D. user, website, website
134. You are a security officer for a large investment firm. Some of your stock traders handle
very valuable accounts with large amounts of money. You are concerned about someone
targeting these specific traders to get their login credentials and access account informa-
tion. Which of the following best describes the attack you are concerned about?
A. Spear phishing
B. Man-in-the-middle
C. Target phishing
D. Vishing
135. You lead an incident response team for a large retail chain store. You have discovered
what you believe is spyware on the point-of-sale systems. But the malware in question is
encrypted, preventing you from analyzing it. What best describes this?
A. An armored virus
B. Ransomware
C. Polymorphic virus
D. Trojan horse
136. Jared has discovered malware on the workstations of several users. This particular mal-
ware provides administrative privileges for the workstation to an external hacker. What
best describes this malware?
A. Trojan horse
B. Logic bomb
C. Multipartite virus
D. Rootkit
137. Users in your company report someone has been calling their extension and claiming to
be doing a survey for a large vendor. Based on the questions asked in the survey, you sus-
pect that this is a scam to elicit information from your company’s employees. What best
describes this?
A. Spear phishing
B. Vishing
C. War dialing
D. Robocalling
138. Cross-site request forgery is an attack on the
trusting the
.
33
that is based on the
A. website, website, user
B. user, user website
C. website, user, website
D. user, website, user
139. What type of virus can infect both a file in the operating system and the boot sector?
A. Multipartite
B. Rootkit
C. Ransomware
D. Worm
140. John is analyzing a recent malware infection on his company network. He discovers mal-
ware that can spread rapidly and does not require any interaction from the user. What
best describes this malware?
A. Worm
B. Virus
C. Logic bomb
D. Trojan horse
141. Your company has issued some new security directives. One of these new directives is that
all documents must be shredded before being thrown out. What type of attack is this try-
ing to prevent?
A. Phishing
B. Dumpster diving
C. Shoulder surfing
D. Man-in-the-middle
142. What type of attack embeds malicious code into a document or spreadsheet?
A. Logic bomb
B. Rootkit
C. Trojan horse
D. Macro virus
143. You are a network security analyst for an online retail website. Users report that they
have visited your site and had their credit cards stolen. You cannot find any evidence of
any breach of your website. You begin to suspect that these users were lured to a fake site.
You have found a website that is spelled exactly like your company site, with one letter
different. What is this attack called?
A. URL hijacking
B. DNS poisoning
C. Cross-site scripting
D. Man-in-the-middle
144. You have discovered that someone has been trying to log on to your web server. The person
has tried a wide range of likely passwords. What type of attack is this?
A. Rainbow table
B. Birthday attack
C. Dictionary attack
D. Spoofing
145. You have just started a new job as a security administrator for Acme Corporation. You
discover they have weak authentication protocols. You are concerned that an attacker
might simply capture and re-send a user’s login credentials. What type of attack is this?
A. Replay attack
B. IP spoofing
C. Login spoofing
D. Session hijacking
146. What is the primary difference between active and passive reconnaissance?
A. Active will be done manually, passive with tools.
B. Active is done with black-box tests and passive with white-box tests.
C. Active is usually done by attackers and passive by testers.
D. Active will actually connect to the network and could be detected; passive won’t.
147. What is the primary difference between a vulnerability scan and a penetration test?
A. Vulnerability scans are done by employees and penetration tests by outside teams.
B. Vulnerability scans only use tools; penetration tests are manual.
C. Vulnerability scans just identify issues; penetration tests attempt to exploit them.
D. Vulnerability scans are usually white-box tests; penetration tests are black-box tests.
148. When an attacker breaches one system and uses that as a base to attack a related system,
what is this called?
A. Man-in-the-middle
B. Pivot
C. Shimming
D. Vishing
149. Terrance is conducting a penetration test for a client. The client is a major e-commerce
company and is primarily concerned about security for their web server. He has just
finished running Nmap and OWASP Zap on the target web server. What is this activity
called?
A. Passive scanning
B. Black-box testing
C. Active scanning
D. White-box testing
150. You have just taken over as the CISO for a large bank. You are concerned about making
sure all systems are secure. One major concern you have is security misconfiguration.
Which of the following is not a common security misconfiguration?
A. Unpatched operating system
B. Default accounts with passwords
C. Unneeded services running
D. No firewall running


+++++++++++


2
Install and configure network components,
both hardware- and software-based, to support
organizational security.
■ ■
■ ■
■ ■
Firewall
■ ■ ACL
■ ■ Application-based vs. network-based
■ ■ Stateful vs. stateless
■ ■ Implicit deny
VPN concentrator
■ ■ Remote access vs. site-to-site
■ ■ IPSec
■ ■ Tunnel mode
■ ■ Transport mode
■ ■ AH
■ ■ ESP
■ ■ Split tunnel vs. full tunnel
■ ■ TLS
■ ■ Always-on VPN
NIPS/NIDS
■ ■ Signature-based
■ ■ Heuristic/behavioral
■ ■ Anomaly
■ ■ Inline vs. passive
■ ■ In-band vs. out-of-band
■ ■ Rule
■ ■ False positive
■ ■ False negative
Router
■ ■ ACLs
■ ■ Antispoofing
Switch
■ ■ Port security
■ ■ Layer 2 vs. Layer 3
■ ■ Loop prevention
■ ■ Flood guard
Proxy
■ ■ Forward and reverse proxy
■ ■ Transparent
■ ■ Application/multipurpose
Load balancer
■ ■
■ ■
Analytics
Scheduling
■ ■ Affinity
■ ■ Round-robin
■ ■ Active-passive
■ ■ Active-active
■ ■ Virtual IPs
Access point
■ ■ SSID
■ ■ MAC filtering
■ ■ Signal strength
■ ■ Band selection/width
■ ■ Antenna types and placement
■ ■ Fat vs. thin
■ ■ Controller-based vs. standalone
SIEM
■ ■
Aggregation■ ■
■ ■
■ ■
■ ■ Correlation
■ ■ Automated alerting and triggers
■ ■ Time synchronization
■ ■ Event deduplication
■ ■ Logs/WORM
DLP
■ ■ USB blocking
■ ■ Cloud-based
■ ■ Email
NAC
■ ■ Dissolvable vs. permanent
■ ■ Host health checks
■ ■ Agent vs. agentless
Mail gateway
■ ■ Spam filter
■ ■ DLP
■ ■ Encryption
■ ■ Bridge
■ ■ SSL/TLS accelerators
■ ■ SSL decryptors
■ ■ Media gateway
■ ■ Hardware security module
✓ ✓ 2.2 Given a scenario, use appropriate software tools to
assess the security posture of an organization.
■ ■ Protocol analyzer
■ ■ Network scanners
■ ■
Rogue system detection
■ ■
Network mapping
■ ■ Wireless scanners/cracker
■ ■ Password cracker
■ ■ Vulnerability scanner
■ ■ Configuration compliance scanner■ ■ Exploitation frameworks
■ ■ Data sanitization tools
■ ■ Steganography tools
■ ■ Honeypot
■ ■ Backup utilities
■ ■ Banner grabbing
■ ■ Passive vs. active
■ ■ Command line tools
■ ■ ping
■ ■ netstat
■ ■ tracert
■ ■ nslookup/dig
■ ■ arp
■ ■ ipconfig/ip/ifconfig
■ ■ tcpdump
■ ■ nmap
■ ■ netcat
✓ ✓ 2.3 Given a scenario, troubleshoot common
security issues.
■ ■ Unencrypted credentials/clear text
■ ■ Logs and events anomalies
■ ■ Permission issues
■ ■ Access violations
■ ■ Certificate issues
■ ■ Data exfiltration
■ ■ Misconfigured devices
■ ■ Firewall
■ ■ Content filter
■ ■ Access points
■ ■ Weak security configurations
■ ■ Personnel issues
■ ■
Policy violation■ ■ Insider threat
■ ■ Social engineering
■ ■ Social media
■ ■ Personal email
■ ■ Unauthorized software
■ ■ Baseline deviation
■ ■ License compliance violation (availability/integrity)
■ ■ Asset management
■ ■ Authentication issues
✓ ✓ 2.4 Given a scenario, analyze and interpret output from
security technologies.
■ ■ HIDS/HIPS
■ ■ Antivirus
■ ■ File integrity check
■ ■ Host-based firewall
■ ■ Application whitelisting
■ ■ Removable media control
■ ■ Advanced malware tools
■ ■ Patch management tools
■ ■ UTM
■ ■ DLP
■ ■ Data execution prevention
■ ■ Web application firewall
✓ ✓ 2.5 Given a scenario, deploy mobile devices securely.
■ ■
Connection methods
■ ■ Cellular
■ ■ WiFi
■ ■ SATCOM
■ ■ Bluetooth
■ ■ NFC
■ ■ ANT■ ■
■ ■
■ ■ Infrared
■ ■ USB
Mobile device management concepts
■ ■ Application management
■ ■ Content management
■ ■ Remote wipe
■ ■ Geofencing
■ ■ Geolocation
■ ■ Screen locks
■ ■ Push notification services
■ ■ Passwords and pins
■ ■ Biometrics
■ ■ Context-aware authentication
■ ■ Containerization
■ ■ Storage segmentation
■ ■ Full device encryption
Enforcement and monitoring for:
■ ■ Third-party app stores
■ ■ Rooting/jailbreaking
■ ■ Sideloading
■ ■ Custom firmware
■ ■ Carrier unlocking
■ ■ Firmware OTA updates
■ ■ Camera use
■ ■ SMS/MMS
■ ■ External media
■ ■ USB OTG
■ ■ Recording microphone
■ ■ GPS tagging
■ ■ WiFi direct/ad hoc
■ ■ Tethering
■ ■ Payment methods■ ■
Deployment models
■ ■ BYOD
■ ■ COPE
■ ■ CYOD
■ ■ Corporate-owned
■ ■ VDI
✓ ✓ 2.6 Given a scenario, implement secure protocols.
■ ■
■ ■
Protocols
■ ■ DNSSEC
■ ■ SSH
■ ■ S/MIME
■ ■ SRTP
■ ■ LDAPS
■ ■ FTPS
■ ■ SFTP
■ ■ SNMPv3
■ ■ SSL/TLS
■ ■ HTTPS
■ ■ Secure POP/IMAP
Use cases
■ ■ Voice and video
■ ■ Time synchronization
■ ■ Email and web
■ ■ File transfer
■ ■ Directory services
■ ■ Remote access
■ ■ Domain name resolution
■ ■ Routing and switching
■ ■ Network address allocation
■ ■ Subscription services
■
Technologies and Tools
1. John is looking for a new firewall for a small company. He is concerned about DoS
attacks, particularly the SYN flood. Which type of firewall would give the best protection
against the SYN flood?
A. Packet filter
B. Application gateway
C. Bastion
D. SPI

2. You are responsible for network security at an insurance company. A lot of employ-
ees bring their own devices. You have security concerns about this. You have decided
to implement a process whereby when users connect to your network, their devices are
scanned. If a device does not meet your minimum security requirements, it is not allowed
to connect. What best describes this?
A. NAC
B. SPI
C. IDS
D. BYOD

3. Ahmed is responsible for VPN connections at his company. His company uses IPSec
exclusively. He has decided to implement IPSec in a mode that encrypts the data of only
the packet, not the headers. What is this called?
A. Tunneling
B. IKE
C. ESP
D. Transport

4. Maria is responsible for monitoring IDS activity on her company’s network. Twice in the
past month there has been activity reported on the IDS that investigation has shown was
legitimate traffic. What best describes this?
A. False negative
B. Passive
C. Active

D. False positive
5. Juanita is a network administrator for a large university. The university has numerous
systems, each with logs she must monitor and analyze. What would be the best approach
for her to view and analyze logs from a central server?
A. NAC
B. Port forwarding
C. IDS

D. SIEMChapter 2

6. Enrique is responsible for web application security at his company. He is concerned about
attacks such as SQL injection. Which of the following devices would provide the best pro-
tection for web attacks on his web application server?
A. ACL
B. SPI
C. WAF
D. IDS

7. ACME Company has several remote offices. The CIO wants to set up permanent secure
connections between the remote offices and the central office. What would be the best
solution for this?
A. L2TP VPN
B. IPSEC VPN
C. Site-to-site VPN
D. Remote-access VPN

8. Mary is responsible for network security at a medium-sized insurance company. She is
concerned that the offices are too open to public traffic and someone could simply con-
nect a laptop to an open RJ45 jack and access the network. Which of the following would
best address this concern?
A. ACL
B. IDS
C. VLAN
D. Port security

9. You are the network administrator for an e-commerce company. You are responsible for
the web server cluster. You are concerned about not only failover, but also load-balancing
and using all the servers in your cluster to accomplish load-balancing. What should you
implement?
A. Active-active
B. Active-passive
C. Affinity
D. Round-robin
10. Donald is working as a network administrator. He is responsible for the database cluster.
Connections are load-balanced in the cluster by each new connection being simply sent to
the next server in the cluster. What type of load-balancing is this?
A. Round-robin
B. Affinity
C. Weighted
D. Rotating
11. Gerald is setting up new wireless access points throughout his company’s building. The
wireless access points have just the radio transceiver, with no additional functionality.
What best describes these wireless access points?
A. Fat
B. Repeater
C. Thick
D. Thin
12. Mohaned is an IT manager for a hotel. His hotel wants to put wireless access points on
each floor. The specifications state that the wireless access points should have minimal
functionality, with all the configuration, authentication, and other functionality centrally
controlled. What type of wireless access points should Mohaned consider purchasing?
A. Fat
B. Controller-based
C. Stand-alone
D. 801.11i
13. What IPSec protocol provides authentication and encryption?
A. AH
B. ESP
C. IKE
D. ISAKMP
14. Terrance is implementing IPSec. He wants to ensure that the packets are encrypted, and
that the packet and all headers are authenticated. What should he implement?
A. AH
B. ESP
C. AH and ESP
D. IKE
15. You are responsible for security at your company. One of management’s biggest concerns
is that employees might exfiltrate sensitive data. Which of the following would you
implement first?
A. IPS
B. Routine audits of user machines
C. VLAN
D. USB blocking
16. You are responsible for email server security in your company. You want to implement
encryption of all emails, using third-party authenticated certificates. What protocol
should you implement?
A. IMAP
B. S/MIMEChapter 2
C. PGP
D. SMTP-S

17. Joanne is responsible for all remote connectivity to her company’s network. She knows
that administrators frequently log in to servers remotely to execute command-line com-
mands and Linux shell commands. She wants to make sure this can only be done if the
transmission is encrypted. What protocol should she use?
A. HTTPS
B. RDP
C. Telnet
D. SSH
18. You are responsible for network management at your company. You have been using
SNMP for many years. You are currently using SNMP v2. A colleague has recently
suggested you upgrade to SNMP v3. What is the primary benefit of SNMP v3?
A. It is much faster.
B. It integrates with SIEM.
C. It uses CHAP authentication.
D. It is encrypted.
19. Employees in your company are allowed to use tablets. They can select a tablet from four
different models approved by the company but purchased by the employee. What best
describes this?
A. BYOD
B. CYOD
C. COPE
D. BYOE
20. Mahmoud is considering moving all company desktops to a VDI deployment. Which of
the following would be a security advantage of VDI?
A. Employees can work from any computer in the company.
B. VDI is more resistant to malware.
C. Patch management is centrally controlled.
D. It eliminates man-in-the-middle attacks.
21. You have been assigned to select a backup communication method for your company to
use in case of significant disasters that disrupt normal communication. Which option
would provide the most reliability?
A. Cellular
B. WiFi
C. SATCOM
D. VoIP
22. John is concerned about the security of data on smartphones and tablets that his company
issues to employees. Which of the following would be most effective in preventing data
loss, should a device be stolen?
A. Remote wipe
B. Geolocation
C. Strong PIN
D. Limited data storage
23. What does geofencing accomplish?
A. Provides the location for a mobile device.
B. Limits the range a mobile device can be used in.
C. Determines WiFi coverage areas.
D. Segments the WiFi.
24. What best describes mobile device content management?
A. Limiting how much content can be stored.
B. Limiting the type of content that can be stored.
C. Blocking certain websites.
D. Digitally signing authorized content.
25. Frank believes there could be a problem accessing the DHCP server from a specific client.
He wants to check by getting a new dynamic IP. What command will do this?
A. ipconfig /request
B. NETSTAT -renew
C. ipconfig /renew
D. NETSTAT /request
26. Teresa is responsible for network administration at a health club chain. She is trying for
find a communication technology that uses low power and can spend long periods in
low-power sleep modes. Which of the following technologies would be the best fit?
A. WiFi
B. Cellular
C. Bluetooth
D. ANT
27. What technology was first introduced in Windows Vista and still exists in Windows that
helps prevent malware by requiring user authorization to run executables?
A. DEP
B. DLP
C. UTM
D. ANT

28. John is responsible for security of his company’s new e-commerce server. He wants to
ensure that online transactions are secure. What technology should he use?
A. L2TP
B. IPSec
C. SSL
D. TLS
29. Frank is a network administrator for a small college. The college has implemented a
simple NIDS. However, the NIDS seems to only catch well-known attacks. What
technology is this NIDS likely missing?
A. Heuristic scanning
B. Signature scanning
C. Passive scanning
D. Active scanning
30. You are concerned about an attacker enumerating all of your network. What protocol
might help at least mitigate this issue?
A. HTTPS
B. TLS
C. IPSec
D. LDAPS
31. You have been asked to implement a secure protocol for transferring files that uses digital
certificates. Which protocol would be the best choice?
A. FTP
B. SFTP
C. FTPS
D. SCP
32. Ahmed is responsible for VoIP at his company. He has been directed to ensure that all
VoIP calls have the option to be encrypted. What protocol is best suited for security
VoIP calls?
A. SIP
B. TLS
C. SRTP
D. SSH
33. What is the purpose of screen locks on mobile devices?
A. To encrypt the device
B. To limit access to the device
C. To load a specific user’s apps
D. To connect to WiFi
34. Maria is a security engineer with a large bank. Her CIO has asked her to investigate
the use of context-aware authentication for online banking. Which of the following best
describes context-aware authentication?
A. In addition to username and password, authentication is based on the entire context
(location, time of day, action being attempted, etc.).
B. Without a username or password, authentication is based on the entire context
(location, time of day, action being attempted, etc.).
C. Authentication that requires a username and password, but in the context of a token
or digital certificate
D. Authentication that requires a username and password, but not in the context of a
token or digital certificate
35. What does application management accomplish for mobile devices?
A. Only allows applications from the iTunes store to be installed
B. Ensures the company has a list of all applications on the devices
C. Ensures only approved applications are installed on the devices
D. Updates patches on all applications on mobile devices
Dominick is responsible for security at a medium-sized insurance company. He is very
concerned about detecting intrusions. The IDS he has purchased states that he must have
an IDS on each network segment. What type of IDS is this?
A. Active
B. IPS
C. Passive
D. Inline
37. Remote employees at your company frequently need to connect to both the secure
company network via VPN and open public websites, simultaneously. What technology
would best support this?
A. Split tunnel
B. IPSec
C. Full tunnel
D. TLS
38. Denish is looking for a solution that will allow his network to retrieve information from a
wide range of web resources, while all traffic passes through a proxy. What would be the
best solution?
A. Forward proxy
B. Reverse proxy
C. SPI
D. Open proxy
39. Someone has been rummaging through your company’s trash bins seeking to find
documents, diagrams, or other sensitive information that has been thrown out. What
is this called?
A. Dumpster diving
B. Trash diving
C. Social engineering
D. Trash engineering
40. Derrick is responsible for a web server cluster at his company. The cluster uses various
load-balancing protocols. Derrick wants to ensure that clients connecting from Europe are
directed to a specific server in the cluster. What would be the best solution to his problem?
A. Affinity
B. Binding
C. Load balancing
D. Round-robin
41. Teresa is responsible for WiFi security in her company. Her main concern is that there are
many other offices in the building her company occupies and that someone could easily
attempt to breach their WiFi from one of these locations. What technique would be best
in alleviating her concern?
A. Using thin WAPs
B. Geofencing
C. Securing the Admin screen
D. WAP placement
42. Juan is responsible for the SIEM in his company. The SIEM aggregates logs from 12 servers.
In the event that a breach is discovered, which of the following would be Juan’s most impor-
tant concern?
A. Event duplication
B. Time synchronization
C. Impact assessment
D. Correlation
43. When you are considering an NIDS or NIPS, what are your two most important
concerns?
A. Cost and false positives
B. False positives and false negatives
C. Power consumption and cost
D. Management interface and cost
44. Shelly is very concerned about unauthorized users connecting to the company routers.
She would like to prevent spoofing. What is the most essential antispoofing technique for
routers?
A. ACL
B. Logon
C. NIPS
D. NIDS
45. Farès has implemented a flood guard. What type of attack is this most likely to defend
against?
A. SYN attack
B. DNS poisoning
C. MAC spoofing
D. ARP spoofing
46. Terrance is trying to get all of his users to connect to a certificate server on his network.
However, some of the users are using machines that are incompatible with the certificate
server, and changing those machines is not an option. Which of the following would be
the best solution for Terrance?
A. Use an application proxy for the certificate server.
B. Use NAT with the certificate server.
C. Change the server.
D. Implement a protocol analyzer.
47. John is implementing virtual IP load-balancing. He thinks this might alleviate network
slowdowns, and perhaps even mitigate some of the impact of a denial-of-service attack.
What is the drawback of virtual IP load-balancing?
A. It is resource-intensive.
B. Most servers don’t support it.
C. It is connection-based, not load-based.
D. It works only on Unix/Linux servers.
48. There has been a breach of the ACME network. John manages the SIEM at ACME. Part
of the attack disrupted NTP; what SIEM issue would this most likely impact?
A. Time synchronization
B. Correlation
C. Event duplication
D. Events not being logged
49. What command would produce the image shown here?
A. ping -n 6 -l 100 192.168.1.1
B. ping 192.168.1.1 -n 6 -s 100
C. ping #6 s 100 192.168.1.1
D. ping -s 6 -w 100 192.168.1.1
50. You are a security officer for a large law firm. You are concerned about data loss preven-
tion. You have limited the use of USBs and other portable media, you use an IDS to look
for large volumes of outbound data, and a guard searches all personnel and bags before
they leave the building. What is a key step in DLP that you have missed?
A. Portable drives
B. Email
C. Bluetooth
D. Optical media
51. Which of the following email security measures would have the most impact on
phishing emails?
A. Email encryption
B. Hardening the email server
C. Digitally signing email
D. Spam filter
52. Joanne has implemented TLS for communication with many of her networks servers. She
wants to ensure that the traffic cannot be sniffed. However, users now complain that this
is slowing down connectivity. Which of the following is the best solution?
A. Increase RAM on servers.
B. Change routers to give more bandwidth to traffic to these servers.
C. Implement TLS accelerators.
D. Place all servers in clusters with extensive load-balancing.
53. Olivia has discovered steganography tools on an employee’s computer. What is the
greatest concern regarding employees having steganography tools?
A. Password cracking
B. Data exfiltration
C. Hiding network traffic
D. Malware
54. What command would generate the output shown here?
A. netstat -a
B. netstat -o
C. arp -a
D. arp -g
55. John has discovered that an attacker is trying to get network passwords by using software
that attempts a number of passwords from a list of common passwords. What type of
attack is this?
A. Dictionary
B. Rainbow table
C. Brute force
D. Session hijacking
56. Isabella has found netcat installed on an employee’s computer. That employee is not
authorized to have netcat. What security concern might this utility present?
A. It is a password cracker.
B. It is a packet sniffer.
C. It is a network communication utility.
D. It is a DoS tool.
57. Omar is a network administrator for ACME Company. He is responsible for the cer-
tificate authorities within the corporate network. The CAs publish their CRLs once per
week. What, if any, security issue might this present?
A. Revoked certificates still being used
B. Invalid certificates being issued
C. No security issue
D. Certificates with weak keys
58. Hans is a network administrator for a large bank. He is concerned about employees vio-
lating software licenses. What would be the first step in addressing this issue?
A. Performing software audits
B. Scanning the network for installed applications
C. Establishing clear policies
D. Blocking the ability of users to install software
59. You are responsible for authentication methods at your company. You have implemented
fingerprint scanners to enter server rooms. Frequently people are being denied access to
the server room, even though they are authorized. What problem is this?
A. FAR
B. FRR
C. CER
D. EER
60. John is responsible for network security at a very small company. Due to both budget
constraints and space constraints, John can select only one security device. What should
he select?
A. Firewall
B. Antivirus
C. IDS
D. UTM
61. You are responsible for security at Acme Company. Recently, 20 new employee network
accounts were created, with the default privileges for the network. You have discovered
that eight of these have privileges that are not needed for their job tasks. Which security
principle best describes how to avoid this problem in the future?
A. Least privileges
B. Separation of duties
C. Implicit deny
D. Weakest link
62. Mary is concerned that SIEM logs at her company are not being stored long enough, or
securely enough. She is aware that it is possible a breach might not be discovered until
long after it occurs. This would require the company to analyze older logs. It is important
that Mary find an SIEM log backup solution that can a) handle all the aggregate logs of
the SIEM, b) be maintained for a long period of time, and c) be secure. What solution
would be best for her?
A. Back up to large-capacity external drives.
B. Back up to large-capacity backup tapes.
C. Back up to WORM storage.
D. Back up to tapes that will be stored off-site.
63. Elizabeth is responsible for SIEM systems in her company. She monitors the company’s
SIEM screens every day, checking every hour. What, if any, would be a better approach
for her to keep up with issues that appear in the logs?
A. Automatic alerts
B. Having logs forwarded to her email
C. Nothing, this is fine.
64. You are responsible for network security at a university. Faculty members are issued
laptops. However, many of the faculty members leave the laptops in their offices most of
the time (sometimes even for weeks). You are concerned about theft of laptops. In this
scenario, what would be the most cost-effective method of securing the laptops?
A. FDE
B. GPS tagging
C. Geofencing
D. Tethering
65. You work at a defense contracting company. You are responsible for mobile device
security. Some researchers in your company use company-issued tablets for work. These
tablets may contain sensitive, even classified data. What is the most important security
measure for you to implement?
A. FDE
B. GPS tagging
C. Geofencing
D. Content management
66. When using any HIDS/HIPS or NIDS/NIPS, the output is specific to the vendor. How-
ever, what is the basic set of information that virtually all HIDSs/HIPSs or
NIDSs/NIPSs provide?
A. IP addresses (sender and receiver), ports (sender and receiver), and protocol
B. IP addresses (sender and receiver), ports (sender and receiver), and attack type
C. IP addresses (sender and receiver), ports (sender and receiver), usernames, and
machine names
D. Usernames, machine names, and attack type
67. You are responsible for firewalls in your company. You are reviewing the output of the
gateway firewall. What basic information would any firewall have in its logs?
A. For all traffic: the source and destination IP and port, protocol, and whether it was
allowed or denied
B. For only blocked traffic: the source and destination IP and port as well as the reason
for the traffic being denied/blocked
C. For all traffic: the source and destination IP and port, whether it was allowed or
denied, and the reason it was denied/blocked
D. For only blocked traffic: the source and destination IP, protocol, and the reason it
was denied/blocked
68. Teresa is responsible for incident response at ACME Company. There was a recent breach
of the network. The breach was widespread and affected many computers. As part of the
incident response process, Teresa will collect the logs from the SIEM, which aggregates
logs from 20 servers. Which of the following should she do first?
A. Event de-duplication
B. Log forwardingChapter 2
C. Identify the nature of the attack
D. Identify the source IP of the attack
69. Hector is responsible for NIDS/NIPS in his company. He is configuring a new NIPS
solution. What part of the NIPS collects data?
A. Sensor
B. Data source
C. Manager
D. Analyzer
70. Gerald is a network administrator for a small financial services company. He is respon-
sible for controlling access to resources on his network. What mechanism is responsible
for blocking access to a resource based on the requesting IP address?
A. ACL
B. NIPS
C. HIPS
D. Port blocking
71. Elizabeth is responsible for secure communications at her company. She wants to give
administrators the option to log in remotely and to execute command-line functions, but
she wants this to only be possible via a secure, encrypted connection. What action should
she take on the firewall?
A. Block port 23 and allow ports 20 and 21.
B. Block port 22 and allow ports 20 and 21.
C. Block port 22 and allow port 23.
D. Block port 23 and allow port 22.
72. Mark is looking for a proxy server for his network. The purpose of the proxy server is
to ensure that the web servers are hidden from outside clients. All of the different web
servers should appear to the outside world as if they were the proxy server. What type of
proxy server would be best for Mark to consider?
A. Forward
B. Reverse
C. Transparent
D. Firewall
73. Your company has hired an outside security firm to perform various tests of your
network. During the vulnerability scan you will provide that company with logins for
various systems (i.e., database server, application server, web server, etc.) to aid in their
scan. What best describes this?
A. A white-box test
B. A gray-box test
C. A credentialed scan
D. A logged-in scan
74. Lars is responsible for incident response at ACME Company. He is particularly concerned
about the network segment that hosts the corporate web servers. He wants a solution that
will detect potential attacks and notify the administrator so the administrator can take
whatever action he or she deems appropriate. Which of the following would be the best
solution for Lars?
A. HIDS
B. HIPS
C. NIDS
D. NIPS
75. Mia is responsible for security devices at her company. She is concerned about detecting
intrusions. She wants a solution that would work across entire network segments. How-
ever, she wants to ensure that false positives do not interrupt work flow. What would be
the best solution for Mia to consider?
A. HIDS
B. HIPS
C. NIDS
D. NIPS
76. Abigail is a security manager for a small company. Many employees want to use handheld
devices, such as smartphones and tablets. The employees want to use these devices both
for work and outside of work. Abigail is concerned about security issues. Which of the
following would be the most secure solution?
A. COPE
B. CYOD
C. Geotagging
D. BYOD
77. You are responsible for always-on VPN connectivity for your company. You have been
told that you must use the most secure mode for IPSec that you can. Which of the follow-
ing would be the best for you to select?
A. Tunneling
B. AH
C. IKE
D. Transport
78. Debra is the network administrator for her company. Her company’s web servers are all in
a cluster. Her concern is this: if one of the servers in the cluster fails, will the backup server
be capable of running for a significant amount of time? She wants to make sure that the
backup won’t soon fail. What would be her best choice in clustering?
A. Active-active
B. Round-robin
C. Affinity
D. Active-passive
79. Omar is responsible for wireless security in his company. He wants completely different
WiFi access (i.e., a different SSID, different security levels, and different authentication
methods) in different parts of the company. What would be the best choice for Omar to
select in WAPs?
A. Fat
B. Thin
C. Repeater
D. Full
80. Lilly is a network administrator for a medium-sized financial services company. She wants
to implement company-wide encryption and digital signing of emails. But she is concerned
about cost, since there is a very limited budget for this. What would be her best choice?
A. SMTPS
B. S/MIME
C. IMAPS
D. PGP
81. Edward is a security manager for a bank. He has recently been reading a great deal
about malware that accesses system memory. He wants to find a solution that would
stop programs from utilizing system memory. Which of the following would be the
best solution?
A. DEP
B. FDE
C. UTM
D. IDS
82. Sarah is the CIO for a small company. She recently had the entire company’s voice calls
moved to VoIP. Her new VoIP system is using SIP with RTP. What might be the concern
with this?
A. SIP is not secure.
B. RTP is not secure.
C. RTP is too slow.
D. SIP is too slow.
83. What command would generate the output shown here?
A. nslookup
B. ipconfig
C. netstat -a
D. dig
84. Emiliano is a network administrator for a large web-hosting company. His company also
issues digital certificates to web-hosting clients. He wants to ensure that a digital certifi-
cate will not be used once it has been revoked. He also wants to ensure that there will be
no delay between when the certificate is revoked and when browsers are made aware that
it is revoked. What solution would be best for this?
A. OCSP
B. X.509
C. CRL
D. PKI
85. Elizabeth is responsible for security at a defense contracting company. She is concerned
about users within her network exfiltrating data by attaching sensitive documents to
emails. What solution would best address this concern?
A. Email encryption
B. USB blocking
C. NIPS
D. Content filtering
86. Victor is concerned about data security on BYOD and COPE. He is concerned specifi-
cally about data exposure should the device become lost or stolen. Which of the following
would be most effective in countering this concern?
A. Geofencing
B. Screen lock
C. GPS tagging
D. Device encryption
87. Gabriel is using nmap to scan one of his servers whose IP address is 192.168.1.1. He wants
to perform a ping scan, but the network blocks ICMP, so he will try a TCP ping scan and
do so very slowly. Which of the following would accomplish that?
A. nmap -O -PT -T1 192.168.1.1
B. nmap -O – T3 192.168.1.1
C. nmap -T -T1 192.168.1.1
D. nmap -PT -T5 192.168.1.1
88. Mary is a network administrator for ACME Company. She sometimes needs to run a
packet sniffer so that she can view the network traffic. She wants to find a well-known
packet sniffer that works on Linux. Which of the following would be her best choice?
A. Ophcrack
B. Nmap
C. Wireshark
D. Tcpdump
89. What command produced the output shown here?
A. tracert -h 10 www.chuckeasttom.com
B. tracert www.chuckeasttom.com
C. netstat www.chuckeasttom.com
D. nmap www.chuckeasttom.com
90. Daryll has been using a packet sniffer to observe traffic on his company’s network. He has
noticed that traffic between the web server and the database server is sent in clear text.
He wants a solution that will not only encrypt that traffic, but also leverage the existing
digital certificate infrastructure his company has. Which of the following would be the
best solution for Daryll?
A. TLS
B. SSL
C. IPSec
D. WPA2
91. Jarod is concerned about DLP in his organization. Employees all have cloud-based solu-
tions for data storage. What DLP-related security hazard, if any, might this create?
A. No security hazard
B. Malware from the cloud
C. Data exfiltration through the cloud
D. Security policies don’t apply to the cloud.
92. Derrick is a network administrator for a large company. The company network is seg-
mented into zones of high security, medium security, low security, and the DMZ. He is
concerned about external intruders and wishes to install a honeypot. Which is the most
important zone to put the honeypot in?
A. High security
B. Medium security
C. Low security
D. DMZ
93. Sheila is responsible for data backups for all the company servers. She is concerned about
frequency of backup and about security of the backup data. Which feature, found in some
backup utility software, would be most important to her?
A. Using data encryption
B. Digitally signing the data
C. Using automated backup scheduling
D. Hashing the backup data
94. Frank is a web server administrator for a large e-commerce company. He is concerned
about someone using netcat to connect to the company web server and retrieving detailed
information about the server. What best describes his concern?
A. Passive reconnaissance
B. Active reconnaissance
C. Banner grabbing
D. Vulnerability scanning
95. Mike is responsible for testing security at his company. He is using a tool that identifies
vulnerabilities and provides mechanisms to test them by attempting to exploit them. What
best describes this type of tool?
A. Vulnerability scanner
B. Exploit framework
C. Metasploit
D. Nessus
96. William is a security officer for a large bank. When executives’ laptops are decommis-
sioned, he wants to ensure that the data on those laptops is completely wiped so that it
cannot be recovered, even using forensic tools. How many times should William wipe a
hard drive?
A. 1
B. 3
C. 5
D. 7
97. You are responsible for firewalls in your organization. You are concerned about ensuring
that all firewalls are properly configured. The gateway firewall is configured as follows:
to only allow inbound traffic on a very few specific, required ports; all traffic (allowed
or blocked) is logged and logs forwarded to the SIEM. What, if anything, is missing from
this configuration?
A. Nothing, it is a good configuration.
B. Encrypting all traffic
C. Outbound connection rules
D. Digital certificate authentication for inbound traffic
98. Charles is responsible for security for web servers in his company. Some web servers are
used for an internal intranet, and some for external websites. He has chosen to encrypt
all web traffic, and he is using self-signed X.509 certificates. What, if anything, is wrong
with this approach?
A. He cannot encrypt all HTTP traffic.
B. He should use PGP certificates.
C. He should not use self-signed certificates.
D. Nothing; this is an appropriate configuration.
99. You are responsible for the security of web servers at your company. You are configuring
the WAF and want to allow only encrypted traffic to and from the web server, including
traffic from administrators using a command-line interface. What should you do?
A. Open port 80 and 23, and block port 443.
B. Open port 443 and 23, and block port 80.
C. Open port 443 and 22, and block port 80 and 23.
D. Open port 443, and block all other ports.
100. Francis is a security administrator at a large law firm. She is concerned that confidential
documents, with proprietary information, might be leaked. The leaks could be intentional
or accidental. She is looking for a solution that would embed some identifying informa-
tion into documents in such a way that it would not be seen by the reader but could be
extracted with the right software. What technology would best meet Francis’s needs?
A. Symmetric encryption
B. Steganography
C. Hashing
D. Asymmetric encryption
101. You are responsible for the gateway firewall for your company. You need to configure a
firewall to allow only email that is encrypted to be sent or received. What action should
you take?
A. Allow ports 25, 110, and 143. Block ports 465, 993, and 995.
B. Block ports 25, 110, and 143. Allow ports 465, 993, and 995.
C. Allow ports 25, 110, and 443. Block ports 465, 993, and 143.
D. Block ports 465, 994, and 464. Allow ports 25, 110, and 80.
102. Mark is responsible for security for a small bank. He has a firewall at the gateway as well
as one at each network segment. Each firewall logs all accepted and rejected traffic. Mark
checks each of these logs regularly. What is the first step Mark should take to improve his
firewall configuration?
A. Integrate with SIEM.
B. Add a honeypot.
C. Integrate with AD.
D. Add a honeynet.
103. You are setting up VPNs in your company. You are concerned that anyone running a
packet sniffer could obtain metadata about the traffic. You have chosen IPSec. What
mode should you use to accomplish your goals of preventing metadata being seen?
A. AH
B. ESP
C. Tunneling
D. Transport
104. John is responsible for configuring security devices in his network. He has implemented a
robust NIDS in his network. However, on two occasions the NIDS has missed a breach.
What configuration issue should John address?
A. False negative
B. Port blocking
C. SPI
D. False positive
105. You are responsible for communications security at your company. Your company has a
large number of remote workers, including traveling salespeople. You wish to make sure that
when they connect to the network, it is in a secure manner. What should you implement?
A. L2TP VPN
B. IPSec VPN
C. Site-to-site VPN
D. Remote-access VPN
106. Your company is issuing portable devices to employees for them to use for both work and
personal use. This is done so the company can control the security of the devices. What, if
anything, is an issue this process will cause?
A. Personal information being exposed
B. Company data being exfiltrated
C. Devices being insecurely configured
D. No issues
107. Marsha is responsible for mobile device security. Her company uses COPE for mobile
devices. All phones and tablets have a screen lock and GPS tagging. What is the next,
most important step for Marsha to take to secure the phones?
A. Implement geofencing.
B. Implement application management.
C. Implement geolocation.
D. Implement remote wipe.
108. Valerie is responsible for mobile device security at her company. The company is using
BYOD. She is concerned about employees’ personal device usage compromising company
data on the phones. What technology would best address this concern?
A. Containerization
B. Screen lock
C. Full disk encryption
D. Biometrics
109. Jack is a chief information security officer (CISO) for a small marketing company. The
company’s sales staff travel extensively and all use mobile devices. He has recently become
concerned about sideloading. Which of the following best describes sideloading?
A. Installing applications to Android devices via USB
B. Loading software on any device via WiFi
C. Bypassing the screen lock
D. Loading malware on a device without the user being aware
110. You are responsible for DLP at a large company. Some employees have COPE and others
BYOD. What DLP issue might these devices present?
A. COPE can be USB OTG.
B. BYOD can be USB OTG.
C. COPE and BYOD can be USB OTG.
D. Only jailbroken COPE or BYOD can be USB OTG.
111. John is responsible for network security at a large company. He is concerned about a
variety of attacks but DNS poisoning in particular. Which of the following protocols
would provide the most help in mitigating this issue?
A. IPSec
B. DNSSEC
C. L2TP
D. TLS
112. You are responsible for network security at your company. You have discovered that NTP
is not functioning properly. What security protocol will most likely be affected by this?
A. Radius
B. DNSSEC
C. IPSec
D. Kerberos
113. Frank is concerned about DHCP starvation attacks. He is even more worried since he
learned that anyone can download software called a “gobbler” and execute a DHCP
starvation attack. What technology would most help him mitigate this risk?
A. Encrypt all DHCP communication with TLS.
B. FDE on the DHCP server
C. Network Address Allocation
D. IPSec for all DHCP communications
114. You are trying to allocate appropriate numbers of IP addresses for various subnets in your
network. What would be the proper CIDR notation for an IP v4 subnet with 59 nodes?
A. /27
B. /29
C. /24
D. /26
115. Lydia is trying to reduce costs at her company and at the same time centralize network
administration and maintain direct control of the network. Which of the following solu-
tions would provide the most network administration centralization and control while
reducing costs?
A. Outsourcing network administration
B. IaaS
C. PaaS
D. Moving all OSs to open source
116. You are investigating a remote access protocol for your company to use. The protocol
needs to fully encrypt the message, use reliable transport protocols, and support a range
of network protocols. Which of the following would be the best choice?
A. RADIUS
B. Diameter
C. TACACS +
D. IPSec
117. Carrol is responsible for network connectivity in her company. The sales department is
transitioning to VoIP. What are two protocols she must allow through the firewall?
A. RADIUS and SNMP
B. TCP and UDP
C. SIP and RTP
D. RADIUS and SIP
118. John is setting up all the database servers on their own subnet. He has placed them on
10.10.3.3/29. How many nodes can be allocated in this subnet?
A. 32
B. 16
C. 8
D. 6
119. Carlos is a security manager for a small company that does medical billing and records
management. He is using application blacklisting to prevent malicious applications from
being installed. What, if anything, is the weakness with this approach?
A. None, this is the right approach.
B. It might block legitimate applications.Chapter 2
C. It might fail to block malicious applications.
D. It will limit productivity.
120. Joanne is a security administrator for a large company. She discovered that approximately
100 machines on her network were recently attacked by a major virus. She is concerned
because there was a patch available that would have stopped the virus from having any
impact. What is the best solution for her to implement on her network?
A. Installing patch management software
B. Using automatic updates
C. Putting unpatched machines on a Bridge
D. Scanning all machines for patches every day
121. A review of your company’s network traffic shows that most of the malware infections are
caused by users visiting illicit websites. You want to implement a solution that will block
these websites, scan all web traffic for signs of malware, and block the malware before it
enters the company network. Which of the following technologies would be the best
solution?
A. IDS
B. Firewall
C. UTM
D. SIEM
122. You work for a large bank. The bank is trying to limit the risk associated with the use of
unapproved USB devices to copy documents. Which of the following would be the best
solution to this problem?
A. IDS
B. DLP
C. Content filtering
D. NIPS
123. Match the letter of the functionality with the device in the following table.
A. Detect intrusions on a single machine
B. Use aggregate logs
C. Filter network packets based on a set of rules
D. Detect intrusions on a network segment
Firewall
HIDS
SIEM
NIDS
124. Francine is concerned about employees in her company jailbreaking their COPE devices.
What would be the most critical security concern for jailbroken devices?
A. They would no longer get security patches.
B. It would disable FDE.
C. Unauthorized applications could be installed.
D. Data could be exfiltrated on these devices.
125. You are responsible for mobile device security in your company. Employees have COPE
devices. Many employees only enter the office infrequently, and you are concerned that
their devices are not receiving firmware updates on time. What is the best solution for this
problem?
A. Scheduled office visits for updates
B. OTA updates
C. Moving from COPE to BYOD
D. A policy that requires users to update their firmware regularly
126. Frank is looking for a remote authentication and access protocol. It must be one that uses
UDP due to firewall rules. Which of the following would be the best choice?
A. RADIUS
B. Diameter
C. TACACS +
D. IPSec
127. You have discovered that one of the employees at your company tethers her smartphone
to her work PC to bypass the corporate web security and access prohibited websites while
connected to the LAN. What would be the best way to prevent this?
A. Disable wireless access.
B. Implement a WAF.
C. Implement a policy against tethering.
D. Implement an HIPS.
128. You work for a large bank. One of your responsibilities is to ensure that web banking
logins are as secure as possible. You are concerned that a customer’s account login could
be compromised and someone else would use that login to access the customer’s account.
What is the best way to mitigate this threat?
A. Use SMS authentication for any logins from an unknown location or computer.
B. Encrypt all traffic via TLS.
C. Require strong passwords.
D. Do not allow customers to log on from any place other than their home computer.
129. You have discovered that some employees in your company have installed custom firm-
ware on their portable devices. What security flaw would this most likely lead to?
A. Unauthorized software can run on the device.
B. The device may not connect to the network.
C. The device will overheat.
D. This is not really a security issue.
130. You are configuring BYOD access for your company. You want the absolute most robust
security for the BYOD on your network. What would be the best solution?
A. Agentless NAC
B. Agent NAC
C. Digital certificate authentication
D. Two-factor authentication
131. You work for a large law firm and are responsible for network security. It is common for
guests to come to the law firm (clients, expert witnesses, etc.) who need to connect to the
firm’s WiFi. You wish to ensure that you provide the maximum security when these guests
connect with their own devices, but you also wish to provide assurance to the guest that
you will have minimal impact on their device. What is the best solution?
A. Permanent NAC agent
B. Agentless NAC
C. Dissolvable NAC agent
D. Implement COPE
132. Tom is concerned about how his company can best respond to breaches. He is interested
in finding a way to identify files that have been changed during the breach. What would
be the best solution for him to implement?
A. NAC
B. NIDS
C. File integrity checker
D. Vulnerability scanner
133. Mary works for a large insurance company and is responsible for cybersecurity. She is
concerned about insiders and wants to detect malicious activity on the part of insiders.
But she wants her detection process to be invisible to the attacker. What technology best
fits these needs?
A. Hybrid NIDS
B. Out-of-band NIDS
C. NIPS
D. NNIDS
134. Denish is responsible for security at a large financial services company. The company
frequently uses SSL/TLS for connecting to external resources. He has concerns that an
insider might exfiltrate data using an SSL/TLS tunnel. What would be the best solution to
this issue?
A. NIPS
B. SSL decryptor
C. NIDS
D. SSL accelerator
135. You want to allow a media gateway to be accessible through your firewall. What ports
should you open? (Choose two.)
A. 2427
B. 1707
C. 2227
D. 1727
136. Match the letter with the protocol in the following table.
A. Wireless security
B. Voice over IP
C. VPN
D. Secure command-line interface
IPSec
WPA2
SSH
SIP
137. Dennis is implementing wireless security throughout his network. He is using WPA2.
However, there are some older machines that cannot connect to WPA2—they only
support WEP. At least for now, he must keep these machines. What is the best solution
for this problem?
A. Put those machines on a different VLAN.
B. Deny wireless capability for those machines.
C. Put those machines on a separate wireless network with separate WAP.
D. Encrypt their traffic with TLS.
138. You are a security administrator for Acme Company. Employees in your company
routinely upload and download files. You are looking for a method that allows users to
remotely upload or download files in a secure manner. The solution must also support
more advanced file operations such as creating directories, deleting files, and so forth.
What is the best solution for this?
A. SFTP
B. SSH
C. SCP
D. IPSec

139. Your company allows BYOD on the network. You are concerned about the risk of malicious
apps being introduced to your network. Which of the following policies would be most help-
ful in mitigating that risk?
A. Prohibiting apps from third-party stores
B. Application blacklisting
C. Antimalware scanning
D. Requiring FDE on BYOD
140. John is the CISO for a small company. The company has password policies, but John is
not sure the policies are adequate. He is concerned that someone might be able to “crack”
company passwords. What is the best way for John to determine whether his passwords
are vulnerable?
A. Run a good vulnerability scan.
B. Perform a password policy audit.
C. Use one or more password crackers himself.
D. Ensure that passwords are stored as a hash.
141. You are scanning your network using a packet sniffer. You are seeing traffic on ports
25 and 110. What security flaw would you most likely notice on these ports?
A. Website vulnerabilities
B. Unencrypted credentials
C. Misconfigured FTP
D. Digital certificate errors
142. Abigail is a network administrator with ACME Company. She believes that a network
breach has occurred in the data center as a result of a misconfigured router access list,
allowing outside access to an SSH server. Which of the following should she search for
in the logs to confirm if such a breach occurred?
A. Traffic on port 23
B. Traffic on port 22
C. Unencrypted credentials
D. Malformed network packets
143. Gianna is evaluating the security of her company. The company has a number of mobile
apps that were developed in house for use on COPE devices. She wants to ensure that
these apps are updated as soon as an update is available. What should she ensure is being
used?
A. Firmware OTA
B. Push notifications
C. Scheduled updates
D. A policy against custom firmware

144. Liam is concerned about the security of both COPE and BYOD devices. His company uses
a lot of Android-based devices, and he is concerned about users getting administrative
access and altering security features. What should he prohibit in his company?
A. Third-party app stores
B. Jailbreaking
C. Custom firmware
D. Rooting
145. Heidi works for a large company that issues various mobile devices (tablets and phones)
to employees. She is concerned about unauthorized access to mobile devices. Which of the
following would be the best way to mitigate that concern?
A. Biometrics
B. Screen lock
C. Context-aware authentication
D. Storage segmentation
146. You are looking for a point-to-point connection method that would allow two devices to
synchronize data. The solution you pick should not be affected by EMI (electromagnetic
interference) and should be usable over distances exceeding 10 meters, provided there is a
line-of-sight connection. What would be the best solution?
A. Bluetooth
B. WiFi
C. Infrared
D. RF
147. You wish to use nmap to scan one of your servers, whose IP address is 192.168.1.16. The
target is one of your own Windows servers. You want a scan that is the most thorough,
and you are not concerned about it being detected. Which of the following would best
accomplish that?
A. nmap -sW -sL -T1 192.168.1.16/24
B. nmap -sW -sT -T1 192.168.1.16
C. nmap -sW -sT -T5 192.168.1.16/24
D. nmap -sW -sT -sO -T5 192.168.1.16
148. What command would produce the output shown here?
A. nestat -a
B. arp -a
C. arp -s
D. netstat -s
149. Ethan has noticed some users on his network accessing inappropriate videos. His network
uses a proxy server that has content filtering with blacklisting. What is the most likely
cause of this issue?
A. Sites not on the blacklist
B. Misconfigured content filtering
C. Misconfigured proxy server
D. Someone circumventing the proxy server
150. You are looking for tools to assist in penetration testing your network. Which of the
following best describes Metasploit?
A. Hacking tool
B. Vulnerability scanner
C. Exploit framework
D. Network scanner
151. Logan is responsible for enforcing security policies in his company. There are a number of
policies regarding the proper configuration of public-facing servers. Which of the follow-
ing would be the best way for Logan to check to see if such policies are being enforced?
A. Periodically audit selected servers.
B. Implement a configuration compliance scanning solution.
C. Conduct routine penetration tests of those servers.
D. Implement a vulnerability scanning solution.


++++++
+++++

Architecture and
Design
The CompTIA Security+ Exam
SY0-501 topics covered in this
chapter include the following:
✓ ✓ 3.1 Explain use cases and purpose for frameworks, best
practices and secure configuration guides.
■ ■
■ ■
Industry-standard frameworks and reference architectures
■ ■ Regulatory
■ ■ Non-regulatory
■ ■ National vs. international
■ ■ Industry-specific frameworks
Benchmarks/secure configuration guides
■ ■
■ ■
■ ■
Platform/vendor-specific guides
■ ■ Web server
■ ■ Operating system
■ ■ Application server
■ ■ Network infrastructure devices
General purpose guides
Defense-in-depth/layered security
■ ■ Vendor diversity
■ ■ Control diversity
■ ■
■ ■ Administrative
■ ■ Technical
User training
✓ ✓ 3.2 Given a scenario, implement secure network
architecture concepts.
■ ■
Zones/topologies
■ ■
DMZ■ ■
■ ■
■ ■
■ ■
■ ■ Extranet
■ ■ Intranet
■ ■ Wireless
■ ■ Guest
■ ■ Honeynets
■ ■ NAT
■ ■ Ad hoc
Segregation/segmentation/isolation
■ ■ Physical
■ ■ Logical (VLAN)
■ ■ Virtualization
■ ■ Air gaps
Tunneling/VPN
■ ■ Site-to-site
■ ■ Remote access
Security device/technology placement
■ ■ Sensors
■ ■ Collectors
■ ■ Correlation engines
■ ■ Filters
■ ■ Proxies
■ ■ Firewalls
■ ■ VPN concentrators
■ ■ SSL accelerators
■ ■ Load balancers
■ ■ DDoS mitigator
■ ■ Aggregation switches
■ ■ Taps and port mirror
SDN✓ ✓ 3.3 Given a scenario, implement secure systems design.
■ ■
■ ■
Hardware/firmware security
■ ■ FDE/SED
■ ■ TPM
■ ■ HSM
■ ■ UEFI/BIOS
■ ■ Secure boot and attestation
■ ■ Supply chain
■ ■ Hardware root of trust
■ ■ EMI/EMP
Operating systems
■ ■
■ ■
Types
■ ■ Network
■ ■ Server
■ ■ Workstation
■ ■ Appliance
■ ■ Kiosk
■ ■ Mobile OS
■ ■ Patch management
■ ■ Disabling unnecessary ports and services
■ ■ Least functionality
■ ■ Secure configurations
■ ■ Trusted operating system
■ ■ Application whitelisting/blacklisting
■ ■ Disable default accounts/passwords
Peripherals
■ ■ Wireless keyboards
■ ■ Wireless mice
■ ■ Displays
■ ■ WiFi-enabled MicroSD cards
■ ■ Printers/MFDs
■ ■ External storage devices
■ ■ Digital cameras✓ ✓ 3.4 Explain the importance of secure staging
deployment concepts.
■ ■ Sandboxing
■ ■ Environment
■ ■ Development
■ ■ Test
■ ■ Staging
■ ■ Production
■ ■ Secure baseline
■ ■ Integrity measurement
✓ ✓ 3.5 Explain the security implications of embedded
systems.
■ ■ SCADA/ICS
■ ■ Smart devices/IoT
■ ■ Wearable technology
■ ■ Home automation
■ ■ HVAC
■ ■ SoC
■ ■ RTOS
■ ■ Printers/MFDs
■ ■ Camera systems
■ ■ Special purpose
■ ■ Medical devices
■ ■ Vehicles
■ ■ Aircraft/UAV
✓ ✓ 3.6 Summarize secure application development and
deployment concepts.
■ ■
Development life-cycle models
■ ■
■ ■
Waterfall vs. Agile
Secure DevOps
■ ■ Security automation
■ ■ Continuous integration■ ■ Baselining
■ ■ Immutable systems
■ ■ Infrastructure as code
■ ■ Version control and change management
■ ■ Provisioning and deprovisioning
■ ■ Secure coding techniques
■ ■
■ ■
✓ ✓ 3.7
■ ■
■ ■ Proper error handling
■ ■ Proper input validation
■ ■ Normalization
■ ■ Stored procedures
■ ■ Code signing
■ ■ Encryption
■ ■ Obfuscation/camouflage
■ ■ Code reuse/dead code
■ ■ Server-side vs. client-side execution and validation
■ ■ Memory management
■ ■ Use of third-party libraries and SDKs
■ ■ Data exposure
Code quality and testing
■ ■ Static code analyzers
■ ■ Dynamic analysis (e.g., fuzzing)
■ ■ Stress testing
■ ■ Model verification
Compiled vs. runtime code
Summarize cloud and virtualization concepts.
Hypervisor
■ ■ Type I
■ ■ Type II
■ ■ Application cells/containers
■ ■ VM sprawl avoidance
■ ■ VM escape protection
■ ■ Cloud storage■ ■
Cloud deployment models
■ ■ SaaS
■ ■ PaaS
■ ■ IaaS
■ ■ Private
■ ■ Public
■ ■ Hybrid
■ ■ Community
■ ■ On-premise vs. hosted vs. cloud
■ ■ VDI/VDE
■ ■ Cloud access security broker
■ ■ Security as a Service
✓ ✓ 3.8 Explain how resiliency and automation strategies
reduce risk.
■ ■
Automation/scripting
■ ■ Automated courses of action
■ ■ Continuous monitoring
■ ■ Configuration validation
■ ■ Templates
■ ■ Master image
■ ■ Non-persistence
■ ■ Snapshots
■ ■ Revert to known state
■ ■ Rollback to known configuration
■ ■ Live boot media
■ ■ Elasticity
■ ■ Scalability
■ ■ Distributive allocation
■ ■ Redundancy
■ ■ Fault tolerance
■ ■ High availability
■ ■ RAID✓ ✓ 3.9
Explain the importance of physical security controls.
■ ■ Lighting
■ ■ Signs
■ ■ Fencing/gate/cage
■ ■ Security guards
■ ■ Alarms
■ ■ Safe
■ ■ Secure cabinets/enclosures
■ ■ Protected distribution/Protected cabling
■ ■ Airgap
■ ■ Mantrap
■ ■ Faraday cage
■ ■ Lock types
■ ■ Biometrics
■ ■ Barricades/bollards
■ ■ Tokens/cards
■ ■ Environmental controls
■ ■ HVAC
■ ■ Hot and cold aisles
■ ■ Fire suppression
■ ■ Cable locks
■ ■ Screen filters
■ ■ Cameras
■ ■ Motion detection
■ ■ Logs
■ ■ Infrared detection
■ ■ Key management
■
Architecture and Design
1. Caroline has been asked to find a standard to guide her company’s choices in
implementing information security management systems. She is looking for a standard
that is international. Which of the following would be the best choice for her?
A. ISO 27002
B. ISO 27017
C. NIST 800-12
D. NIST 800-14
2. You are responsible for network security at an e-commerce company. You want to ensure
that you are using best practices for the e-commerce website your company hosts. What
standard would be the best for you to review?
A. OWASP
B. NERC
C. NIST
D. ISA/IEC
3. Cheryl is responsible for cybersecurity at a mid-sized insurance company. She has decided
to utilize a different vendor for network antimalware than she uses for host antimalware.
Is this a recommended action, and why or why not?
A. This is not recommended; you should use a single vendor for a particular security
control.
B. This is recommended; this is described as vendor diversity.
C. This is not recommended; this is described as vendor forking.
D. It is neutral. This does not improve or detract from security.
4. Maria is a security administrator for a large bank. She is concerned about malware, par-
ticularly spyware that could compromise customer data. Which of the following would be
the best approach for her to mitigate the threat of spyware?
A. Computer usage policies, network antimalware, and host antimalware
B. Host antimalware and network antimalware
C. Host and network antimalware, computer usage policies, and website whitelisting
D. Host and network antimalware, computer usage policies, and employee training
5. Gabriel is setting up a new e-commerce server. He is concerned about security issues.
Which of the following would be the best location to place an e-commerce server?
A. DMZ
B. Intranet
C. Guest network
D. Extranet
6. Enrique is concerned about backup data being infected by malware. The company backs
up key servers to digital storage on a backup server. Which of the following would be
most effective in preventing the backup data being infected by malware?
A. Place the backup server on a separate VLAN.
B. Air-gap the backup server.
C. Place the backup server on a different network segment.
D. Use a honeynet.
7. Janelle is the security administrator for a small company. She is trying to improve security
throughout the network. Which of the following steps should she take first?
A. Implement antimalware on all computers.
B. Implement acceptable use policies.
C. Turn off unneeded services on all computers.
D. Turn on host-based firewalls on all computers.
8. Mary is the CISO for a mid-sized company. She is attempting to mitigate the danger
of computer viruses. Which administrative control can she implement to help achieve
this goal?
A. Implement host-based antimalware.
B. Implement policies regarding email attachments and file downloads.
C. Implement network-based antimalware.
D. Block portable storage devices from being connected to computers.
9. You are the network administrator for a large company. Your company frequently has
nonemployees in the company such as clients and vendors. You have been directed to
provide these nonemployees with access to the Internet. Which of the following is the best
way to implement this?
A. Establish a guest network.
B. Allow nonemployees to connect only to the DMZ.
C. Allow nonemployees to connect only to the intranet.
D. Establish limited accounts on your network for nonemployees to use.
10. Juan is a network administrator for an insurance company. His company has a number
of traveling salespeople. He is concerned about confidential data on their laptops. What is
the best way for him to address this?
A. FDE
B. TPM
C. SDN
D. DMZ
11. Terrance is responsible for secure communications on his company’s network. The
company has a number of traveling salespeople who need to connect to network
resources. What technology would be most helpful in addressing this need?
A. VPN concentrator
B. SSL accelerator
C. DMZ
D. Guest network
12. Mohaned is concerned about malware infecting machines on his network. One of his
concerns is that malware would be able to access sensitive system functionality that
requires administrative access. What technique would best address this issue?
A. Implementing host-based antimalware
B. Using a nonadministrative account for normal activities
C. Implementing FDE
D. Making certain the operating systems are patched
13. John works for an insurance company. His company uses a number of operating systems,
including Windows and Linux. In this mixed environment, what determines the network
operating system?
A. The OS of the DNS server
B. The OS of the domain controller
C. The OS of the majority of servers
D. The OS of the majority of client computers
14. Juanita is implementing virtualized systems in her network. She is using Type I
hypervisors. What operating system should be on the machines for her to install
the hypervisor?
A. None
B. Windows
C. Any operating system
D. Windows or Linux
15. You are responsible for security at your company. You want to improve cloud security by
following the guidelines of an established international standard. What standard would
be most helpful?
A. NIST 800-14
B. NIST 800-53
C. ISO 27017
D. ISO 27002
16. You are responsible for setting up a kiosk computer that will be in your company’s lobby.
It will be accessible for visitors to locate employee offices, obtain the guest WiFi pass-
word, and retrieve general public company information. What is the most important thing
to consider when configuring this system?
A. Using a strong administrator password
B. Limiting functionality to only what is needed
C. Using good antivirus protection
D. Implementing a host-based firewall
17. You are concerned about peripheral devices being exploited by an attacker. Which of the
following is the first step you should take to mitigate this threat?
A. Disable WiFi for any peripheral that does not absolutely need it.
B. Enable BIOS protection for peripheral devices.
C. Use strong encryption on all peripheral devices.
D. Configure antivirus on all peripherals.
18. Which design concept limits access to systems from outside users while protecting users
and systems inside the LAN?
A. DMZ
B. VLAN
C. Router
D. Guest network
19. Which of the following is the equivalent of a VLAN from a physical security perspective?
A. Perimeter security
B. Partitioning
C. Security zones
D. Firewall
20. In an attempt to observe hacker techniques, a security administrator configures a
nonproduction network to be used as a target so that he can covertly monitor network
attacks. What is this type of network called?
A. Active detection
B. False subnet
C. IDS
D. Honeynet
21. You have instructed all administrators to disable all nonessential ports on servers at their
sites. Why are nonessential protocols a security issue that you should be concerned about?
A. Nonessential ports provide additional areas of attack.
B. Nonessential ports can’t be secured.
C. Nonessential ports are less secure.
D. Nonessential ports require more administrative effort to secure.
22. Which type of firewall examines the content and context of each packet it encounters?
A. Packet filtering firewall
B. Stateful packet filtering firewall
C. Application layer firewall
D. Gateway firewall
23. Which of the following would prevent a user from installing a program on a company-
owned mobile device?
A. Whitelisting
B. Blacklisting
C. ACL
D. HIDS
24. You’re designing a new network infrastructure so that your company can allow unauthen-
ticated users connecting from the Internet to access certain areas. Your goal is to protect
the internal network while providing access to those areas. You decide to put the web
server on a separate subnet open to public contact. What is this subnet called?
A. Guest network
B. DMZ
C. Intranet
D. VLAN
25. Upper management has decreed that a firewall must be put in place immediately, before
your site suffers an attack similar to one that struck a sister company. Responding to
this order, your boss instructs you to implement a packet filter by the end of the week. A
packet filter performs which function?
A. Prevents unauthorized packets from entering the network
B. Allows all packets to leave the network
C. Allows all packets to enter the network
D. Eliminates collisions in the network
26. You’re outlining your plans for implementing a wireless network to upper management.
Which protocol was designed to provide security for a wireless network and is considered
equivalent to the security of a wired network?
A. WAP
B. WPA
C. WPA2
D. WEP
27. An IV attack is usually associated with which of the following wireless protocols?
A. WEP
B. WAP
C. WPA
D. WPA2

28. Suzan is responsible for application development in her company. She wants to have all
web applications tested prior to being deployed live. She wants to use a test system that is
identical to the live server. What is this called?
A. Production server
B. Development server
C. Test server
D. Predeployment server
29. John is responsible for security in his company. He is implementing a kernel integrity sub-
system for key servers. What is the primary benefit of this action?
A. To detect malware
B. To detect whether files have been altered
C. To detect rogue programs being installed
D. To detect changes to user accounts
30. You are responsible for BIOS security in your company. Which of the following is the
most fundamental BIOS integrity technique?
A. Verifying the BIOS version
B. Using a TPM
C. Managing BIOS passwords
D. Backing up the BIOS
31. You have been asked to implement security for SCADA systems in your company. Which
of the following standards will be most helpful to you?
A. NIST 800-82
B. PCI-DSS
C. NIST 800-30
D. ISO 27002
32. Joanne works for a large insurance company. Some employees have wearable technology,
such as smart watches. What is the most significant security concern from such devices?
A. These devices can distract employees.
B. These devices can be used to carry data in and out of the company.
C. These devices may not have encrypted drives.
D. These devices may not have strong passwords.
33. John is installing an HVAC system in his datacenter. What will this HVAC have the most
impact on?
A. Confidentiality
B. Availability
C. Fire suppression
D. Monitoring access to the datacenter
34. Maria is a security engineer with a manufacturing company. During a recent investiga-
tion, she discovered that an engineer’s compromised workstation was being used to con-
nect to SCADA systems while the engineer was not logged in. The engineer is responsible
for administering the SCADA systems and cannot be blocked from connecting to them.
What should Maria do to mitigate this threat?
A. Install host-based antivirus software on the engineer’s system.
B. Implement account usage auditing on the SCADA system.
C. Implement an NIPS on the SCADA system.
D. Use FDE on the engineer’s system.
35. Lucy works as a network administrator for a large company. She needs to administer sev-
eral servers. Her objective is to make it easy to administer and secure these servers, as well
as making the installation of new servers more streamlined. Which of the following best
addresses these issues?
A. Setting up a cluster
B. Virtualizing the servers
C. Putting the servers on a VLAN
D. Putting the servers on a separate subnet
36. Gerard is responsible for secure communications with his company’s e-commerce server.
All communications with the server use TLS. What is the most secure option for Gerard
to store the private key on the e-commerce server?
A. HSM
B. FDE
C. SED
D. SDN
37. You are the security officer for a large company. You have discovered malware on one of
the workstations. You are concerned that the malware might have multiple functions and
might have caused more security issues with the computer than you can currently detect.
What is the best way to test this malware?
A. Leave the malware on that workstation until it is tested.
B. Place the malware in a sandbox environment for testing.
C. It is not important to test it; just remove it from the machine.
D. Place the malware on a honeypot for testing.
38. Web developers in your company currently have direct access to the production server and
can deploy code directly to it. This can lead to unsecure code, or simply code flaws being
deployed to the live system. What would be the best change you could make to mitigate
this risk?
A. Implement sandboxing.
B. Implement virtualized servers.
C. Implement a staging server.
D. Implement deployment policies.
39. Denish is concerned about the security of embedded devices in his company. He is most
concerned about the operating system security for such devices. Which of the following
would be the best option for mitigating this threat?
A. RTOS
B. SCADA
C. FDE
D. TPM
40. Which of the following 802.11 standards is supported in WPA2, but not in WEP or WPA?
A. 802.11a
B. 802.11b
C. 802.11i
D. 802.11n
41. Teresa is responsible for WiFi security in her company. Which wireless security protocol
uses TKIP?
A. WPA
B. CCMP
C. WEP
D. WPA2
42. Juan is responsible for wireless security in his company. He has decided to disable the SSID
broadcast on the single AP the company uses. What will the effect be on client machines?
A. They will no longer be able to use wireless networking.
B. They will no longer see the SSID as a preferred network when they are connected.
C. They will no longer see the SSID as an available network.
D. They will be required to make the SSID part of their HomeGroup.
43. Which cloud service model provides the consumer with the infrastructure to create appli-
cations and host them?
A. SaaS
B. PaaS
C. IaaS
D. CaaS
44. Which cloud service model gives the consumer the ability to use applications provided by
the cloud provider over the Internet?
A. SaaS
B. PaaS
C. IaaS
D. CaaS
45. Which feature of cloud computing involves dynamically provisioning (or deprovisioning)
resources as needed?
A. Multitenancy
B. Elasticity
C. CMDB
D. Sandboxing
46. Which type of hypervisor implementation is known as “bare metal”?
A. Type I
B. Type II
C. Type III
D. Type IV
47. Mohaned is a security analyst and has just removed malware from a virtual server. What
feature of virtualization would he use to return the virtual server to a last known good
state?
A. Sandboxing
B. Hypervisor
C. Snapshot
D. Elasticity
48. Lisa is concerned about fault tolerance for her database server. She wants to ensure that if
any single drive fails, it can be recovered. What RAID level would support this goal while
using distributed parity bits?
A. RAID 0
B. RAID 1
C. RAID 3
D. RAID 5
49. Jarod is concerned about EMI affecting a key escrow server. Which method would be
most effective in mitigating this risk?
A. VLAN
B. SDN
C. Trusted platform module
D. Faraday cage
50. John is responsible for physical security at his company. He is particularly concerned
about an attacker driving a vehicle into the building. Which of the following would
provide the best protection against this threat?
A. A gate
B. Bollards
C. A security guard on duty
D. Security cameras
51. Mark is responsible for cybersecurity at a small college. There are many computer labs
that are open for students to use. These labs are monitored only by a student worker, who
may or may not be very attentive. Mark is concerned about the theft of computers. Which
of the following would be the best way for him to mitigate this threat?
A. Cable locks
B. FDE on the lab computers
C. Strong passwords on the lab computers
D. Having a lab sign-in sheet
52. Joanne is responsible for security at a power plant. The facility is very sensitive and secu-
rity is extremely important. She wants to incorporate two-factor authentication with
physical security. What would be the best way to accomplish this?
A. Smart cards
B. A mantrap with a smart card at one door and a pin keypad at the other door
C. A mantrap with video surveillance
D. A fence with a smart card gate access
53. Which of the following terms refers to the process of establishing a standard for security?
A. Baselining
B. Security evaluation
C. Hardening
D. Normalization
54. You are trying to increase security at your company. You’re currently creating an outline
of all the aspects of security that will need to be examined and acted on. Which of the fol-
lowing terms describes the process of improving security in a trusted OS?
A. FDE
B. Hardening
C. SED
D. Baselining
55. Which level of RAID is a “stripe of mirrors”?
A. RAID 1+0
B. RAID 6
C. RAID 0
D. RAID 1
56. Isabella is responsible for database management and security. She is attempting to remove
redundancy in the database. What is this process called?
A. Integrity checking
B. Deprovisioning
C. Baselining
D. Normalization
57. A list of applications approved for use on your network would be known as which of the
following?
A. Blacklist
B. Red list
C. Whitelist
D. Orange list
58. Hans is a security administrator for a large company. Users on his network visit a wide
range of websites. He is concerned they might get malware from one of these many web-
sites. Which of the following would be his best approach to mitigate this threat?
A. Implement host-based antivirus.
B. Blacklist known infected sites.
C. Set browsers to allow only signed components.
D. Set browsers to block all active content (ActiveX, JavaScript, etc.).
59. Elizabeth has implemented agile development for her company. What is the primary dif-
ference between agile development and the waterfall method?
A. Agile has fewer phases.
B. Waterfall has fewer phases.
C. Agile is more secure.
D. Agile repeats phases.
60. John is using the waterfall method for application development. At which phase should he
implement security measures?
A. Requirements
B. Design
C. Implementation
D. All
61. You are responsible for database security at your company. You are concerned that pro-
grammers might pass badly written SQL commands to the database, or that an attacker
might exploit badly written SQL in applications. What is the best way to mitigate this
threat?
A. Programmer training
B. Programming policies
C. Agile programming
D. Stored procedures

62. Mary is concerned about application security for her company’s application development.
Which of the following is the most important step for addressing application security?
A. Proper error handling
B. Regular data backups
C. Encrypted data transmission
D. Strong authentication
63. Farès is responsible for managing the many virtual machines on his company’s networks.
Over the past two years, the company has increased the number of virtual machines sig-
nificantly. Farès is no longer able to effectively manage the large number of machines.
What is the term for this situation?
A. VM overload
B. VM sprawl
C. VM spread
D. VM zombies
64. Mary is responsible for virtualization management in her company. She is concerned
about VM escape. Which of the following methods would be the most effective in mitigat-
ing this risk?
A. Only share resources between the VM and host if absolutely necessary.
B. Keep the VM patched.
C. Use a firewall on the VM.
D. Use host-based antimalware on the VM.
65. You work at a large company. You are concerned about ensuring that all workstations
have a common configuration, no rogue software is installed, and all patches are kept up
to date. Which of the following would be the most effective for accomplishing this?
A. Use VDE.
B. Implement strong policies.
C. Use an image for all workstations.
D. Implement strong patch management.
66. Juan is responsible for the physical security of the company server room. He has been
asked to recommend a type of fire suppression system for the server room. Which of the
following would be the best choice?
A. Wet pipe
B. Deluge
C. Pre-action
D. Halon
67. You are responsible for server room security for your company. You are concerned about
physical theft of the computers. Which of the following would be best able to detect theft
or attempted theft?
A. Motion sensor–activated cameras
B. Smart card access to the server rooms
C. Strong deadbolt locks for the server rooms
D. Logging everyone who enters the server room
68. Teresa has deployed session tokens on her network. These would be most effective against
which of the following attacks?
A. DDoS
B. Replay
C. SYN flood
D. Malware
69. Hector is using infrared cameras to verify that servers in his datacenter are being properly
racked. Which of the following datacenter elements is he concerned about?
A. EMI blocking
B. Humidity control
C. Hot and cold aisles
D. HVAC
70. Gerald is concerned about unauthorized people entering the company’s building. Which
of the following would be most effective in preventing this?
A. Alarm systems
B. Fencing
C. Cameras
D. Security guards
71. Which of the following is the most important benefit from implementing SDN?
A. It will stop malware.
B. It provides scalability.
C. It will detect intrusions.
D. It will prevent session hijacking.
72. Mark is an administrator for a health care company. He has to support an older, legacy
application. He is concerned that this legacy application might have vulnerabilities that
would affect the rest of the network. What is the most efficient way to mitigate this?
A. Use an application container.
B. Implement SDN.
C. Run the application on a separate VLAN.
D. Insist on an updated version of the application.
73. Lars is auditing the physical security of a company. The company uses chain-link fences
on its perimeter. The fence is over pavement, not soft ground. How close to the ground
should the bottom of the fence be?
A. Touching the ground
B. Within 4 inches
C. There is no standard for this.
D. Within 2 inches
74. Mia has to deploy and support a legacy application. The configuration for this application
and the OS it runs on are very specific and cannot be changed. What is the best approach
for her to deploy this?
A. Use an immutable server.
B. Use a VM.
C. Set permissions on the application so it cannot be changed.
D. Place the application on a separate VLAN.
75. To mitigate the impact of a software vendor going out of business, a company that uses
vendor software should require which one of the following?
A. A detailed credit investigation prior to acquisition
B. A third-party source-code escrow
C. Substantial penalties for breach of contract
D. Standby contracts with other vendors
76. Abigail is responsible for datacenters in a large, multinational company. She has to sup-
port multiple datacenters in diverse geographic regions. What would be the most effective
way for her to manage these centers consistently across the enterprise?
A. Hire datacenter managers for each center.
B. Implement enterprise-wide SDN.
C. Implement Infrastructure as Code (IaC).
D. Automate provisioning and deprovisioning.
77. Olivia is responsible for web application security for her company’s e-commerce server.
She is particularly concerned about XSS and SQL injection. Which technique would be
most effective in mitigating these attacks?
A. Proper error handling
B. The use of stored procedures
C. Proper input validation
D. Code signing
78. Sophia wants to test her company’s web application to see if it is handling input validation
and data validation properly. Which testing method would be most effective for this?
A. Static code analysis
B. Fuzzing
C. Baselining
D. Version control
79. Omar is using the waterfall method for software development in his company. Which of
the following is the proper sequence for the waterfall method?
A. Requirements, design, implementation, testing, deployment, maintenance
B. Planning, designing, coding, testing, deployment
C. Requirements, planning, designing, coding, testing, deployment
D. Design, coding, testing, deployment, maintenance
80. Lilly is responsible for security on web applications for her company. She is checking to
see that all applications have robust input validation. What is the best way to implement
validation?
A. Server-side validation
B. Client-side validation
C. Validate in transit
D. Client-side and server-side validation
81. Edward is responsible for web application security at a large insurance company. One
of the applications that he is particularly concerned about is used by insurance adjusters
in the field. He wants to have strong authentication methods to mitigate misuse of the
application. What would be his best choice?
A. Authenticate the client with a digital certificate.
B. Implement a very strong password policy.
C. Secure application communication with TLS.
D. Implement a web application firewall (WAF).
82. Sarah is the CIO for a small company. The company uses several custom applications
that have complicated interactions with the host operating system. She is concerned about
ensuring that systems on her network are all properly patched. What is the best approach
in her environment?
A. Implement automatic patching.
B. Implement a policy that has individual users patch their systems.
C. Delegate patch management to managers of departments so they can find the best
patch management for their departments.
D. Immediately deploy patches to a test environment, then as soon as testing is complete
have a staged rollout to the network.
83. John is examining the logs for his company’s web applications. He discovers what he
believes is a breach. After further investigation, it appears as if the attacker executed code
from one of the libraries the application uses, code that is no longer even used by the
application. What best describes this attack?
A. Buffer overflow
B. Code reuse attack
C. DoS attack
D. Session hijacking
84. Emiliano is a network administrator and is concerned about the security of peripheral
devices. Which of the following would be a basic step he could take to improve security
for those devices?
A. Implement FDE.
B. Turn off remote access (SSH, telnet, etc.) if not needed.
C. Utilize fuzzy testing for all peripherals.
D. Implement digital certificates for all peripherals.
85. Ixxia is a software development team manager. She is concerned about memory leaks in
code. What type of testing is most likely to find memory leaks?
A. Fuzzing
B. Stress testing
C. Static code analysis
D. Normalization
86. Victor is a network administrator for a medium-sized company. He wants to be able to
access servers remotely so that he can perform small administrative tasks from remote
locations. Which of the following would be the best protocol for him to use?
A. SSH
B. Telnet
C. RSH
D. SNMP
87. Mark is responsible for a server that runs sensitive software for a major research facility.
He is very concerned that only authorized software execute on this server. He is also
concerned about malware masquerading as legitimate, authorized software. What
technique would best address this concern?
A. Secure boot
B. Software attestation
C. Sandboxing
D. TPM
88. Hannah is a programmer with a large software company. She is interested in ensuring that
the module she just created will work well with a module created by another program.
What type of testing is this?
A. Unit testing
B. Regression testing
C. Stress testing
D. Integration testing
89. Erik is responsible for the security of a SCADA system. Availability is a critical issue.
Which of the following is most important to implement?
A. SIEM
B. IPS
C. Automated patch control
D. Honeypot
90. You are concerned about the security of new devices your company has implemented.
Some of these devices use SoC technology. What would be the best security measure you
could take for these?
A. Using a TPM
B. Ensuring each has its own cryptographic key
C. Using SED
D. Using BIOS protection
91. Vincent works for a company that manufactures portable medical devices, such as insulin
pumps. He is concerned about ensuring these devices are secure. Which of the following is
the most important step for him to take?
A. Ensure all communications with the device are encrypted.
B. Ensure the devices have FDE.
C. Ensure the devices have individual antimalware.
D. Ensure the devices have been fuzz tested.
92. Emile is concerned about securing the computer systems in vehicles. Which of the follow-
ing vehicle types has significant cybersecurity vulnerabilities?
A. UAV
B. Automobiles
C. Airplanes
D. All of the above
93. Ariel is responsible for software development in her company. She is concerned that the
software development team integrate well with the network system. She wants to ensure
that software development processes are aligned with the security needs of the entire
network. Which of the following would be most important for her to implement?
A. Integration testing
B. Secure DevOps
C. Clear policies
D. Employee training

94. Greg is a programmer with a small company. He is responsible for the web application.
He has become aware that one of the modules his web application uses may have a secu-
rity flaw allowing an attacker to circumvent authentication. There is an update available
for this module that fixes the flaw. What is the best approach for him to take to mitigate
this threat?
A. Submit an RFC.
B. Immediately apply the update.
C. Place the update on a test server, then if it works apply it to the production server.
D. Document the issue.
95. You are using a sophisticated system that models various attacks on your networks. You
intend for this system to help your team realize weak areas and improve response to
incidents. What is the most important step to take before relying on data from this system?
A. Get approval from a CAB.
B. Thoroughly review the systems documentation.
C. Verify the models being used.
D. Perform integration testing on the system.
96. Your company has an accounting application that was developed in-house. It has been in
place for 36 months, and functioning very well, with very few issues. You have just made
a minor change to the tax calculation based on a change in tax law. What should be your
next step?
A. Deploy the change.
B. Get CAB approval for the change.
C. Perform stress testing.
D. Perform regression testing.
97. Tom works as a software development manager for a large company. He is trying to
explain to management the difference between compiled code and runtime code. What is
the biggest advantage of compiled code?
A. Better performance
B. Platform independence
C. More secure
D. Faster development time
98. Your company is interested in keeping data in the cloud. Management feels that public
clouds are not secure but is concerned about the cost of a private cloud. What is the
solution you would recommend?
A. Tell them there are no risks with public clouds.
B. Tell them they will have to find a way to budget for a private cloud.
C. Suggest that they consider a community cloud.
D. Recommend against a cloud solution at this time.
99. Your development team primarily uses Windows, but they need to develop a specific solu-
tion that will run on Linux. What is the best solution to getting your programmers access
to Linux systems for development and testing?
A. Set their machines to dual-boot Windows and Linux.
B. PaaS
C. Set up a few Linux machines for them to work with as needed.
D. IaaS
100. Daniel works for a mid-sized financial institution. The company has recently moved some
of its data to a cloud solution. Daniel is concerned that the cloud provider may not sup-
port the same security policies as the company’s internal network. What is the best way to
mitigate this concern?
A. Implement a cloud access security broker.
B. Perform integration testing.
C. Establish cloud security policies.
D. Implement Security as a Service.
101. Hanz is responsible for the e-commerce servers at his company. He is concerned about
how they will respond to a DoS attack. Which software testing methodology would be
most helpful in determining this?
A. Regression testing
B. Stress testing
C. Integration testing
D. Fuzz testing
102. You are the CIO for a small company. The company wants to use cloud storage for some
of its data, but cost is a major concern. Which of the following cloud deployment models
would be best?
A. Community cloud
B. Private cloud
C. Public cloud
D. Hybrid cloud
103. Alisha is monitoring security for a mid-sized financial institution. Under her predecessor
there were multiple high-profile breaches. Management is very concerned about detecting
any security issues or breach of policy as soon as possible. Which of the following would
be the best solution for this?
A. Monthly audits
B. NIPS
C. NIDS
D. Continuous monitoring

104. Helga works for a bank and is responsible for secure communications with the online
banking application. The application uses TLS to secure all customer communications.
She has noticed that since migrating to larger encryption keys, the server’s performance
has declined. What would be the best way to address this issue?
A. Implement a VPN concentrator.
B. Implement an SSL accelerator.
C. Return to smaller encryption keys.
D. Upgrade all servers.
105. What is the primary advantage of allowing only signed code to be installed on computers?
A. It guarantees that malware will not be installed.
B. It improves patch management.
C. It verifies who created the software.
D. It executes faster on computers with a TPM.
106. Which of the following is the best description for VM sprawl?
A. When VMs on your network outnumber physical machines
B. When there are more VMs than IT can effectively manage
C. When a VM on a computer begins to consume too many resources
D. When VMs are spread across a wide area network
107. Which of the following is the best description of a stored procedure?
A. Code that is in a DLL, rather than the executable
B. Server-side code that is called from a client
C. SQL statements compiled on the database server as a single procedure that can be
called
D. Procedures that are kept on a separate server from the calling application, such as in
middleware
108. Farès is responsible for security at his company. He has had bollards installed around the
front of the building. What is Farès trying to accomplish?
A. Gated access for people entering the building
B. Video monitoring around the building
C. Protecting against EMI
D. Preventing a vehicle from being driven into the building
109. Jane is concerned about servers in her datacenter. She is particularly worried about EMI.
What damage might EMI most likely cause to servers?
A. Damage to chips (CPU or RAM)
B. Temperature control issues
C. Malware infections
D. The staff could be locked out of the servers.
110. You are concerned about VM escape attacks. Which of the following would provide the
most protection against this?
A. Completely isolate the VM from the host.
B. Install a host-based antivirus on both the VM and the host.
C. Implement FDE on both the VM and the host.
D. Use a TPM on the host.
111. Teresa is the network administrator for a small company. The company is interested in a
robust and modern network defense strategy but lacks the staff to support it. What would
be the best solution for Teresa to use?
A. Implement SDN.
B. Use automated security.
C. Use Security as a Service.
D. Implement only as much security controls as they can support.
112. Dennis is trying to set up a system to analyze the integrity of applications on his network.
He wants to make sure that the applications have not been tampered with or Trojaned.
What would be most useful in accomplishing this goal?
A. Implement NIPS.
B. Use cryptographic hashes.
C. Sandbox the applications in question.
D. Implement NIDS.
113. George is a network administrator at a power plant. He notices that several turbines had
unusual ramp-ups in cycles last week. After investigating, he finds that an executable was
uploaded to the system control console and caused this. Which of the following would be
most effective in preventing this from affecting the SCADA system in the future?
A. Implement SDN.
B. Improve patch management.
C. Place the SCADA system on a separate VLAN.
D. Implement encrypted data transmissions.
114. Tom is responsible for VPN connections in his company. His company uses IPSec for
VPNs. What is the primary purpose of AH in IPSec?
A. Encrypt the entire packet.
B. Encrypt just the header.
C. Authenticate the entire packet.
D. Authenticate just the header.
115. Mia is a network administrator for a bank. She is responsible for secure communications
with her company’s customer website. Which of the following would be the best for her to
implement?
A. SSL
B. PPTP
C. IPSec
D. TLS

116. Abigail is responsible for setting up an NIPS on her network. The NIPS is located in one
particular network segment. She is looking for a passive method to get a copy of all traf-
fic to the NIPS network segment so that it can analyze the traffic. Which of the following
would be her best choice?
A. Using a network tap
B. Using port mirroring
C. Setting the NIPS on a VLAN that is connected to all other segments
D. Setting up an NIPS on each segment
117. Janice is explaining how IPSec works to a new network administrator. She is trying to
explain the role of IKE. Which of the following most closely matches the role of IKE in
IPSec?
A. It encrypts the packet.
B. It establishes the SAs.
C. It authenticates the packet.
D. It establishes the tunnel.
118. Jeff is the security administrator for an e-commerce site. He is concerned about DoS
attacks. Which of the following would be the most effective in addressing this?
A. DDoS mitigator
B. WAF with SPI
C. NIPS
D. Increased available bandwidth
119. Doug is a network administrator for a small company. The company has recently imple-
mented an e-commerce server. This has placed a strain on network bandwidth. What
would be the most cost-effective means for him to address this issue?
A. Isolate the new server on a separate network segment.
B. Upgrade the network to CAT 7.
C. Move to fiber optic.
D. Implement aggregation switches.
120. Liam is responsible for monitoring security events in his company. He wants to see how
diverse events may connect. He is interested in identifying different indicators of compro-
mise that may point to the same breach. Which of the following would be most helpful for
him to implement?
A. NIDS
B. SIEM
C. Correlation engine
D. Aggregation switch
121. Emily manages the IDS/IPS for her network. She has an NIPS installed and properly
configured. It is not detecting obvious attacks on one specific network segment. She has
verified that the NIPS is properly configured and working properly. What would be the
most efficient way for her to address this?
A. Implement port mirroring for that segment.
B. Install an NIPS on that segment.
C. Upgrade to a more effective NIPS.
D. Isolate that segment on its own VLAN.
122. You have been instructed to find a VPN solution for your company. Your company uses
TACACS+ for remote access. Which of the following would be the best VPN solution for
your company?
A. PPTP
B. RADIUS
C. L2TP
D. CHAP
123. Jacob is the CIO for a mid-sized company. His company has very good security policies
and procedures. The company has outsourced its web application development to a well-
known web programming company. Which of the following should be the most important
security issue for Jacob to address?
A. The web application vendor’s hiring practices
B. The financial stability of the web application vendor
C. Security practices of the web application vendor
D. Having an escrow for the source code
124. Gerard is responsible for physical security at his company. He is considering using cam-
eras that would detect a burglar entering the building at night. Which of the following
would be most useful in accomplishing this goal?
A. Motion-sensing camera
B. Infrared-sensing camera
C. Sound-activated camera
D. HD camera
125. Tim is implementing a Faraday cage around his server room. What is the primary purpose
of a Faraday cage?
A. Regulate temperature
B. Regulate current
C. Block intrusions
D. Block EMI
126. You are working for a large company. You are trying to find a solution that will provide
controlled physical access to the building and record every employee who enters the
building. Which of the following would be the best for you to implement?
A. A security guard with a sign-in sheet
B. Smart card access
C. A camera by the entrance
D. A sign-in sheet by the front door
127. David is responsible for cryptographic keys in his company. What is the best way to
deauthorize a public key?
A. Send out a network alert.
B. Delete the digital certificate.
C. Publish that certificate in the CRL.
D. Notify the RA.
128. Thomas is trying to select the right fire extinguisher for his company’s server room.
Which of the following would be his best choice?
A. Type A
B. Type B
C. Type C
D. Type D
129. Carole is concerned about security for her server room. She wants the most secure lock
she can find for the server room door. Which of the following would be the best choice for
her?
A. Combination lock
B. Key-in-knob
C. Deadbolt
D. Padlock
130. What is the ideal humidity range for a server room?
A. 70% to 80%
B. 40% to 60%
C. Below 30%
D. Above 70%
131. Molly is implementing biometrics in her company. Which of the following should be her
biggest concern?
A. FAR
B. FRR
C. CER
D. EER
132. Daniel is responsible for physical security in his company. All external doors have
electronic smart card access. In an emergency such as a power failure, how should the
doors fail?
A. Fail secure
B. Fail closed
C. Fail open
D. Fail locked
133. Donald is responsible for networking for a defense contractor. He is concerned that
emanations from UTP cable could reveal classified information. Which of the following
would be his most effective way to address this?
A. Migrate to CAT 7 cable.
B. Implement protected cabling.
C. Place all cable in a Faraday cage.
D. Don’t send any classified information over the cable.
134. Fred is responsible for physical security in his company. He wants to find a good way
to protect the USB thumb drives that have BitLocker keys stored on them. Which of the
following would be the best solution for this situation?
A. Store the drives in a secure cabinet.
B. Encrypt the thumb drives.
C. Don’t store BitLocker keys on these drives.
D. Lock the thumb drives in desk drawers.
135. Juanita is responsible for servers in her company. She is looking for a fault-tolerant
solution that can handle two drives failing. Which of the following should she select?
A. RAID 1+0
B. RAID 3
C. RAID 5
D. RAID 6
136. You are a network administrator for a mid-sized company. You need all workstations to
have the same configuration. What would be the best way for you to accomplish this?
A. Push out a configuration file.
B. Implement a policy requiring all workstations to be configured the same way.
C. Ensure all computers have the same version of the operating system and the same
applications installed.
D. Use a master image that is properly configured and image all workstations from that.

137. Mike is a network administrator for an e-commerce company. There have been several
updates to the operating system, the web server software, and the web application, all
within the last 24 hours. It appears that one of these updates has caused a significant
security problem. What would be the best approach for Mike to take to correct this
problem?
A. Remove the updates one at a time to see which corrects the problem.
B. Roll the server back to the last known good state.
C. Investigate and find out which update caused the problem, and remove only that
update.
D. Investigate and find out which update caused the problem, and find a patch for that
issue.
138. Which device would most likely process the following rules?
PERMIT IP ANY EQ 443
DENY IP ANY ANY
A. NIPS
B. HIPS
C. Content filter
D. Firewall
139. Ixxia is responsible for security at a mid-sized company. She wants to prevent users on her
network from visiting job-hunting sites while at work. Which of the following would be
the best device to accomplish this goal?
A. Proxy server
B. NAT
C. Firewall
D. NIPS
140. You are responsible for an e-commerce site. The site is hosted in a cluster. Which of the
following techniques would be best in assuring availability?
A. A VPN concentrator
B. Aggregate switching
C. An SSL accelerator
D. Load balancing
141. When you are concerned about application security, what is the most important issue in
memory management?
A. Never allocate a variable any larger than is needed.
B. Always check bounds on arrays.
C. Always declare a variable where you need it (i.e., at function or file level if possible).
D. Make sure you release any memory you allocate.
142. Darrel is looking for a cloud solution for his company. One of the requirements is that
the IT staff can make the transition with as little change to the existing infrastructure as
possible. Which of the following would be his best choice?
A. Off-premises cloud
B. On-premises cloud
C. Hybrid solution
D. Use only a community cloud
143. Ryan is concerned about the security of his company’s web application. Since the
application processes confidential data, he is most concerned about data exposure. Which
of the following would be the most important for him to implement?
A. WAF
B. TLS
C. NIPS
D. NIDS
144. Arjun has just taken over web application security for a small company. He notices that
some values are temporarily stored in hidden fields on one of the web pages. What is this
called and how would it be best characterized?
A. This is obfuscation, a weak security measure.
B. This is data hiding, a weak security measure.
C. This is obfuscation, a possible security flaw.
D. This is data hiding, a possible security flaw.
145. What is the primary reason a company would consider implementing Agile programming?
A. To speed up development time
B. To improve development documentation
C. To focus more on design
D. To focus more on testing
146. When you’re implementing security cameras in your company, which of the following is
the most important concern?
A. High-definition video
B. Large storage capacity
C. How large an area the camera can cover
D. Security of the camera and video storage
147. What is the primary security issue presented by monitors?
A. Unauthorized users may see confidential data.
B. Data can be detected from electromagnetic emanations.
C. Poor authentication
D. Screen burn

148. Clark is responsible for mobile device security in his company. Which of the following is
the most important security measure for him to implement?
A. Encrypted drives
B. Patch management
C. Remote wiping
D. Geotagging
149. Which of the following security measures is most effective against phishing attacks?
A. User training
B. NIPS
C. Spam filters
D. Content filter
150. You are the CISO for a mid-sized health care company. Which of the following is the most
important for you to implement?
A. Industry best practices
B. Contractual requirements
C. Strong security policies
D. Regulatory requirements

+++++
++++


4
Identity and Access
Management
The CompTIA Security+ Exam
SY0-501 topics covered in this
chapter include the following:
✓ ✓ 4.1 Compare and contrast identity and access
management concepts.
■ ■
Identification, authentication, authorization and accounting
(AAA)
■ ■
Multifactor authentication
■ ■ Something you are
■ ■ Something you have
■ ■ Something you know
■ ■ Somewhere you are
■ ■ Something you do
■ ■ Federation
■ ■ Single sign-on
■ ■ Transitive trust
✓ ✓ 4.2 Given a scenario, install and configure identity and
access services.
■ ■ LDAP
■ ■ Kerberos
■ ■ TACACS+
■ ■ CHAP
■ ■ PAP
■ ■ MSCHAP
■ ■ RADIUS
■ ■ SAML
■ ■ OpenID Connect■ ■ OAUTH
■ ■ Shibboleth
■ ■ Secure token
■ ■ NTLM
✓ ✓ 4.3 Given a scenario,implement identity and access
management controls.
■ ■
■ ■
■ ■
■ ■
■ ■
Access control models
■ ■ MAC
■ ■ DAC
■ ■ ABAC
■ ■ Role-based access control
■ ■ Rule-based access control
Physical access control
■ ■ Proximity cards
■ ■ Smart cards
Biometric factors
■ ■ Fingerprint scanner
■ ■ Retinal scanner
■ ■ Iris scanner
■ ■ Voice recognition
■ ■ Facial recognition
■ ■ False acceptance rate
■ ■ False rejection rate
■ ■ Crossover error rate
Tokens
■ ■ Hardware
■ ■ Software
■ ■ HOTP/TOTP
Certificate-based authentication
■ ■ PIV/CAC/smart card
■ ■ IEEE 802.1x■ ■ File system security
■ ■ Database security
✓ ✓ 4.4 Given a scenario, differentiate common account
management practices.
■ ■
■ ■
■ ■
Account types
■ ■ User account
■ ■ Shared and generic accounts/credentials
■ ■ Guest accounts
■ ■ Service accounts
■ ■ Privileged accounts
General Concepts
■ ■ Least privilege
■ ■ Onboarding/offboarding
■ ■ Permission auditing and review
■ ■ Usage auditing and review
■ ■ Time-of-day restrictions
■ ■ Recertification
■ ■ Standard naming convention
■ ■ Account maintenance
■ ■ Group-based access control
■ ■ Location-based policies
Account policy enforcement
■ ■ Credential management
■ ■ Group policy
■ ■ Password complexity
■ ■ Expiration
■ ■ Recovery
■ ■ Disablement
■ ■ Lockout
■ ■ Password history
■ ■ Password reuse
■ ■ Password lengthChapter 4
114
■
Identity and Access Management
1. Jack is using smart cards for authentication. He is trying to classify the type of authentica-
tion for a report to his CIO. What type of authentication is Jack using?
A. Type I
B. Type II
C. Type III
D. Strong
2. Carole is responsible for various network protocols at her company. The network time
protocol has been intermittently failing. Which of the following would be most affected?
A. Kerberos
B. RADIUS
C. CHAP
D. LDAP
3. You are selecting an authentication method for your company’s servers. You are looking
for a method that periodically reauthenticates clients to prevent session hijacking. Which
of the following would be your best choice?
A. PAP
B. SPAP
C. CHAP
D. OAUTH
4. Emiliano is working for a small company. His company is concerned about authentica-
tion and wants to implement biometrics using facial recognition and fingerprint scanning.
How would this authentication be classified?
A. Type I
B. Type II
C. Type III
D. Strong
5. Lisa is setting up accounts for her company. She wants to set up accounts for the Oracle
database server. Which of the following would be the best type of account to assign to the
database service?
A. User
B. Guest
C. Admin
D. Service
6. You have been asked to select an authentication method that will support single sign-on,
integrate with SAML, and work well over the Internet. Which of the following would be
your best choice?
A. Shibboleth
B.
OAUTHChapter 4
C. SPAP
D. CHAP
■
Identity and Access Management
115
7. Which authentication method was used as a native default for older versions of Microsoft
Windows?
A. PAP
B. CHAP
C. OAUTH
D. NTLM
8. Carl has been asked to set up access control for a server. The requirements state that users
at a lower privilege level should not be able to see or access files or data at a higher privi-
lege level. What access control model would best fit these requirements?
A. MAC
B. DAC
C. RBAC
D. SAML
9. Clarice is concerned about an attacker getting information regarding network resources
in her company. Which protocol should she implement that would be most helpful in miti-
gating this risk?
A. LDAP
B. TLS
C. SNMP
D. LDAPS
10. Ahmed is looking for an authentication protocol for his network. He is very concerned
about highly skilled attackers. As part of mitigating that concern, he wants an authentica-
tion protocol that never actually transmits a user’s password, in any form. Which authen-
tication protocol would be a good fit for Ahmed’s needs?
A. CHAP
B. Kerberos
C. RBAC
D. Type II
11. You work for a social media website. You wish to integrate your users’ accounts with
other web resources. To do so, you need to allow authentication to be used across differ-
ent domains, without exposing your users’ passwords to these other services. Which of the
following would be most helpful in accomplishing this goal?
A. Kerberos
B. SAML
C. OAUTH
D. OpenIDChapter 4
116
■
Identity and Access Management
12. Mary is trying to set up remote access to her network for salespeople in her company.
Which protocol would be most helpful in accomplishing this goal?
A. RADIUS
B. Kerberos
C. CHAP
D. OpenID
13. Victor is trying to identify the protocol used by Windows for authentication to a server
that is not part of the network domain. Which of the following would be most useful for
Victor?
A. Kerberos
B. NTLM
C. OpenID
D. CHAP
14. You have been asked to find an authentication service that is handled by a third party.
The service should allow users to access multiple websites, as long as they support the
third-party authentication service. What would be your best choice?
A. OpenID
B. Kerberos
C. NTLM
D. Shibboleth
15. Abigail is implementing biometrics for her company. She is trying to get the false rejection
rate and false acceptance rate to the same level. What is the term used for this?
A. Crossover error rate
B. Leveling
C. Balanced error rate
D. Remediation
16. Mia is responsible for website security for a bank. When a user forgets their password, she
wants a method to give them a temporary password. Which of the following would be the
best solution for this situation?
A. Facial recognition
B. Digital certificate authentication
C. RBAC
D. TOTP
17. George wants a secure authentication protocol that can integrate with RADIUS and can
use digital certificates. Which of the following would be his best choice?
A. CHAP
B.
802.11iChapter 4
C. 802.1x
D. OAUTH
■
Identity and Access Management
117
18. Jacob is responsible for database server security in his company. He is very concerned
about preventing unauthorized access to the databases. Which of the following would be
the most appropriate for him to implement?
A. ABAC
B. TOTP
C. HIDS
D. DAMP
19. Mason is responsible for security at a company that has traveling salespeople. The com-
pany has been using ABAC for access control to the network. Which of the following is an
issue that is specific to ABAC and might cause it to incorrectly reject logins?
A. Geographic location
B. Wrong password
C. Remote access is not allowed by ABAC.
D. Firewalls usually block ABAC.
20. You work for a U.S. defense contractor. You are setting up access cards that have chips
embedded in them to provide access control for users in your company. Which of the fol-
lowing types of cards would be best for you to use?
A. CAC
B. PIV
C. NFC
D. Smart card
21. Darrell is concerned that users on his network have too many passwords to remember and
might write down their passwords, thus creating a significant security risk. Which of the
following would be most helpful in mitigating this issue?
A. OAUTH
B. SSO
C. OpenID
D. Kerberos
22. Fares is a security administrator for a large company. Occasionally, a user needs to access
a specific resource that they don’t have permission to access. Which access control meth-
odology would be most helpful in this situation?
A. Mandatory Access Control
B. Discretionary Access Control
C. Role-based Access Control
D. Rule-based Access ControlChapter 4
118
■
Identity and Access Management
23. You are comparing biometric solutions for your company, and the product you pick must
have an appropriate False Acceptance Rate (FAR). Which of the following best describes
FAR?
A. How often an unauthorized user is granted access by mistake
B. How readily users accept the new technology, based on ease of use
C. How often an authorized user is not granted access
D. How frequently the system is offline
24. Amelia is looking for a network authentication method that can use digital certificates
and does not require end users to remember passwords. Which of the following would
best fit her requirements?
A. OAUTH
B. Tokens
C. OpenID
D. RBAC
25. You are responsible for setting up new accounts for your company network. What is the
most important thing to keep in mind when setting up new accounts?
A. Password length
B. Password complexity
C. Account age
D. Least privileges
26. Stefan just became the new security officer for a university. He is concerned that student
workers who work late on campus could try and log in with faculty credentials. Which of
the following would be most effective in preventing this?
A. Time of day restrictions
B. Usage auditing
C. Password length
D. Credential management
27. Jennifer is concerned that some people in her company have more privileges than they
should. This has occurred due to people moving from one position to another, and having
cumulative rights that exceed the requirements of their current jobs. Which of the follow-
ing would be most effective in mitigating this issue?
A. Permission auditing
B. Job rotation
C. Preventing job rotation
D. Separation of dutiesChapter 4
■
Identity and Access Management
119
28. Chloe has noticed that users on her company’s network frequently have simple passwords
made up of common words. Thus, they have weak passwords. How could Chloe best miti-
gate this issue?
A. Increase minimum password length.
B. Have users change passwords more frequently.
C. Require password complexity.
D. Implement Single Sign-On (SSO).
29. Bart is looking for a remote access protocol for his company. It is important that the
solution he selects support multiple protocols and use a reliable network communication
protocol. Which of the following would be his best choice?
A. RADIUS
B. TACACS+
C. NTLM
D. CHAP
30. You are looking for an authentication method that has one-time passwords and
works well with the Initiative for Open Authentication. However, the user should
have unlimited time to use the password. Which of the following would be your best
choice?
A. CHAP
B. TOTP
C. HOTP
D. ABAC
31. Gerard is trying to find a flexible remote access protocol that can use either TCP or UDP.
Which of the following should he select?
A. RADIUS
B. DIAMETER
C. TACACS+
D. TACACS
32. Emiliano is considering voice recognition as part of his access control strategy. What is
one weakness with voice recognition?
A. People’s voices change.
B. Systems require training.
C. High false negative rate
D. High false positive rateChapter 4
120
■
Identity and Access Management
33. You are explaining facial recognition to a colleague. What is the most significant draw-
back to implementing facial recognition?
A. These systems can be expensive.
B. These systems can be fooled with facial hair, glasses, etc.
C. These systems have a high false positive rate.
D. The systems require a long time to observe a face.
34. Mohanned is responsible for account management at his company. He is very concerned
about hacking tools that rely on rainbow tables. Which of the following would be most
effective in mitigating this threat?
A. Password complexity
B. Password age
C. Password expiration
D. Password length
35. Mary is a security administrator for a mid-sized company. She is trying to securely off-
board employees. What should she do with the network account for an employee who is
being off-boarded?
A. Disable the account.
B. Delete the account.
C. Change the account password.
D. Leave the account as is.
36. Your supervisor tells you to implement security based on your users’ physical characteris-
tics. Under which type of security would hand scanning and retina scanning fall?
A. CHAP
B. Multifactor
C. Biometrics
D. Token
37. What port does TACACS use?
A. TCP 143
B. TCP and UDP 49
C. TCP 443
D. UDP 53
38. A company-wide policy is being created to define various security levels. Which of the fol-
lowing systems of access control would use documented security levels like Confidential
or Secret for information?
A. RBAC
B. MAC
C. DAC
D. BBCChapter 4
■
Identity and Access Management
121
39. There is a common security issue that is extremely hard to control in large environments.
It occurs when a user has more computer rights, permissions, and privileges than what is
required for the tasks the user needs to fulfill. This is the opposite of what principle?
A. Separation of duties
B. Least privileges
C. Transitive trust
D. Account management
40. Users in your network are able to assign permissions to their own shared resources.
Which of the following access control models is used in your network?
A. DAC
B. RBAC
C. MAC
D. ABAC
41. John is performing a port scan of a network as part of a security audit. He notices that the
domain controller is using secure LDAP. Which of the following ports would lead him to
that conclusion?
A. 53
B. 389
C. 443
D. 636
42. Which of the following access control methods grants permissions based on the user’s
position in the organization?
A. MAC
B. RBAC
C. DAC
D. ABAC
43. Which of the following can be used as a means for dual-factor authentication?
A. Password and PIN number
B. RADIUS and L2TP
C. LDAP and WPA
D. Iris scan and password
44. Kerberos uses which of the following to issue tickets?
A. Authentication service
B. Certificate authority
C. Ticket-granting service
D. Key distribution centerChapter 4
122
■
Identity and Access Management
45. A company requires that a user’s credentials include providing something they know and
something they are in order to gain access to the network. Which of the following types of
authentication is being described?
A. Token
B. Two-factor
C. Kerberos
D. Biometrics
46. Samantha is looking for an authentication method that incorporates the X.509 standard
and will allow authentication to be digitally signed. Which of the following authentication
methods would best meet these requirements?
A. Certificate-based authentication
B. OAUTH
C. Kerberos
D. Smart cards
47. Your company relies heavily on cloud and SaaS service providers such as salesforce.com,
Office365, and Google. Which of the following would you have security concerns about?
A. LDAP
B. TACACS+
C. SAML
D. Transitive trust
48. Greg is responsible for database security for his company. He is concerned about authenti-
cation and permissions. Which of the following should be his first step?
A. Implement minimum password length.
B. Implement password lockout.
C. Conduct a permissions audit.
D. Ensure least privileges.
49. Which of the following is a step in account maintenance?
A. Implement two-factor authentication.
B. Check for time of day restrictions.
C. Review onboarding processes.
D. Check to see that all accounts are for active employees.
50. Tyrell works as a security officer for a mid-sized bank. All the employees only work in the
office; there are no employees who work remotely or travel for company business. Tyrell
is concerned about someone using an employee’s login credentials to access the bank’s
network. Which of the following would be most effective in mitigating this threat?
A. Kerberos authentication
B.
TOTPChapter 4
C. Location-based policies
D. Group-based access control
■
Identity and Access Management
123
51. Henry is an employee at Acme Company. The company requires him to change his
password every three months. He has trouble remembering new passwords, so he keeps
switching between just two passwords. Which policy would be most effective in prevent-
ing this?
A. Password complexity
B. Password history
C. Password length
D. Password age
52. Sheila is concerned that some users on her network may be accessing files that they should
not—specifically, files that are not required for their job tasks. Which of the following
would be most effective in determining if this is happening?
A. Usage auditing and review
B. Permissions auditing and review
C. Account maintenance
D. Policy review
53. In which of the following scenarios would using a shared account pose the least security
risk?
A. For a group of tech support personnel
B. For guest Wi-Fi access
C. For students logging in at a university
D. For accounts with few privileges
54. Which of the following is not a part of password complexity?
A. Using both uppercase and lowercase letters
B. Minimum password length
C. Using numbers
D. Using symbols (such as $, #, etc.)
55. Jane is setting up login accounts for federated identities. She wants to avoid requiring
the users to remember login credentials and allow them to use their logins from the
originating network. Which of the following technologies would be most suitable for
implementing this?
A. Credential management
B. OAUTH
C. Kerberos
D. ShibbolethChapter 4
124
■
Identity and Access Management
56. Sam is responsible for password management at a large company. Sometimes users cannot
recall their passwords. What would be the best solution for him to address this?
A. Changing password history length
B. Implementing password recovery
C. Eliminating password complexity
D. Lengthening password age
57. You are a security administrator for an insurance company. You have discovered that
there are a few active accounts for employees who left the company over a year ago.
Which of the following would best address this issue?
A. Password complexity
B. Offboarding procedures
C. Onboarding procedures
D. Password expiration
58. Maria is responsible for security at a small company. She is concerned about unauthorized
devices being connected to the network. She is looking for a device authentication process.
Which of the following would be the best choice for her?
A. CHAP
B. Kerberos
C. 802.11i
D. 802.1x
59. Laura is a security admin for a mid-sized mortgage company. She wants to ensure that the
network is using the most secure login and authentication scheme possible. Which of the
following would be her best choice?
A. Iris scanning
B. Fingerprint scanning
C. Multifactor authentication
D. Smart cards
60. Charles is a CISO for an insurance company. He recently read about an attack wherein
an attacker was able to enumerate all the network resources, and was able to make some
resources unavailable. All this was done by exploiting a single protocol. Which protocol
should Charles secure to mitigate this attack?
A. SNMP
B. LDAP
C. HTTP
D. DHCP
61. Robert is using PAP for authentication in his network. What is the most significant weak-
ness in PAP?
A. Unsigned authentication
B.
Single factorChapter 4
C. Credentials sent in cleartext
D. PAP does not support TACACS+.
■
Identity and Access Management
125
62. You are responsible for account access control and authorization at a large university.
There are approximately 30,000 students and 1,200 faculty/staff for whom you must
manage accounts. Which of the following would be the best access control/account man-
agement approach?
A. Group-based
B. Location-based
C. MAC
D. DAC
63. Which of the following is most important in managing account permissions?
A. Account recertification
B. Usage auditing
C. Standard naming conventions
D. Account recovery
64. Which of the following would be the best choice for naming the account of John Smith,
who is a domain administrator?
A. dm_jsmith
B. jsmithAdmin
C. AdministratorSmith
D. jsmith
65. Megan is very concerned about file system security on her network servers. Which of the
following is the most basic form of file system security?
A. Encryption
B. Access control
C. Auditing
D. RAID
66. Karen is responsible for account security in her company. She has discovered a reception-
ist whose account has a six-character password that has not been changed in two years,
and her password history is not being maintained. What is the most significant problem
with this account?
A. Nothing, this is adequate for a low-security position.
B. The password length is the most significant problem.
C. The lack of password history is the most significant problem.
D. The age of the password is the most significant problem.Chapter 4
126
■
Identity and Access Management
67. When you’re offboarding an employee, which of the following is the first thing you should do?
A. Audit their computer.
B. Conduct an out-processing questionnaire.
C. Disable accounts.
D. Delete accounts.
68. Which of the following is a difference between TACACS and TACACS+?
A. TACACS uses TCP, TACACS+ uses UDP
B. TACACS uses UDP, TACACS+ uses TCP
C. TACACS uses TCP or UDP, TACACS+ uses UDP
D. TACACS uses UDP, TACACS+ uses UDP or TCP
69. Greg is considering using CHAP or MS-CHAPv2 for authenticating remote users. Which
of the following is a major difference between the two protocols?
A. CHAP uses a hash for the challenge, MS-CHAPv2 uses AES.
B. CHAP provides mutual authentication, MS-CHAPv2 does not.
C. CHAP uses AES for the challenge, MS-CHAPv2 uses a hash.
D. MS-CHAPv2 provides mutual authentication, CHAP does not.
70. Terrance is looking for a physical access solution that uses asymmetric cryptography (pub-
lic key cryptography) to authorize the user. What type of solution is this?
A. Asynchronous password token
B. Challenge response token
C. TOTP token
D. Static password token
71. Which access control model is based on the Trusted Computer System Evaluation Criteria
(TCSEC)?
A. ABAC
B. MAC
C. RBAC
D. DAC
72. Mary is responsible for the security of database servers at a mortgage company. The serv-
ers are Windows Server 2016. She is concerned about file system security. Which of the
following Microsoft features would be most helpful to her in implementing file system
security?
A. Password policies
B. EFS
C. Account lockout
D. UACChapter 4
■
Identity and Access Management
127
73. Santiago manages database security for a university. He is concerned about ensuring that
appropriate security measures are implemented. Which of the following would be most
important to database security?
A. Password policies
B. Antivirus
C. EFS
D. Access control policies
74. Ingrid is reviewing her company’s recertification policy. Which of the following is the best
reason to recertify?
A. To audit usage
B. To enhance onboarding
C. To audit permissions
D. To manage credentials
75. Emma is concerned about credential management. Users on her network often have over a
half-dozen passwords to remember. She is looking for a solution to this problem. Which of
the following would be the best way to address this issue?
A. Implement a manager.
B. Use shorter passwords.
C. Implement OAUTH.
D. Implement Kerberos.
76. Magnus is concerned about someone using a password cracker on computers in his com-
pany. He is concerned that crackers will attempt common passwords in order to log in to
a system. Which of the following would be best for mitigating this threat?
A. Password age restrictions
B. Password minimum length requirements
C. Account lockout policies
D. Account usage auditing
77. Lucas is looking for an XML-based open standard for exchanging authentication infor-
mation. Which of the following would best meet his needs?
A. SAML
B. OAUTH
C. RADIUS
D. NTLMChapter 4
128
■
Identity and Access Management
78. Which of the following processes transpires when a user provides a correct username and
password?
A. Identification
B. Authentication
C. Authorization
D. Accounting
79. Min-seo is looking for a type of access control that enforces authorization rules by the
operating system. Users cannot override authentication or access control policies. Which
of the following best fits this description?
A. DAC
B. MAC
C. RBAC
D. ABAC
80. Hinata is considering biometric access control solutions for her company. She is concerned
about the crossover error rate (CER). Which of the following most accurately describes
the CER?
A. The rate of false acceptance
B. The rate of false rejection
C. The point at which false rejections outpace false acceptances
D. The point at which false rejections and false acceptances are equal
81. Joshua is looking for an authentication protocol that would be effective at stopping ses-
sion hijacking. Which of the following would be his best choice?
A. CHAP
B. PAP
C. SPAP
D. RADIUS
82. David is trying to select an authentication method for his company. He needs one that will
support REST as well as multiple web-based and mobile clients. Which of the following
would be his best choice?
A. Shibboleth
B. RADIUS
C. OpenID Connect
D. OAuth
83. Phillip is examining options for controlling physical access to the server room at his com-
pany. He wants a hands-free solution. Which of the following would be his best choice?
A. Smart cards
B.
Proximity cardsChapter 4
C. Tokens
D. Fingerprint scanner
■
Identity and Access Management
84. Which of the following is the most significant disadvantage of federated identities?
A. They cannot be used with Kerberos.
B. They don’t implement least privileges.
C. Poor password management
D. Transitive trust
85. Max is implementing type II authentication for his company. Which of the following
would be an example of type II authentication?
A. Strong passwords
B. Retinal scan
C. Smart cards
D. Timed one-time passwords
86. Nicole is implementing a server authentication method that depends on a TPM in the
server. Which of the following best describes this approach?
A. Hardware-based access control
B. Software-based access control
C. Digital certificate–based access control
D. Chip-based access control
129Chapter
5
Risk Management
The CompTIA Security+ Exam
SY0-501 topics covered in this
chapter include the following:
✓ ✓ 5.1 Explain the importance of policies, plans and
procedures related to organizational security.
■ ■ Standard operating procedure
■ ■ Agreement types
■ ■
■ ■ BPA
■ ■ SLA
■ ■ ISA
■ ■ MOU/MOA
Personnel management
■ ■ Mandatory vacations
■ ■ Jot rotation
■ ■ Separation of duties
■ ■ Clean desk
■ ■ Background checks
■ ■ Exit interviews
■ ■ Role-based awareness training
■ ■ Data owner
■ ■ System administrator
■ ■ System owner
■ ■ User
■ ■ Privileged user
■ ■ Executive user
■ ■ NDA
■ ■ Onboarding
■ ■ Continuing education
■ ■ Acceptable use policy/rules of behavior
■ ■ Adverse actions■ ■
General security policies
■ ■ Social media networks/applications
■ ■ Personal email
✓ ✓ 5.2 Summarize business impact analysis concepts.
■ ■ RTO/RPO
■ ■ MTBF
■ ■ MTTR
■ ■ Mission-essential functions
■ ■ Identification of critical systems
■ ■ Single point of failure
■ ■ Impact
■ ■ Life
■ ■ Property
■ ■ Safety
■ ■ Finance
■ ■ Reputation
■ ■ Privacy impact assessment
■ ■ Privacy threshold assessment
✓ ✓ 5.3
■ ■
Explain risk management processes and concepts.
Threat assessment
■ ■ Environmental
■ ■ Manmade
■ ■ Internal vs external
■ ■ Risk assessment
■ ■ SLE
■ ■ ALE
■ ■ ARO
■ ■ Asset value
■ ■ Risk register
■ ■ Likelihood of occurrence
■ ■ Supply chain assessment
■ ■ Impact
■ ■ Quantitative■ ■ Qualitative
■ ■ Testing
■ ■
■ ■
■ ■ Penetration testing authorization
■ ■ Vulnerability testing authorization
Risk response techniques
■ ■ Accept
■ ■ Transfer
■ ■ Avoid
■ ■ Mitigate
Change Management
✓ ✓ 5.4 Given a scenario, follow incident response procedures.
■ ■
■ ■
✓ ✓ 5.5
Incident response plan
■ ■ Documented incident types/category definitions
■ ■ Roles and responsibilities
■ ■ Reporting requirements/escalation
■ ■ Cyber-incident response teams
■ ■ Exercise
Incident response process
■ ■ Preparation
■ ■ Identification
■ ■ Containment
■ ■ Eradication
■ ■ Recovery
■ ■ Lessons learned
Summarize basic concepts of forensics.
■ ■ Order of volatility
■ ■ Chain of custody
■ ■ Legal hold
■ ■ Data acquisition
■ ■ Capture system image
■ ■ Network traffic and logs
■ ■ Capture video
■ ■ Record time offset■ ■ Take hashes
■ ■ Screenshots
■ ■ Witness interviews
■ ■ Preservation
■ ■ Recovery
■ ■ Strategic intelligence/counterintelligence gathering
■ ■
■ ■
Active logging
Track man-hours
✓ ✓ 5.6 Explain disaster recovery and continuity of operation
concepts.
■ ■
Recovery sites
■ ■ Hot site
■ ■ Warm site
■ ■ Cold site
■ ■ Order of restoration
■ ■ Backup concepts
■ ■
■ ■
■ ■ Differential
■ ■ Incremental
■ ■ Snapshots
■ ■ Full
Geographic considerations
■ ■ Off-site backups
■ ■ Distance
■ ■ Location selection
■ ■ Legal implications
■ ■ Data sovereignty
Continuity of operation planning
■ ■ Exercises/tabletop
■ ■ After-action reports
■ ■ Failover
■ ■ Alternate processing sites
■ ■ Alternate business practices✓ ✓ 5.7 Compare and contrast various types of controls.
■ ■ Deterrent
■ ■ Preventive
■ ■ Detective
■ ■ Corrective
■ ■ Compensating
■ ■ Technical
■ ■ Administrative
■ ■ Physical
✓ ✓ 5.8 Given a scenario, carry out data security and privacy
practices.
■ ■
■ ■
■ ■
Data destruction and media sanitization
■ ■ Burning
■ ■ Shredding
■ ■ Pulping
■ ■ Pulverizing
■ ■ Degaussing
■ ■ Purging
■ ■ Wiping
Data sensitivity labeling and handling
■ ■ Confidential
■ ■ Private
■ ■ Public
■ ■ Proprietary
■ ■ PII
■ ■ PHI
Data roles
■ ■ Owner
■ ■ Steward/custodian
■ ■ Privacy officer
■ ■ Data retention
■ ■ Legal and complianceChapter 5
136
■
Risk Management
1. You are a manager of a bank and you suspect one of your tellers has stolen money from
their station. After talking with your supervisor, you place the employee on leave with
pay, suspend their computer account, and obtain their proximity card and keys to the
building. Which of the following policies did you follow?
A. Mandatory vacations
B. Exit interviews
C. Adverse actions
D. Onboarding
2. Which of the following principles stipulates that multiple changes to a computer system
should not be made at the same time?
A. Due diligence
B. Acceptable use
C. Change management
D. Due care
3. Why are penetration test often not advised?
A. It can be disruptive for the business activities.
B. It is able to measure and authenticate the efficiency of a company’s defensive
mechanisms.
C. It’s able to find both known and unknown hardware or software weaknesses.
D. It permits the exploration of real risks and gives a precise depiction of a company’s IT
infrastructure security posture at any given time.
4. You are a security engineer and discovered an employee using the company’s computer
systems to operate their small business. The employee installed their personal software
on the company’s computer and is using the computer hardware, such as the USB port.
What policy would you recommend the company implement to prevent any risk of the
company’s data and network being compromised?
A. Acceptable use policy
B. Clean desk policy
C. Mandatory vacation policy
D. Job rotation policy
5. What should be done to back up tapes that are stored off-site?
A. Generate a file hash for each backup file.
B. Scan the backup data for viruses.
C. Perform a chain of custody on the backup tape.
D. Encrypt the backup data.
6. Which recovery site is the easiest to test?
A. Warm site
B.
Cold siteChapter 5
C. Hot site
D. Medium site
■
Risk Management
137
7. Katelyn is a network technician for a manufacturing company. She is testing a network
forensic capturing software and plugs her laptop into an Ethernet switch port and
begins capturing network traffic. Later she begins to analyze the data and notices some
broadcast and multicast packets, as well as her own laptop’s network traffic. Which of
the following statements best describes why Katelyn was unable to capture all network
traffic on the switch?
A. Each port on the switch is an isolated broadcast domain.
B. Each port on the switch is an isolated collision domain.
C. Promiscuous mode must be enabled on the NIC.
D. Promiscuous mode must be disabled on the NIC.
8. Which of the following is not a step of the incident response process?
A. Snapshot
B. Preparation
C. Recovery
D. Containment
9. Which of the following is another term for technical controls?
A. Access controls
B. Logical controls
C. Detective controls
D. Preventive controls
10. You are a security manager for your company and need to reduce the risk of employees
working in collusion to embezzle funds. Which of the following policies would you
implement?
A. Mandatory vacations
B. Clean desk
C. NDA
D. Continuing education
11. You are a security administrator, and your manager has asked you about protecting
the privacy of personally identifiable information (PII) that is collected. Which of the
following would be the best option to fulfill the request?
A. PIA
B. BIA
C. RTO
D. SPFChapter 5
138
■
Risk Management
12. Which of the following plans best identifies critical systems and components to ensure the
assets are protected?
A. DRP
B. BCP
C. IT contingency plan
D. Succession plan
13. After your company implemented a clean desk policy, you have been asked to secure
physical documents every night. Which of the following would be the best solution?
A. Department door lock
B. Locking cabinets and drawers
C. Proximity card
D. Onboarding
14. Your manager has instructed the team to test certain systems based on the business
continuity plan to ensure they are operating properly. The manager wants to ensure there
are no overlaps in the plan before implementing the test. Which continuity of operation
planning concept is your manager referring to?
A. After-action report
B. Failover
C. Eradication
D. Tabletop exercise
15. Which of the following is an example of PHI?
A. Passport number
B. Criminal record
C. Fingerprints
D. Name of school attended
16. Which of the following techniques attempts to predict the likelihood a threat will occur
and assigns monetary values should a loss occur?
A. Change management
B. Vulnerability assessment
C. Qualitative risk assessment
D. Quantitative risk assessment
17. Your competitors are offering a new service that is predicted to sell strong. After much
careful research, your company has decided not to launch a competing service due to the
uncertainty of the market and the enormous investment required. Which of the following
best describes the company’s decision?
A. Risk transfer
B.
Risk avoidanceChapter 5
C. Risk acceptance
D. Risk mitigation
■
Risk Management
139
18. Which of the following agreements is less formal than a traditional contract but still has a
certain level of importance to all parties involved?
A. SLA
B. BPA
C. ISA
D. MOU
19. Your company is considering moving its mail server to a hosting company. This will help
reduce hardware and server administrator costs at the local site. Which of the following
documents would formally state the reliability and recourse if the reliability is not met?
A. MOU
B. SLA
C. ISA
D. BPA
20. You have an asset that is valued at $16,000, the exposure factor of a risk affecting that
asset is 35%, and the annualized rate of occurrence if 75%. What is the SLE?
A. $5,600
B. $5,000
C. $4,200
D. $3,000
21. During a meeting, you present management with a list of access controls used on your
network. Which of the following controls is an example of a corrective control?
A. IDS
B. Audit logs
C. Antivirus software
D. Router
22. You are the new security administrator and have discovered your company lacks deterrent
controls. Which of the following would you install that satisfies your needs? (Choose
two.)
A. Lighting
B. Motion sensor
C. No trespassing signs
D. Antivirus scannerChapter 5
140
■
Risk Management
23. Your company’s security policy includes system testing and security awareness training
guidelines. Which of the following control types is this?
A. Detective technical control
B. Preventive technical control
C. Detective administrative control
D. Preventive administrative control
24. Which step of the incident response process occurs after containment?
A. Preparation
B. Recovery
C. Identification
D. Eradication
25. You are a security administrator for your company and you identify a security risk. You
decide to continue with the current security plan. However, you develop a contingency
plan in case the security risk occurs. Which of the following type of risk response
technique are you demonstrating?
A. Accept
B. Transfer
C. Avoid
D. Mitigate
26. Which of the following best visually shows the state of a computer at the time it was
collected by law enforcement?
A. Screenshots
B. Identification
C. Tabletop exercise
D. Generate hash values
27. You are asked to protect the company’s data should a complete disaster occur. Which
action would be the best option for this request?
A. Back up all data to tape, and store those tapes at an alternate location within the city.
B. Back up all data to tape, and store those tapes at an alternate location in another city.
C. Back up all data to disk, and store the disk in a safe in the company’s basement.
D. Back up all data to disk, and store the disk in a safe at the network administrator’s
home.
28. Which of the following would not be a purpose of a privacy threshold analysis?
A. Identify programs and systems that are privacy-sensitive.
B. Demonstrate the inclusion of privacy considerations during the review of a program
or system.
C. Identify systems that are considered a single point of failure.
D. Demonstrate compliance with privacy laws and regulations.Chapter 5
■
Risk Management
141
29. You have purchased new laptops for your salespeople. You plan to dispose of the hard
drives of the former laptops as part of a company computer sale. Which of the following
methods would you use to properly dispose of the hard drives?
A. Destruction
B. Shredding
C. Purging
D. Formatting
30. You are the head of the IT department of a school and are looking for a way to promote
safe and responsible use of the Internet for students. With the help of the teachers, you
develop a document for students to sign that describes methods of accessing the Internet
on the school’s network. Which of the following best describes this document?
A. Service level agreement
B. Acceptable use policy
C. Incident response plan
D. Chain of custody
31. You are the security administrator and have discovered a malware incident. Which of the
following responses should you do first?
A. Recovery
B. Eradication
C. Containment
D. Identification
32. You are an IT administrator for a company and you are adding new employees to an
organization’s identity and access management system. Which of the following best
describes the process you are performing?
A. Onboarding
B. Offboarding
C. Adverse action
D. Job rotation
33. Your company is partnering with another company and requires systems to be shared.
Which of the following agreements would outline how the shared systems should be
interfaced?
A. BPA
B. MOU
C. SLA
D. ISAChapter 5
142
■
Risk Management
34. Mark is an office manager at a local bank branch. He wants to ensure customer informa-
tion isn’t compromised when the deskside employees are away from their desks for the
day. What security concept would Mark use to mitigate this concern?
A. Clean desk
B. Background checks
C. Continuing education
D. Job rotation
35. You are a security administrator and advise the web development team to include a
CAPTCHA on the web page where users register for an account. Which of the following
controls is this referring to?
A. Deterrent
B. Detective
C. Compensating
D. Degaussing
36. Which of the following is not a common security policy type?
A. Acceptable use policy
B. Social media policy
C. Password policy
D. Parking policy
37. As the IT security officer, you are configuring data label options for your company’s
research and development file server. Regular users can label documents as contractor,
public, or internal. Which label should be assigned to company trade secrets?
A. High
B. Top secret
C. Proprietary
D. Low
38. Users are currently accessing their personal email through company computers, so you
and your IT team have created a security policy for email use. What is the next step after
creating and approving the email use policy?
A. Encrypt all user email messages.
B. Provide security user awareness training.
C. Provide every employee with their own device to access their personal email.
D. Forward all personal emails to their company email account.
39. Which of the following is not a physical security control?
A. Motion detector
B. Fence
C. Antivirus software
D. CCTVChapter 5
■
Risk Management
143
40. Which of the following might you find in a DRP?
A. Single point of failure
B. Prioritized list of critical computer systems
C. Exposure factor
D. Asset value
41. Your security manager wants to decide which risks to mitigate based on cost. What is this
an example of?
A. Quantitative risk assessment
B. Qualitative risk assessment
C. Business impact analysis
D. Threat assessment
42. Your company has outsourced its proprietary processes to Acme Corporation. Due to
technical issues, Acme Corporation wants to include a third-party vendor to help resolve
the technical issues. Which of the following must Acme Corporation consider before
sending data to the third party?
A. This data should be encrypted before it is sent to the third-party vendor.
B. This may constitute unauthorized data sharing.
C. This may violate the privileged user role-based awareness training.
D. This may violate a nondisclosure agreement.
43. Zack is a security administrator who has been given permission to run a vulnerability
scan on the company’s wireless network infrastructure. The results show TCP ports
21 and 23 open on most hosts. What port numbers do these refer to? (Choose two.)
A. FTP
B. SMTP
C. Telnet
D. DNS
44. Which of the following backup concepts is the quickest backup but slowest restore?
A. Incremental
B. Differential
C. Full
D. Snapshots
45. Which of the following operations should you undertake to avoid mishandling of tapes,
removal drives, CDs, and DVDs?
A. Degaussing
B. Acceptable use
C. Data labeling
D. WipingChapter 5
144
■
Risk Management
46. Which of the following can be classified as a single point of failure?
A. Failover
B. A cluster
C. Load balancing
D. A configuration
47. Which of the following are considered detective controls?
A. Closed-circuit television (CCTV)
B. Guard
C. Firewall
D. IPS
48. Your CIO wants to move the company’s large sets of sensitive data to an SaaS cloud
provider to limit the storage and infrastructure costs. Both the cloud provider and the
company are required to have a clear understanding of the security controls that will
be applied to protect the sensitive data. What type of agreement would the SaaS cloud
provider and your company initiate?
A. MOU
B. BPA
C. SLA
D. ISA
49. Which of the following is typically included in a BPA?
A. Clear statements detailing the expectation between a customer and a service provider
B. The agreement that a specific function or service will be delivered at the agreed-upon
level of performance
C. Sharing of profits and losses and the addition or removal of a partner
D. Security requirements associated with interconnecting IT systems
50. Your team powered off the SQL database server for over 7 hours to perform a test. Which
of the following is the most likely reason for this?
A. Business impact analysis
B. Succession plan
C. Continuity of operations plan
D. Service level agreement
51. Which of the following role-based positions should receive training on how to manage a
particular system?
A. Users
B.
Privileged usersChapter 5
C. Executive users
D. System owners
■
Risk Management
145
52. You maintain a network of 150 computers and must determine which hosts are secure and
which are not. Which of the following tools would best meet your need?
A. Vulnerability scanner
B. Protocol analyzer
C. Port scanner
D. Password cracker
53. You have been instructed to introduce an affected system back into the company’s environ-
ment and be sure that it will not lead to another incident. You test, monitor, and validate
that the system is not being compromised by any other means. Which of the incident
response processes have you completed?
A. Lessons learned
B. Preparation
C. Recovery
D. Containment
54. You discover that an investigator made a few mistakes during a recent forensic investiga-
tion. You want to ensure the investigator follows the appropriate process for the collection,
analysis, and preservation of evidence. Which of the following terms should you use for this
process?
A. Incident handling
B. Legal hold
C. Order of volatility
D. Chain of custody
55. You receive a call from the help desk manager stating that there has been an increase
in calls from users reporting their computers are infected with malware. Which of the
following incident response steps should be completed first?
A. Containment
B. Eradication
C. Lessons learned
D. Identification
56. Which of the following are examples of custodian security roles? (Choose two.)
A. Human resources employee
B. Sales executive
C. CEO
D. Server backup operatorChapter 5
146
■
Risk Management
57. You are the network administrator of your company, and the manager of a retail site
located across town has complained about the loss of power to their building several
times this year. The branch manager is asking for a compensating control to overcome the
power outage. What compensating control would you recommend?
A. Firewall
B. Security guard
C. IDS
D. Backup generator
58. James is a security administrator and is attempting to block unauthorized access to the
desktop computers within the company’s network. He has configured the computers’
operating systems to lock after 5 minutes of no activity. What type of security control has
James implemented?
A. Preventive
B. Corrective
C. Deterrent
D. Detective
59. Which of the following terms best describes sensitive medical information?
A. AES
B. PHI
C. PII
D. TLS
60. An accounting employee changes roles with another accounting employee every 4 months.
What is this an example of?
A. Separation of duties
B. Mandatory vacation
C. Job rotation
D. Onboarding
61. Which of the following are considered inappropriate places to store backup tapes?
(Choose two.)
A. Near a workstation
B. Near a speaker
C. Near a CRT monitor
D. Near an LCD screen
62. You are a member of your company’s security response team and have discovered an
incident within your network. You are instructed to remove and restore the affected
system. You restore the system with the original disk image and then install patches and
disable any unnecessary services to harden the system against any future attacks. Which
incident response process have you completed?
A. Eradication
B.
PreparationChapter 5
C. Containment
D. Recovery
■
Risk Management
147
63. You are a security administrator and have decided to implement a unified threat manage-
ment (UTM) appliance within your network. This appliance will provide antimalware,
spam filtering, and content inspection along with other protections. Which of the following
statements best describes the potential problem with this plan?
A. The protections can only be performed one at a time.
B. This is a complex plan because you will manage several complex platforms.
C. This could create the potential for a single point of failure.
D. You work with a single vendor and its support department.
64. You are attending a risk analysis meeting and are asked to define internal threats. Which
of the following is not considered an internal threat?
A. Employees accessing external websites through the company’s hosts
B. Embezzlement
C. Threat actors compromising a network through a firewall
D. Users connecting a personal USB thumb drive to a workstation
65. You are the network director and are creating the following year’s budget. You submit
forensic dollar amounts for the cyber incident response team. Which of the following
would you not submit? (Choose two.)
A. ALE amounts
B. SLE amounts
C. Training expenses
D. Man-hour expenses
66. Computer evidence of a crime is preserved by making an exact copy of the hard disk.
Which of the following does this demonstrate?
A. Chain of custody
B. Order of volatility
C. Capture system image
D. Taking screenshots
67. Which option is an example of a workstation not hardened?
A. Risk
B. Threat
C. Exposure
D. MitigateChapter 5
148
■
Risk Management
68. Which of the following elements should not be included in the preparation phase of the
incident response process?
A. Policy
B. Lesson learned documentation
C. Response plan/strategy
D. Communication
69. Which of the following does not minimize security breaches committed by internal
employees?
A. Job rotation
B. Separation of duties
C. Nondisclosure agreements signed by employees
D. Mandatory vacations
70. You find one of your employees posting negative comments about the company on Facebook
and Twitter. You also discover the employee is sending negative comments from their
personal email on the company’s computer. You are asked to implement a policy to help
the company avoid any negative reputation in the marketplace. Which of the following
would be the best option to fulfill the request?
A. Account policy enforcement
B. Change management
C. Security policy
D. Risk assessment
71. Which of the following statements best describes a differential backup?
A. Only the changed portions of files are backed up.
B. All files are copied to storage media.
C. Files that have changed since the last full backup are backed up.
D. Only files that have changed since the last full or incremental backup are backed up.
72. During which step of the incident response process does root cause analysis occur?
A. Preparation
B. Lessons learned
C. Containment
D. Recovery
73. Which of the following types of testing can help identify risks? (Choose two.)
A. Quantitative
B. Penetration testing
C. Vulnerability testing
D. QualitativeChapter 5
■
Risk Management
149
74. What can a company do to prevent sensitive data from being retrieved by dumpster
diving?
A. Degaussing
B. Capture system image
C. Shredding
D. Wiping
75. You are a network administrator and have been asked to send a large file that
contains PII to an accounting firm. Which of the following protocols would it be best
to use?
A. Telnet
B. FTP
C. SFTP
D. SMTP
76. Zackary is a network backup engineer and performs a full backup each Sunday evening
and an incremental backup Monday through Friday evenings. One of the company’s
network servers crashes on Thursday afternoon. How many backups will Zack need to do
to restore the server?
A. Two
B. Three
C. Four
D. Five
77. Your company website is hosted by an Internet service provider. Which of the following
risk response techniques is in use?
A. Risk avoidance
B. Risk register
C. Risk acceptance
D. Risk mitigation
78. A call center leases a new space across town, complete with a functioning computer
network that mirrors the current live site. A high-speed network link continuously
synchronizes data between the two sites. Which of the following describes the site at the
new leased location?
A. Cold site
B. Warm site
C. Hot site
D. Differential siteChapter 5
150
■
Risk Management
79. A security administrator is reviewing the company’s continuity plan, and it specifies an
RTO of 4 hours and an RPO of 1 day. Which of the following is the plan describing?
A. Systems should be restored within 1 day and should remain operational for at least
4 hours.
B. Systems should be restored within 4 hours and no later than 1 day after the
incident.
C. Systems should be restored within 1 day and lose, at most, 4 hours’ worth of data.
D. Systems should be restored within 4 hours with a loss of 1 day’s worth of data at
most.
80. Which of the following statements is true regarding a data retention policy?
A. Regulations require financial transactions to be stored for 7 years.
B. Employees must remove and lock up all sensitive and confidential documents when
not in use.
C. It describes a formal process of managing configuration changes made to a
network.
D. It is a legal document that describes a mutual agreement between parties.
81. You are attending a meeting with your manager and he wants to validate the cost of a
warm site versus a cold site. Which of the following reasons best justify the cost of a warm
site? (Choose two.)
A. Small amount of income loss during long downtime
B. Large amount of income loss during short downtime
C. Business contracts enduring no more than 72 hours of downtime
D. Business contracts enduring no more than 8 hours of downtime
82. Recently, company data that was sent over the Internet was intercepted and read by
hackers. This damaged the company’s reputation with its customers. You have been
asked to implement a policy that will protect against these attacks. Which of the
following options would you choose to help protect data that is sent over the Internet?
(Choose two.)
A. Confidentiality
B. Safety
C. Availability
D. Integrity
83. How do you calculate the annual loss expectancy (ALE) that may occur due to a threat?
A. Exposure Factor (EF) / Single Loss Expectancy (SLE)
B. Single Loss Expectancy (SLE) × Annual Rate of Occurrence (ARO)
C. Asset Value (AV) × Exposure Factor (EF)
D. Single Loss Expectancy (SLE) / Exposure Factor (EF)Chapter 5
■
Risk Management
151
84. Which of the following impact scenarios would include severe weather events? (Choose
two.)
A. Life
B. Reputation
C. Salary
D. Property
85. Which of the following outlines a business goal for system restoration and allowable data
loss?
A. RPO
B. Single point of failure
C. MTTR
D. MTBF
86. Which of the following is an example of a preventive control? (Choose two.)
A. Data backups
B. Security camera
C. Door alarm
D. Cable locks
87. You are a security administrator for your company and you identify a security risk that
you do not have in-house skills to address. You decide to acquire contract resources. The
contractor will be responsible for handling and managing this security risk. Which of
the following type of risk response technique are you demonstrating?
A. Accept
B. Mitigate
C. Transfer
D. Avoid
88. You are an IT manager and discovered your department had a break-in, and the company’s
computers were physically damaged. What type of impact best describes this situation?
A. Life
B. Reputation
C. Property
D. Safety
89. Which of the following would help build informed decisions regarding a specific DRP?
A. Business impact analysis
B. ROI analysis
C. RTO
D. Life impactChapter 5
152
■
Risk Management
90. Each salesperson who travels has a cable lock to lock down their laptop when they step
away from the device. Which of the following controls does this apply?
A. Administrative
B. Compensating
C. Deterrent
D. Preventive
91. Which of the following secures access to company data in agreement to management
policies?
A. Technical controls
B. Administrative controls
C. HTTPS
D. Integrity
92. You are a server administrator for your company’s private cloud. To provide service to
employees, you are instructed to use reliable hard disks in the server to host a virtual
environment. Which of the following best describes the reliability of hard drives?
A. MTTR
B. RPO
C. MTBF
D. ALE
93. You are replacing a number of devices with a mobile appliance that combines several
functions. Which of the following describes the new implementation?
A. Cloud computing
B. Load balancing
C. Single point of failure
D. Virtualization
94. Which of the following can help mitigate adware intrusions?
A. Antivirus
B. Antispam
C. Spyware
D. Pop-up blocker
95. In the initial stages of a forensics investigation, Zack, a security administrator, was given
the hard drive of the compromised workstation by the incident manager. Which of the
following data acquisition procedures would Zack need to perform in order to begin the
analysis? (Choose two.)
A. Take hashes
B.
Take screenshotsChapter 5
C. Capture the system image
D. Start the order of volatility
■
Risk Management
153
96. Which of the following best describes a Computer Incident Response Team (CIRT)?
A. Personnel who participate in exercises to practice incident response procedures
B. Personnel who promptly and correctly handle incidents so they can be quickly
contained, investigated, and recovered from
C. A team to identify planning flaws before an actual incident occurs
D. Team members using a walk-through checklist to ensure understanding of roles in a
DRP
97. Which of the following decreases the success of brute-force attacks?
A. Password complexity
B. Password hints
C. Account lockout threshold
D. Enforce password history
98. A warrant has been issued to investigate a file server that is suspected to be part of an
organized crime to steal credit card information. You are instructed to follow the order of
volatility. Which data would you collect first?
A. RAM
B. USB flash drive
C. Hard disk
D. Swap files
99. What should human resources personnel be trained in regarding security policies?
A. Guidelines and enforcement
B. Order of volatility
C. Penetration assessment
D. Vulnerability assessment
100. Which of the following is not a basic concept of computer forensics?
A. Preserve evidence
B. Determine if the suspect is guilty based on the findings
C. Track man-hours and expenses
D. Interview all witnessesChapter 5
154
■
Risk Management
101. The Chief Information Officer (CIO) wants to set up a redundant server location so
that the production server images can be moved within 36 hours and the servers can be
restored quickly, should a catastrophic failure occur at the primary location. Which of the
following can be implemented?
A. Hot site
B. Cold site
C. Warm site
D. Load balancing
102. Choose the correct order of volatility when collecting digital evidence.
A. Hard disk drive, DVD-R, RAM, swap file
B. Swap file, RAM, DVD-R, hard disk drive
C. RAM, DVD-R, swap file, hard disk drive
D. RAM, swap file, hard disk drive, DVD-R
103. Which of the following pieces of information would be summarized in the lessons learned
phase of the incident response process? (Choose three.)
A. When the problem was first detected and by whom
B. How the problem was contained and eradicated
C. The work that was performed during the recovery
D. Preparing a company’s team to be ready to handle an incident at a moment’s notice
104. You receive a phone call from an employee reporting that their workstation is acting
strangely. You gather information from the intrusion detection system and notice unusual
network traffic from the workstation, and you determine the event may be an incident.
You report the event to your manager, who then begins to collect evidence and prepare for
the next steps. Which phase of the incident response process is this?
A. Preparation
B. Identification
C. Containment
D. Eradication
105. Your manager has asked you to recommend a way to transmit PII via email and maintain
its confidentiality. Which of the following options is the best solution?
A. Hash the information before sending.
B. Protect the information with a digital signature.
C. Protect the information by using RAID.
D. Encrypt the information before sending.
106. Which of the following statements best defines change management?
A. Responding to, containing, analyzing, and recovering from a computer-related incident
B. Means used to define which access permissions subjects have for a specific object
C. Procedures followed when configuration changes are made to a network
D. Categorizing threats and vulnerabilities and their potential impacts to a networkChapter 5
■
Risk Management
155
107. During which step of the incident response process does identification of incidents that
can be prevented or mitigated occur?
A. Containment
B. Eradication
C. Preparation
D. Lessons learned
108. Which of the following best describes the disadvantages of quantitative risk analysis
compared to qualitative risk analysis? (Choose two.)
A. Quantitative risk analysis requires complex calculations.
B. Quantitative risk analysis is sometimes subjective.
C. Quantitative risk analysis is generally scenario-based.
D. Quantitative risk analysis is more time-consuming than qualitative risk analysis.
109. Which of the following are disadvantages of using a cold site? (Choose two.)
A. Expense
B. Recovery time
C. Testing availability
D. Administration time
110. Which of the following policies should be implemented to minimize data loss or theft?
A. Password policy
B. PII handling
C. Chain of custody
D. Detective control
111. Which of the following should a comprehensive data policy include?
A. Wiping, disposing, storage, retention
B. Disposing, patching, storage, retention
C. Storage, retention, virtualization
D. Onboarding, storage, disposing
112. You have revealed a recent intrusion within the company’s network and have decided to
execute incident response procedures. The incident response team has identified audit
logs that hold information about the recent security breach. Prior to the incident, a
security consultant firm recommended that your company install a NTP server within
the network. Which of the following is a setback the incident response team will likely
encounter during the assessment?
A. Order of volatility
B. Chain of custody
C. Eradication
D. Record time offsetChapter 5
156
■
Risk Management
113. You plan to provide a word processing program to the employees in your company. You
decide not to install the program on each employee’s workstation but rather have a cloud
service provider host the application. Which of the following risk response techniques best
describes the situation?
A. Risk mitigation
B. Risk acceptance
C. Risk avoidance
D. Risk transfer
114. Which of the following statements is true about incremental backup?
A. It backs up all files.
B. It backs up all files in a compressed format.
C. It backs up all new files and any files that have changed since the last full backup
without resetting the archive bit.
D. It backs up all new files and any files that have changed since the last full or
incremental backup and resets the archive bit.
115. The chief security officer (CSO) has seen four security breaches during the past
2 years. Each breach cost the company $30,000, and a third-party vendor has offered
to repair the security weakness in the system for $250,000. The breached system is set
to be replaced in 5 years. Which of the following risk response techniques should the
CSO use?
A. Accept the risk.
B. Transfer the risk.
C. Avoid the risk.
D. Mitigate the risk.
116. Which of the following would not be a guideline for performing a BIA?
A. Identify impact scenarios that put your business operations at risk.
B. Identify mission-essential functions and the critical systems within each function.
C. Approve and execute changes in order to ensure maximum security and availability
of IT services.
D. Calculate RPO, RTO, MTTR, and MTBF.
117. You are a network administrator and have purchased two devices that will work as
failovers for each other. Which of the following does this best demonstrate?
A. Integrity
B. Availability
C. Authentication
D. ConfidentialityChapter 5
■
Risk Management
157
118. Your company has lost power and the salespeople cannot take orders because the computers
and phone systems are unavailable. Which of the following would be the best options to an
alternate business practice? (Choose two.)
A. Tell the salespeople to go home for the day until the power is restored.
B. Tell the salespeople to use their cell phones until the power is restored.
C. Have the salespeople use paper and pen to take orders until the power is restored.
D. Have the salespeople instruct customers to fax their orders until the power is
restored.
119. Leigh Ann is the new network administrator for a local community bank. She studies the
current file server folder structures and permissions. The previous administrator didn’t
properly secure customer documents in the folders. Leigh Ann assigns appropriate file
and folder permissions to be sure that only the authorized employees can access the data.
What security role is Leigh Ann assuming?
A. Power user
B. Data owner
C. User
D. Custodian
120. Which of the following methods is not recommended for removing data from a storage
media that is used to store confidential information?
A. Formatting
B. Shredding
C. Wiping
D. Degaussing
121. A SQL database server is scheduled for full backups on Sundays at 2:00 a.m. and incre-
mental backups each weeknight at 11:00 p.m. Write verification is enabled, and backup
tapes are stored off-site at a bank safety deposit box. Which of the following should be
completed to ensure integrity and confidentiality of the backups? (Choose two.)
A. Use SSL to encrypt the backup data.
B. Encrypt the backup data before it is stored off-site.
C. Ensure that an employee other than the backup operator analyzes each day’s backup
logs.
D. Ensure that the employee performing the backup is a member of the administrators’
group.
122. You are planning to perform a security audit and would like to see what type of network
traffic is transmitting within your company’s network. Which of the following tools
would you use?
A. Port scanner
B. Vulnerability scanner
C. Protocol analyzer
D. Network intrusion detection systemChapter 5
158
■
Risk Management
123. Your company has hired a new administrative assistant to a commercial lender named
Leigh Ann. She will be using a web browser on a company computer at the office to access
internal documents on a public cloud provider over the Internet. Which type of document
should Leigh Ann read and sign?
A. Internet acceptable use policy
B. Audit policy
C. Password policy
D. Privacy policy
124. During a conversation with another colleague, you suggest there is a single point of failure
in the single load balancer in place for the company’s SQL server. You suggest implement-
ing two load balancers in place with only one in service at a given time. What type of load
balancing configuration have you described?
A. Active-active
B. Active directory
C. Round robin
D. Active-passive
125. Which of the following policies would you implement to help prevent the company’s users
from revealing their login credentials for others to view?
A. Job rotation
B. Data owner
C. Clean desk
D. Separation of duties
126. Which of the following are part of the chain of custody?
A. Delegating evidence collection to your manager
B. Capturing the system image to another hard drive
C. Capturing memory contents before capturing hard disk contents
D. Preserving, protecting, and documenting evidence
127. Zackary has been assigned the task of performing a penetration test on a server and was
given limited information about the inner workings of the server. Which of the following
tests will he be performing?
A. White box
B. Gray box
C. Black box
D. Clear box
128. Which of the following are considered administrative controls? (Choose two.)
A. Firewall rules
B.
Personnel hiring policyChapter 5
C. Separation of duties
D. Intrusion prevention system
■
Risk Management
159
129. Which of the following are examples of alternate business practices? (Choose two.)
A. The business’s point-of-sale terminal goes down, and employees use pen and paper to
take orders and a calculator to determine customers’ bills.
B. The network system crashes due to an update, and employees are told to take time off
until the company’s network system is restored.
C. Power is lost at a company’s site and the manager posts a closed sign until power is
restored.
D. A bank location has lost power, and the employees are sent to another location to
resume business.
130. Which of the following require careful handling and special policies for data retention and
distribution? (Choose two.)
A. Personal electronic devices
B. MOU
C. PII
D. NDA
131. Matt is the head of IT security for a university department. He recently read articles about
security breaches that involved malware on USB removable devices and is concerned about
future incidents within the university. Matt reviews the past incident responses to deter-
mine how these occurrences may be prevented and how to improve the past responses.
What type of document should Matt prepare?
A. MOU
B. SLA
C. After-action report
D. Nondisclosure agreement
132. Categorizing residual risk is most important to which of the following risk response
techniques?
A. Risk mitigation
B. Risk acceptance
C. Risk avoidance
D. Risk transfer
133. You are the IT manager and one of your employees asks who assigns data labels. Which of
the following assigns data labels?
A. Owner
B. Custodian
C. Privacy officer
D. System administratorChapter 5
160
■
Risk Management
134. Which of the following is the most pressing security concern related to social media
networks?
A. Other users can view your MAC address.
B. Other users can view your IP address.
C. Employees can leak a company’s confidential information.
D. Employees can express their opinion about their company.
135. You are a network administrator looking to test patches quickly and often before pushing
them out to the production workstations. Which of the following would be the best way
to do this?
A. Create a full disk image to restore the system after each patch installation.
B. Create a virtual machine and utilize snapshots.
C. Create an incremental backup of an unpatched workstation.
D. Create a differential backup of an unpatched workstation.
136. You have instructed your junior network administrator to test the integrity of the com-
pany’s backed-up data. Which of the following is the best way to test the integrity of a
backup?
A. Review written procedures.
B. Use software to recover deleted files.
C. Restore part of the backup.
D. Conduct another backup.
137. What concept is being used when user accounts are created by one employee and user
permissions are configured by another employee?
A. Background checks
B. Job rotation
C. Separation of duties
D. Collusion
138. Your company is requesting the installation of a fence around the property and cipher locks
on all front entrances. Which of the following concepts is your company concerned about?
A. Confidentiality
B. Integrity
C. Availability
D. Safety
139. Which of the following is an example of a vulnerability assessment tool?
A. Ophcrack
B. John the Ripper
C. L0phtCrack
D. NessusChapter 5
■
Risk Management
161
140. A security analyst is analyzing the cost the company could incur if the customer database
was breached. The database contains 2,500 records with PII. Studies show the cost per
record would be $300. The likelihood that the database would be breached in the next
year is only 5%. Which of the following would be the ALE for a security breach?
A. $15,000
B. $37,500
C. $150,000
D. $750,000
141. Your team must perform a test of a specific system to be sure the system operates at the
alternate site. The results of the test must be compared with the company’s live environ-
ment. Which test is your team performing?
A. Cutover test
B. Walk-through
C. Parallel test
D. Simulation
142. Which of the following concepts defines a company goal for system restoration and
acceptable data loss?
A. MTBF
B. MTTR
C. RPO
D. ARO
143. Your IT team has created a disaster recovery plan to be used in case a SQL database
server fails. What type of control is this?
A. Detective
B. Corrective
C. Preventive
D. Deterrent
144. Which of the following is not a step in the incident response process?
A. Snapshot
B. Preparation
C. Recovery
D. Containment
145. Which of the following threats is mitigated by shredding paper documents?
A. Shoulder surfing
B. Physical
C. Adware
D. SpywareChapter 5
162
■
Risk Management
146. Your company hires a third-party auditor to analyze the company’s data backup and
long-term archiving policy. Which type of organization document should you provide
to the auditor?
A. Clean desk policy
B. Acceptable use policy
C. Security policy
D. Data retention policy
147. You are a network administrator and have been given the duty of creating users accounts
for new employees the company has hired. These employees are added to the identity
and access management system and assigned mobile devices. What process are you
performing?
A. Offboarding
B. System owner
C. Onboarding
D. Executive user
148. Which of the following defines a standard operating procedure (SOP)? (Choose three.)
A. Standard
B. Privacy
C. Procedure
D. Guideline
149. Computer equipment was suspected to be involved in a computer crime and was seized.
The computer equipment was left unattended in a corridor for 10 minutes while officers
restrained a potential suspect. The seized equipment is no longer admissible as evidence
because of which of the following violations?
A. Chain of custody
B. Order of volatility
C. Preparation
D. Eradication
150. Which of the following should be performed when conducting a qualitative risk analysis?
(Choose two.)
A. ARO
B. SLE
C. Asset estimation
D. Rating potential threatsChapter
6
Cryptography and PKI
The CompTIA Security+ Exam
SY0-501 topics covered in this
chapter include the following:
✓ ✓ 6.1 Compare and contrast basic concepts of
cryptography.
■ ■ Symmetric algorithms
■ ■ Modes of operation
■ ■ Asymmetric algorithms
■ ■ Hashing
■ ■ Salt, IV, nonce
■ ■ Elliptic curve
■ ■ Weak/deprecated algorithms
■ ■ Key exchange
■ ■ Digital signatures
■ ■ Diffusion
■ ■ Confusion
■ ■ Collision
■ ■ Steganography
■ ■ Obfuscation
■ ■ Stream vs. block
■ ■ Key strength
■ ■ Session keys
■ ■ Ephemeral key
■ ■ Secret algorithm
■ ■ Data-in-transit
■ ■ Data-at-rest
■ ■ Data-in-use■ ■ Random/pseudo-random number generation
■ ■ Key stretching
■ ■ Implementation vs. algorithm selection
■ ■ Crypto service provider
■ ■ Crypto modules
■ ■ Perfect forward secrecy
■ ■ Security through obscurity
■ ■ Common use cases
■ ■ Low power devices
■ ■ Low latency
■ ■ High resiliency
■ ■ Supporting confidentiality
■ ■ Supporting integrity
■ ■ Supporting obfuscation
■ ■ Supporting authentication
■ ■ Supporting non-repudiation
■ ■ Resource vs. security constraints
✓ ✓ 6.2 Explain cryptography algorithms and their basic
characteristics.
■ ■
■ ■
Symmetric algorithms
■ ■ AES
■ ■ DES
■ ■ 3DES
■ ■ RC4
■ ■ Blowfish/Twofish
Cipher modes
■ ■ CBC
■ ■ GCM
■ ■ ECB
■ ■ CTM
■ ■ Stream vs. block■ ■
■ ■
■ ■
■ ■
Asymmetric algorithms
■ ■ RSA
■ ■ DSA
■ ■ Diffie-Hellman
■ ■ Groups
■ ■ DHE
■ ■ ECDHE
■ ■ Elliptic curve
■ ■ PGP/GPG
Hashing algorithms
■ ■ MD5
■ ■ SHA
■ ■ HMAC
■ ■ RIPEMD
Key stretching algorithms
■ ■ BCRYPT
■ ■ PBKDF2
Obfuscation
■ ■ XOR
■ ■ ROT13
■ ■ Substitution ciphers
✓ ✓ 6.3 Given a scenario, install and configure wireless
security settings.
■ ■
■ ■
Cryptographic protocols
■ ■ WPA
■ ■ WPA2
■ ■ CCMP
■ ■ TKIP
Authentication protocols
■ ■ EAP
■ ■ PEAP
■ ■ EAP-FAST■ ■
■ ■ EAP-TLS
■ ■ EAP-TTLS
■ ■ IEEE 802.1x
■ ■ RADIUS Federation
Methods
■ ■ PSK vs. Enterprise vs. Open
■ ■ WPS
■ ■ Captive portals
✓ ✓ 6.4 Given a scenario, implement public key infrastructure.
■ ■
■ ■
■ ■
Components
■ ■ CA
■ ■ Intermediate CA
■ ■ CRL
■ ■ OCSP
■ ■ CSR
■ ■ Certificate
■ ■ Public key
■ ■ Private key
■ ■ Object identifiers (OID)
Concepts
■ ■ Online vs. offline CA
■ ■ Stapling
■ ■ Pinning
■ ■ Trust model
■ ■ Key escrow
■ ■ Certificate chaining
Types of certificates
■ ■ Wildcard
■ ■ SAN
■ ■ Code signing■ ■
■ ■ Self-signed
■ ■ Machine/computer
■ ■ Email
■ ■ User
■ ■ Root
■ ■ Domain validation
■ ■ Extended validation
Certificate formats
■ ■ DER
■ ■ PEM
■ ■ PFX
■ ■ CER
■ ■ P12
■ ■ P7BChapter 6
168
■
Cryptography and PKI
1. Which of the following would a public key be used for?
A. To decrypt a hash of a digital signature
B. To encrypt TLS traffic
C. To digitally sign messages
D. To decrypt TLS messages
2. Your company’s web server certificate has been revoked and external customers are
receiving errors when they connect to the website. Which of following actions must
you take?
A. Renew the certificate.
B. Create and use a self-signed certificate.
C. Request a certificate from the key escrow.
D. Generate a new key pair and new certificate.
3. Mary is concerned about the validity of an email because a coworker denies sending it.
How can Mary prove the authenticity of the email?
A. Symmetric algorithm
B. Digital signature
C. CRL
D. Asymmetric algorithm
4. Wi-Fi Alliance recommends that a passphrase be how many characters in length for
WPA2-Personal security?
A. 6 characters
B. 8 characters
C. 12 characters
D. 16 characters
5. Which of the following digital certificate management practices will ensure that a lost
certificate is not compromised?
A. CRL
B. Key escrow
C. Nonrepudiation
D. Recovery agent
6. Which of the following are restricted to 64-bit block sizes? (Choose two.)
A. DES
B. SHA
C. MD5
D. 3DESChapter 6
■
Cryptography and PKI
169
7. Your company has implemented a RADIUS server and has clients that are capable of using
multiple EAP types, including one configured for use on the RADIUS server. Your secu-
rity manager wants to implement a WPA2-Enterprise system. Since you have the RADIUS
server and clients, what piece of the network would you need?
A. Network access control
B. Authentication server
C. Authenticator
D. Supplicant
8. You are given the task of selecting an asymmetric encryption type that has an appropriate
level of encryption strength but uses a smaller key length than is typically required. Which
of the following encryption methods will accomplish your requirement?
A. Blowfish
B. RSA
C. DHE
D. ECC
9. Matt has been told that successful attacks have been taking place and data that has been
encrypted by his company’s software system has leaked to the company’s competitors.
Matt, through investigation, has discovered patterns due to the lack of randomness in
the seeding values used by the encryption algorithm in the company’s software. This
discovery has led to successful reverse engineering. What can the company use to ensure
patterns are not created during the encryption process?
A. One-time pad
B. Initialization vector
C. Stream cipher
D. Block cipher
10. You are asked to configure a WLAN that does not require a user to provide any creden-
tials to associate with a wireless AP and access a WLAN. What type of authentication is
said to be in use?
A. IV
B. WEP
C. WPA
D. Open
11. The CIO at your company no longer wants to use asymmetric algorithms because of the
cost. Of the following algorithms, which should the CIO discontinue using?
A. AES
B. RC4
C. RSA
D. TwofishChapter 6
170
■
Cryptography and PKI
12. Which of the following would you use to verify certificate status by receiving a response
of “good,” “revoked,” or “unknown”?
A. CRL
B. OSCP
C. RA
D. PKI
13. Which of the following symmetric key algorithms are block ciphers? (Choose two.)
A. MD5
B. 3DES
C. RC4
D. Blowfish
14. Which of the following encryption algorithms is the weakest?
A. Blowfish
B. AES
C. DES
D. SHA
15. What encryption protocol does WEP improperly use?
A. RC6
B. RC4
C. AES
D. DES
16. James, an IT manager, expresses a concern during a monthly meeting about weak user
passwords used on company servers and how they may be susceptible to brute-force
password attacks. Which concept can James implement to make the weak passwords
stronger?
A. Key stretching
B. Key escrow
C. Key strength
D. ECC
17. You are installing a network for a small business named Matrix Interior Design that the
owner is operating out of their home. There are only four devices that will use the wireless
LAN, and you are installing a SOHO wireless router between the wireless LAN clients
and the broadband connection. To ensure better security from outside threats connecting
to the wireless SOHO router, which of the following would be a good choice for the
WPA2-PSK passphrase?
A. 123456
B.
XXrcERr6Euex9pRCdn3h3Chapter 6
C. bRtlBv
D. HomeBusiness
■
Cryptography and PKI
171
18. You set up your wireless SOHO router to encrypt wireless traffic, and you configure the
router to require wireless clients to authenticate against a RADIUS server. What type of
security have you configured?
A. WPA2 Enterprise
B. WPA2 Personal
C. TKIP
D. WEP
19. You must implement a cryptography system that applies encryption to a group of data at a
time. Which of the following would you choose?
A. Stream
B. Block
C. Asymmetric
D. Symmetric
20. Which symmetric block cipher supersedes Blowfish?
A. RSA
B. Twofish
C. MD5
D. PBKDF2
21. Root CAs can delegate their authority to which of the following to issue certificates to
users?
A. Registered authorities
B. Intermediate CAs
C. CRL
D. CSR
22. Which of the following protocols should be used to authenticate remote access users with
smartcards?
A. PEAP
B. EAP-TLS
C. CHAP
D. MS-CHAPv2
23. Tom is sending Mary a document and wants to show the document came from him.
Which of the following should Tom use to digitally sign the document?
A. TKIP
B. Intermediate CA
C. Public key
D. Private keyChapter 6
172
■
Cryptography and PKI
24. Which of the following EAP types offers support for legacy authentication protocols such
as PAP, CHAP, MS-CHAP, or MS-CHAPv2?
A. PEAP
B. EAP-FAST
C. EAP-TLS
D. EAP-TTLS
25. You are conducting a training program for new network administrators for your
company. You talk about the benefits of asymmetric encryption. Which of the following
are considered asymmetric algorithms? (Choose two.)
A. RC4
B. DES
C. RSA
D. ECC
26. Which of the following is a form of encryption also known as ROT13?
A. Substitution cipher
B. Transposition cipher
C. Diffusion
D. Confusion
27. Matt needs to calculate the number of keys that must be generated for 480 employees
using the company’s PKI asymmetric algorithm. How many keys must Matt create?
A. 114,960
B. 480
C. 960
D. 229,920
28. You are conducting a one-time electronic transaction with another company. The transac-
tion needs to be encrypted, and for efficiency and simplicity, you want to use a single key
for encryption and decryption of the data. Which of the following types would you use?
A. Asymmetric
B. Symmetric
C. Hashing
D. Steganography
29. Which of the following uses two mathematically related keys to secure data during
transmission?
A. Twofish
B. 3DES
C. RC4
D. RSAChapter 6
■
Cryptography and PKI
173
30. You have been instructed by the security manager to protect the server’s data-at-rest.
Which of the following would provide the strongest protection?
A. Implement a full-disk encryption system.
B. Implement biometric controls on data entry points.
C. Implement a host-based intrusion detection system.
D. Implement a host-based intrusion prevention system.
31. Which of the following EAP types use a three-phase operation?
A. EAP-FAST
B. EAP-TLS
C. EAP-TTLS
D. PEAP
32. Which of the following is an encryption standard that uses a single 56-bit symmetric key?
A. DES
B. 3DES
C. AES
D. WPS
33. Which of the following cryptography concepts converts output data into a fixed-length
value and cannot be reversed?
A. Steganography
B. Hashing
C. Collision
D. IV
34. SSL is a protocol used for securing transactions transmitting over an untrusted network
such as the Internet. Which of the following best describes the action that occurs during
the SSL connection setup process?
A. The client creates a session key and encrypts it with the server’s private key.
B. The client creates a session key and encrypts it with the server’s public key.
C. The server creates a session key and encrypts it with the client’s private key.
D. The server creates a session key and encrypts it with the client’s public key.
35. Which of the following EAP types requires both server and client certificates?
A. EAP-FAST
B. PEAP
C. EAP-TLS
D. EAP-TTLSChapter 6
174
■
Cryptography and PKI
36. You are the network administrator for a small office of 35 users and need to utilize mail
encryption that will allow specific users to encrypt outgoing email messages. You are
looking for an inexpensive onsite encryption server. Which of the following would you
implement?
A. PGP/GPG
B. WPA2
C. CRL
D. EAP-TLS
37. You have been promoted to security administrator for your company and you need to be
aware of all types of hashing algorithms for integrity checks. Which algorithm offers a
160-bit digest?
A. MD5
B. RC4
C. SHA-1
D. AES
38. You are the security manager for your company, and a system administrator wants to
know if there is a way to reduce the cost of certificates by purchasing a certificate to cover
all domains and subdomains for the company. Which of the following solutions would
you offer?
A. Wildcards
B. Object identifiers
C. Key escrow
D. OCSP
39. Which of the following are authentication protocols? (Choose two.)
A. WPS
B. EAP
C. IPSec
D. IEEE 802.1x
40. Your company is looking to accept electronic orders from a vendor and wants to ensure
nonauthorized people cannot send orders. Your manager wants a solution that provides
nonrepudiation. Which of the following options would meet the requirements?
A. Digital signatures
B. Hashes
C. Steganography
D. Perfect forward secrecy
41. You are tasked to implement a solution to ensure data that are stored on a removable USB
drive hasn’t been tampered with. Which of the following would you implement?
A. Key escrow
B.
File backupChapter 6
C. File encryption
D. File hashing
■
Cryptography and PKI
175
42. Which of the following is mainly used for remote access into a network?
A. TACACS+
B. XTACACS
C. Kerberos
D. RADIUS
43. A security manager has asked you to explain why encryption is important and what
symmetric encryption offers. Which of the following is the best explanation?
A. Confidentiality
B. Nonrepudiation
C. Steganography
D. Collision
44. You are a security administrator and have discovered one of the employees has been
encoding confidential information into graphic files. Your employee is sharing these pic-
tures on their social media account. What concept was the employee using?
A. Hashing
B. Steganography
C. Symmetric algorithm
D. Asymmetric algorithm
45. Your company’s branch offices connect to the main office through a VPN. You recently
discovered the key used on the VPN has been compromised. What should you do to
ensure the key isn’t compromised in the future?
A. Enable perfect forward secrecy at the main office and branch office ends of the VPN.
B. Enable perfect forward secrecy at the main office end of the VPN.
C. Enable perfect forward secrecy at the branch office end of the VPN.
D. Disable perfect forward secrecy at the main office and branch office ends of the VPN.
46. You are configuring your friend’s new wireless SOHO router and discover a PIN on the
back of the router. Which of the following best describes the purpose of the PIN?
A. This is a WEP PIN.
B. This is a WPS PIN.
C. This is a WPA PIN.
D. This is a Bluetooth PIN.
47. Which of the following benefits do digital signatures provide? (Choose two.)
A. Nonrepudiation
B. Authentication
C. Encryption
D. Key exchangeChapter 6
176
■
Cryptography and PKI
48. Your company has asked you to recommend a secure method for password storage. Which
of the following would provide the best protection against brute-force attacks? (Choose
two.)
A. ROT13
B. MD5
C. PBKDF2
D. BCRYPT
49. Your IT support center is receiving a high number of calls stating that users trying to
access the company’s website are receiving certificate errors within their browsers. Which
of the following statements best describes what the issue is?
A. The website certificate has expired.
B. Users have forgotten their usernames or passwords.
C. The domain name has expired.
D. The network is currently unavailable.
50. In asymmetric encryption, what is used to decrypt an encrypted file?
A. Private key
B. Public key
C. Message digest
D. Ciphertext
51. You are performing a vulnerability assessment on a company’s LAN and determine they
are using 802.1x for secure access. Which of the following attacks can a threat actor use
to bypass the network security?
A. MAC spoofing
B. ARP poisoning
C. Ping of death
D. Xmas attack
52. Your security manager is looking to implement a one-time pad scheme for the company’s
salespeople to use when traveling. Which of the following best describes a requirement for
this implementation? (Choose three.)
A. The pad must be distributed securely and protected at its destination.
B. The pad must always be the same length.
C. The pad must be used only one time.
D. The pad must be made up of truly random values.
53. A threat actor has created a man-in-the-middle attack and captured encrypted communi-
cation between two users. The threat actor was unable to decrypt the messages. Which of
the following is the reason the threat actor is unable to decrypt the messages?
A. Hashing
B.
Symmetric encryptionChapter 6
C. Asymmetric encryption
D. Key escrow
■
Cryptography and PKI
177
54. You have implemented a PKI to send signed and encrypted data. The user sending data
must have which of the following? (Choose two.)
A. The receiver’s private key
B. The sender’s private key
C. The sender’s public key
D. The receiver’s public key
55. Which of the following best describes the drawback of symmetric key systems?
A. You must use different keys for encryption and decryption.
B. The algorithm is more complex.
C. The system works much more slowly than an asymmetric system.
D. The key must be delivered in a secure manner.
56. Your company is looking for a secure backup mechanism for key storage in a PKI. Which
of the following would you recommend?
A. CSR
B. Key escrow
C. CRL
D. CA
57. Which cryptography concept uses points on a curve to define public and private key pairs?
A. Obfuscation
B. ECC
C. Stream cipher
D. Block cipher
58. You are a security administrator and have been given instructions to update the access
points to provide a more secure connection. The access points are currently set to use
WPA TKIP for encryption. Which of the following would you configure to accomplish the
task of providing a more secure connection?
A. WEP
B. WPA2 CCMP
C. Enable MAC filtering
D. Disable SSID broadcast
59. Which of the following is an example of a stream cipher?
A. AES
B. DES
C. 3DES
D. RC4Chapter 6
178
■
Cryptography and PKI
60. Which of the following are negotiation protocols commonly used by TLS? (Choose two.)
A. DHE
B. ECDHE
C. RSA
D. SHA
61. Which of the following statements is true regarding symmetric key systems?
A. They use different keys on each end of the transported data.
B. They use public key cryptography.
C. They use multiple keys for creating digital signatures.
D. They use the same key on each end of the transported data.
62. Which of the following ciphers was created from the foundation of the Rijndael
algorithm?
A. TKIP
B. AES
C. DES
D. 3DES
63. Katelyn is sending an important email to Zackary, the manager of human resources.
Company policy states messages to human resources must be digitally signed. Which of
the following statements is correct?
A. Katelyn’s public key is used to verify the digital signature.
B. Katelyn’s private key is used to verify the digital signature.
C. Zackary’s public key is used to verify the digital signature.
D. Zackary’s private key is used to verify the digital signature.
64. Data integrity is provided by which of the following?
A. 3DES
B. MD5
C. AES
D. Blowfish
65. Which of the following is a symmetric encryption algorithm that is available in 128-bit,
192-bit, and 256-bit key versions?
A. AES
B. DES
C. RSA
D. TKIPChapter 6
■
Cryptography and PKI
179
66. Which of the following items are found within a digital certificate? (Choose two.)
A. Serial number
B. Default gateway
C. Public key
D. Session key
67. In an 802.1x implementation, which of the following devices mutually authenticate with
each other? (Choose two.)
A. Authentication server
B. Certificate authority
C. Domain controller
D. Supplicant
68. Which of the following statements is true regarding the confusion encryption method?
A. It puts one item in the place of another; for example, one letter for another or one
letter for a number.
B. It scrambles data by reordering the plain text in a certain way.
C. It uses a relationship between the plain text and the key that is so complicated the
plain text can’t be altered and the key can’t be determined.
D. Change in the plain text will result in multiple changes that are spread throughout
the cipher text.
69. Which of the following is required when employing PKI and preserving data is important?
A. CA
B. CRL
C. Key escrow
D. CER
70. You need to encrypt the signature of an email within a PKI system. Which of the follow-
ing would you use?
A. CER
B. Public key
C. Shared key
D. Private key
71. Which of the following standards was developed by the Wi-Fi Alliance and implements
the requirements of IEEE 802.11i?
A. NIC
B. WPA
C. WPA2
D. TKIPChapter 6
180
■
Cryptography and PKI
72. You are asked to create a wireless network for your company that implements a wire-
less protocol that provides maximum security while providing support for older wireless
devices. Which protocol should you use?
A. WPA
B. WPA2
C. WEP
D. IV
73. Bob is a security administrator and needs to encrypt and authenticate messages that are
sent and received between two systems. Which of the following would Bob choose to
accomplish his task?
A. Diffie-Hellman
B. MD5
C. SHA-256
D. RSA
74. Which of the following algorithms is generally used in mobile devices?
A. 3DES
B. DES
C. ECC
D. AES
75. Which of the following statements best describes the difference between public key
cryptography and public key infrastructure?
A. Public key cryptography is another name for an asymmetric algorithm, whereas
public key infrastructure is another name for a symmetric algorithm.
B. Public key cryptography uses one key to encrypt and decrypt the data, and public key
infrastructure uses two keys to encrypt and decrypt the data.
C. Public key cryptography is another name for asymmetric cryptography, whereas
public key infrastructure contains the public key cryptographic mechanisms.
D. Public key cryptography provides authentication and nonrepudiation, whereas public
key infrastructure provides confidentiality and integrity.
76. Your company has a public key infrastructure (PKI) in place to issue digital certificates to
users. Recently, your company hired temporary contractors for a project that is now com-
plete. Management has requested that all digital certificates issued to the contractors be
revoked. Which PKI component would you consult for the management’s request?
A. CA
B. CRL
C. RA
D. CSRChapter 6
■
Cryptography and PKI
181
77. Which of the following security setup modes are intended for use in a small office or
home office environment? (Choose two.)
A. WPS
B. WPA-Enterprise
C. WPA2-Enterprise
D. WPA2-Personal
78. Which of the following automatically updates browsers with a list of root certificates from
an online source to track which certificates are to be trusted?
A. Trust model
B. Key escrow
C. PKI
D. RA
79. Which of the following EAP types uses the concepts of public key infrastructure (PKI)?
A. EAP-TLS
B. PEAP
C. EAP-FAST
D. EAP-TTLS
80. Which of the following use PSK authentication? (Choose two.)
A. WPA-Enterprise
B. WPA-Personal
C. WPA2-Personal
D. WPA2-Enterprise
81. You are receiving calls from users who are connected to the company’s network and
are being redirected to a login page with the company’s logo after they type a popular
social media web address in an Internet browser. Which of the following is causing this to
happen?
A. WEP
B. Key stretching
C. MAC filtering
D. Captive portal
82. Elliptic curve cryptosystem (ECC) is an asymmetric algorithm. Which of the following
statements best describe why ECC is different from other asymmetric algorithms?
(Choose two.)
A. It is more efficient.
B. It provides digital signatures, secure key distribution, and encryption.
C. It uses more processing power to perform encryption.
D. It provides fast key generation.Chapter 6
182
■
Cryptography and PKI
83. WEP’s RC4 approach to encryption uses a 24-bit string of characters added to data
that are transmitted. The same plain text data frame will not appear as the same WEP-
encrypted data frame. What is this string of characters called?
A. Diffusion
B. IV
C. Session key
D. Hashing
84. Your manager has recently purchased a RADIUS server that will be used by remote
employees to connect to internal resources. Several client computers need to connect to the
RADIUS server in a secure manner. What should your manager deploy?
A. HIDS
B. UTM
C. VLAN
D. 802.1x
85. Katelyn, a network administrator, has deleted the account for a user who left the company
last week. The user’s files were encrypted with a private key. How can Katelyn view the
user’s files?
A. The data can be decrypted using the backup user account.
B. The data can be decrypted using the recovery agent.
C. She must re-create the former user’s account.
D. The data can be decrypted using a CRL.
86. Your company has recently implemented an encryption system on the network. The sys-
tem uses a secret key between two parties and must be kept secret. Which system was
implemented?
A. Asymmetric algorithm
B. Symmetric algorithm
C. Hashing algorithm
D. Steganography
87. Tim, a wireless administrator, has been tasked with securing the company’s WLAN.
Which of the following cryptographic protocols would Tim use to provide the most secure
environment for the company?
A. WPA2 CCMP
B. WEP
C. WPA
D. WPA2 TKIPChapter 6
■
Cryptography and PKI
183
88. Which of the following defines a hashing algorithm creating the same hash value from
two different messages?
A. AES
B. MD5
C. Hashing
D. Collision
89. Matt, a network administrator, is deciding which credential-type authentication to
use within the company’s planned 802.1x deployment. He is searching for a method
that requires a client certificate and a server-side certificate, and that uses tunnels for
encryption. Which credential-type authentication method would Matt use?
A. EAP-TLS
B. EAP-FAST
C. PEAP
D. EAP
90. A coworker is connecting to a secure website using HTTPS. The coworker informs you that
before the website loads, their web browser displays an error indicating that the site certifi-
cate is invalid and the site is not trusted. Which of the following is most likely the issue?
A. The web browser is requiring an update.
B. The server is using a self-signed certificate.
C. A web proxy is blocking the connection.
D. The web server is currently unavailable.
91. Zack, an administrator, needs to renew a certificate for the company’s web server. Which
of the following would you recommend Zack submit to the CA?
A. CSR
B. Key escrow
C. CRL
D. OCSP
92. Which of the following types of encryption offers easy key exchange and key management?
A. Obfuscation
B. Asymmetric
C. Symmetric
D. Hashing
93. Which of the following is used to exchange cryptographic keys?
A. Diffie-Hellman
B. HMAC
C. ROT13
D. RC4Chapter 6
184
■
Cryptography and PKI
94. Which of the following encryption algorithms is used to encrypt and decrypt data?
A. MD5
B. HMAC
C. Kerberos
D. RC4
95. Which of the following provides additional encryption strength by repeating the encryp-
tion process with additional keys?
A. 3DES
B. AES
C. Twofish
D. Blowfish
96. Which of the following security mechanisms can be used for the purpose of nonrepudia-
tion?
A. Encryption
B. Digital signature
C. Collision
D. CA
97. You are a network administrator for your company, and the single AP that allows cli-
ents to connect to the wireless LAN is configured with a WPA-PSK preshared key of the
company name followed by the number 1. Which of the following statements is correct
regarding this implementation?
A. It is secure because WPA-PSK resolved the problem with WEP.
B. It is secure because the preshared key is at least five characters long.
C. It is not secure because the preshared key includes only one number and the company
name so it can be easily guessed.
D. It is not secure because WPA-PSK is as insecure as WEP and should never be used.
98. You are a security technician and have been given the task to implement a PKI on the
company’s network. When verifying the validity of a certificate, you want to ensure
bandwidth isn’t consumed. Which of the following can you implement?
A. CRL
B. OCSP
C. Key escrow
D. CA
99. Which of the following types of device are found in a network that supports Wi-Fi
Protected Setup (WPS) protocol? (Choose three.)
A. Registrar
B. Supplicant
C. Enrollee
D. Access PointChapter 6
■
Cryptography and PKI
185
100. You are a network administrator for a distribution company and the manager wants to
implement a secure wireless LAN for a BYOD policy. Through research, you determine that
the company should implement AES encryption and the 802.1x authentication protocol. You
also determine that too many APs and clients will be installed and you will need to configure
each one with a preshared key passphrase. Which of the following will meet your needs?
A. WEP
B. WPA
C. WPA2-Personal
D. WPA2-Enterprise
101. The process of deleting data by sending a single erase or clear instruction to an address of
the nonvolatile memory is an example of securing which of the following?
A. Data-in-transit
B. Data-over-the-network
C. Data-in-use
D. Data-at-rest
102. Which of the following is an authentication service and uses UDP as a transport medium?
A. TACACS+
B. RADIUS
C. LDAP
D. Kerberos
103. Which of the following is true regarding the importance of encryption of data-at-rest for
sensitive information?
A. It renders the recovery of data more difficult should the user lose their password.
B. It allows the user to verify the integrity of the data on the stored device.
C. It prevents the sensitive data from being accessed after a theft of the physical equipment.
D. It renders the recovery of data easier should the user lose their password.
104. You are a network administrator and your manager has asked you to enable WPA2
CCMP for wireless clients, along with an encryption to protect the data transmitting
across the network. Which of the following encryption methods would you use along with
WPA2 CCMP?
A. RC4
B. DES
C. AES
D. 3DES
105. Which of the following is the least secure hashing algorithm?
A. MD5
B. RIPEMD
C. SHA-1
D. AESChapter 6
186
■
Cryptography and PKI
106. Which of the following types of attack sends two different messages using the same hash
function, causing a collision?
A. Xmas attack
B. DoS
C. Logic bomb
D. Birthday attack
107. Which of the following defines a file format commonly used to store private keys with
associated public key certificates?
A. PKCS #1
B. PKCS #3
C. PKCS #7
D. PKCS #12
108. Which of the following statements are true regarding ciphers? (Choose two.)
A. Stream ciphers encrypt fixed sizes of data.
B. Stream ciphers encrypt data one bit at a time.
C. Block ciphers encrypt data one bit at a time.
D. Block ciphers encrypt fixed sizes of data.
109. How many effective key sizes of bits does 3DES have? (Choose three.)
A. 56
B. 112
C. 128
D. 168
110. Which of the following statements is true about symmetric algorithms?
A. They hide data within an image file.
B. They use one key to encrypt data and another to decrypt data.
C. They use a single key to encrypt and decrypt data.
D. They use a single key to create a hashing value.
111. The CA is responsible for revoking certificates when necessary. Which of the following
statements best describes the relationship between a CRL and OSCP?
A. OCSP is a protocol to submit revoked certificates to a CRL.
B. CRL is a more streamlined approach to OCSP.
C. CRL validates a certificate in real time and reports it to the OCSP.
D. OCSP is a protocol to check the CRL during a certificate validation process.Chapter 6
■
Cryptography and PKI
187
112. Which of the following takes each bit in a character and is XORed with the corresponding
bit in the secret key?
A. ECDHE
B. PBKDF2
C. Obfuscation
D. One-time pad
113. Which of the following works similarly to stream ciphers?
A. One-time pad
B. RSA
C. AES
D. DES
114. Your manager wants to implement a security measure to protect sensitive company data
that reside on the remote salespeople’s laptops should they become lost or stolen. Which
of the following measures would you implement?
A. Implement WPS on the laptops.
B. Set BIOS passwords on the laptops.
C. Use whole-disk encryption on the laptops.
D. Use cable locks on the laptops.
115. You want to send confidential messages to a friend through email, but you do not have a
way of encrypting the message. Which of the following methods would help you achieve
this goal?
A. AES
B. Collision
C. RSA
D. Steganography
116. Which of the following cipher modes uses a feedback-based encryption method to ensure
that repetitive data result in unique cipher text?
A. ECB
B. CBC
C. GCM
D. CTM
117. Which statement is true regarding the difference between a secure cipher and a secure
hash?
A. A secure hash can be reversed; a secure cipher cannot.
B. A secure cipher can be reversed; a secure hash cannot.
C. A secure hash produces a variable output for any input size; a secure cipher does not.
D. A secure cipher produces the same size output for any input size; a hash does not.Chapter 6
188
■
Cryptography and PKI
118. Which certificate format is typically used on Windows OS machines to import and export
certificates and private keys?
A. DER
B. AES
C. PEM
D. PFX
119. What is another name for an ephemeral key?
A. PKI private key
B. MD5
C. PKI public key
D. Session key
120. Why would a threat actor use steganography?
A. To test integrity
B. To conceal information
C. To encrypt information
D. To create a hashing value
121. The CIO has instructed you to set up a system where credit card data will be encrypted
with the most secure symmetric algorithm with the least amount of CPU usage. Which of
the following algorithms would you choose?
A. AES
B. SHA-1
C. MD5
D. 3DES
122. Which of the following encryption methods is used by RADIUS?
A. Asymmetric
B. Symmetric
C. Elliptic curve
D. RSA
123. When setting up a secure wireless company network, which of the following should you
avoid?
A. WPA
B. WPA2
C. EAP-TLS
D. PEAPChapter 6
■
Cryptography and PKI
189
124. You want to authenticate and log connections from wireless users connecting with
EAP-TLS. Which of the following should be used?
A. Kerberos
B. LDAP
C. SAML
D. RADIUS
125. Which of the following would be used to allow certain traffic to traverse from a wireless
network to an internal network?
A. WPA
B. WEP
C. Load balancers
D. 802.1x
126. You are asked to see if several confidential files have changed, and you decide to use an
algorithm to create message digests for the confidential files. Which algorithm would
you use?
A. AES
B. RC4
C. Blowfish
D. SHA-1
127. Network data needs to be encrypted, and you are required to select a cipher that will
encrypt 128 bits at a time before the data are sent across the network. Which of the
following would you choose?
A. Stream cipher
B. Hash algorithm
C. Block cipher
D. Obfuscation
128. Which of the following are considered cryptographic hash functions? (Choose two.)
A. AES
B. MD5
C. RC4
D. SHA-256
129. A company’s database is beginning to grow, and the data-at-rest are becoming a concern
with the security administrator. Which of the following is an option to secure the
data-at-rest?
A. SSL certificate
B. Encryption
C. Hashing
D. TLS certificateChapter 6
190
■
Cryptography and PKI
130. Which of the following hardware devices can store keys? (Choose two.)
A. USB flash drive
B. Smartcard
C. PCI expansion card
D. Cipher lock
131. You are a security manager and have been asked to encrypt database system information
that contains employee social security numbers. You are looking for an encryption stan-
dard that is fast and secure. Which of the following would you suggest to accomplish the
requirements?
A. SHA-256
B. AES
C. RSA
D. MD5
132. James is a security administrator and wants to ensure the validity of public trusted certifi-
cates used by the company’s web server, even if there is an Internet outage. Which of the
following should James implement?
A. Key escrow
B. Recovery agent
C. OCSP
D. CSR
133. You are a security administrator looking to implement a two-way trust model. Which of
the following would you use?
A. ROT13
B. PGP
C. WPA2
D. PKI
134. If a threat actor obtains an SSL private key, what type of attack can be performed?
(Choose two.)
A. Eavesdropping
B. Man-in-the-middle
C. Social engineering
D. Brute force
135. Most authentication systems make use of a one-way encryption process. Which of the
following is an example of a one-way encryption?
A. Symmetric algorithm
B.
HashingChapter 6
C. Asymmetric algorithm
D. PKI
■
Cryptography and PKI
136. Which of the following transpires in a PKI environment?
A. The CA signs the certificate.
B. The RA signs the certificate.
C. The RA creates the certificate and the CA signs it.
D. The CA creates the certificate and the RA signs it.
137. Which of the following statements best describes how a digital signature is created?
A. The sender encrypts a message digest with the receiver’s public key.
B. The sender encrypts a message digest with the receiver’s private key.
C. The sender encrypts a message digest with his or her private key.
D. The sender encrypts a message digest with his or her public key.
138. AES is an algorithm used for which of the following?
A. Encrypting a large amount of data
B. Encrypting a small amount of data
C. Key recovery
D. Key revocation
139. PEAP protects authentication transfers by implementing which of the following?
A. TLS tunnels
B. SSL tunnels
C. AES
D. SHA hashes
140. AES-CCMP uses a 128-bit temporal key and encrypts data in what block size?
A. 256
141.
B. 192
C. 128
D. 64
Which of the following implement Message Integrity Code (MIC)? (Choose two.)
A. AES
B. DES
C. CCMP
D. TKIP
191Chapter 6
192
■
Cryptography and PKI
142. James, a WLAN security engineer, recommends to management that WPA-Personal secu-
rity should not be deployed within the company’s WLAN for their vendors. Which of the
following statements best describe James’s recommendation? (Choose two.)
A. Static preshared passphrases are susceptible to social engineering attacks.
B. WPA-Personal uses public key encryption.
C. WPA-Personal uses a weak TKIP encryption.
D. WPA-Personal uses a RADIUS authentication server.
143. Which of the following is correct regarding root certificates?
A. Root certificates never expire.
B. A root certificate contains the public key of the CA.
C. A root certificate contains information about the user.
D. A root certificate cannot be used to authorize subordinate CAs to issue certificates on
its behalf.
144. Which of the following statements are correct about public and private key pairs?
(Choose two.)
A. Public and private keys work in isolation of each other.
B. Public and private keys work in conjunction with each other as a team.
C. If the public key encrypts the data using an asymmetric encryption algorithm, the
corresponding private key is used to decrypt the data.
D. If the private key encrypts the data using an asymmetric encryption algorithm, the
receiver uses the same private key to decrypt the data.
145. Which of the following are the filename extensions for PKCS #12 files? (Choose two.)
A. .p12
B. .KEY
C. .pfx
D. .p7b
146. Your company has discovered that several confidential messages have been intercepted.
You decide to implement a web of trust to encrypt the files. Which of the following are
used in a web of trust concept? (Choose two.)
A. RC4
B. AES
C. PGP
D. GPG
147. Which of the following algorithms is typically used to encrypt data-at-rest?
A. Symmetric
B. Asymmetric
C. Stream
D. HashingChapter 6
■
Cryptography and PKI
193
148. Which of the following can assist in the workload of the CA by performing identification
and authentication of users requesting certificates?
A. Root CA
B. Intermediate CA
C. Registered authority
D. OSCP
149. You recently upgraded your wireless network so that your devices will use the 802.11n
protocol. You want to ensure all communication on the wireless network is secure with
the strongest encryption. Which of the following is the best choice?
A. WEP
B. WPA
C. WPA2
D. WPS
150. A college wants to move data to a USB flash drive and has asked you to suggest a way to
secure the data in a quick manner. Which of the following would you suggest?
A. 3DES
B. SHA-256
C. AES-256
D. SHA-512Chapter
7
Practice TestChapter 7
196
■
Practice Test
1. You are asked to separate the Sales and Marketing department’s network traffic on a
layer 2 device within a LAN. This will reduce broadcast traffic and prevent the depart-
ments from seeing each other’s resources. Which of the following types of network design
would be the best choice?
A. MAC
B. NAT
C. VLAN
D. DMZ
2. You are a network administrator and your company has asked you to perform a survey of
the campus for open Wi-Fi access points. You walk around with your smartphone look-
ing for unsecured access points that you can connect to without a password. What type of
penetration testing concept is this called?
A. Escalation of privilege
B. Active reconnaissance
C. Passive reconnaissance
D. Black-box
3. Which of the following is a certificate-based authentication that allows individuals access
to U.S. federal resources and facilities?
A. Proximity card
B. TOTP
C. PIV card
D. HOTP
4. You attempt to log into your company’s network with a laptop. The laptop is quarantined
to a restricted VLAN until the laptop’s virus definitions are updated. Which of the follow-
ing best describes this network component?
A. NAT
B. HIPS
C. DMZ
D. NAC
5. You have been asked to implement a security control that will limit tailgating in high-
secured areas. Which of the following security control would you choose?
A. Mantrap
B. Faraday cage
C. Airgap
D. Cable locks
6. Your company’s network administrator is placing an Internet web server in an isolated
area of the company’s network for security purposes. Which of the following architecture
concepts is the network administrator implementing?
A. Honeynet
B.
DMZChapter 7
C. Proxy
D. Intranet
■
Practice Test
197
7. Your company is offering a new product on its website. You are asked to ensure availabil-
ity of the web server when it receives a large number of requests. Which of the following
would be the best option to fulfill this request?
A. VPN concentrator
B. NIPS
C. SIEM
D. Load balancer
8. You are a security administrator for a manufacturing company that produces com-
pounded medications. To ensure individuals are not accessing sensitive areas where the
medications are created, you want to implement a physical security control. Which of the
following would be the best option?
A. Security guard
B. Signs
C. Faraday cage
D. Cameras
9. An attacker exploited a bug, unknown to the developer, to gain access to a database
server. Which of the following best describes this type of attack?
A. Zero-day
B. Cross-site scripting
C. ARP poisoning
D. Domain hijacking
10. A new employee added network drops to a new section of the company’s building. The
cables were placed across several fluorescent lights. When users attempted to connect to
the data center on the network, they experienced intermittent connectivity. Which of the
following environmental controls was the most likely cause of this issue?
A. DMZ
B. EMI
C. BIOS
D. TPM
11. What method should you choose to authenticate a remote workstation before it gains
access to a local LAN?
A. Router
B. Proxy server
C. VPN concentrator
D. FirewallChapter 7
198
■
Practice Test
12. Which of the following allows a company to store a cryptographic key with a trusted
third party and release it only to the sender or receiver with proper authorization?
A. CRL
B. Key escrow
C. Trust model
D. Intermediate CA
13. Your company recently upgraded the HVAC system for its server room. Which of the fol-
lowing security implications would the company be most concerned about?
A. Confidentiality
B. Availability
C. Integrity
D. Airgap
14. Your company provides secure wireless Internet access to visitors and vendors working
onsite. Some of the vendors are reporting they are unable to view the wireless network.
Which of the following best describes the issue?
A. MAC filtering is enabled on the WAP.
B. The SSID broadcast is disabled.
C. The wrong antenna type is being used.
D. The wrong band selection is being used.
15. Your company’s sales team is working late at the end of the month to ensure all sales are
reported for the month. The sales members notice they cannot save or print reports after
regular hours. Which of the following general concepts is preventing the sales members
from performing their job?
A. Job rotation
B. Time-of-day restrictions
C. Least privilege
D. Location-based policy
16. Which of the following symmetric algorithms are block ciphers? (Choose three.)
A. 3DES
B. ECDHE
C. RSA
D. RC4
E. SHA
F. TwofishChapter 7
■
Practice Test
199
17. A security officer has asked you to use a password cracking tool on the company’s comput-
ers. Which of the following best describes what the security officer is trying to accomplish?
A. Looking for strong passwords
B. Enforcing a minimum password length policy
C. Enforcing a password complexity policy
D. Looking for weak passwords
18. Which of the following test gives testers comprehensive network design information?
A. White box
B. Black box
C. Gray box
D. Purple box
19. You are the network administrator for your company and want to implement a wire-
less network and prevent unauthorized access. Which of the following would be the best
option?
A. RADIUS
B. TACACS+
C. Kerberos
D. OAUTH
20. Why is input validation important to secure coding techniques? (Choose two.)
A. It mitigates shoulder surfing.
B. It mitigates buffer overflow attacks.
C. It mitigates ARP poisoning.
D. It mitigates XSS vulnerabilities.
21. To authenticate, a Windows 10 user draws a circle around a picture of a dog’s nose and
then touches each ear starting with the right ear. Which of the following concepts is this
describing?
A. Something you do
B. Something you know
C. Something you have
D. Somewhere you are
22. Which of the following countermeasures is designed to best protect against a brute-force
password attack?
A. Password complexity
B. Account disablement
C. Password length
D. Account lockoutChapter 7
200
■
Practice Test
23. You are a security administrator reviewing the results from a network security audit. You
are reviewing options to implement a solution to address the potential poisoning of name
resolution server records. Which of the following would be the best choice?
A. SSL
B. SSH
C. DNSSEC
D. TLS
24. Your manager has implemented a new policy that requires employees to shred all sensitive
documents. Which of the following attacks is your manager attempting to prevent?
A. Tailgating
B. Dumpster diving
C. Shoulder surfing
D. Man-in-the-middle
25. Which of the following cryptography algorithms support multiple bit strengths?
A. DES
B. HMAC
C. MD5
D. AES
26. A network security auditor will perform various simulated network attacks against your
company’s network. Which should the security auditor acquire first?
A. Vulnerability testing authorization
B. Transfer risk response
C. Penetration testing authorization
D. Change management
27. A system administrator is told an application is not able to handle the large amount of traffic
the server is receiving on a daily basis. The attack takes the server offline and causes it to drop
packets occasionally. The system administrator needs to find another solution while keeping
the application secure and available. Which of the following would be the best solution?
A. Sandboxing
B. DMZ
C. Cloud computing
D. DLP
28. You are a security administrator and are observing unusual behavior in your network
from a workstation. The workstation is communicating with a known malicious destina-
tion over an encrypted tunnel. You have updated the antivirus definition files and per-
formed a full antivirus scan. The scan doesn’t show any clues of infection. Which of the
following best describes what has happened on the workstation?
A. Buffer overflow
B.
Session hijackingChapter 7
C. Zero-day attack
D. DDoS
■
Practice Test
201
29. You are the security engineer and have discovered that communication within your com-
pany’s encrypted wireless network is being captured with a sniffing program. The data
being captured is then being decrypted to obtain the employee’s credentials to be used at
a later time. Which of the following protocols is most likely being used on the wireless
access point? (Choose two.)
A. WPA2 Personal
B. WPA2 Enterprise
C. WPA
D. WEP
30. A network manager has implemented a strategy so that all workstations on the network
will receive required security updates regularly. Which of the following best describes
what the network manager implemented?
A. Sandboxing
B. Ad hoc
C. Virtualization
D. Patch management
31. Your manager wants to secure the FTP server by using SSL. Which of the following
should you configure?
A. FTPS
B. SFTP
C. SSH
D. LDAPS
32. You are an IT security officer and you want to classify and assess privacy risks throughout
the development life cycle of a program or system. Which of the following tools would be
best to use for this purpose?
A. BIA
B. PIA
C. RTO
D. MTBF
33. Which of the following types of risk analysis makes use of ALE?
A. Qualitative
B. ROI
C. SLE
D. QuantitativeChapter 7
202
■
Practice Test
34. Which of the following statements best describes mandatory vacations?
A. Companies ensure their employees can take time off to conduct activities together.
B. Companies use them as a tool to ensure employees are taking the correct amount of
days off.
C. Companies ensure their employees are properly recharged to perform their duties.
D. Companies use them as a tool for security protection to detect fraud.
35. Users of your company have been visiting the website www.abccompany.com and a recent
increase in virus detection has been noted. Your company has developed a relationship
with another company using the web address www.abccompany.com, but not with the site
that has been causing the increase of viruses. Which of the following would best describe
this attack?
A. Session hijacking
B. Cross-site scripting
C. Replay attack
D. Typo squatting
36. Which of the following would you enable in a laptop’s BIOS to provide full disk
encryption?
A. RAID
B. USB
C. HSM
D. TPM
37. Your company has hired a third-party auditing firm to conduct a penetration test against
your network. The firm wasn’t given any information related to the company’s network.
What type of test is the company performing?
A. White box
B. Red box
C. Black box
D. Gray box
38. Server room access is controlled with proximity cards and records all entries and exits.
These records are referred to if missing equipment is discovered, so employees can be iden-
tified. Which of the following must be prevented for this policy to become effective?
A. Shoulder surfing
B. Tailgating
C. Vishing
D. Dumpster divingChapter 7
■
Practice Test
203
39. Company users are stating they are unable to access the network file server. A company
security administrator checks the router ACL and knows users can access the web server,
email server, and printing services. Which of the following is preventing access to the net-
work file server?
A. Implicit deny
B. Port security
C. Flood guard
D. Signal strength
40. An employee informs you that the Internet connection is slow and they are having diffi-
culty accessing websites to perform their job. You analyze their computer and discover the
MAC address of the default gateway in the ARP cache is not correct. What type of attack
have you discovered?
A. DNS poisoning
B. Injection
C. Impersonation
D. ARP poisoning
41. Tony, a college student, downloaded a free word editor program to complete his essay.
After downloading and installing the software, Tony noticed his computer was running
slow and he was receiving notifications from his antivirus program. Which of the follow-
ing best describes the malware that he installed?
A. Keylogger
B. Worm
C. Ransomware
D. Trojan
42. Which of the following measures the amount of time required to return a failed device,
component, or network to normal functionality?
A. RTO
B. MTTR
C. MTBF
D. RPO
43. Natural disasters and intentional man-made attacks can cause the death of employees and
customers. What type of impact is this?
A. Safety
B. Life
C. Finance
D. ReputationChapter 7
204
■
Practice Test
44. A user finds and downloads an exploit that will take advantage of website vulnerabilities.
The user isn’t knowledgeable about the exploit and runs the exploit against multiple web-
sites to gain access. Which of the following best describes this user?
A. Man-in-the-middle
B. Script kiddie
C. White hat
D. Hacktivist
45. You are the IT security officer and you plan to develop a general cybersecurity aware-
ness training program for the employees. Which of the following best describes these
employees?
A. Data owners
B. Users
C. System administrators
D. System owners
46. The system administrator needs to secure the company’s data-at-rest. Which of the follow-
ing would provide the strongest protection?
A. Implement biometrics controls on each workstation.
B. Implement full-disk encryption.
C. Implement a host intrusion prevention system.
D. Implement a host intrusion detection system.
47. Which of the following is a true statement about qualitative risk analysis?
A. It uses numeric values to measure the impact of risk.
B. It uses descriptions and words to measure the impact of risk.
C. It uses industry best practices and records.
D. It uses statistical theories, testing, and experiments.
48. Which of the following firewalls tracks the operating state and characteristics of network
connections traversing it?
A. Stateful firewall
B. Stateless firewall
C. Application firewall
D. Packet filter firewall
49. Which of the following are examples of PII? (Choose two.)
A. Fingerprint
B. MAC address
C. Home address
D. GenderChapter 7
■
Practice Test
205
50. An employee informs you they have lost a corporate mobile device. What is the first action
you perform?
A. Enable push notification services.
B. Remotely wipe the mobile device.
C. Enable screen lock.
D. Enable geofencing.
51. You have created a backup routine that includes a full backup each Sunday night and
a backup each night of all data that has changed since Sunday’s backup. Which of the fol-
lowing best describes this backup schedule?
A. Full and incremental
B. Full and differential
C. Snapshots
D. Full
52. One of your colleagues attempted to ping a computer name and received the response of
fe80::3281:80ea:b72b:0b55. What type of address did the colleague view?
A. IPv6
B. IPv4
C. MAC address
D. APIPA
53. Which of the following defines the act of sending unsolicited messages to nearby Blue-
tooth devices?
A. Jamming
B. Bluesnarfing
C. Brute force
D. Bluejacking
54. You are a system administrator and you are creating a public and private key pair. You
have to specify the key strength. Which of the following would be your best choice?
A. RSA
B. DES
C. MD5
D. SHA
55. You are the security administrator for the sales department and the department needs to
email high volumes of sensitive information to clients to help close sales. All emails go
through a DLP scanner. Which of the following is the best solution to help the department
protect the sensitive information?
A. Automatically encrypt outgoing emails.
B.
Monitor all outgoing emails.Chapter 7
206
■
Practice Test
C. Automatically encrypt incoming emails.
D. Monitor all incoming emails.
56. You are the IT security officer of your company and have established a security policy
that requires users to protect all sensitive documents to avoid their being stolen. What
policy have you implemented?
A. Separation of duties
B. Clean desk
C. Job rotation
D. Privacy
57. Which of the following options can a security administrator deploy on a mobile device that
will deter undesirable people from seeing the data on the device if it is left unattended?
A. Screen lock
B. Push notification services
C. Remote wipe
D. Full device encryption
58. You are a system administrator and are asked to prevent staff members from using each
other’s credentials to access secured areas of the building. Which of the following will best
address this request?
A. Install a biometric reader at the entrance of the secure area.
B. Install a proximity card reader at the entrance of the secure area.
C. Implement least privilege.
D. Implement group policy enforcement.
59. A sales manager has asked for an option for sales reps who travel to have secure remote
access to your company’s database server. Which of the following should you configure
for the sales reps?
A. VPN
B. WLAN
C. NAT
D. Ad hoc
60. An attacker tricks one of your employees into clicking on a malicious link that causes an
unwanted action on the website the employee is currently authenticated to. What type of
attack is this?
A. Replay
B. Cross-site request forgery
C. Cross-site scripting
D. Buffer overflowChapter 7
■
Practice Test
207
61. Which of the following is considered the strongest access control?
A. RBAC
B. DAC
C. MAC
D. ABAC
62. Your company wants to expand its data center, but has limited space to store additional
hardware. The IT staff needs to continue their operations while expansion is underway.
Which of the following would best accomplish this expansion idea?
A. IaaS
B. Virtualization
C. SaaS
D. Public cloud
63. Which of the following algorithms have known collisions? (Choose two.)
A. MD5
B. AES
C. SHA
D. SHA-256
E. RSA
64. Which of the following must a security administrator implement to allow customers, ven-
dors, suppliers, and other businesses to obtain information while preventing access to the
company’s entire network?
A. Intranet
B. Internet
C. Extranet
D. Honeynet
65. The head of HR is conducting an exit interview with an IT network administrator named
Matt. The interview questions include Matt’s view of his manager, why he is leaving his
current position, and what he liked most about his job. Which of the following should
also be addressed in this exit interview?
A. Job rotation
B. NDA
C. Background checks
D. Property return form
66. Which of the following is considered the least secure authentication method?
A. TACACS+
B. CHAP
C. NTLM
D. PAPChapter 7
208
■
Practice Test
67. You are a security administrator for your company and have been asked to recommend a
secure method for storing passwords due to recent brute-force attempts. Which of the fol-
lowing will provide the best protection? (Choose two.)
A. ROT13
B. BCRYPT
C. RIPEMD
D. PBKDF2
68. You installed a WAP for a local coffee shop and have discovered the signal is extending
into the parking lot. Which of the following configurations will best correct this issue?
A. Change the antenna type.
B. Disable the SSID broadcast.
C. Reduce the signal strength for indoor coverage only.
D. Enable MAC filtering to prevent devices from accessing the wireless network.
69. You are a network administrator for a bank. A branch manager discovers that the desk-
side employees have the ability to delete lending policies found in a folder within the file
server. You review the permissions and notice the deskside employees have “modify”
permissions to the folder. The employees should have read permissions only. Which of the
following security principles has been violated?
A. Job rotation
B. Time-of-day restrictions
C. Separation of duties
D. Least privilege
70. Which of the following concepts of cryptography ensures integrity of data by the use of
digital signatures?
A. Key stretching
B. Steganography
C. Key exchange
D. Hashing
71. Your manager has asked you to recommend a public key infrastructure component to
store certificates that are no longer valid. Which of the following is the best choice?
A. Intermediate CA
B. CSR
C. CRL
D. Key escrow
72. You are a backup operator and receive a call from a user asking you to send sensitive docu-
ments immediately because their manager is going to a meeting with the company’s executives.
The user states the manager’s files are corrupted and he is attending the meeting in the next 5
minutes. Which of the following forms of social engineering best describes this situation?
A. Scarcity
B.
ConsensusChapter 7
C. Intimidation
D. Authority
■
Practice Test
209
73. Which of the following controls can you implement together to prevent data loss if a
mobile device is lost or stolen? (Choose two.)
A. Geofencing
B. Full-device encryption
C. Screen locks
D. Push notification services
74. You are asked to find the MAC address on a Linux machine. Which of the following
commands can you use to discover it?
A. ipconfig
B. ifconfig
C. tracert
D. ping
75. A chief security officer (CSO) notices that a large number of contractors work for the
company. When a contractor leaves the company, the provisioning team is not notified.
The CSO wants to ensure the contractors cannot access the network when they leave.
Which of the following polices best supports the CSO’s plan?
A. Account disablement
B. Account lockout policy
C. Enforce password history
D. Account expiration policy
76. The CISO wants to strengthen the password policy by adding special characters to users’
passwords. Which of the following control best achieves this goal?
A. Password complexity
B. Password length
C. Password history
D. Group policy
77. Which of the following deployment models allows a business to have more control of the
devices given to employees that handle company information?
A. DLP
B. COPE
C. BYOD
D. CYODChapter 7
210
■
Practice Test
78. A network administrator uses their fingerprint and enters a PIN to log onto a server.
Which of the following best describes this example?
A. Identification
B. Single authentication
C. Multifactor authentication
D. Transitive trust
79. Your company wants to perform a privacy threshold assessment (PTA) to identify all PII
residing in its systems before retiring hardware. Which of the following would be exam-
ples of PII? (Choose two.)
A. Date of birth
B. Email address
C. Race
D. Fingerprint
80. Your HIPS is incorrectly reporting legitimate network traffic as suspicious activity. What
is this best known as?
A. False positive
B. False negative
C. Credentialed
D. Noncredentialed
81. Matt, a network administrator, is asking how to configure the switches and routers to
securely monitor their status. Which of the following protocols would he need to imple-
ment on the devices?
A. SSH
B. SNMP
C. SMTP
D. SNMPv3
82. Your company has issued a hardware token-based authentication to administrators to
reduce the risk of password compromise. The tokens display a code that automatically
changes every 30 seconds. Which of the following best describes this authentication
mechanism?
A. TOTP
B. HOTP
C. Smartcard
D. Proximity cardChapter 7
■
Practice Test
211
83. You are the network administrator for your company’s Microsoft network. Your CISO is
planning the network security and wants a secure protocol that will authenticate all users
logging into the network. Which of the following authentication protocols would be the
best choice?
A. RADIUS
B. TACACS+
C. Kerberos
D. SAML
84. Which of the following is not a vulnerability of end-of-life systems?
A. When systems can’t be updated, firewalls and antiviruses are not sufficient
protection.
B. Out-of-date systems can result in fines in regulated industries.
C. When an out-of-date system reaches the end-of-life, it will automatically shut down.
D. Operating out-of-date systems can result in poor performance and reliability and can
lead to denial of services.
85. Which of the following statements are true regarding viruses and worms? (Choose two.)
A. A virus is a malware that self-replicates over the network.
B. A worm is a malware that self-replicates over the network.
C. A virus is a malware that replicates by attaching itself to a file.
D. A worm is a malware that replicates by attaching itself to a file.
86. Which of the following wireless attacks would be used to impersonate another WAP to
obtain unauthorized information from nearby mobile users?
A. Rogue access point
B. Evil twin
C. Bluejacking
D. Bluesnarfing
87. Tony, a security administrator, discovered through an audit that all the company’s access
points are currently configured to use WPA with TKIP for encryption. Tony needs to
improve the encryption on the access points. Which of the following would be the best
option for Tony?
A. WPA2 with CCMP
B. WEP
C. WPA with CCMP
D. WPSChapter 7
212
■
Practice Test
88. Your department manager assigns Tony, a network administrator, the job of expressing
the business and financial effects that a failed SQL server would cause if it was down for
4 hours. What type of analysis must Tony perform?
A. Security audit
B. Asset identification
C. Business impact analysis
D. Disaster recovery plan
89. You are the security administrator for a local hospital. The doctors want to prevent the
data from being altered while working on their mobile devices. Which of the following
would most likely accomplish the request?
A. Cloud storage
B. Wiping
C. SIEM
D. SCADA
90. You are a Unix engineer, and on October 29 you discovered that a former employee had
planted malicious code that would destroy 4,000 servers at your company. This mali-
cious code would have caused millions of dollars worth of damage and shut down your
company for at least a week. The malware was set to detonate at 9:00 a.m. on January 31.
What type of malware did you discover?
A. Logic bomb
B. RAT
C. Spyware
D. Ransomware
91. Which of the following is defined as hacking into a computer system for a politically or
socially motivated purpose?
A. Hacktivist
B. Insider
C. Script kiddie
D. Evil twin
92. A network administrator with your company has received phone calls from an individual
who is requesting information about their personal finances. Which of the following type
of attack is occurring?
A. Whaling
B. Phishing
C. Vishing
D. Spear phishingChapter 7
■
Practice Test
213
93. Which of the following can be restricted on a mobile device to prevent security violations?
(Choose three.)
A. Third-party app stores
B. Biometrics
C. Content management
D. Rooting
E. Sideloading
94. Which of the following does a remote access VPN usually rely on? (Choose two.)
A. IPSec
B. DES
C. SSL
D. SFTP
95. Matt, a security administrator, wants to use a two-way trust model for the owner of a cer-
tificate and the entity relying on the certificate. Which of the following is the best option
to use?
A. WPA
B. Object identifiers
C. PFX
D. PKI
96. If domain A trusts domain B, and domain B trusts domain C, then domain A trusts
domain C. Which concept does this describe?
A. Multifactor authentication
B. Federation
C. Single sign-on
D. Transitive trust
97. A user entered a username and password to log into the company’s network. Which of the
following best describes the username?
A. Authorization
B. Authentication
C. Identification
D. Accounting
98. Which of the following tools can be used to hide messages within a file?
A. Data sanitization
B. Steganography
C. Tracert
D. Network mapping
99. Which of the following is best used to prevent ARP poisoning on a local network?
(Choose two.)
A. Antivirus
B. Static ARP entries
C. Patching management
D. Port security
100. Which of the following is the best practice to place at the end of an ACL?
A. USB blocking
B. Time synchronization
C. MAC filtering
D. Implicit deny