CompTIA Security+ Certification Guide

You're reading from CompTIA Security+ Certification Guide: Master IT security essentials and exam topics for CompTIA Security+ SY0-501 certification

Product type Paperback
Published in Sep 2018
Publisher Packt
ISBN-13 9781789348019
Length 532 pages
Edition 1st Edition
Author (1): Ian Neil

Table of Contents (22 Chapters)

Title Page
Packt Upsell
Contributor
Preface
1. Understanding Security Fundamentals (FREE CHAPTER)
2. Conducting Risk Analysis
3. Implementing Security Policies and Procedures
4. Delving into Identity and Access Management
5. Understanding Network Components
6. Understanding Cloud Models and Virtualization
7. Managing Hosts and Application Deployment
8. Protecting Against Attacks and Vulnerabilities
9. Implementing the Public Key Infrastructure
10. Responding to Security Incidents
11. Managing Business Continuity
12. Mock Exam 1
13. Mock Exam 2
1. Preparing for the CompTIA Security+ 501 Exam
2. Acronyms
3. Assessment
4. Other Books You May Enjoy
Index

Mock Exam 2


  1. You are the security administrator for a large multinational corporation, and you have used a black box penetration tester to find vulnerabilities in your company and exploit them as far as you can. During the penetration test, it was found that there were some vulnerabilities in your Windows 10 desktop operating system. There were no vulnerabilities in any of your Linux or Unix systems. Which of the following BEST describes why the penetration tester was successful with the Windows 10 machines, but not with the Linux or Unix machines?

A. Linux and Unix are more secure than Windows 10

B. The penetration tester did not attempt to exploit the Linux/Unix machines

C. The Linux and Unix operating systems never have any vulnerabilities

D. The operating systems' attack vectors are very different

Answer: D

Concept: Different operating systems have different structures, so the attack vectors and the paths taken to attack them are different.

Wrong answers:

A. Not a proven fact—red herring

B. The penetration tests did attempt the exploit—that is why they had negative results

C. All operating systems suffer from vulnerabilities at one time or another

  2. You are a security administrator and you wish to implement an encrypted method of authentication for your wireless network. Which of the following protocols is the MOST secure for your wireless network?

A. PAP

B. WPA2-PSK

C. EAP-TLS

D. PEAP

Answer: C

Concept: EAP-TLS is a secure wireless authentication protocol, as it uses certificates. It is the most secure EAP standard.

Wrong answers:

A. PAP shows the passwords in clear text and is used by VPN, not wireless networks

B. WPA2-PSK uses a wireless router password; therefore, it is not secure

D. PEAP encrypts EAP packets for secure wireless authentication, but it is not as secure as EAP-TLS

  3. You are designing the network topology for a new company that is rapidly expanding from a one-premise company with 20 users to a medium-sized company with 300 users. The company tells you that it was subject to a DDoS attack last year that took the company down for over a day. In your network design, they don't want to implement a DMZ; therefore, the traffic will be coming directly from the internet. How do you propose to BEST mitigate against future DDoS attacks? Select two answers from the following list; each forms part of the solution:

A. Install a stateless firewall on the edge of your network to prevent incoming traffic

B. Install a stateful firewall on the edge of your network to prevent incoming traffic

C. Install an NIDS in your network as an additional layer of protection

D. Install an NIPS in your network as an additional layer of protection

E. Install an inline NIPS in your network as an additional layer of protection

Answer: B and E

Concept: A stateful firewall on the edge of your network can prevent a DDoS attack as it inspects the traffic, including the verbs. An inline NIPS will ensure that all network traffic coming from the firewall will go through it and be inspected thoroughly.

Wrong answers:

A. A stateless firewall is a basic firewall that will prevent unauthorized access, but does not really inspect the traffic thoroughly

C. An NIDS cannot be an additional layer of protection, as it just detects changes in traffic patterns and cannot prevent the attacks

D. Although installing an NIPS behind the firewall is a good idea, the inline NIPS is a much better solution, as all of the traffic passes through it

  4. You work on the cyber security team of a large multinational corporation, and you have been alerted to an attack on the web server inside your DMZ that is used for selling your products on the internet. You can see by running netstat that you have an unknown active connection. What should be the first step you take when investigating this incident?

A. Isolate the web server by disconnecting it from the network to prevent further damage

B. Disconnect all external active connections to ensure that the attack is stopped

C. Run a packet sniffer to capture the network traffic and identify the attacker

D. Take a screenshot of the damage done to the website and report it to the police

Answer: C

Concept: The first stage in investigating any attack is to capture the volatile evidence. In this incident, you would capture the network traffic to identify the source of the attack.

Wrong answers:

A. Disconnecting the server will prevent further damage, but will not identify the attacker or prevent it from happening again

B. Again, this option will not identify the attacker, but may instead stop legitimate customers

D. A screenshot may not show the real damage being done, and will not identify the attacker

  5. I need to purchase a certificate that I can install on five mail servers. Which one should I purchase?

A. PEM certificate

B. Wildcard certificate

C. Subject Alternative Name (SAN) certificate

D. Root certificate

Answer: B

Concept: A wildcard certificate can be used on multiple servers in the same domain.

Wrong answers:

A. PEM is a base64 format

C. A SAN certificate can be used in servers in different domains

D. A root certificate can only be used by a CA

  6. You are the manager of a large IT company, and it is your duty to authorize administrative controls. Which of the following are actions that you would NORMALLY authorize? Select all that apply:

A. Collecting an ID badge

B. Creating an IT security policy

C. Purchasing a cable lock

D. Creating a new firewall rule

Answer: A and B

Concept: Writing policies, filling out forms, and anything to do with applying for ID badges are administrative controls.

Wrong answers:

C. A cable lock is a physical control

D. A firewall rule is a technical control to mitigate risk

  7. You are the operational manager for a financial company that has just suffered a disaster. Which of the following sites will you choose to be fully operational in the least amount of time?

A. Cold site

B. Warm site

C. Hot site

D. Campus site

Answer: C

Concept: The hot site should be up and running with data less than one hour old.

Wrong answers:

A. The cold site is the hardest site to get up and running, and it only has power and water

B. A warm site has noncritical data, and the data is about a day old

D. This is a red herring, and has nothing to do with disaster recovery

  8. The serious crimes agency has just taken control of a laptop belonging to a well-known criminal that they have been trying to track down for the last 20 years. They want to ensure that everything is done by the book and no errors are made. What is the first step in their forensic investigation, prior to starting the chain of custody?

A. Making a system image of the laptop

B. Placing the laptop in a polythene bag and sealing it

C. Hashing the data so that data integrity is assured

D. Asking for proof of ownership of the laptop

Answer: A

Concept: The first step is to create a system image; or, if it is a hard drive, create a forensic copy.

Wrong answers:

B. This is the second step

C. This is one of the steps when we start to investigate the contents of the laptop

D. This is not relevant

  9. If an attacker is looking for information about the software versions that you use on your network, which of the following tools could they use? Select all that apply:

A. Protocol analyzer

B. Port scanner

C. Network mapper

D. Baseline analyzer

Answer: A and C

Concept: A network mapper (Nmap) can identify new hosts on the network, identify what services are running, and identify what operating systems are installed. A protocol analyzer can tell what operating systems run on network hosts. This is sometimes called a packet sniffer.

Wrong answers:

B. A port scanner only tells you which ports are open

D. A baseline analyzer is a vulnerability scanner, and tells you about missing patches

  10. Footage of people relaxing in their homes started appearing on the internet without the knowledge of the people being filmed. The people being filmed were warned by relatives and coworkers, resulting in an inquiry being launched by the police. Initial evidence reported that the victims had recently purchased IoT devices, such as health monitors, baby monitors, smart TVs, and refrigerators. Which of the following best describes why the attacks were successful?

A. The devices' default configurations had not been changed

B. The victims' houses had been broken into and hidden cameras were installed

C. The victims' wireless networks were broadcasting beyond the boundaries of their homes

D. The manufacturers of the devices installed hidden devices to allow them to film

Answer: A

Concept: IoT home-based automated devices should have the default configurations of the username and password changed.

Wrong answers:

B. This would be very unlikely for so many people

C. This may be a possibility, but is unlikely to be the main reason

D. This would not happen, or the manufacturer would lose their market share

  11. You are the network administrator for an IT training company that has over 20 training rooms that are all networked together in their Miami office. Your corporate admin team could not access the internet last week as they were getting their IP settings from one of the training room's DHCP servers. The training manager has asked you to separate the corporate admin machines into their own network with a different IP range from the training rooms. What is the most secure way of implementing this? Select the best option from the following list:

A. Create a VLAN on the switch and put the corporate admin team in the VLAN

B. Install a router in the LAN and place the corporate admin team in the new subnet

C. Create a NAT from the firewall and put the corporate machines in that network

D. Install a proxy server

Answer: C

Concept: A NAT hides the internal network from external resources and will separate the training machines from the corporate admin machines.

Wrong answers:

A. Putting a VLAN on the switch will segment the two networks, but it's not the best option

B. Installing a router creates a subnet and would also segment the two entities, but this is not the best option either

D. A proxy caches web pages and also filters traffic to and from the internet

  12. Your organization has many different ways of connecting to your network, ranging from VPN and RAS to 802.1x authentication switches. You need to implement a centrally managed authentication system that will allow for long periods of access. Select the two most suitable methods of authentication:

A. PAP

B. TACACS+

C. NTLM

D. RADIUS

Answer: B and D

Concept: AAA servers are used for centralized authentication as they provide authentication, authorization, and accounting, where they can record all log-ins and log-outs in a database.

Wrong answers:

A. PAP is a weak authentication system where passwords are shown in clear text

C. NTLM is a weak authentication protocol that is susceptible to pass-the-hash attacks

  13. From a security perspective, what is the MAJOR benefit of using imaging technologies such as Microsoft WDS or Symantec Ghost to image desktops and laptops that are being rolled out?

A. It provides a consistent baseline for all new machines

B. It ensures that all machines are patched

C. It reduces the number of vulnerabilities

D. It allows a non-technical person to roll out the images

Answer: A

Concept: When you build an image, all of the applications will have the same settings and updates and therefore will be consistent. A baseline consists of the applications that are installed at the current time.

Wrong answers:

B. Updates come out almost every week, so you will still need to patch an image, especially if it was taken a month or two ago

C. Vulnerabilities are discovered on a frequent basis, therefore this is not true

D. The fact is true, but from a security point of view it could pose a risk

  14. A company that is allowing people to access their internet application wants the people who log into the application to use an account managed by someone else. An example of this is a user accessing their Facebook account with a technology called OpenID Connect. Which of the following protocols is this based on? Select the BEST choice:

A. Kerberos

B. SAML

C. OAuth 2.0

D. Federation services

Answer: C

Concept: OAuth 2.0 is the industry-standard protocol for authorization. It is used by OpenID Connect, where people can be authenticated using their Facebook or Google account.

Wrong answers:

A. Kerberos is used only in Microsoft Active Directory

B. SAML is an XML-based authentication used in federation services

D. Federation services is third-party-to-third-party authentication that uses SAML, an XML-based authentication protocol

  15. You are the security administrator for a medium-sized company that needs to enforce a much stricter password policy via Group Policy. The aims of this policy are to do the following:
    • Prevent using the same password within 12 password changes
    • Ensure that they cannot change the password more than once a day
    • Prevent weak passwords or simple passwords, such as 123456 or 'password', from being used

Select the following options that you will need to use to fulfill all of these goals:

A. Enforce password history

B. Minimum password length

C. Passwords must meet complexity requirements

D. Minimum password age

E. Maximum password length

Answers: A and C

Concept: The password history is the number of passwords that you need to remember before you can reuse them. Password complexity requires users to use three of the four following character types in the password: lowercase, uppercase, numbers, and special characters not used in programming. A minimum password age set to 1 means that you can change the password only once a day, preventing password rotation until you get back to the original password.

Wrong answers:

B. Password length was a requirement, but the longer the password length, the longer it will take a brute force attack to crack

E. In a group policy, there is no option for maximum password length
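The three Group Policy settings above combine into a single check at password-change time. The following Python model is an added example, not code from the book; it applies the question's values (12 remembered passwords, a minimum age of one day, and the three-of-four character-class rule) to a simulated user who changes the password once a day in order to get back to the original. The start date and the passwords are constructed, and the SHA-256 fingerprint used for the history is a simplification (a real credential store would use a salted, iterated hash).

```python
import hashlib
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy values from the question: remember 12 passwords, allow one change per day.
HISTORY_SIZE = 12
MIN_AGE = timedelta(days=1)


def meets_complexity(password: str) -> bool:
    """Group Policy style complexity: at least three of the four character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),   # special characters
    ]
    return sum(classes) >= 3


def _fingerprint(password: str) -> str:
    # SHA-256 is used here only so the history never stores the clear-text
    # password; a credential store would use a salted, iterated hash instead.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class PasswordPolicy:
    """Tracks one account's password history and last change time."""

    def __init__(self) -> None:
        self.history: List[str] = []        # oldest first, at most HISTORY_SIZE entries
        self.last_changed: Optional[datetime] = None

    def check(self, new_password: str, now: datetime) -> Tuple[bool, str]:
        if self.last_changed is not None and now - self.last_changed < MIN_AGE:
            return False, "minimum password age not reached"
        if not meets_complexity(new_password):
            return False, "password does not meet complexity requirements"
        if _fingerprint(new_password) in self.history:
            return False, "password was used within the last %d changes" % HISTORY_SIZE
        return True, "accepted"

    def change(self, new_password: str, now: datetime) -> Tuple[bool, str]:
        ok, reason = self.check(new_password, now)
        if ok:
            self.history.append(_fingerprint(new_password))
            self.history = self.history[-HISTORY_SIZE:]   # keep only the last 12
            self.last_changed = now
        return ok, reason


def days_until_original_reusable(original: str = "Winter2018!") -> int:
    """Simulate a user who changes the password once a day to get back to the original.

    Returns the number of days before the original password is accepted again.
    """
    policy = PasswordPolicy()
    t0 = datetime(2018, 9, 1)          # constructed start date
    ok, reason = policy.change(original, t0)
    if not ok:
        raise ValueError(reason)
    day = 0
    while True:
        day += 1
        now = t0 + timedelta(days=day)
        if policy.check(original, now)[0]:
            return day
        policy.change("Rotate%02dPw!" % day, now)   # constructed filler password


def same_day_change_is_blocked() -> bool:
    """A second change two hours after the first is refused by the minimum age."""
    policy = PasswordPolicy()
    t0 = datetime(2018, 9, 1)
    policy.change("Winter2018!", t0)
    ok, _ = policy.check("Spring2019!", t0 + timedelta(hours=2))
    return not ok


if __name__ == "__main__":
    print("original reusable after", days_until_original_reusable(), "days")
    print("same-day change blocked:", same_day_change_is_blocked())
```

With history 12 and a one-day minimum age, cycling back to the original password takes 13 days; without the minimum age the same 12 changes could be made in a minute, which is why the two settings only work together.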

  16. You provide a service for people who have recently fulfilled their contract with their mobile phone provider to unlock their phone and then install third-party applications on it. They will then no longer be tied to using the mobile phone vendor's app store. Which of the following techniques will you use to achieve this? Select all that apply:

A. Tethering

B. Sideloading

C. Slipstreaming

D. Jailbreaking or rooting

E. Degaussing

Answers: B and D

Concept: Sideloading involves loading third-party applications onto an unlocked mobile phone. Jailbreaking (iOS), or rooting (Android), is where the phone has been unlocked, removing the vendor's restrictions on the mobile phone.

Wrong answers:

A. Tethering involves connecting your phone to a laptop to give the laptop internet access

C. Slipstreaming is a technique for installing drivers into an .iso file

E. Degaussing involves passing a charge over a hard drive to erase data

  17. You are the security administrator of a multinational company that has recently prevented brute-force attacks by using account lockout settings with a low value using group policy. The CEO of the company has now dictated that the company will no longer use account lockout settings as he read an article about it and got the wrong impression. Facing this dilemma, how can you ensure that you can make it more difficult for brute force to be successful?

A. Obfuscation

B. PBKDF2

C. XOR

D. bcrypt

Answer: B and D

Concept: PBKDF2 and bcrypt are key-stretching algorithms that insert random characters into password hashes, making them longer so that brute-force attacks need more processing and computation resources to crack them.

Wrong answers:

A. Obfuscation makes code obscure so that if someone steals your code, they cannot make sense of it

C. XOR (exclusive OR) can be used to encrypt binary numbers

  18. You want to join a wireless network using a password. Which of the following wireless features would be most appropriate to achieve this objective?

A. WPA2-Enterprise

B. WPA2-TKIP

C. WPS

D. WPA2-PSK

E. WPA2-CCMP

Answer: D

Concept: PSK uses the WAP password to join the network.

Wrong answers:

A. WPA2-Enterprise uses 802.1x with RADIUS for authentication

B. WPA2-TKIP is backward compatible with legacy devices

C. WPS pushes a button to access the network

E. WPA2-CCMP is the strongest encryption, as it uses AES

  19. What is the main purpose of a Network Intrusion Detection System (NIDS)? Select the MOST appropriate option:

A. Identifying vulnerabilities

B. Identifying new network hosts

C. Identifying viruses

D. Identifying new web servers

Answer: B

Concept: NIDS identifies changes to the network and the network traffic.

Wrong answers:

A. This is the job of a vulnerability scanner

C. This is the job of a virus scanner

D. Web servers are not based in the LAN; normally, they are based in the DMZ

  20. A web server was the victim of an integer-overflow attack. How could this be prevented in the future?

A. Install a proxy server

B. Install SQL-injection

C. Input validation on forms

D. Install a web application firewall

Answer: C

Concept: Input validation prevents buffer-overflow attacks, integer-overflow attacks, and SQL-injection by restricting the input to a certain format.

Wrong answers:

A. A proxy server is used for web page caching and URL and content filtering

B. SQL-injection is a form of attack where the phrase 1 = 1 is used in a script

D. A web application firewall is used to protect web servers and their applications
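Input validation "restricting the input to a certain format" is easiest to see with numbers. The following Python example is added here and is not from the book: it models a backend that multiplies an order quantity by a price in a 32-bit unsigned field, shows the wrapped total an unbounded quantity produces, and then applies a whitelist format plus a range limit before the arithmetic. The price, the order limit and the sample inputs are constructed values.

```python
import re
import struct

UINT32_MAX = 0xFFFFFFFF
PRICE_CENTS = 4_999        # constructed unit price: $49.99
MAX_QUANTITY = 1_000       # assumed business limit per order line

# Whitelist format: one to four digits, no sign, no whitespace, no leading zero.
QUANTITY_RE = re.compile(r"[1-9][0-9]{0,3}")


def order_total_unchecked(quantity: int, price_cents: int = PRICE_CENTS) -> int:
    """Models a backend that multiplies in a 32-bit unsigned field: the product wraps."""
    return (quantity * price_cents) & UINT32_MAX


def validate_quantity(raw: str) -> int:
    """Accept only a small positive integer; raise ValueError for anything else."""
    if not QUANTITY_RE.fullmatch(raw):
        raise ValueError("quantity must be a positive whole number")
    quantity = int(raw)
    if quantity > MAX_QUANTITY:
        raise ValueError("quantity exceeds the maximum order size")
    return quantity


def order_total_validated(raw: str, price_cents: int = PRICE_CENTS) -> int:
    """Validate first, then compute; the bounded input cannot overflow the 32-bit field."""
    total = validate_quantity(raw) * price_cents
    struct.pack("<I", total)          # raises struct.error if the total ever exceeded 32 bits
    return total


def rejects(raw: str) -> bool:
    """True when the validator refuses the raw form value."""
    try:
        order_total_validated(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # 860,000 units at $49.99 should cost $42,991,400.00 but wraps to $41,727.04.
    print("unchecked total (cents):", order_total_unchecked(860_000))
    for raw in ("3", "860000", "-1", "0", "10 ", "1e3"):
        print(repr(raw), "->", "rejected" if rejects(raw) else order_total_validated(raw))
```

The regular expression rejects signs, whitespace and exponents outright, and the range check rejects quantities that are well-formed but unreasonable; together they guarantee the multiplication stays far below the field's limit, which is the property the unchecked version lacks.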

  21. You have recently set up a new virtual network with over 1,000 guest machines. One of the hosts is running out of resources, such as memory and disk space. Which of the following best describes what is happening?

A. Virtual machine escape

B. End of system lifespan

C. System sprawl

D. Poor setup

Answer: C

Concept: System sprawl over-utilizes resources. This means that the system has started to run out of resources.

Wrong answers:

A. VM escape is where an attacker uses a virtual machine so that they can attack the host

B. This is where a vendor no longer supports an application

D. This is where the configuration is not set properly

  22. You are the system administrator for a multinational company that wants to implement two-factor authentication. At present, you are using facial recognition as the method of access. Which of the following would allow you to achieve two-factor authentication? Select all that apply:

A. Palm reader

B. Signature verification

C. Thumb scanner

D. Gait

E. Iris scanner

Answer: B and D

Concept: Facial recognition is something you are for authentication. B and D are both something you do—you have a unique signature and your gait is how you walk.

Wrong answers:

A, C, and E all come under the something you are category.

  23. The security auditor has just visited your company and is recommending change management to reduce the risk from the unknown vulnerabilities of any new software introduced into the company. What will the auditor recommend for reducing the risk when you first evaluate the software? Select the BEST practices to adopt from the following list:

A. Jailbreaking

B. Sandboxing

C. Bluesnarfing

D. Chroot jail

E. Fuzzing

Answer: B and D

Concept: Sandboxing and chroot jail allow you to isolate an application inside a virtual guest machine.

Wrong answers:

A. This is the removal of the restrictions that Apple set on an iOS device

C. This is stealing contacts from a mobile device

E. This is putting random characters into an application

  24. You are the security administrator for a multinational corporation. You recently detected and thwarted an attack on your network when someone hacked into your network and took full control of one of the hosts. What type of attack best describes the attack you stopped?

A. Man-in-the-middle attack

B. Replay attack

C. Packet filtering

D. Remote exploit

Answer: D

Concept: An exploit looks for vulnerabilities in a system; a remote exploit is someone coming from outside your network.

Wrong answers:

A. A man-in-the-middle attack is an interception attack where messages are changed in real time as they pass between two hosts

B. A replay attack is a man-in-the-middle attack where the messages are replayed at a later date

C. Packet filtering is used by a firewall to stop certain protocols from accessing your network

  25. You are the security administrator for a multinational corporation that recently carried out a security audit. Following the audit, you told the server administrators to disable NTLM on all servers. Which of the following best describes why you have taken this action?

A. It will improve the server's performance

B. Prevent a man-in-the-middle attack

C. Prevent a pass-the-hash attack

D. Prevent a POODLE attack

Answer: C

Concept: Disabling NTLM will prevent pass-the-hash attacks.

Wrong answers:

A. This is a red herring; it has nothing to do with performance

B. A man-in-the-middle attack is an interception attack

D. A POODLE attack is a man-in-the-middle attack that targets downgrade browsers—SSL3.0 CBC

  26. The political adviser to the prime minister of the United Kingdom has returned from the two-month summer break that all staff are entitled to. He applied for an immediate transfer to another department, stating that his health is bad and the job was far too intense. When his replacement arrives, they find that during the summer recess, the political adviser shredded all documents relating to a political inquiry that involved their cousin. The police are immediately called in and say that they cannot prosecute the political adviser because of a lack of evidence. What precautions could the House of Parliament security team take to prevent further events such as this happening in the future?

A. Create a change-management document to ensure that the receptionists are more vigilant about people coming in out of hours

B. Enforce time-of-day restrictions so that nobody can access the IT systems during summer breaks

C. Enforce separation of duties to ensure that any document that is destroyed has been witnessed by a second person

D. Enforce mandatory vacations to prevent staff coming in during the recess

Answer: B

Concept: Time-of-day restrictions would have prevented someone accessing the system during the holidays.

Wrong answers:

A. If the staff of the House of Commons are on holiday, then there will be no receptionists present

C. Separation of duties cannot be enforced during a shutdown period

D. Mandatory vacations cannot be enforced when nobody is working

  27. You work in the forensics team of a very large multinational corporation where an attack has happened across three different sites in two different countries. You have been collecting the following log files from these locations:
    • Firewall logs
    • NIPS logs
    • NIDS logs

What is the first action that you need to take when collating these logs?

A. Apply time normalization to these logs

B. Copy them into a WORM drive so that they cannot be tampered with

C. Sort out the sequence of events by site

D. Raise chain of custody documentation for these logs

Answer: A

Concept: When collating forensic evidence, it needs to be put in a time sequence. In this case, we use time normalization to put it all in order. If we collect physical evidence from different computers, we use the record time offset to put the data and events in time sequence by using the regional time on the machine.

Wrong answers:

B. Copying into a WORM drive will prevent deletion, but not the analysis of data.

C. This could be a first step, but it will not collate the information properly.

D. A chain of custody would be needed once you hand the evidence to someone else, but it is too early at this time for this. A chain of custody records who has handled the evidence.
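Time normalization is the step that turns three sites' local-time logs into one sequence. The Python below is an added example, not code from the book: it takes constructed firewall, NIPS and NIDS lines from three sites that each log in local time with no offset, applies a per-site offset (the record time offset the concept refers to), converts everything to UTC and sorts. The site names, offsets, log lines and the 203.0.113.0/24 address (a documentation range) are all constructed for the demo.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Constructed example: each site writes local time with no offset in the line,
# so the collector has to know each site's offset (the "record time offset").
SITE_OFFSETS = {
    "miami":     timezone(timedelta(hours=-4)),   # EDT
    "london":    timezone(timedelta(hours=1)),    # BST
    "frankfurt": timezone(timedelta(hours=2)),    # CEST
}

# (site, log source, raw line) as collected; 203.0.113.0/24 is a documentation range.
RAW_LOGS = [
    ("miami",     "firewall", "2018-09-03 09:02:11 DENY tcp 203.0.113.7 -> 10.1.1.5:445"),
    ("london",    "nips",     "2018-09-03 14:01:55 BLOCK sig:1001 src 203.0.113.7"),
    ("frankfurt", "nids",     "2018-09-03 15:02:03 ALERT portscan 203.0.113.7 -> 10.3.0.0/24"),
    ("miami",     "nids",     "2018-09-03 09:01:40 ALERT portscan 203.0.113.7 -> 10.1.0.0/24"),
]

Event = Tuple[datetime, str, str, str]   # (utc time, site, source, message)


def parse_line(line: str) -> Tuple[datetime, str]:
    """Split 'YYYY-MM-DD HH:MM:SS message' into a naive local timestamp and the message."""
    stamp = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    return stamp, line[20:]


def normalize(raw_logs=RAW_LOGS) -> List[Event]:
    """Attach each site's offset, convert to UTC and sort into one timeline."""
    timeline: List[Event] = []
    for site, source, line in raw_logs:
        naive, message = parse_line(line)
        local = naive.replace(tzinfo=SITE_OFFSETS[site])
        timeline.append((local.astimezone(timezone.utc), site, source, message))
    timeline.sort(key=lambda event: event[0])
    return timeline


def normalized_order(raw_logs=RAW_LOGS) -> List[str]:
    """Site/source labels in true (UTC) order."""
    return ["%s/%s" % (site, source) for _, site, source, _ in normalize(raw_logs)]


def naive_order(raw_logs=RAW_LOGS) -> List[str]:
    """What you get by sorting on the raw local timestamps: the wrong sequence."""
    ordered = sorted(raw_logs, key=lambda entry: parse_line(entry[2])[0])
    return ["%s/%s" % (site, source) for site, source, _ in ordered]


def first_event_utc(raw_logs=RAW_LOGS) -> str:
    """ISO 8601 UTC timestamp of the earliest event after normalization."""
    return normalize(raw_logs)[0][0].isoformat()


if __name__ == "__main__":
    for utc, site, source, message in normalize():
        print(utc.isoformat(), site, source, message)
    print("naive order:     ", naive_order())
    print("normalized order:", normalized_order())
```

Sorted on raw local time, both Miami lines appear to come first and the London block looks like a late reaction; after normalization the Miami scan alert, the London block, the Frankfurt alert and the Miami firewall deny fall within 31 seconds of each other in the order they actually happened.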

  28. You are an Active Directory administrator and have been having problems with time synchronization regarding the Kerberos authentication protocols. Consequently, you have now contacted a third party to provide your time synchronization. They use Stratum Network Time Protocol (NTP) servers. What is the MOST secure method of setting up a Stratum server for time synchronization?

A. Having the servers connect to an internal Stratum 1 NTP server

B. Having the servers connect to an internal Stratum 2 NTP server

C. Having the servers connect to an internal Stratum 0 NTP server

D. Having the servers connect to an external Stratum 0 NTP server

Answer: A

Concept: The time server must be internal. The Stratum 1 NTP server connects to the Stratum 0 NTP server, which is the ultimate time source. However, if there is no internal Stratum 1 NTP server, then we will use an internal Stratum 0 NTP server.

Wrong answers:

B. A Stratum 2 server can only connect to a Stratum 1 time server

C. Only use an internal Stratum 0 server when an internal Stratum 1 server is not available

D. The connection to the time server should come from the internal network

  29. You are the network administrator for a company that runs an Active Directory domain environment where the system administrator is failing to keep you updated when new hosts are added to the network. You now decide that you will use your networking tools to do the following:
    • Identify new hosts
    • Identify operating system versions
    • Identify services that are running

Which of the following network-based tools provide the information that you require? Select the tools that you are MOST likely to use:

A. Protocol scanner

B. Microsoft baseline analyzer

C. Nmap

D. Penetration testing

Answers: A and C

Concept: Protocol scanners and network mappers can identify new hosts, operating system versions, and services that are running. An NIDS can detect new hosts.

Wrong answers:

B. The Microsoft baseline analyzer is a vulnerability scanner

D. A penetration tester is trying to break into your network

  30. You are working for the serious crimes unit of the United Nations and have been given a laptop to investigate. You need to ensure that the evidence you are investigating has not been tampered with during your investigation. How are you going to prove this to the court when it is time to present your findings? Which of the following techniques will you adopt to BEST prove this? Select all that apply:

A. MD5

B. 3DES

C. SHA1

D. Blowfish

Answer: A and C

Concept: Hashing proves data integrity, and SHA1 and MD5 are both hashing algorithms.

Explanation: When data is collected as part of a chain of custody, all data is hashed with SHA1, MD5, or HMAC prior to looking through the data. When you finish the investigation, you run the hash a second time; if the hash matches, then the data integrity is confirmed.

Wrong answers:

B and D are both used with encryption, not hashing.
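The hash-at-acquisition, hash-again-at-the-end procedure in the explanation, written out as an added Python example (not from the book). It computes MD5 and SHA-1 in one streaming pass so a multi-gigabyte image does not have to fit in memory, records both digests, and later re-hashes to confirm nothing changed. The "disk image" is a constructed byte string, and the single flipped byte simulates tampering.

```python
import hashlib
import hmac
import io
from typing import BinaryIO, Dict

CHUNK = 1 << 20   # read images 1 MiB at a time so large disk images do not need to fit in RAM


def hash_stream(stream: BinaryIO) -> Dict[str, str]:
    """Compute MD5 and SHA-1 in one pass; both go into the chain-of-custody record."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for block in iter(lambda: stream.read(CHUNK), b""):
        md5.update(block)
        sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_evidence(data: bytes) -> Dict[str, str]:
    """Convenience wrapper for in-memory data; a real image would be opened as a file."""
    return hash_stream(io.BytesIO(data))


def verify_evidence(data: bytes, recorded: Dict[str, str]) -> bool:
    """Re-hash at the end of the investigation and compare every recorded digest."""
    current = hash_evidence(data)
    return all(hmac.compare_digest(current[name], digest)
               for name, digest in recorded.items())


def tamper_is_detected() -> bool:
    """Constructed image: flip one byte after acquisition and confirm the digests no longer match."""
    image = bytes(range(256)) * 4096          # constructed 1 MiB "disk image"
    acquired = hash_evidence(image)           # digests recorded at acquisition time
    altered = image[:100] + bytes([image[100] ^ 0x01]) + image[101:]
    return verify_evidence(image, acquired) and not verify_evidence(altered, acquired)


if __name__ == "__main__":
    print("acquisition record:", hash_evidence(bytes(range(256)) * 4096))
    print("single-byte tamper detected:", tamper_is_detected())
```

Recording two independent digests costs nothing extra during the single pass and means the integrity claim does not rest on one algorithm alone; the digests, the time and the examiner's name are what go onto the chain-of-custody form.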

  31. You are the security administrator for a multinational corporation that has an Active Directory domain. What type of attack uses HTML tags with JavaScript inserted between the <script> and </script> tags?

A. Cross-site scripting

B. Man-in-the-middle

C. Cross-site forgery attack

D. SQL-injection

Answer: A

Concept: Cross-Site Scripting (XSS) uses HTML tags with JavaScript. JavaScript can be identified by using the word var for variable—for example, varchar or var data.

  32. You are a system administrator working for a multinational company that has a Windows domain and is using an active-passive model. Which of the following are the BEST reasons why your company would have adopted this model?

A. It provides vendor diversity

B. It provides much faster disaster recovery

C. It is the best model to use for symmetric encryption

D. It provides availability of your IT systems

Answers: B and D

Concept: Clustering provides availability, and it has a quick failover to the passive host should the active host fail.

Explanation: We would use an active-passive or active-active setup in the failover cluster so that if one node failed, the passive or second server would be up and running within seconds; users would not even be aware of this. This provides both faster disaster recovery and 99.999% availability, otherwise known as the five nines.

Wrong answers:

A. The cluster would come from the same vendor

C. Clustering is about availability—nothing to do with encryption

  33. You are the system administrator for an Active Directory domain and deal with authentication on a daily basis. Which of the following do you use as an authentication method by entering a PIN instead of a password?

A. Smart card

B. Kerberos

C. WPS

D. TOTP

Answer: A

Concept: A smart card uses a PIN.

Wrong answers:

B. Kerberos can be accessed by entering a username and password

C. WPS is accessed by pushing a button to connect to a wireless network

D. TOTP uses a secret key or code

  34. You are the security administrator for a large multinational corporation and you have a meeting with the CEO about the security posture of the company. He wants you to ensure the following are carried out effectively:
    • The firewall logs are stored securely so that nobody can tamper with them
    • Prevent elevation-of-privilege attacks

Which of the following are the BEST solutions to implement? Select all that apply:

A. Robocopy firewall logs to a WORM drive

B. Robocopy firewall logs to a RAID 5 volume

C. Implement usage auditing and reviews

D. Carry out permission audits and reviews every seven days

Answer: A and D

Concept: Storing files on a WORM drive prevents deletion. Continuous audits of permissions will help track escalations of privilege.

Wrong answers:

B. Storing data on a RAID volume is a solution for redundancy, but not the deletion of data

C. Account reviews may be quarterly, and so are not the best option

  35. You are the security administrator for a multinational company, and you know that one of your X509 certificates, used in at least 300 desktop machines, has been compromised. What action are you going to take to protect the company, using the LEAST amount of administrative effort?

A. Email the people involved and ask them to delete the X509 from their desktop immediately

B. Carry out certificate pinning to prevent the CA from being compromised

C. Revoke the root CA X509 so it is added to the CRL

D. Revoke the X509 so it is added to the CRL

Answer: D

Concept: Once a certificate has been compromised, it should immediately be revoked so it is added to the CRL.

Wrong answers:

B. Certificate pinning cannot be set up after an event; it is set up to protect the CA against being compromised. This was only a low-level X509 that was compromised

C. There is no reason to revoke the root CA certificate as the certificate authority has not been compromised

  1. You need to install a new wireless access point that should be as secure as possible while also being backward compatible with legacy wireless systems. Which of the following would help you in this?

A. WPA2 PSK

B. WPA

C. WPA2 CCMP

D. WPA2 TKIP

Answer: D

Concept: WPA2 is the most secure and TKIP is backward compatible.

Wrong answers:

A. WPA2 is used to connect to the wireless access point using a password

B. Although WPA is backward compatible, it is not strong

C. Although WPA2 CCMP is the most secure, it is not backward compatible

  1. You are the capacity planning administrator for a large multinational corporation, and find that Server 1 is running out of disk space. When you monitor its network card, it is at 100% utilization. Which of the following reasons best describes what is happening?

A. There are hardware errors on the server

B. Unauthorized software is being downloaded

C. Event logs are getting full and slowing down the system

D. The disks that were selected were too small

Answer: B

Concept: Unauthorized software takes up disk space and causes high network utilization.

Wrong answers:

A. If there were hardware errors, no download would have happened, and there would not be a decrease in disk space

C. The event logs are text files and will not use up too much space

D. This is not a good choice as the disks that are purchased would be of a reasonable size

  1. You are the security administrator and someone has just tried to attack your web server, which is protected by a web application firewall. When you look into the log files of the web application firewall, two of the rows of the log file have the following two entries:
var data = "<blackbeard> ++ </../etc/passwd>"
Select* from customers where 1=1

Which of the following attacks are most likely to have been attempted? Select all that apply:

A. Integer-overflow

B. SQL-injection

C. JavaScript

D. Buffer-overflow

Answers: B and C

Concept: An SQL-injection attack uses the phrase 1 = 1. JavaScript is commonly used in XSS attacks and declares variables with the var keyword, so if you see var, the entry is most likely to be JavaScript.

Wrong answers:

A. Integer-overflow is where larger numbers are used than should be used, normally with multiplication

D. Buffer-overflow is where more characters are used than should be. The strcat and strcpy are applications that cause buffer-overflow
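The question above asks you to recognise attack signatures in web application firewall log entries by eye. The added example below, which is not part of the book and not taken from any real WAF product, shows the same recognition done as detection logic: a small set of regular-expression rules is run over constructed log entries (the two payloads mirror the ones quoted in the question), and each entry is labelled with the signatures that fire. It goes one step beyond the question's answer options by also flagging the `../etc/passwd` path-traversal string present in the first entry; the rule names and sample lines are illustrative assumptions.

```python
import re

# Constructed sample WAF log entries (not captured from a real system).
# The first two mirror the entries quoted in the question; the third is benign.
SAMPLE_LOG = [
    'var data = "<blackbeard> ++ </../etc/passwd>"',
    "Select* from customers where 1=1",
    "GET /index.html HTTP/1.1",
]

# Illustrative signature rules: label -> compiled pattern. Deliberately narrow;
# a production ruleset is far larger and tuned against false positives.
RULES = {
    # SQL keywords followed by an always-true predicate such as 1=1
    "sql-injection": re.compile(
        r"\b(select|union|insert|delete|drop)\b.*?\b(where|from)\b.*?\b1\s*=\s*1\b",
        re.IGNORECASE,
    ),
    # Common JavaScript/XSS markers: script tags, var declarations,
    # inline event handlers, javascript: URLs
    "javascript/xss": re.compile(
        r"(<script\b|\bvar\s+\w+\s*=|\bon\w+\s*=|javascript:)", re.IGNORECASE
    ),
    # Directory traversal towards a well-known sensitive file
    "path-traversal": re.compile(r"(\.\./|/etc/passwd)", re.IGNORECASE),
}


def classify_entry(entry: str) -> list[str]:
    """Return the sorted labels of every rule whose pattern matches the entry."""
    return sorted(label for label, pattern in RULES.items() if pattern.search(entry))


def classify_log(entries: list[str]) -> dict[str, list[str]]:
    """Map each log entry to the list of signatures it triggered."""
    return {entry: classify_entry(entry) for entry in entries}


if __name__ == "__main__":
    for entry, labels in classify_log(SAMPLE_LOG).items():
        verdict = ", ".join(labels) if labels else "no signature matched"
        print(f"{entry!r:55} -> {verdict}")
```

Running the block labels the first entry as JavaScript/XSS plus path traversal, the second as SQL injection, and leaves the benign request unlabelled; in a real deployment the same labels would be what an analyst pivots on when reviewing WAF output.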

  1. Data has previously only been classified as internal data and external data. The company recently added two new classifications: legal and financial. What would be the benefit of these new classifications? Select the best solution for the new data classifications:

A. You need a minimum of three classifications for it to be effective

B. Better data classification

C. Quicker indexing

D. Faster searching

Answer: B

Concept: The more data classifications there are, the easier the data will be to classify.

Wrong answers:

A. Data classification has no minimum values

C. Indexing will be slower for more classifications

D. Faster searching is done by reducing the amount of data

  1. You are the security administrator for a multinational corporation based in Miami, and your company has recently suffered a replay attack. After lessons learned, you have decided to use a protocol that uses time stamps and USN to prevent replay attacks. Which of the following protocols is being implemented here? Select the best answer:

A. Federation services

B. EAP-TLS

C. Kerberos

D. RADIUS federation

Answer: C

Concept: Kerberos issues tickets for authentication, and each change has a different Update Sequence Number (USN) and time stamp.

Wrong answers:

A. Federation services use SAML, an XML-based authentication protocol

B. EAP-TLS uses certificates and is used for wireless authentication

D. The RADIUS federation is a federation that uses wireless as its method of access

  1. Which of the following threat actors would be the most likely to steal a company's R&D data?

A. Organized criminals

B. A competitor

C. A script kiddie

D. A nation state

Answer: B

Concept: The R&D department creates a lot of a company's trade secrets; therefore, a competitor would steal them to beat you to the marketplace.

Wrong answers:

A. Organized crime is most likely to target financial transactions rather than R&D data

C. A script kiddie reuses someone else's scripts

D. A nation state is more interested in attacking foreign governments than R&D data

  1. You are a security administrator for a large multinational corporation based in the United Kingdom. You have just attended an annual seminar about the various types of password attacks. You have already disabled NTLM on all of the servers to prevent pass-the-hash attacks. Which of the following statements involves storing passwords as a hash value?

A. A collision attack, the hash value and the data match

B. A collision attack, the hash values match

C. A rainbow-table attack performs a search of simple passwords

D. A rainbow-table attack performs a search of precomputed hashes

Answer: B and D

Concept: A rainbow table is a list of precomputed hashes. A collision attack is where two hashes match.

Wrong answers:

A. When a hash is created, it takes the data inside a file and turns it into a hexadecimal hash value—they don't match

C. This is false; look at the explanation of the concept

  1. You are the new IT Director of a small, family-owned business that is rapidly expanding. You have submitted your annual budget for the IT team and the owners of the company want to know what you have asked for funds for "Vendor diversity". They have asked you to provide two good reasons why they should grant you the funds. Which of the following are the MOST suitable reasons why you wish to implement vendor diversity?

A. Reliability

B. Regulatory compliance

C. It is a best practice in the industry

D. Resiliency

Answer: A and D

Concept: Vendor diversity involves getting a service from two different providers at the same time. Vendor diversity provides reliability and resiliency. For example, if broadband from one provider fails, then the second provider's broadband should still be up and running.

Wrong answers:

B. There are no regulations that say you must get services from two suppliers

C. It is not an industry best practice, though it may well be advisable

  1. You are the network administrator for a large multinational corporation where you have captured packets that show that the traffic between the company's network devices is in clear text. Which of the following protocols could be used to secure the traffic between the company's network devices? Select all that apply.

A. SNMPv3

B. SNMP

C. SCP

D. SFTP

Answer: A

Concept: Traffic between network devices uses the Simple Network Management Protocol (SNMP); the secure version is SNMPv3.

Wrong answers:

B. SNMP is not secure

C. SCP copies files securely

D. SFTP secures downloaded traffic from FTP sites

  1. You are the auditor of a large multinational corporation and the SIEM server has been finding vulnerabilities on a server. Manual inspection proves that it has been fully hardened and has no vulnerabilities. What are the two main reasons why the SIEM server is producing this output?

A. There was a zero-day virus

B. False negatives

C. False positives

D. The wrong filter was used to audit

Answer: C and D

Concept: If we are using the wrong configuration for the SIEM server, we will get poor monitoring, resulting in false positives.

Wrong answers:

A. A zero-day virus would not have been detected in the first place

B. False negatives are real attacks that the monitoring fails to detect, so they would not produce this output

  1. You are a forensic investigator who has been called out to deal with a virus attack. You collect the information from the network card and volatile memory. After gathering, documenting, and securing the evidence of a virus attack, what is the best method for preventing further losses to the company?

A. Send a copy of the virus to the lab for analysis

B. Mitigate the attack and get the system back up and running

C. Initiate a chain of custody

D. Initiate business-impact analysis

Answer: B

Concept: Collecting the volatile evidence, mitigating the attack, removing the virus, and getting the system back up and running is the best thing to do. 

Wrong answers:

A. This does not get you back up and running

C. A chain of custody records who has handled the evidence and does not get you back up and running

D. BIA only tells you the losses that you have incurred and does not generate any income

  1. You are the purchasing manager for a very large multinational company, and you are looking at the company's policy that deals with the insurance of laptops. Last year, the company lost a record number of laptops. Your company is losing 10 laptops per month and the monthly insurance cost is $10,000. Which of the following laptop purchases would prevent you from purchasing insurance?

A. Budget laptops at $1,300 each

B. Budget laptops at $1,200 each

C. Budget laptops at $1,000 each

D. Budget laptops at $1,001 each

Answer: C

Concept:

SLE = ALE / ARO

ALE = 12 x $10,000 = $120,000

ARO = 12 x 10 = 120 laptops a year

Single loss expectancy = $120,000 / 120 = $1,000

Explanation: The cost of losing the laptops is $120,000, the same as purchasing the insurance. You should not take out the insurance in the hope that next year you may lose fewer laptops, as a record number of laptops has already been lost. 

Wrong answers:

A, B, and D would cost more than the insurance; therefore, in these cases, you would do better to take out the insurance.
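The calculation in the answer above is one instance of the SLE/ALE/ARO relationship. The following added example, which is not from the book, carries the same formulas through in code and generalises them: given the monthly loss count and monthly premium from the question, it computes the annual loss frequency, the break-even unit price, and, for each candidate laptop price, whether buying insurance costs less than absorbing the losses. The function names and the option labels are assumptions for illustration; the figures are the ones stated in the question.

```python
MONTHS_PER_YEAR = 12


def annual_rate_of_occurrence(losses_per_month: int) -> int:
    """ARO: expected number of loss events in a year."""
    return losses_per_month * MONTHS_PER_YEAR


def annual_premium(monthly_premium: float) -> float:
    """Yearly cost of the insurance policy."""
    return monthly_premium * MONTHS_PER_YEAR


def single_loss_expectancy(ale: float, aro: int) -> float:
    """SLE = ALE / ARO, as used in the answer above."""
    return ale / aro


def break_even_unit_cost(losses_per_month: int, monthly_premium: float) -> float:
    """Unit price at which the yearly cost of lost devices equals the yearly premium.

    Setting ALE equal to the premium and solving for the per-device cost gives
    SLE = premium / ARO.
    """
    return single_loss_expectancy(
        annual_premium(monthly_premium), annual_rate_of_occurrence(losses_per_month)
    )


def should_insure(unit_cost: float, losses_per_month: int, monthly_premium: float) -> bool:
    """Insure only when the expected yearly loss exceeds the yearly premium.

    When the two are equal the premium buys nothing, so the device is not insured.
    """
    expected_annual_loss = unit_cost * annual_rate_of_occurrence(losses_per_month)
    return expected_annual_loss > annual_premium(monthly_premium)


def evaluate_options(options: dict[str, float], losses_per_month: int,
                     monthly_premium: float) -> dict[str, bool]:
    """Map each option label to True (take insurance) or False (self-insure)."""
    return {
        label: should_insure(cost, losses_per_month, monthly_premium)
        for label, cost in options.items()
    }


if __name__ == "__main__":
    # Figures from the question; option labels are constructed for this example.
    losses, premium = 10, 10_000
    laptop_options = {"A": 1_300, "B": 1_200, "C": 1_000, "D": 1_001}
    print(f"break-even unit cost: ${break_even_unit_cost(losses, premium):,.2f}")
    for label, insure in evaluate_options(laptop_options, losses, premium).items():
        print(f"option {label}: {'take insurance' if insure else 'do not insure'}")
```

With the question's figures the break-even price is $1,000, so only option C falls at or below it; the others all exceed the premium once multiplied by the 120 losses a year.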

  1. Your company has suffered a system-sprawl attack, and you need to be able to identify what has caused the attack and what the symptoms of the attack are. Which of the following attacks could cause system sprawl and what would be a tell-tale sign of it? Select the BEST two answers; each is a part of the solution:

A. SQL-injection

B. DoS attack

C. CPU at 100% utilization

D. Buffer-overflow

Answer: B and C

Concept: System sprawl is when your resources are running out—for example, if your CPU was at 100% utilization. When your system is running like this, it could also suffer from DoS, which makes resources unavailable with too many SYN flood attacks.

Wrong answers:

A. An SQL-injection attack involves placing the phrase 1 = 1 into a Transact-SQL script

D. A buffer-overflow attack involves putting more data into a field than it was programmed to handle

  1. Which of the following is a measure of reliability?

A. MTTR

B. MTBF

C. MTTF

D. RPO

Answer: B

Concept: Mean Time Between Failures (MTBF) measures how frequently failures occur. If I purchased a car and it broke down every day for the next week, I would take it back, as it would be unreliable.

Wrong answers:

A. MTTR is the mean time to repair. If I break down at 1 pm and it is repaired by 2 pm, the MTTR is 1 hour

C. MTTF is the mean time to failure; this is the lifespan of a piece of equipment

D. RPO is the recovery point objective. It is the amount of time a company can be without its data, meaning the acceptable downtime

  1. Which of the following are the characteristics of a third-party-to-third-party authentication protocol that uses XML-based authentication? Select the three BEST answers:

A. Single Sign-On (SSO)

B. Kerberos

C. SAML

D. Federation services

Answers: A, C, and D

Concept: Federation services is a third-party-to-third-party authentication method that uses SAML, an XML-based method for authentication. It also provides SSO. This means that you only log in once in order to get access to resources.

Wrong answer:

B. Kerberos uses a ticket granting ticket (TGT) and only works on a Microsoft Active Directory domain.
