Terms in this set (...)

1.) Which of the following is the FASTEST method to disclose one way hashed passwords?
A. Rainbow tables*
B. Private key disclosure
C. Dictionary attack
D. Brute Force
What are Rainbow Tables?
Immense lots of pre-computed hashes for every possible password. Rainbow tables are a type of precomputed password attack. The previous two attacks, Dictionary and Brute-Force, enter a password into the locked program, the program then hashes the entry and compares the hash to the correct password hash. Rainbow tables compute hashes for each word in a dictionary, store all of the hashes into a hash table, retrieve the hash of the password to be cracked, and do a comparison between each password hash and the real password hash. This method assumes that you can retrieve the hash of the password to be guessed and that the hashing algorithm is the same between the rainbow table and the password. As the majority of common, low-security hashes are computed using MD5, sometimes SHA-1, this problem isn't very worrisome.
Rainbow tables have only become an efficient technique recently, as the hard drive space needed to store the hashes was slightly combersome until memory became cheaper.
What is Dictionary Attack?
What is Brute Force Attack?
Brute force password attacks are a last resort to cracking a password as they are the least efficient. In the most simple terms, brute force means to systematically try all the combinations for a password. This method is quite efficient for short passwords, but would start to become infeasible to try, even on modern hardware, with a password of 7 characters or larger. Assuming only alphabetical characters, all in capitals or all in lower-case, it would take 267 (8,031,810,176) guesses. This also assumes that the cracker knows the length of the password. Other factors include number, case-sensitivity, and other symbols on the keyboard. The complexity of the password depends upon the creativity of the user and the complexity of the program that is using the password.
The upside to the brute force attack is that it will ALWAYS find the password, no matter it's complexity. The downside is whether or not you will still be alive when it finally guesses it.
What is Salting?
One other element of passwords that is becoming more and more common is a technique called "salting." Salting a password means, more or less, adding bits of information (aka the "salt") to the given password before hashing it, so that the password is not merely guessable by a standard rainbow table, as the hashes are not of simple words anymore. Salting makes cracking a password much more difficult, but it should be noted that this only complicates cracking programs that use hashes rather than rapid input. Normal dictionary and brute-force attacks are not affected by the salt.
What are Hashed Passwords?
A branch of cryptography; random data looking strings of characters into which the passwords have been mathematically algorithms hashed/transformed to prevent them from being misused; one-way function; difficult to reverse; not designed to be decrypted; no private key. Simple hashing is SHA1 easy to crack. More secure hashing is bycrypt (you have time to change all your passwords).
2.) A network has been impacted by downtime resulting from unauthorized devices connecting directly to the wired network. The network administrator has been tasked to research and evaluate technical controls that would effectively mitigate risks associated with such devices. Which of the following capabilities would be MOST suitable for implementation in this scenario?
A. Host hardening
D. Loop protection
E. Port Security*
Host Hardening
Limiting network access to a system by the traditional method of turning off unnecessary network services, by firewalling, or by enforcing authentication to use a service.
NIDS (Network Intrusion Detection System)
In NIDS, anti-threat software is installed only at specific points such as servers that interface between the outside environment and the network segment to be protected. attempts to detect hacking activities, denial of service attacks or port scans on a computer network or a computer itself. The NIDS monitors network traffic and helps to detect these malicious activities by identifying suspicious patterns in the incoming packets. The NIDS can monitor incoming, outgoing, and local traffic. Inspecting outgoing or local traffic can yield valuable insight into malicious activities, just as inspecting incoming traffic can. Some attacks can originate and stay with the local network or be staged inside the network with an outside-the-network target. The NIDS also works with other systems, like a firewall, to help better protect against known attack sources (e.g. a suspected attacker IP address). A NIDS is often a standalone hardware appliance that includes network detection capabilities. It will usually consist of hardware sensors located at various points along the network. It may also consist of software that is installed on various computers connected along the network. The NIDS analyzes data packets both inbound and outbound and offer real-time detection.
HIDS (Host Intrusion Detection System)
In HIDS, anti-threat applications such as firewalls, antivirus software and spyware-detection programs are installed on every network computer that has two-way access to the outside environment such as the Internet.
takes place on a single host system. Currently, HIDS involves installing an agent on the local host that monitors and reports on the system configuration and application activity. Some common abilities of HIDS systems include log analysis, event correlation, integrity checking, policy enforcement, rootkit detection, and alerting1. They often also have the ability to baseline a host system to detect variations in system configuration. A host-based intrusion detection system (HIDS) is a system that monitors a computer system on which it is installed to detect an intrusion and/or misuse, and responds by logging the activity and notifying the designated authority. A HIDS can be thought of as an agent that monitors and analyzes whether anything or anyone, whether internal or external, has circumvented the system's security policy.
A HIDS analyzes the traffic to and from the specific computer on which the intrusion detection software is installed. A host-based system also has the ability to monitor key system files and any attempt to overwrite these files.
Loop Protection
A Switching loop or bridge loop occurs in computer networks when there is more than one Layer 2 (OSI model) path between two endpoints (e.g. multiple connections between two network switches or two ports on the same switch connected to each other).

Looping can be taken advantage of by attackers to initiate DoS attacks because of its repetitive nature. When transmissions loop, they needlessly consume bandwidth and disrupt network services. Loop protection consists of enabling STP (spanning tree protocol) on the network switches. Protection on the Layer 2.
Port Security
Port security is a layer two traffic control feature on Cisco Catalyst switches. It enables an administrator configure individual switch ports to allow only a specified number of source MAC addresses ingressing the port.

Port Security helps secure the network by preventing unknown devices from forwarding packets. When a link goes down, all dynamically locked addresses are freed. The port security feature offers the following benefits:

•You can limit the number of MAC addresses on a given port. Packets that have a matching MAC address (secure packets) are forwarded; all other packets (unsecure packets) are restricted.

•You can enable port security on a per port basis.
A series of actions to be taken in order to make it hard for an attacker to successfully attack computers in a network environment. Hardening refers to providing various means of protection in a computer system. Protection is provided in various layers and is often referred to as defense in depth. Protecting in layers means to protect at the host level, the application level, the operating system level, the user level, the physical level and all the sublevels in between. Each level requires a unique method of security.

A hardened computer system is a more secure computer system.

Hardening is also known as system hardening.

Hardening's goal is to eliminate as many risks and threats to a computer system as necessary. Hardening activities for a computer system can include:

•Keeping security patches and hot fixes updated
•Monitoring security bulletins that are applicable to a system's operating system and applications
•Installing a firewall
•Closing certain ports such as server ports
•Not allowing file sharing among programs
•Installing virus and spyware protection, including an anti-adware tool so that malicious software cannot gain access to the computer on which it is installed
•Keeping a backup, such as a hard drive, of the computer system
•Disabling cookies
•Creating strong passwords
•Never opening emails or attachments from unknown senders
•Removing unnecessary programs and user accounts from the computer
•Using encryption where possible
•Hardening security policies, such as local policies relating to how often a password should be changed and how long and in what format a password must be in
Anything with an IP address (Servers, Clients, Routers, Firewalls)
3.) A company is providing mobile devices to all employees. The system administrator has been tasked with providing input for the company's mobile device policy. Which of the following are valid security concepts that the system administrator should include when offering feedback to management? (Select Two)
A. Transitive trust
B. Asset tracking*
C. Remote wiping*
E. Key management
Transitive Trust
Transitive trust is a two-way relationship automatically created between parent and child domains in a Microsoft Active Directory forest. When a new domain is created, it shares resources with its parent domain by default, enabling an authenticated user to access resources in both the child and parent.
Asset Tracking
Asset tracking refers to the method of tracking physical assets, either by scanning barcode labels attached to the assets or by using tags using GPS or RFID which broadcast their location.
Mobile asset management is managing availability and serviceability of assets used to move, store, secure, protect and control inventory within the enterprise and along the supply chain or in conjunction with service providing.
Remote Wiping
Remote wipe is a security feature that allows a network administrator or device owner to send a command to a computing device and delete data.
HSM (Hardware Security Module)
A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server.
A hardware security module (HSM) is a dedicated crypto processor that is specifically designed for the protection of the crypto key lifecycle. Hardware security modules act as trust anchors that protect the cryptographic infrastructure of some of the most security-conscious organizations in the world by securely managing, processing, and storing cryptographic keys inside a hardened, tamper-resistant device.
Key Management
Key management is the management of cryptographic keys in a cryptosystem. This includes dealing with the generation, exchange, storage, use, and replacement of keys. It includes cryptographic protocol design, key servers, user procedures, and other relevant protocols.[1]

Key management concerns keys at the user level, either between users or systems. This is in contrast to key scheduling; key scheduling typically refers to the internal handling of key material within the operation of a cipher.

Successful key management is critical to the security of a cryptosystem. In practice it is arguably the most difficult aspect of cryptography because it involves system policy, user training, organizational and departmental interactions, and coordination between all of these elements.
4.) Forensics analyst is asked to identify identical files on a hard drive. Due to the large number of files to be compared, the analyst must use an algorithm that is known to have the lowest collision rate. Which of the following should be selected?
A. MD4
B. MD5
C. SHA-128*
D. AES-256
An algorithm is a well-defined procedure that allows a computer to solve a problem. Another way to describe an algorithm is a sequence of unambiguous instructions.
Hashing. MD4 is an earlier version of MD5, an algorithm used to verify data integrity through the creation of a 128-bit message digest from data input (which may be a message of any length) that is claimed to be as unique to that specific data as a fingerprint is to the specific individual.
MD5 (Message Digest)
Hashing. MD5 is an algorithm that is used to verify data integrity through the creation of a 128-bit message digest from data input (which may be a message of any length) that is claimed to be as unique to that specific data as a fingerprint is to the specific individual.
The MD5 algorithm is an extension of MD4, which the critical review found to be fast, but possibly not absolutely secure. In comparison, MD5 is not quite as fast as the MD4 algorithm, but offers much more assurance of data security.
SHA-128 (Secure Hash Algorithm)
Hashing. SHA isn't encryption, it's a one-way hash function. You use SHA functions to take a large document and compute a "digest" (also called "hash") of the input. It's important to realize that this is a one-way process. You can't take a digest and recover the original document. SHA is used to generate a hash of data
AES-256 (Advanced Encryption Standard)
Symmetric Cryptography. AES stands for Advanced Encryption Standard, which is the norm used worldwide to encrypt data. AES (Advanced_Encryption_Standard) is a symmetric encryption standard. AES is used to encrypt data. Prevent people from viewing that data with knowing some secret.

256 refers to the key size - the larger the size, the more possible keys there are. For example if I encrypted an email using AES and I sent that email to you then you and I would both need to know the shared key used to encrypt and decrypt the email.
List the algorithms from least to greatest chance of collision rate.
MD5 <64
5.) John wants to secure an 802.11n network. Which of the following encryption methods would provide the highest level of protection?
C. WPA2 with AES*
D. WPA2 with TKIP
802.11n Network
802.11n is a specification for wireless LAN (WLAN) communications. 802.11n, an addition to the 802.11 family of standards, will increase wireless local area network(WLAN) speed, improve reliability and extend the range of wireless transmissions.

802.11n uses multiple input / multiple output (MIMO) technology and a wider radio frequency channel. It also provides a mechanism called frame aggregation to decrease time between transmissions. Current WLAN technologies require that the sending station request the channel, send one packet, release the channel, and then request again in order to send the next packet. With frame aggregation, once a station requests the channel and has the authority to transmit, it can transmit a series of frames without having to release the channel and regain authority for each frame. With 802.11n, raw data throughput is expected to reach as much as 600 Mbps -- that's more than 10 times the throughput of 802.11g.
Encryption Standards Methods
WEP, WPA + TKIP, WPA + TKIP/AES (TKIP is there as a fallback method), WPA + AES, WPA2 + AES
Encryption Methods Ranked lowest to highest level of protection?
1. None - open network
2. WEP
4. WPA + TKIP/AES (TKIP is there as a fallback method)
5. WPA + AES
6. WPA2 + AES
WPA (Wi-Fi Protected Access )
Wi-Fi Protected Access was the Wi-Fi Alliance's direct response and replacement to the increasingly apparent vulnerabilities of the WEP standard. It was formally adopted in 2003, a year before WEP was officially retired. The most common WPA configuration is WPA-PSK (Pre-Shared Key). Some of the significant changes implemented with WPA included message integrity checks (to determine if an attacker had captured or altered packets passed between the access point and client) and the Temporal Key Integrity Protocol (TKIP). TKIP employs a per-packet key system that was radically more secure than fixed key used in the WEP system. TKIP was later superseded by Advanced Encryption Standard (AES).

WPA, like its predecessor WEP, has been shown via both proof-of-concept and applied public demonstrations to be vulnerable to intrusion.
WEP (Wired Equivalent Privacy)
Wired Equivalent Privacy (WEP) is the most widely used Wi-Fi security algorithm in the world. This is a function of age, backwards compatibility, and the fact that it appears first in the encryption type selection menus in many router control panels.

Despite various improvements, work-arounds, and other attempts to shore up the WEP system, it remains highly vulnerable and systems that rely on WEP should be upgraded or, if security upgrades are not an option, replaced. The Wi-Fi Alliance officially retired WEP in 2004.
WPA2 with AES
This is the most secure option. It uses WPA2, the latest Wi-Fi encryption standard, and the latest AES encryption protocol. You should be using this option. On devices with less confusing interfaces, the option marked "WPA2" or "WPA2-PSK" will probably just use AES, as that's a common-sense choice.

WPA has, as of 2006, been officially superseded by WPA2. One of the most significant changes between WPA and WPA2 was the mandatory use of AES algorithms and the introduction of CCMP (Counter Cipher Mode with Block Chaining Message Authentication Code Protocol) as a replacement for TKIP (still preserved in WPA2 as a fallback system and for interoperability with WPA).

Currently, the primary security vulnerability to the actual WPA2 system is an obscure one (and requires the attacker to already have access to the secured Wi-Fi network in order to gain access to certain keys and then perpetuate an attack against other devices on the network). As such, the security implications of the known WPA2 vulnerabilities are limited almost entirely to enterprise level networks and deserve little to no practical consideration in regard to home network security.
WPA2 with TKIP
This uses the modern WPA2 standard with older TKIP encryption. This isn't secure, and is only a good idea if you have older devices that can't connect to a WPA2-PSK (AES) network.
6.) Which of the following is the MOST influential concern that contributes to an organization's ability to extend enterprise policies to mobile devices?
A. Support of mobile OS*
B. Availability of mobile browsers
C. Support of mobile apps
D. Public key management
7.) An application service provider has notified customers of a breach resulting from improper configuration changes. In the incident, a server intended for internal access only was made accessible to external parties. Which of the following configurations were likely to have been improperly modified resulting in the breach?
IDS (Intrusion Detection System)
An intrusion detection system (IDS) monitors network traffic and monitors for suspicious activity and alerts the system or network administrator. In some cases the IDS may also respond to anomalous or malicious traffic by taking action such as blocking the user or source IP address from accessing the network.

IDS come in a variety of "flavors" and approach the goal of detecting suspicious traffic in different ways.


There are network based (NIDS) and host based (HIDS) intrusion detection systems. There are IDS that detect based on looking for specific signatures of known threats- similar to the way antivirus software typically detects and protects against malware- and there are IDS that detect based on comparing traffic patterns against a baseline and looking for anomalies. There are IDS that simply monitor and alert and there are IDS that perform an action or actions in response to a detected threat. We'll cover each of these briefly.
CRL (Certificate Revocation List)
A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted. CRLs are a type of blacklist and are used by various endpoints, including Web browsers, to verify whether a certificate is valid and trustworthy. Digital certificates are used in the encryption process to secure communications, most often by using the TLS/SSL protocol. The certificate, which is signed by the issuing Certificate Authority, also provides proof of the identity of the certificate owner.

When a Web browser makes a connection to a site using TLS, the Web server's digital certificate is checked for anomalies or problems; part of this process involves checking that the certificate is not listed in a Certificate Revocation List. These checks are crucial steps in any certificate-based transaction because they allow a user to verify the identity of the owner of the site and discover whether the Certificate Authority still considers the digital certificate trustworthy.

The X.509 standard defines the format and semantics of a CRL for a public key infrastructure. Each entry in a Certificate Revocation List includes the serial number of the revoked certificate and the revocation date. The CRL file is signed by the Certificate Authority to prevent tampering. Optional information includes a time limit if the revocation applies for only a period of time and a reason for the revocation. CRLs contain certificates that have either been irreversibly revoked (revoked) or that have been marked as temporarily invalid (hold).

Digital certificates are revoked for many reasons. If a CA discovers that it has improperly issued a certificate, for example, it may revoke the original certificate and reissue a new one. Or if a certificate is discovered to be counterfeit, the CA will revoke it and add it to the CRL. The most common reason for revocation occurs when a certificate's private key has been compromised. Other reasons for revoking a certificate include the compromise of the issuing CA, the owner of the certificate no longer owning the domain for which it was issued, the owner of the certificate ceasing operations entirely or the original certificate being replaced with a different certificate from a different issuer.

The problem with Certificate Revocation Lists, as with all blacklists, is that they are difficult to maintain and are an inefficient method of distributing critical information in real time. When a certificate authority receives a CRL request from a browser, it returns a complete list of all the revoked certificates that the CA manages. The browser must then parse the list to determine if the certificate of the requested site has been revoked. Although the CRL may be updated as often as hourly, this time gap could allow a revoked certificate to be accepted, particularly because CRLs are cached to avoid incurring the overhead involved with repeatedly downloading them. Also, if the CRL is unavailable, then any operations depending upon certificate acceptance will be prevented and that may create a denial of service.
VPN (Virtual Private Network)
A virtual private network (VPN) is a technology that creates an encrypted connection over a less secure network. The benefit of using a secure VPN is it ensures the appropriate level of security to the connected systems when the underlying network infrastructure alone cannot provide it. The justification for using VPN access instead of a private network usually boils down to cost and feasibility: It is either not feasible to have a private network -- e.g., for a traveling sales rep -- or it is too costly to do so. The most common types of VPNs are remote-access VPNs and site-to-site VPNs.

A remote-access VPN uses a public telecommunication infrastructure like the internet to provide remote users secure access to their organization's network. This is especially important when employees are using a public Wi-Fi hotspot or other avenues to use the internet and connect into their corporate network. A VPN client on the remote user's computer or mobile device connects to a VPN gateway on the organization's network. The gateway typically requires the device to authenticate its identity. Then, it creates a network link back to the device that allows it to reach internal network resources -- e.g., file servers, printers and intranets -- as though it was on that network locally.

A remote-access VPN usually relies on either IPsec or Secure Sockets Layer (SSL) to secure the connection, although SSL VPNs are often focused on supplying secure access to a single application, rather than to the entire internal network. Some VPNs provide Layer 2 access to the target network; these require a tunneling protocol like PPTP or L2TP running across the base IPsec connection.

Parsing VPN gateways.

A site-to-site VPN uses a gateway device to connect the entire network in one location to the network in another -- usually a small branch connecting to a data center. End-node devices in the remote location do not need VPN clients because the gateway handles the connection. Most site-to-site VPNs connecting over the internet use IPsec. It is also common to use carrier MPLS clouds, rather than the public internet, as the transport for site-to-site VPNs. Here, too, it is possible to have either Layer 3 connectivity (MPLS IP VPN) or Layer 2 (Virtual Private LAN Service, or VPLS) running across the base transport.

VPNs can also be defined between specific computers, typically servers in separate data centers, when security requirements for their exchanges exceed what the enterprise network can deliver. Increasingly, enterprises also use VPN connections in either remote-access mode or site-to-site mode to connect -- or connect to -- resources in a public infrastructure-as-a-service environment. Newer hybrid-access scenarios put the VPN gateway itself in the cloud, with a secure link from the cloud service provider into the internal network.
NAT(Network Address Translation)
Network Address Translation (NAT) is the process where a network device, usually a firewall, assigns a public address to a computer (or group of computers) inside a private network. The main use of NAT is to limit the number of public IP addresses an organization or company must use, for both economy and security purposes.

The most common form of network translation involves a large private network using addresses in a private range ( to, to, or 192.168.0 0 to The private addressing scheme works well for computers that only have to access resources inside the network, like workstations needing access to file servers and printers. Routers inside the private network can route traffic between private addresses with no trouble. However, to access resources outside the network, like the Internet, these computers have to have a public address in order for responses to their requests to return to them. This is where NAT comes into play.

Internet requests that require Network Address Translation (NAT) are quite complex but happen so rapidly that the end user rarely knows it has occurred. A workstation inside a network makes a request to a computer on the Internet. Routers within the network recognize that the request is not for a resource inside the network, so they send the request to the firewall. The firewall sees the request from the computer with the internal IP. It then makes the same request to the Internet using its own public address, and returns the response from the Internet resource to the computer inside the private network. From the perspective of the resource on the Internet, it is sending information to the address of the firewall. From the perspective of the workstation, it appears that communication is directly with the site on the Internet. When NAT is used in this way, all users inside the private network access the Internet have the same public IP address when they use the Internet. That means only one public addresses is needed for hundreds or even thousands of users.

There are other uses for Network Address Translation (NAT) beyond simply allowing workstations with internal IP addresses to access the Internet. In large networks, some servers may act as Web servers and require access from the Internet. These servers are assigned public IP addresses on the firewall, allowing the public to access the servers only through that IP address. However, as an additional layer of security, the firewall acts as the intermediary between the outside world and the protected internal network. Additional rules can be added, including which ports can be accessed at that IP address. Using NAT in this way allows network engineers to more efficiently route internal network traffic to the same resources, and allow access to more ports, while restricting access at the firewall. It also allows detailed logging of communications between the network and the outside world.

Additionally, NAT can be used to allow selective access to the outside of the network, too. Workstations or other computers requiring special access outside the network can be assigned specific external IPs using NAT, allowing them to communicate with computers and applications that require a unique public IP address. Again, the firewall acts as the intermediary, and can control the session in both directions, restricting port access and protocols.

NAT is a very important aspect of firewall security. It conserves the number of public addresses used within an organization, and it allows for stricter control of access to resources on both sides of the firewall.
8.) Joe just installed a new (ECS) environmental control system for a room that is critical to the company's operation and needs the ability to manage and monitor the system from any part of the network. Which of the following should the security administrator utilize to minimize the attack surface and still allow the needed access?
A. Create an encrypted connection between the ECS and the engineer's computer
*B. Configure the ECS host-based firewall to block non-ECS application traffic
C. Implement an ACL that permits the necessary management and monitoring traffic
D. Install a firewall that only allows traffic to the ECS from a single management and monitoring network
ACL (Access Control List)
An access control list (ACL) is a table that tells a computer operating system which access rights each user has to a particular system object, such as a file directory or individual file. Each object has a security attribute that identifies its access control list. The list has an entry for each system user with access privileges. The most common privileges include the ability to read a file (or all the files in a directory), to write to the file or files, and to execute the file (if it is an executable file, or program).
A firewall is a network security system, either hardware- or software-based, that uses rules to control incoming and outgoing network traffic.

A firewall acts as a barrier between a trusted network and and an untrusted network. A firewall controls access to the resources of a network through a positive control model. This means that the only traffic allowed onto the network is defined in the firewall policy; all other traffic is denied.
9.) Numerous users within an organization are unable to log into the web based financial application. The network team places a sniffer on the segment where the application resides and sees the following log entries.
05:31:14.312254 SYN

05:31:14:312255 SYN


Which of the following is MOST likely occurring?
A. DOS attack
B. Ping flood attack
C. Smurf attack
*D. Replay attack
E. Xmas attack
DOS Attack
A denial-of-service attack is a security event that occurs when an attacker takes action that prevents legitimate users from accessing targeted computer systems, devices or other network resources.

Denial-of-service (DoS) attacks typically flood servers, systems or networks with traffic in order to overwhelm the victim resources and make it difficult or impossible for legitimate users to use them. While an attack that crashes a server can often be dealt with successfully by simply rebooting the system, flooding attacks can be more difficult to recover from.
Ping Flood Attack
Ping of Death (a.k.a. PoD) is a type of Denial of Service (DoS) attack in which an attacker attempts to crash, destabilize, or freeze the targeted computer or service by sending malformed or oversized packets using a simple ping command.

While PoD attacks exploit legacy weaknesses which may have been patched in target systems. However, in an unpatched systems, the attack is still relevant and dangerous. Recently, a new type of PoD attack has become popular. This attack, commonly known as a Ping flood, the targeted system is hit with ICMP packets sent rapidly via ping without waiting for replies.
Smurf Attack
A Smurf attack is a form of a distributed denial of service (DDoS) attack that renders computer networks inoperable. The Smurf program accomplishes this by exploiting vulnerabilities of the Internet Protocol (IP) and Internet Control Message Protocols (ICMP).

The steps in a Smurf attack are as follows:
•First, the malware creates a network packet attached to a false IP address — a technique known as "spoofing."
•Inside the packet is an ICMP ping message, asking network nodes that receive the packet to send back a reply
•These replies, or "echoes," are then sent back to network IP addresses again, setting up an infinite loop.
Replay Attack
A replay attack is an attack where an authentication session is replayed by an attacker to fool a computer into granting access. It may be any form or retransmission of a network data transmission but is usually used to gain authentication in a fraudulent manner.

A replay attack (also known as playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed.
Xmas Attack
A Christmas tree attack sends a large number of Christmas tree packets to an end device. A Christmas tree packet has all the options set so that any protocol can be used. The name is derived from the idea that all the settings are turned to "on" within the packet so it is lit up like a Christmas tree.

Christmas tree packets require much more processing by routers and end devices than other packets. Large numbers of these packets can use up so much processing power that it ties up these devices effectively making any other task nearly impossible thus denying service to legitimate traffic.

Receiving these types of packets is not usual and therefore should be regarded as suspicious. Intrusion detection systems can detect these packets as do some firewalls.
10.) You want to communicate securely with a third party via email using PGP. Which of the following should you send to the third party to enable the third party to securely encrypt email replies?
A. Private key
B. Key escrow
*C. Public key
D. Recovery key
PGP (Pretty Good Privacy)
Pretty Good Privacy or PGP is a popular program used to encrypt and decrypt email over the Internet, as well as authenticate messages with digital signatures and encrypted stored files.

Pretty Good Privacy uses a variation of the public key system. In this system, each user has an encryption key that is publicly known and a private key that is known only to that user. You encrypt a message you send to someone else using their public key. When they receive it, they decrypt it using their private key. Since encrypting an entire message can be time-consuming, PGP uses a faster encryption algorithm to encrypt the message and then uses the public key to encrypt the shorter key that was used to encrypt the entire message. Both the encrypted message and the short key are sent to the receiver who first uses the receiver's private key to decrypt the short key and then uses that key to decrypt the message.
Private Key
A private key is a tiny bit of code that is paired with a public key to set off algorithms for text encryption and decryption. It is created as part of public key cryptography during asymmetric-key encryption and used to decrypt and transform a message to a readable format. Public and private keys are paired for secure communication, such as email.

A private key is also known as a secret key.
Key Escrow
With key escrow, on the other hand, a third-party gets copies of a cryptographic key. The US government led the push for key escrow back in the pre-dot-com era. The idea was for law enforcement agencies to have the ability to decrypt encrypted messages if they had the necessary court order. There was even talk of laws requiring all encryption to have this feature. It turned out that people weren't comfortable with the government having this ability and that technical problems plagued the proposed escrow schemes. In the end, the idea failed terribly. It's definitely not a feature that enterprise encryption products need.
Public Key
Public key cryptography is an asymmetric scheme that uses a pair of keys for encryption: a public key, which encrypts data, and a corresponding private, or secret key for decryption. Youpublishyour public keytotheworldwhile keeping your private key secret. Anyone with a copy of your public key can then encrypt information that only you can read. Even people you have never met.

It is computationally infeasible to deduce the private key from the public key. Anyone who has a public key can encrypt information but cannot decrypt it. Only the person who has the corresponding private key can decrypt the information.
Recovery Key
Key recovery lets you backup and restore cryptographic keys.

t also lets you recover your systems in the event of a failure, like a natural disaster might cause.
11.) Which of the following should you implement if you want to preserve your internal authentication and authorization process and credentials if you are going to a cloud service provider?
A. Dual factor authentication
B. Federation
*C. Single sign on
Cloud Service Provider
Dual Factor Authentication
Single-Sign On
12.) A university police department is housed on the first floor of a student dormitory. Which of the following would prevent students from using ARP spoofing attacks against computers at the police department?
A. Private network addresses
B. Disable SSID broadcast
*C. Separate Layer 2 vlans
D. Enable proxy arp on router
ARP Spoofing Attacks
Private Network Addresses
Disable SSID Broadcast
Layer 2 VLANS
Proxy ARP
13.) During a recent vulnerability assessment, the pen testers were able to successfully crack a large number of employee passwords. The company technology use agreement clearly states that passwords used on the company network must be at least eight characters long and contain at least one uppercase letter and special character. What can they do to standardize and enforce these rules across the entire organization to resolve this issue?
*B. Group Policy
C. User policy
D. Kerberos
Vulnerability Assessment
A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems, and communication systems.
Penetration Tester
A penetration test, or sometimes pentest, is a software attack on a computer system that looks for security weaknesses, potentially gaining access to the computer's features and data. The process typically identifies the target systems and a particular goal—then reviews available information and undertakes various means to attain the goal.
LDAP (Lightweight Directory Access Protocol)
Short for Lightweight Directory Access Protocol, a set of protocols for accessing information directories. LDAP is based on the standards contained within the X.500 standard, but is significantly simpler. And unlike X.500, LDAP supports TCP/IP, which is necessary for any type of Internet access. Because it's a simpler version of X.500, LDAP is sometimes called X.500-lite.

Although not yet widely implemented, LDAP should eventually make it possible for almost any application running on virtually any computer platform to obtain directory information, such as email addresses and public keys. Because LDAP is an open protocol, applications need not worry about the type of server hosting the directory.
Group Policy
Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment.

Group Policy is a hierarchical infrastructure that allows a network administrator in charge of Microsoft's Active Directory to implement specific configurations for users and computers. Group Policy can also be used to define user, security and networking policies at the machine level.

Group Policy allows administrators to define options for what users can do on a network - including what files, folders and applications they can access. The collections of user and computer settings are referred to as Group Policy Objects (GPOs), which are administered from a central interface called the Group Policy Management Console. Group Policy can also be managed with command-line tools such as gpresult and gpupdate. In Windows Server 2008, setting extensions known as Group Policy preferences were added to provide administrators with better targeting and flexibility.
User Policy
An end user policy is a set of directives that describes what actions employees must take -- or avoid -- in order to protect corporate assets. An end user policy can be an informal set of guidelines handed out to employees or hung in a public place or it can be a more formal signed contract, whose violation is terms for dismissal.
Kerberos /ˈkərbərɒs/ is a computer network authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. The protocol was named after the character Kerberos (or Cerberus) from Greek mythology, the ferocious three-headed guard dog of Hades (hellhound).

Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted network, such as the internet. Kerberos is built in to all major operating systems, including Microsoft Windows, Apple OS X, FreeBSD and Linux.

Since Windows 2000, Microsoft has incorporated the Kerberos protocol as the default authentication method in Windows, and it is an integral component of the Windows Active Directory service. Broadband service providers also use Kerberos to authenticate DOCSIS cable modems and set-top boxes accessing their networks.

Kerberos was originally developed for Project Athena at the Massachusetts Institute of Technology (MIT). The name Kerberos was taken from Greek mythology; Kerberos (Cerberus) was a three-headed dog who guarded the gates of Hades. The three heads of the Kerberos protocol represent a client, a server and a Key Distribution Center (KDC), which acts as Kerberos' trusted third-party authentication service.

Users, machines and services using Kerberos need only trust the KDC, which runs as a single process and provides two services: an authentication service and a ticket granting service. KDC "tickets" provide mutual authentication, allowing nodes to prove their identity to one another in a secure manner. Kerberos authentication uses conventional shared secret cryptography to prevent packets traveling across the network from being read or changed and to protect messages from eavesdropping and replay attacks.
14.) You want to create several different environments for application development, testing, and quality control. Controls are being put into place to manage how software is moved into the production environment. Which of the following should the software development manager request to be put into place to implement the three new environments?
A. Application firewalls
*B. Network segmentation
C. Trusted computing
Development Environment
Development - you worry about people who will use the product.

On the other hand, "Dev" means "Development", its the environment which the developers work on.

On the other hand, "Dev" means "Development", its the environment which the developers work on.
Testing Environment
A Test environment is where you test your upgrade procedure against controlled data and perform controlled testing of the resulting Waveset application.
QA Environment
A QA environment is where you test your upgrade procedure against data, hardware, and software that closely simulate the Production environment and where you allow intended users to test the resulting Waveset application.
Production Environment
Production - you worry about people who are using the product.

"Prod" means "Production". It describes the environment you are providing to the customers.

A Production environment is where the Waveset application is actually available for business use.
Application Firewalls
An application firewall is an enhanced firewall that limits access by applications to the operating system (OS) of a computer. Conventional firewalls merely control the flow of data to and from the central processing unit (CPU), examining each packet and determining whether or not to forward it toward a particular destination. An application firewall offers additional protection by controlling the execution of files or the handling of data by specific applications.

For best performance, a conventional firewall must be configured by the user. The user must know which ports unwanted data is likely to enter or leave through. An application firewall prevents the execution of programs or DLL (dynamic link library) files which have been tampered with. Thus, even though an intruder might get past a conventional firewall and gain entry to a computer, server, or network, destructive activity can be forestalled because the application firewall does not allow any suspected malicious code to execute.
Network Segmentation
"Network segmentation" refers to the physical and logical separation of IT assets and resources - such as data, applications, servers and users. Isolating a network into segments reduces the size of the attack surface by limiting the IT assets that are accessible from each segment. The resources connected to a segment, regardless of their nature - physical, virtual, or human - wholesale NBA jerseys are prevented from interacting with (or even being "seen" by) resources on other network segments. At its most fundamental level, network segmentation creates and maintains logically grouped subsets of resources that are isolated from all other, implicitly untrusted, groups - even when those other groups are part of the same business organization.

Emerging information about recent security breaches illustrates the critical role network segmentation has in protecting any organization's IT assets. Network segmentation allows you to isolate and apply segment-specific policies to, for example, your Cardholder Data Environment (CDE). It enables organizations to apply more granular controls (in this example, PCI DSS-based policies) to limit potential exposure and reduce risk. The ultimate goal of network segmentation is to protect your most sensitive data from unauthorized access wholesale mlb jerseys or disclosure.
Trusted Computing
Trusted computing is a broad term that refers to technologies and proposals for resolving computer security problems through hardware enhancements and associated software modifications. Several major hardware manufacturers and software vendors, collectively known as the Trusted Computing Group (TCG), are cooperating in this venture and have come up with specific plans. The TCG develops and promotes specifications for the protection of computer resources from threats posed by malicious entities without infringing on the rights of end users.

Microsoft defines trusted computing by breaking it down into four technologies, all of which require the use of new or improved hardware at the personal computer (PC) level:
•Memory curtaining -- prevents programs from inappropriately reading from or writing to each other's memory.
•Secure input/output (I/O) -- addresses threats from spyware such as keyloggers and programs that capture the contents of a display.
•Sealed storage -- allows computers to securely store encryption keys and other critical data.
•Remote attestation -- detects unauthorized changes to software by generating encrypted certificates for all applications on a PC.

In order to be effective, these measures must be supported by advances and refinements in the software and operating systems (OSs) that PCs use.

Within the larger realm of trusted computing, the trusted computing base (TCB) encompasses everything in a computing system that provides a secure environment. This includes the OS and its standard security mechanisms, computer hardware, physical locations, network resources and prescribed procedures.

The term trusted PC refers to the industry ideal of a PC with built-in security mechanisms that place minimal reliance on the end user to keep the machine and its peripheral devices secure. The intent is that, once effective mechanisms are built into hardware, computer security will be less dependent on the vigilance of individual users and network administrators than it has historically been. Concerns have arisen, however, about possible loss of user privacy and autonomy as a result of such changes.
15.) A research user needs to transfer multiple terabytes of data across a network. The data is not confidential, so for performance reasons, does not need to be encrypted. However, the authentication process must be confidential. Which of the following is the BEST solution to satisfy these requirements?
A. Secured LDAP
*B. Kerberized FTP
D. SAML 2.0
Kerberized FTP
Kerberized FTP provides secure authentication of your file transfer protocol (FTP) sessions without passing your Kerberos password in the clear across the internet.

Kerberized FTP programs intercept cleartext userIDs/passwords used by unauthorized intruders to log in to various machines and wreak havoc. Sending your password over the network in the clear is a grave security risk. Avoid this kind of theft by using secure FTP whenever possible.
SCP (Secure Copy)
Secure copy or SCP is a means of securely transferring computer files between a local host and a remote host or between two remote hosts. It is based on the Secure Shell (SSH) protocol. "SCP" commonly refers to the: Secure Copy Protocol. Secure Copy (remote file copy program).
SAML 2.0 (Security Assertion Markup Language 2.0)
A version of the SAML standard for exchanging authentication and authorization data between security domains.

The Security Assertion Markup Language (SAML) version 2.0 is a standard for the communication of assertions about principals, typically users. The assertion can include the means by which a subject was authenticated, attributes associated with the subject, and an authorization decision for a given resource.
16.) What technology would you use to ensure that the systems that your organization is using is going to deployed as securely as possible and prevent files and services from operation outside of a strict rule set?
A. Host based intrusion detection
*B. Host based firewall
C. Trusted OS
D. Antivirus
Antivirus (or anti-virus) software is used to safeguard a computer from malware, including viruses, computer worms, and Trojan horses. Antivirus software may also remove or prevent spyware and adware, along with other forms of malicious programs. Free antivirus software generally only searches your computer using signature-based detection which involves looking for patterns of data that are known to be related to already-identified malware. Paid antivirus software will usually also include heuristics to catch new, or zero-day threats, by either using genetic signatures to identify new variants of existing virus code or by running the file in a virtual environment (also called a sandbox), and watching what it does to see if it has malicious intent.
17.) A security specialist has implemented antivirus software and whitelisting controls to prevent malware and unauthorized application installation on the company systems. The combination of these two technologies is an example of which of the following?
*A. Defense in depth
B. Vulnerability scanning
C. Application hardening
D. Anti-malware
Application whitelisting is the practice of specifying an index of approved software applications that are permitted to be present and active on a computer system. The goal of whitelisting is to protect computers and networks from potentially harmful applications.

In general, a whitelist is an index of approved entities. In infosec, whitelisting works best in centrally managed environments, where systems are subject to a consistent workload. The National Institute of Standards and Technology suggests using application whitelisting in high-risk environments, where it is vitally important that individual systems be secure and less important that software be useable without restrictions. To provide more flexibility, a whitelist may also index approved application components, such as software libraries, plug-ins, extensions and configuration files.
Malicious software (malware) is the wide range of software applications developed with a malicious intent. The methods used for malware installation is unlike any other software installation you are accustomed to because malware is installed through devious means. People often use the terms virus and malware interchangeably. However, a virus is a type of malware.

Trojan Horse
Logic Bombs
Defense in Depth
Defense in depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise. The strategy is based on the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier.

Defense in depth minimizes the probability that the efforts of malicious hackers will succeed. A well-designed strategy of this kind can also help system administrators and security personnel identify people who attempt to compromise a computer, server, proprietary network or ISP (Internet service provider). If a hacker gains access to a system, defense in depth minimizes the adverse impact and gives administrators and engineers time to deploy new or updated countermeasures to prevent recurrence.

Components of defense in depth include antivirus software, firewalls, anti-spyware programs, hierarchical passwords, intrusion detection and biometric verification. In addition to electronic countermeasures, physical protection of business sites along with comprehensive and ongoing personnel training enhances the security of vital data against compromise, theft or destruction.
Vulnerability Scanning
Vulnerability scanning is a security technique used to identify security weaknesses in a computer system. Vulnerability scanning can be used by individuals or network administrators for security purposes, or it can be used by hackers attempting to gain unauthorized access to computer systems.
Antimalware (anti-malware) is a type of software program designed to prevent, detect and remediate malicious programming on individual computing devices and IT systems.

Antimalware software protects against infections caused by many types of malware, including viruses, worms, Trojan horses, rootkits, spyware, keyloggers, ransomware and adware. Antimalware software can be installed on an individual computing device, gateway server or dedicated network appliance. It can also be purchased as a cloud service or be embedded in a computing device's firmware.

The terms antivirus software and antimalware software are often used as synonyms. Some antimalware vendors, however, like to differentiate the two terms in order to promote the capabilities of their own products and downplay the capabilities of products that carry the more traditional label, antivirus.
18. What can be implemented to address the findings that revealed a company is lacking deterrent security controls?
A. Rogue machine detection
B. Continuous security monitoring
*C. Security cameras
Rogue Machine Detection
In general, a rogue is someone who strays from the accepted path, is mischievous, or is a cheat. In information technology, the term has several usages.

1) A rogue Internet service provider ( ISP ) is one that knowingly originates spam (unsolicited mass e-mail).

2) A rogue Web site is one that subverts a legitimate Web site by appearing to replace it.

3) In programming, rogue code is another term for code that constitutes a virus .

4) Rogue is the name of an animated computer game written in UNIX. It is a dungeons-and-dragons game that has given rise to numerous variations that are popular among young people.
Deterrent Security
Security; the act of making someone decide not to do something
19.) A technician is about to perform a major upgrade to the operating system of a critical system. This system is currently in a virtualization environment. Which of the following actions would result in the LEAST amount of downtime if the upgrade were to fail?
A. Enabling live migration in the VM settings on the virtual server
B. Clustering the storage for the server to add redundancy
C. Performing a full backup of the virtual machine
*D. Taking an initial snapshot of the system
Virtualization Environment
Virtualization is the creation of a virtual -- rather than actual -- version of something, such as an operating system, a server, a storage device or network resources.

You probably know a little about virtualization if you have ever divided your hard drive into different partitions. A partition is the logical division of a hard disk drive to create, in effect, two separate hard drives.

Virtualization describes a technology in which an application, guest operating system or data storage is abstracted away from the true underlying hardware or software. A key use of virtualization technology is server virtualization, which uses a software layer called a hypervisor to emulate the underlying hardware. This often includes the CPU's memory, I/O and network traffic. The guest operating system, normally interacting with true hardware, is now doing so with a software emulation of that hardware, and often the guest operating system has no idea it's on virtualized hardware. While the performance of this virtual system is not equal to the performance of the operating system running on true hardware, the concept of virtualization works because most guest operating systems and applications don't need the full use of the underlying hardware. This allows for greater flexibility, control and isolation by removing the dependency on a given hardware platform. While initially meant for server virtualization, the concept of virtualization has spread to applications, networks, data and desktops.
Virtual Server
A virtual server is a server that shares hardware and software resources with other operating systems (OS), versus dedicated servers. Because they are cost-effective and provide faster resource control, virtual servers are popular in Web hosting environments.

Ideally, a virtual server mimics dedicated server functionalities. Rather than implement multiple dedicated servers, several virtual servers may be implemented on one server.

Each virtual server is designated a separate OS, software and independent reboot provisioning. In a virtual server environment for Web hosting, website administrators or Internet service providers (ISP) may have different domain names, IP addresses, email administration, file directories, logs and analytics. Additionally, security systems and passwords are maintained as if they were in a dedicated server environment. To reduce Web hosting costs, server software installation provisioning is often available.

An overflow of virtual servers in a physical machine may lead to resource hogging, and if a virtual server uses more resources than another, performance issues usually result.
20.) What is the name for an attack that can be used to guess the PIN of an access point for the purpose of connecting to the wireless network?
A. IV attack
B. Rainbow table attack
C. Replay attack
*D. WPS attack
IV Attack (Initialization Vector)
An initialization vector (IV) is an arbitrary number that can be used along with a secret key for data encryption. This number, also called a nonce, is employed only one time in any session.

The use of an IV prevents repetition in data encryption, making it more difficult for a hacker using a dictionary attack to find patterns and break a cipher. For example, a sequence might appear twice or more within the body of a message. If there are repeated sequences in encrypted data, an attacker could assume that the corresponding sequences in the message were also identical. The IV prevents the appearance of corresponding duplicate character sequences in the ciphertext.

The ideal IV is a random number that is made known to the destination computer to facilitate decryption of the data when it is received. The IV can be agreed on in advance, transmitted independently or included as part of the session setup prior to exchange of the message data. The length of the IV (the number of bits or bytes it contains) depends on the method of encryption. The IV length is usually comparable to the length of the encryption key or block of the cipher in use.
Rainbow Table Attack
It's when somebody uses a Rainbow table to crack passwords.
WPS Attack
WPS uses a PIN as a shared secret to authenticate an access point and a client and provide connection information such as WEP and WPA passwords and keys. In the external registrar exchange method, a client needs to provide the correct PIN to the access point.

An attacking client can try to guess the correct PIN. A design vulnerability reduces the effective PIN space sufficiently to allow practical brute force attacks. Freely available attack tools can recover a WPS PIN in 4-10 hours.
21.) When performing a risk analysis, which of the following is considered a threat?
*A. The potential exploitation of vulnerability
B. The presence of a risk in the environment
C. The transference of risk to another party
D. The lack of mitigation for vulnerabilities
Risk Analysis
22.) A company would like to protect its e-commerce site from SQL injection and cross site scripting (XSS). The company should consider deploying which of the following technologies?
*B. Web application firewall
C. Proxy
D. Sandbox
SQL Injection
Cross Site Scripting (XSS)
23.) A company uses digital signatures to sign contracts. The company requires external entities to create an account with a third party digital signature provider and to sign an agreement stating that they will protect the account from unauthorized access. Which of the following security goals is the company trying to address in the given scenario?
A. Availability
*B. Non-repudiation
C. Authentication
D. Confidentiality
E. Due diligence
Digital Signatures
Due Diligence
24.) The security administrator generates a key pair and sends one key inside a request file to a third party. The third party sends back a signed file. In this scenario the file sent by the administrator is a :
Key Pair
25.) A third party has been contracted to perform a remote penetration test of the DMZ network. The company has only provided the third party with the billing department contact information for final payment and a technical point of contact who will receive the penetration test results. Which of the following tests will be performed?
*A. Gray box
B. White box
C. Black box
D. False positive
DMZ Network
Gray Box
White Box
Black Box
False Positive
26.) An administrator is reviewing the logs for a content management system that supports the organizations public facing websites. The administrator is concerned about the number of attempted login failures from other countries for administrator accounts. Which of the following capabilities is BEST to implement if the administrator wants the system to dynamically react to such attacks?
A. Netflow-based rate timing
B. Disable generic administrative accounts
C. Automated log analysis
*D. Intrusion prevention system
Netflow-Based Rate Timing
Automated Log Analysis
Intrusion Prevention System
27.) Jane, a security analyst, is monitoring the IDS console and noticed multiple connections from an internal host to a suspicious call back domain. Which of the following tools would aid her to decipher the network traffic?
A. Vulnerability scanner
*B. Nmap
C. Netstat
D. Packet analyzer
Network Traffic
Vulnerability Scanner
Packet Analyzer
28.) A high traffic website is experiencing numerous brute force attacks against its user base. The attackers are using a very large botnet to carry out the attack. As a result, many users passwords are being compromised. Which of the following actions is appropriate for the website administrators to take in order to reduce the threat from this type of attack in the future?
*A. Temporarily ban each IP address after five failed login attempts
B. Prevent users from using dictionary words in their passwords
C. Prevent users from using passwords that they have used before
D. Require user passwords to be at least ten characters in length
29.) An employee connects a wireless access point to the only jack in the conference room to provide internet access during a meeting. The access point is configured to secure its users with WPA2-TKIP. A malicious user is able to intercept clear text HTTP communication between the meeting attendees and the internet. Which of the following is the reason the malicious user is able to intercept and see the clear text communications?
A. The malicious user is running a wireless sniffer
B. The wireless access point is broadcasting the SSID
*C. The malicious user is able to capture the wired communication
D. The meeting attendees are using unencrypted hard drives
Wireless Access Point
Wireless Sniffer
30.) A user is able to access shares that store confidential information that is not related to the users current job duties. Which of the following should be implemented to prevent this from occurring?
*A. Authorization
B. Authentication
C. Federation
D. Identification
31.) A security administrator is having continued issues with malware variants infecting systems and encrypting several types of files. The malware users a document macro to create a randomly named executable that downloads the encrypting payload of the malware. Once downloaded the malware searches all drives, creates an HTML file with decryption instructions in the directory, and then proceeds to encrypt the target files. Which of the following actions would BEST interrupt the malware before it encrypts the other files while minimizing adverse impacts to the users?
*A. Block execution of documents with macros
B. Block addition of documents with macros
C. Block the creation of the HTML document on the local system
D. Block running external files from within documents
Document Macro
32.) A healthcare organization is in the process of building and deploying a new web server in the DMZ that will enable public internet users the ability to securely send and receive messages from their primary care physicians. Which of the following should the security administrator consider?
A. An in-band method for key exchange and an out of band method for the session
B. An out of band method for key exchange and an in band method for the session
C. A symmetric algorithm for key exchange and an asymmetric algorithm for the session
*D. An asymmetric algorithm for key exchange and a symmetric algorithm for the session
Web Server
In-Band Method for Key Exchange
Out-Band Method for Key Exchange
Symmetric Algorithm
Asymmetric Algorithm
33.) Which of the following should be used to implement voice encryption?
A. SSLv3
Voice Encryption
34.) A company wants to ensure that all software executing on a corporate server has been authorized to do so by a central control point. Which of the following can be implemented to enable such control?
*A. Digital signatures
B. Role-based access control
C. Session keys
D. Non-repudiation
Digital Signatures
Role-Based Access Control
Session Keys
35.) Company policy states that when a virus or malware alert is received, the suspected host is immediately removed from the company network. Which of the following BEST describes this component of incident response?
A. Mitigation
*B. Isolation
C. Recovery
D. Reporting
E. Remediation
36.) A security manager has noticed several unrecognized devices connecting to the company's internal wireless network. Only company -issued devices should be connected to the network. Which of the following controls should be implemented to prevent the unauthorized devices from connecting to the wireless network? ( Select Two)
*A. MAC filtering
B. Create a separate wireless VLAN
C. Implement 802.11n
D. Enable WPA2
*E. Configure DHCP reservations
MAC Filtering
Wireless VLAN
DHCP Reservations
37.) A security administrator receives reports from various organizations that a system on the company network is port scanning hosts on various networks across the internet. The administrator determines that the compromised system is a Linux host and notifies the owner that the system will be quarantined and isolated from the network. The system does not contain confidential data, and the root user was not compromised. The administrator would like to know how the system was compromised, what the attackers did, and what remnants the attackers may have left behind. Which of the following are the administrators NEXT steps in the investigation? (Select two)
A. Reinstall the procps package in case system utilities were modified
*B. Look for recently modified files in user and tmp directories
C. Switch SELinux to enforcing mode and reboot
D. Monitor perimeter firewall for suspicious traffic from the system
*E. Check running processes and kernel modules
F. Remove unnecessary accounts and services
procps package
tmp directories
Kernel Modules
38.) A manager is reviewing bids for internet service in support of a new corporate office location. The location will provide 24 hour service in the organization's global user population. In which of the following documents would the manager MOST likely find quantitative data regarding latency levels and MTTR?
Latency Levels
39.) A system administrator decided to perform maintenance on a production server servicing retail store operations. The system rebooted in the middle of the day due to the installations of monthly operating system patches. The downtime results in lost revenue dut to the system being unavailable. Which of the following would reduce the likelihood of this issue occurring again?
A. Routine system auditing
*B. Change management controls
C. Business continuity planning
D. Data loss prevention implementation
40.) A UNIX server recently had restricted directories deleted as the result of an insider threat. The root account was used to delete the directories while logged on at the server console. There are five administrators that know the root password. Which of the following could BEST identify the administrator that removed the restricted directories?
A. DHCP logs
B. CCTV review
C. DNS Logs
D. Network traffic
41.) A system administrator is part of the organizations contingency and business continuity planning process. The systems administrator and relevant team participate in the analysis of a contingency situation intended to elicit constructive discussion. Which of the following types of activity is MOST accurately described in this scenario?
A. Business impact analysis
B. Full-interruption exercise
*C. Tabletop exercise
D. Lessons learned
E. Parallel simulation
Business Impact Analysis
Full-Interruption Exercise
Tabletop Exercise
Parallel Simulation
42.) Recently, the desktop support group has been performing a hardware refresh and has replaced numerous computers. An auditor discovered that a number of the new computers did not have the company's antivirus software installed on them. Which of the following could be utilized to notify the network support group when computers without the antivirus software are added to the network?
A. Network port protection
D. MAC filtering
Network Port Protection
MAC Filtering
43.) Which of the following types of attacks uses email to specifically target high level officials within an organization?
A. Spim
*B. Spear Phishing
C. Pharming
D. Spoofing
Spear Phishing
44.) A security architect is supporting a project team responsible for a new extranet application. As part of their activities, the team is identifying roles within the system and documenting possible conflicts between roles that could lead to collusion between users. Which of the following principles of risk mitigation is the team implementing?
A. Dual Control
B. Least Privilege
*C. Separation of duties
D. Job rotation
Dual Control
Least Privilege
Separation of Duties
Job Rotation
45.) A company just purchased a new digital thermostat that automatically will update to a new firmware version when needed. Upon connecting it to the network a system administrator notices that he cannot get access to the thermostat but can get access to all other network devices. Which of the following is the MOST likely reason the thermostat is not connecting to the internet?
*A. The company implements a captive portal
B. The thermostat is using the incorrect encryption algorithm
C. The WPA2 shared key is incorrect
D. The company's DHCP server scope is full
Captive Portal
46.) A company has a proprietary device that requires access to the network be disabled. Only authorized users should have access to the device. To further protect the device from unauthorized access, which of the following would also need to be implemented?
A. Install NIPS within the company to protect all assets
B. Block port 80 and 443 on the firewall
C. Install a cable lock to prevent theft of the device
*D. Install software to encrypt access to the hard drive
Proprietary Device
Port 80
Port 443
47.) A company uses PKI certificates stored on a smart chip enabled badge. The badge is used for a small number of devices that connect to a wireless network. A user reported that their badge was stolen. Which of the following could the security administrator implement to prevent the stolen badge from being used to compromise the wireless network?
A. Asset tracking
B. Honeynet
*C. Strong PSK
D. MAC filering
PKI Certificates
Smart Chip Enabled Badge
Asset Tracking
48.) The CSO is concerned with unauthorized access at the company's off-site datacenter. The CSO would like to enhance the security posture of the datacenter. Which of the following would BEST prevent unauthorized individuals from gaining access to the datacenter?
*A. Security guard
B. Video monitoring
C. Magnetic entry cards
D. Fencing
49.) One of the driving factors towards moving an application to a cloud infrastructure is increased application availability. In the case where a company creates a private cloud, the risk of application downtime is being:
A. Transferred
*B. Avoided
C. Mitigated
D. Accepted
50.) A security administrator wishes to set up a site to site IPSec VPN tunnel between two locations. Which of the following IPSec encryptions and hashing algorithms would be chosen for the least performance impact?
IPsec VPN Tunnel
51.) Which of the following is a security weakness associated with software-based disk encryption?
A. Employed encryption algorithms are generally weaker when implemented In software
B. A dedicated processor is used by the cryptomodule
C. The key can be physically extracted from the encrypted medium
*D. Cryptographic operations can be far slower than with hardware based encryption
Software-Based Disk Encryption
52.) A network administrator discovers that telnet was enabled on the companys human resources payroll server and that someone outside of the HR subnet has been attempting to log into the server. The network administrator has disabled telnet on the payroll server. Which of the following is a method of tracking attempts to log onto telnet without exposing important company data?
A. Banner grabbing
B. Active port numbers
*C. Honeypot
D. Passive IPS
Banner Grabbing
Passive IPS
Active Port Numbers
53.) A penetration tester is attempting to determine the operating system of a remote host. Which of the following methods will provide this information?
A. Protocol analyzer
B. Honeypot
C. Fuzzer
*D. Banner grabbing
Protocol Analyzer
54.) A company's security analyst is investigating the suspected compromise of the company's intranet web server. The compromise occurred at a time when no users were logged into the domain. Which of the following is Most likely to have prevented the attack from a new machine introduced to the corporate network?
A. Domain log review
B. 802.1x
*D. Rogue detection
Domain Log Review
Rogue Detection
55.) Which of the following types of attacks are MOST likely to be successful when using fuzzing against an executable program? ( select Two)
A. SQL injection
B. Session hijacking
*C. Integer overflow
*D. Buffer overflow
E. Header manipulation
SQL Injection
Session Hijacking
Integer Overflow
Buffer Overflow
Header Manipulation
56.) Which of the following authentication services utilizes UDP for communication between client and server?
A. Kerberos
57.) As their data set rapidly grows and changes, a company is experiencing availability problems with their database. The security manager recommends switching to a more scalable system with dynamic schemas. Which of the following would meet the security manager's requirements?
C. MariaDB
A company provides wireless access for employees and a guest wireless network for visitors. The employee wireless network is encrypted and requires a password. The guest wireless network does not use an encrypted connection and does not require a password. An administrator walks by a visitors laptop and notices the following command line output: reaver -I mon -b 7A:E5:9A:42:2C:C1 -vv
[+] Trying pin 12345678
[+] 93.41% complete @ 2016-04-16 11:25:15 (15 seconds)
[+] WARNING: 10 failed connections in a row
[+] Trying pin 12345688

Which of the following should the administrator implement and why?
A. Initiate employee password changes because the visitor has captured passwords and is attempting offline cracking of those passwords
B. Implement two factor wireless authentication because the visitor will eventually brute force the network key
C. Apply WPA or WPA2 encryption because the visitor is trying to crack the employee network that is encrypted with WEP
*D. Disable WPS because the visitor is trying to crack the employee network
E. Apply MAC filtering because the visitor already has the network password
59.) When implementing a mobile security strategy for an organization, which of the following is the MOST influential concern that contributes to that organizations ability to extend enterprise policies to mobile devices?
*A. Support for mobile OS
B. Support of mobile apps
C. Availability of mobile browsers
D. Public key management
60.) A system administrator runs a network inventory scan every Friday at 11:00 am to track the progress of a large organizations operating system upgrade of all laptops. The system administrator discovers that some laptops are now only being reported as IP addresses. Which of the following is MOST likely the cause of this issue?
*B. Host-based firewalls rules
C. All the laptops are currently turned off
D. DNS replication
61.) A company is exploring the possibility to integrate some of its internal processes with an external cloud service provider. Which of the following should be implemented if the company wants to preserve its internal authentication and authorization process and credentials?
*A. Single sign-on
B. Dual factor authentication
C. Federation
62.) An employee has been terminated due to inappropriate internet use. A computer forensics technician at the organization acquired an image of the hard drive and hashed it using MD5. The former employee has filed a lawsuit. The former employee's attorney requests a copy of the image so it can be independently reviewed by the legal team. Upon receiving the image, the attorney's technician also generates an MD5 hash of the image and comes up with a different output than what was provided. Which of the following MOST likely occurred?
A. The wrong preshared key was used
B. The hashes were produced using different algorithms
C. The hashes were produced on two different operating systems
*D. Files on the image have been altered
63.) A security architect is supporting a project team responsible for a new extranet application. As part of their activities, the team is identifying roles within the system and documenting possible conflicts between roles that could lead to collusion between users. Which of the following principles of risk mitigation is the team implementing?
A. Dual control
B. Least privilege
*C. Separation of duties
D. Job rotation
64.) A company hosts sites for multiple vendors and provides information to users globally. Which of the following is a critical security consideration in this environment?
A. Proxy servers to enforce a single access mechanism to the data warehouse
B. Firewalls to ensure that the data warehouse is not accessible to the internet
*C. Access controls to prevent users from accessing the entire data warehouse
D. Query protocols should use non-standard ports to protect user result-sets
65.) A security administrator, believing it to be a security risk, disables IGMP snooping on a switch. This breaks a video application. The application is MOST likely using:
*B. Multicast
C. Anycast
IGMP Snooping
66.) A security engineer is monitoring suspicious traffic from an internal endpoint to a malicious landing page of an external entity. The internal endpoint is configured using a limited account, is fully patched to current standards, and has current antivirus signatures. No alerts have been received involving this endpoint. The security engineer finds malicious code on the endpoint during a forensics analysis. Which of the following MOST likely explains this occurrence?
A. The external entity breached the IDS
*B. The antivirus engine was evaded
C. The DLP did not detect the malicious code
D. The endpoint was running on a hypervisor
67.) A security administrator recently implemented IPSec for remote users. Which of the following ports must be allowed through the firewall in order for remote access to be successful if the tunneling protocol is PPTP?
A. UDP 500
B. UDP 1723
*C. TCP 1723
D. TCP 4500
UDP 500
UDP 1723
TCP 1723
TCP 4500
68.) A user has been working on a project to implement controls for data storage. Which of the following policies defines how long specific data should remain on company equipment?
*A. Data retention policy
B. Data wiping policy
C. Data classification policy
D. Data disposal policy
Data Retention Policy
Data Wiping Policy
Data Classification Policy
Data Disposal Policy
69.) A system administrator has received several service desk tickets relating to users receiving rejection notices from third-party destination email servers. The users in question were previously able to send emails to the recipients mentioned in the ticket. Which of the following items should the system administrator review to determine a possible cause for the issue?
A. *DNS blacklists
B. Spam filter configuration
C. Local hosts file
D. SMTP queue
DNS Blacklist
Spam Filter
70.) An enterprise needs to be able to receive files that contain PII from many customers at different times. The data must remain encrypted during transport and while at rest. Which of the following encryption solutions would meet both of these requirements?
71.) A security analyst has been asked to perform penetration testing against a web application being deployed for the first time. When performing the test the application stops responding and returns an error referring to failed database connections. Upon further investigation, the analyst finds the database server was inundated with commits which exhausted available space on the volume. Which of the following attacks has been performed against the database server?
A. DoS
*B. SQL injection
C. SYN flood
D. DDos
E. Cross-site scripting
SYN Flood
Cross-site scripting
72.) Virtualization would provide an ROI when implemented under which of the following situations?
A. Numerous servers with no fail-over requirement
B. Multiple existing 100% utilized physical servers
C. Numerous clients with a requirement for fast processors
*D. Multiple existing but underutilized physical servers
73.) An organization decides to implement a BYOD policy but wants to ensure they address requirements associated with any legal investigations and controls needed to comply with the analysis and recreation of an incident. This concern is also known as which of the following?
A. Data ownership
B. Forensics
*C. Chain of custody
D. Acceptable use
Data Ownership
Chain of Custody
Acceptable Use
74.) When implementing a new system, a systems administrator works with the information system owner to identify and document the responsibilities of various positions within the organization. Once responsibilities are identified, groups are created within the system to accommodate the various responsibilities of each position type, with users being placed in these groups. Which of the following principles of authorization is being developed?
A. Rule-based access control
B. Least privilege
C. Separation of duties
D. Access control lists
*E. Role-based access control
Rule-Based Access Control
Role-Based Access Control
75.) Which of the following network design components would assist in separating network traffic based on the logical location of users?
A. IPSec
76.) The SSID broadcast for a wireless router has been disabled but a network administrator notices that unauthorized users are accessing the wireless network. The administrator has determined that attackers are still able to detect the presence of the wireless network despite the fact that the SSID has been disabled. Which of the following would further obscure the presence of the wireless network?
A. Upgrade the encryption to WPA or WPA2
B. Create a non-zero length SSID for the wireless router
C. Reroute wireless users to a honeynet
*D. Disable responses to a broadcast probe request
77.) A web application is configured to target browsers and allow access to bank accounts to siphon money to a foreign account. This is an example of which of the following attacks?
A. SQL injection
B. Header manipulation
*C. Cross-site scripting
D. Flash cookie exploitation
Header Manipulation
Flash Cookie Exploitation
78.) Virtualization that allows an operating system kernel to run multiple isolated instances of a guest OS is :
A. Process segregation
B. Software defined network
*C. Containers
D. Emulation
79.) A plant security officer is continually losing connection to two IP cameras that monitor several critical high voltage motors. Which of the following should the network administrator do to BEST ensure the availability of the IP camera connections?
A. Use a wireless bridge instead of the network cables
B. Replace patch cables with shielded cables
*C. Change existing cables with optical cables
D. Add new conduit runs for the network cables
Wireless Bridge
Optical Cables
Conduit Runs
80.) During a trial for possession of illegal content, a defense attorney argues that several of the files on the forensic image may have been tampered with. How can a technician BEST disprove this argument?
A. Trace the chain-of-custody from the time of arrest until the time of trial
B. Have a forensic investigator undergo a polygraph examination
*C. Take hashes from the suspect source drive, and compare them to hashes on the forensics image
D. Access the system logs on the forensic image, and see if any logins occurred after the suspect's arrest
81.) An auditing organization frequently deploys field employees to customer sites worldwide. While at the customer sites, the field employees often need to connect to the local network to access documents and data. Management is concerned that the field employee laptops might become infected with malware while on the customer networks. Which of the following could be deployed to decrease the amount of risk incurred by the field employees?
82.) Joe, a user, wants to configure his workstation to make certain that the certificate he receives when connecting to websites is still valid. Which of the following should Joe enable on his workstation to achieve this?
*A. Certificate revocation
B. Key escrow
C. Registration authority
D. Digital signatures
Certificate Revocation
Registration Authority
83.) When implementing a new system, a systems administrator works with the information system owner to identify and document the responsibilities of various positions within the organization. Once responsibilities are identified, groups are created within the system to accommodate the various responsibilities of each position type, with users being placed in these groups. Which of the following principles of authorization is being developed?
A. Rule-based access control
B. Least privilege
C. Separation of duties
D. Access control lists
*E. Role-based access control
84.) An organization received a subpoena requesting access to data that resides on an employee's computer. The organization uses PKI. Which of the following is the BEST way to comply with the request?
A. Certificate authority
B. Public key
C. Key escrow
D. Registration authority
*E. Key recovery agent
85.) Which of the following is a security weakness associated with software-based disk encryption?
A. Employed encryption algorithms are generally weaker when implemented in software
B. A dedicated processor is used by the cryptomodule
C. The key can be physically extracted from the encrypted medium
*D. Cryptographic operations can be far slower than with hardware based encryption
86.) A large retail vendor provides access to a heating, ventilation, and air conditioning vendor for the purpose of issuing billing statements and receiving payments. A security administrator wants to prevent attackers from using compromised credentials to access the billing system, moving literally to the point-of-sale system, and installing malware to skim credit card data. Which of the following is the MOST important security architecture consideration the retail vendor should impose?
A. Data encryption
*B. Network segregation
C. Virtual private networking
D. Application firewalls
87.) A security administrator, believing it to be a security risk, disables IGMP snooping on a switch. This breaks a video application. The application is MOST likely using.
B. Multicast
C. Anycast
88.) A global gaming console manufacturer is launching a new gaming platform to its customers. Which of the following controls reduces the risk created by malicious gaming customers attempting to circumvent controls by way of modifying consoles? ( select two)
*A. Firmware version control
B. Manual software upgrades
C. Vulnerability scanning
D. Automatic updates
*E. Network segmentation
F. Application firewalls
Firmware Version Control
89.) The security administrator for a growing company is concerned about the increasing prevalence of personal devices connected to the corporate WLAN. Which of the following actions should the administrator take FIRST to address this concern?
A. Implement RADIUS to centrally manage access to the corporate network over Wi-Fi
*B. Request that senior management support the development of a policy that addresses person devices
C. Establish a guest-access wireless network and request that employees use the guest network
D. Distribute a memo addressing the security risks associated with the use of personally-owned devices on the corporate WLAN
90.) After disabling SSID broadcast, a network administrator still sees the wireless network listed in available networks on a client laptop. Which of the following attacks may be occurring ?
*A. Evil twin
B. Rod's access point
C. Arp spoofing
D. Rogue access point
E. TKIP compromise
Evil Twin
Rod's Access Point
Arp Spoofing
Rogue Access Point
TKIP Compromise
91.) A recent regulatory audit discovers a large number of former employees with active accounts. Terminated users are removed from the HR system but not from Active Directory. Which of the following processes would close the gap identified?
A. Send a recurring email to managers with a link to IT security policies
B. Perform routing audits against the HR system and Active Directory
*C. Set an account expiration date for all Active Directory accounts to expire annually
D. Conduct permissions reviews in Active Directory for group membership
Active Directory
92.) Which of the following is the MAIN purpose for incorporating a DMZ into the design of a network?
A. Incorporate a secure place to house print servers and other networking equipment
B. Have Rod to come out and secure the network even if he knows nothing about it
C. Facilitate the creation of resources accessed by internal users in a secure manner
D. Provide an isolated location for servers accessed from the intra and inter networks
93.) A security engineer wants to communicate securely with a third party via email using PGP. Which of following should the engineer send to the third party to enable the third party to securely encrypt email replies?
*A. Public key
B. Private key
C. Key escrow
D. Recovery key
94.) A datacenter manager has been asked to prioritize critical system recovery priorities. Which of the following is the MOST critical for immediate recovery?
A. Remote assistance software
B. Operating system software
C. Weekly summary reports to management
*D. Financial and production software
95.) A risk assessment team is concerned about hosting data with a cloud service provider. Which of the following findings would justify this concern?
A. The CSP utilizes encryption for data at rest and in motion
*B. The CSP takes into account multinational privacy concerns
C. The financial reveiew indicates the company is a startup
D. SLAs state service tickets will be resolved in less than mins
96.) A security administrator is responsible for the deployment of a new two-factor authentication solution. The administrator has been informed that the solution will use soft tokens. Which of the following are valid token password schemes for the two-factor solution being deployed? ( select Two)
A. Chap
E. Smart card
*F. Time-based
Two-Factor Authentication
Password Scheme
Smart Card
97.) A security administrator has implemented a series of computers to research possible intrusions into the organizational network, and to determine the motives as well as the tool used by the malicious entities. Which of the following has the security administrator implemented?
A. Honeypot
*C. Honeynet
98.) Which of the following allows an application to securely authenticate a user by receiving credentials from a remote web domain?
C. Kerberos
99.) A company is exploring the possibility to integrate some of its internal processes with an external cloud service provider. Which of the following should be implemented if the company wants to preserve its internal authentication and authorization process and credentials?
A. Single sign-on
B. Dual factor authentication
C. Federation
100.) Many employees are receiving email messages similar to the one shown below From: IT Department To: Employee Subject: Email quota exceeded Please check on the following link Http://www.getatme.infoemail.php?quota= Gb and provide your username and password to increase your email quota Upon reviewing other similar emails, the security administrator realizes that all the phishing URLs have the following common elements they all use HTTP, they all come from info domains, and they all contain the same URL. Which of the following should the security administrator configure on the corporate content filter to prevent users from accessing the phishing URL, while at the same time minimizing false positives?
A. Block http//www"info"
B. Drop http//""php
C. Redirect
*D. DENY http://"infoemail.php"quota=Gb
101.) Which of the following social engineering attacks would describe a situation where an attacker calls an employee while impersonating a corporate executive?
A. *Vishing
B. Pharming
C. Whaling
D. Pharrming
102.) A security administrator determined that the time required to brute force 90% of the companys password hashes is below the acceptable threshold. Which of the following, if implemented, has the GREATEST impact in bringing this time above the acceptable threshold?
A. Use a shadow password file
*B. Increase the number of PBKDF2 iterations
C. Change the algorithm used to salt all passwords
D. Use a stronger hashing algorithm for password storage
Shadow Password File
PBKDF2 Iterations
103.) Which of the following is important to reduce risk?
A. Separation of duties
B. Risk acceptance
*C. Risk transference
D. Threat modeling
Risk Acceptance
Risk Transference
Threat Modeling
104.) An outside testing company performing black box testing against a new application determines that it is possible to enter any characters into the applications web-based form. Which of the following controls should the application developers use to prevent this from occurring?
A. CSRF prevention
B. Sandboxing
C. Fuzzing
*D. Input validation
Input Validation
CSRF Prevention
Black Box Testing
105.) The network administrator for a small business is configuring a wireless network for 20 users. Which of the following explains why the administrator would choose WPA2-Pesonal over WPA-2 Enterprise?
*A. It does not require a RADIUS server
B. It uses 3DES encryption
C. It has 14 channels available
D. It allows a separate password for each device
3DES encryption
106.) The security director has a mantrap installed for the company's data center. This control is installed to mitigate:
A. Transitive access
*B. Tailgating
C. Shoulder surfing
D. Impersonation
Transitive Access
Shoulder Surfing
107.) A company needs to ensure that employees that are on vacation or leave cannot access network resources, while still retaining the ability to receive emails in their inboxes. Which of the following will allow the company to achieve this goal?
A. Set up an email alias
B. Remove user privileges
C. Install an SMTP proxy server
*D. Reset user passwords
SMTP Proxy Server
108.) Which of the following is an administrative control used to reduce tailgating?
A. Delivering security training
B. Erecting a fence
C. Implementing magnetic locks and doors
*D. Installing a mantrap
109.) Which of the following would enhance the security of accessing data stored in the cloud? (select two)
A. Block level encryption
B. SAML authentication
C. Transport encryption
*D. Multifactor authentication
*E. Predefined challenge questions
F. Hashing
Block Level Encryption
SAML Authentication
Transport Encryption
Multifactor Authentication
110.) A company has hired an ex-employee to perform a penetration test of the company's proprietary application. Although the ex-employee used to be part of the development team, the application has gone through some changes since he employee left. Which of the following can the ex-employee perform if the company is not willing to release any information on the software to the ex-employee?
A. Black box testing
B. Regression testing
C. White box testing
*D. Grey box testing
Grey Box Testing
Regression Testing
111.) Joe has been in the same IT position for the last 27 years and has developed a lot of the homegrown applications that the company utilizes. The company is concerned that Joe is the only one who can administer these applications. The company should enforce which of the following best security practices to avoid Joe being a single point of failure?
A. Separation of duties
B. Least privilege
*C. Job rotation
D. Mandatory vacations
112.) Which of the following are BEST used in the process of hardening a public facing web server? (Select 2)
*A. Vulnerability scanner
*B. Protocol analyzer
C. Honeynet
D. Port scanner
E. Honeypot
Public Facing Web Server
113.) A company is planning to encrypt the files in several sensitive directories of a file server with a symmetric key. Which of the following could be used?
*B. TwoFish
C. Diffie-Hellman
114.) In the course of troubleshooting wireless issues from users, a technician discovers that users are connecting to their home SSID's while at work. The technician scans but detects none of those SSIDs. The technician eventually discovers a rogue access point that spoofs any SSID that a client requests. Which of the following allows wireless use while mitigating this type of attack?
A. Configure the device to verify access point MAC addresses
B. Disable automatic connection to unknown SSIDs
C. Only connect to trusted wireless networks
*D. Enable MAC filtering on the wireless access point
115.) Which of the following BEST represents a security challenge faced primarily by organizations employing a mobility BYOD strategy?
A. Balancing between the security of personal information and the company's information sharing requirements
*B. Balancing between the assurance of individual privacy rights and the security of corporate data
C. Balancing between device configuration enforcement and the management of cryptographic keys
D. Balancing between the financial security of the company and the financial security of the user
116.) A security administrator receives reports from various organizations that a system on the company network is port scanning hosts on various networks across the internet. The administrator determines that the compromised system is a Linux host and notifies the owner that the system will be quarantined and isolated from the network. The system does not contain confidential data, and the root user was not compromised. The administrator would like to know how the system was compromised, what the attackers did, and what remnants the attackers may have left behind. Which of the following are the administrator's NEXT steps in the investigation? (Select Two)
A. Reinstall the procps package in case system utilities were modified
*B. Look for recently modified files in use and tmp directories
C. Switch SELinux to enforcing mode and reboot
D. Monitor perimeter firewall for suspicious traffic from the system
*E. Check running processes and kernel modules
F. Remove unnecessary accounts and services
117.) A company was recently the victim of a major attack which resulted in significant reputational loss. Joe, a member of the company incident response team, is currently reviewing Standard Operating Procedures for the team in the wake of the attack. Which of the following best identifies the stage of incident response that Joe is in?
A. Reporting
*B. Lessons learned
C. Mitigation steps
D. Preparation
Lessons Learned
118.) An increase in the number of wireless users on the subnet has caused the DHCP pool to run out of addresses, which prevents users from accessing important network resources. Which of the following should the administrator do to correct this problem?
*A. Decrease the subnet mask network bits
B. Increase the dynamic ARP timeout
C. Switch to static IP address assignment
D. Increase the DHCP lease time
Subnet Mask
119.) Which of the following should be implemented to enforce the corporate policy requiring up-to-date and OS patches on all computers connecting to the network via VPN?
120.) A single server hosts a sensitive SQL-based database and a web service containing static content. A few of the database fields need to be encrypted due to regulatory requirements. Which of the following would provide the BEST encryption solution for this particular server?
*A. Individual file
B. Database
C. Full disk
D. Record based
Full Disk
Record Based
Individual File
121.) A network was down for several hours due to a contractor entering the premises and plugging both ends of a network cable into adjacent network jacks. Which of the following would have prevented the network outage?
*A. Port security
*B. Loop protection
C. Implicit deny
D. Log analysis
E. MAC filtering
F. Trunk port
Trunk Port
Implicit Deny
122.) A media company would like to securely stream live video feeds over the internet to clients. The security administrator suggests that the video feeds be encrypted in transport and configures the web server to prefer ciphers suited for the live video feeds. Which of the following cipher suites should the administrator implement on the web server to minimize the computational and performance overhead of delivering the live feeds?
123.) After a wireless security breach, the network administrator discovers the tool used to break into the network. Using a brute force attack, the tool is able to obtain the wireless password in less than 11,000 attempts. Which of the following should be disabled to prevent this type of attack in the future?
124.) While responding to an incident on a new Windows server, the administrator needs to disable unused services. Which of the following commands can be used to see processes that are listening on a TCP port?
A. Ipconfig
*B. Netstat
C. Psinfo
D. Net session
Net Session
125.) A security administrator is tasked with conducting an assessment made to establish the baseline security posture of the corporate IT infrastructure. The assessment must report actual flaws and weaknesses in the infrastructure. Due to the expense of hiring outside consultants, the testing must be performed using in-house or cheaply available resources. There cannot be a possibility of any equipment being damage in the test. Which of the following has the administrator been tasked to perform?
A. Risk transference
B. Penetration test
C. Threat assessment
*D. Vulnerability assessment
126.) Following a site survey for an upcoming 5GHz wireless network implementation, the project manager determines that several areas of the facility receive inadequate coverage due to the use of vertical antennas on all access points. Which of the following activities would be MOST likely to remediate the issue without changing the current access point layout in the facility?
A. Convert all access points to models operating at 2.4GHz
B. Install antennas with lower front-to-back ratios to narrow the focus of coverage as needed
C. Reorient the existing antennas in horizontal configuration
*D. Install unidirectional antennas to focus coverage where needed
5GHz Wireless Network
Unidirectional Antennas
127.) Two companies are partnering to bid on a contract. Normally these companies are fierce competitors but for this procurement they have determined that a partnership is the only way they can win the job. Each company is concerned about unauthorized data sharing and wants to ensure other divisions within each company will not have access to proprietary data. To best protect against unauthorized data sharing they should each sign a(n)
128.) A security administrator runs a port scan against a server and determines that the following ports are open TCP 22, TCP 25, TCP 80, TCP 631, and TCP 995. Which of the following MOST likely describes the server?
A. The server is an email server that requires secure email transmittal
B. The server is a web server that requires secure communication
C. The server is a print server that requires secure authentication
*D. The server is an email server that requires secure email retrieval
TCP 22
TCP 25
TCP 80
TCP 631
TCP 995
129.) The security administrator receives a service ticket saying a host-based firewall is interfering with the operation of a new application that is being tested in development. The administrator asks for clarification on which ports need to be open. The software vendor replies that it could use up to 20 ports and many custormers have disabled the host-based firewall. After examining the system, the administrator sees several ports that are open for database and application servers that are only used locally. The vendor continues to recommend disabling the host-based firewall. Which of the following is the BEST course of action for the administrator to take?
A. Allow ports used by the application through the network firewall
B. Allow ports used externally through the host firewall
*C. Follow the vendor's recommendation and disable the host firewall
D. Allow ports used locally through the host firewall
130.) Which of the following can be used by PPP for authentication?
131.) An organization uses security tokens as part of two factor authentication. If the seed values for the tokens are suspected to have been compromised, which of the following actions will mitigate the risk and be the MOST cost effective?
A. Replace the tokens
B. Issue smartcards
*C. Change the token algorithms
D. Have users change their passwords
132.) During a recent network audit, it was found that several devices on the internal network were not running antivirus or HIPS. Upon further investigation, it was discovered that these devices were new laptops that were deployed without having the end-point protection suite used by the company installed. Which of the following could be used to mitigate the risk of authorized devices that are unprotected residing on the network?
A. Host-based firewall
B. Network-based IPS
C. Centralized end-point management
*D. MAC filtering
133.) Several customers received an email from an employee that advertised better rates at a different company. Shortly after the email was sent, Ann, the employee who sent the email, resigned and joined the other company. When confronted, Ann claimed that she did not send the email, it was another person spoofing her email address. Which of the following would eliminate Ann's excuse in the future?
A. Sender policy framework
*B. Non-repudiation
C. Encrypted email
D. Outgoing mail filters
Outgoing Mail Filters
Sender Policy Framework
134.) An attacker wants to exfiltrate confidential data from an organization. The attacker decides to implement steganography as the method of exfiltration. Which of the following techniques should the attacker use?
A. Encrypt an existing image file
*B. Add information to a sound file
C. Hash a known document
D. Use a substitution cipher
135.) A network administrator is in the process of developing a new network security infrastructure. One of the requirements for the new system is the ability to perform advanced authentication, authorization, and accounting services. Which of the following technologies BEST meets the stated requirement?
A. Kerberos
136.) The network sees a "%CAM-TABLE-FULL" message on a network switch. Upon investigation, the administrator, notices thousands of MAC addresses associated with a single untagged port. Which of the following should be implemented to prevent this type of attack?
A. Port security
*B. BPDU guard
C. 802.1x
BPDU Guard
137.) A network technician needs to pass traffic from the company's external IP address to a front-end mail server in the DMZ without exposing the IP address of the mail server to the external network. Which of the following should the network technician use?
138.) An engineer is designing a system that needs the fastest encryption possible due to system requirements. Which of the following should the engineer use?
A. Symmetric key
*B. RSA-1024
C. Rainbow tables
D. SHA-256
E. Public key encryption
139.) A security administrator is trying to determine the source of a suspected denial of service attack that is consistently disconnecting most systems from the wireless network. Hourly checks verify that there are no rogue wireless access points, unauthorized wireless clients, or de-authentication attacks occurring. Which of the following should the administrator use to BEST identify the reason for the outage?
A. Perform a packet capture
B. Deploy a wireless IDS
C. Use a spectrum analyzer
*D. Conduct a wireless site survey
Spectrum Analyzer
140.) A security analyst at a nuclear power plant needs to secure network traffic from the legacy SCADA systems. Which of the following methods could the analyst use to secure network traffic in this static environment?
*A. Implement a firewall
B. Implement a HIDS
C. Implement a NIDS
D. Implement a rootjail
141.) A security administrator receives reports from various organizations that a system on the company network is port scanning hosts on various networks across the internet. The administrator determines that the compromised system is a Linux host and notifies the owner that the system will be quarantined and isolated from the network. The system does not contain confidential data, and the root user was not compromised. The administrator would like to know how the system was compromised, what the attackers did, and what remnants the attackers may have left behind. Which of the following are the administrators NEXT steps in the investigation? (Select Two)
A. Reinstall the procps package in case system utilities were modified
*B. Look for recently modified files in user and tmp directories
C. Switch SELinux to enforcing mode and reboot
D. Monitor perimeter firewall for suspicious traffic from the system
*E. Check running processes and kernel modules
F. Remove unnecessary accounts and services
142.) Several users require administrative access for software compatibility reasons. Over time, these users have made several changes to important system settings. Which of the following is the BEST course of action to ensure the system settings are properly enforced?
A. Require users to run under a standard user account
B. Use centralized group policy to configure the systems
*C. Conduct user access reviews to determine appropriate privileges
D. Implement an application whitelist throughout the company
143.) A company wants to ensure that all software executing on a corporate server has been authorized to do so by a central control point. Which of the following can be implemented to enable such control?
*A. Digital signatures
B. Role-Based access control
C. Session keys
D. Non-repudiation
144.) An employee connects to a public wireless hotspot during a business trip. The employee attempts to go to a secure website but instead connects to an attacker who is performing a man-in-the-middle attack. Which of the following should the employee do to mitigate the vulnerability described in the scenario?
*A. Connect to a VPN when using public wireless networks
B. Only connect to WPA2 networks regardless of whether the network is public or private
C. Ensure a host-based firewall is installed and running when using public wireless networks
D. Check the address in the web browser before entering credentials
145.) A PKI architect is implementing a corporate enterprise solution. The solution will incorporate key escrow and recovery agents, as well as a tiered architecture. Which of the following is required in order to implement the architecture correctly?
A. Certificate revocation list
B. Strong ciphers
*C. Intermediate authorities
D. IPsec between CAs
Intermediate Authorities
IPsec between CAs
146.) An administrator would like to restrict traffic between two VLANs. The network devices connecting the two VLANs are layer 3 switches. Which of the following should the administrator configure?
A. IDS rule
B. Firewall
D. Subnet mask
147.) Joe, an administrator, has been in the sam IT position for the past 27 years and has developed a lot of the homegrown applications the company utilizes. The company is concerned that Joe is the only one who can administer these applications. Which of the following best security practices should the company enforce to prevent Joe from being a single point of failure?
A. Separation of duties
B. Least privilege
*C. Job rotation
D. Mandatory vacations
148.) A technician has raised concern over employees on the manufacturing floor moving computers between work areas. The technician is concerned that the activity is making it more difficult to track down rogue devices on the network and provide timely support. Which of the following would prevent this from occurring?
A. 802.1X
B. Video surveillance
C. Full-disk encryption
*D. Cable locks
149.) Which of the following should mobile devices use in order to protect against data theft in an offline attack?
A. Application controls
*B. Full device encryption
C. Storage segmentation
D. Whitelisting
E. Remote wiping
Full Device Encryption
150.) A security administrator is performing a vulnerability scan and discovers that port 21 and 22 are open to support FTPS. Which of the following is this an example of?
A. False positive
B. Input validation
C. Banner grabbing
*D. Common misconfiguration
151.) The network engineer for an organization intends to use certificate-based 802.1X authentication on a network. The engineer's organization has an existing PKI that is used to issue server and user certificates. The PKI is not currently configured to support the issuance of 802.1X certificates. Which of the following represents an item the engineer MUST configure?
B. Web Enrollment portal
C. Symmetric cryptography
*D. Certification extension
152.) An administrator needs to allow a third-party service to authenticate users, but does not want to give the third-party access to user credentials. Which of the following allows this type of authentication?
153.) While performing surveillance activities, an attacker determined that an organization is using 802.1X to secure LAN access. Which of the following attack mechanisms can the attacker utilize to bypass the identified network security controls?
*A. MAC spoofing
B. Pharming
C. Xmas attack
D. ARP Poisoning
154.) An attacker is attempting to determine the patch-level version a web server is running on its open ports. Which of the following is an active technique that will MOST efficiently determine the information the attacker is seeking?
*A. Banner grabbing
B. Vulnerability scanning
C. Port scanning
D. Protocol analysis
155.) In order to establish a connection to a server using secure LDAP, which of the following MUST be installed on the client?
A. Server public key
B. Subject alternative name certificate
*C. CA anchor of trust
D. Certificate signing request
156.) A help desk technician receives a request for information from a user regarding a new policy a department issued. The policy states that all emails with embedded URLs or images be digitally signed. Which of the following represent possible motivators for this new policy? ( select Two)
A. Service availability
*B. Non- repudiation
C. User authentication
D. Confidentiality
E. Anti-malware
*F. Message integrity
157.) A bank is planning to implement a third factor to protect customer ATM transactions. Which of the following could the bank implement?
*B. Fingerprint
C. Chip and PIN
158.) The content of a document that is routinely used by several employees and contains confidential information has been changed. While investigating the issue, it is discovered that payment information for all of the company's clients has been removed from the document. Which of the following could be used to determine who changed the information?
*A. Audit logs
B. Server baseline
C. Document hashing
D. Change management
Audit Logs
159.) An old 802.11b wireless bridge must be configured to provide confidentiality of data in transit to include the MAC addresses of communicating endpoints. Which of the following can be implemented to meet this requirement?
D. IPsec
160.) A web server at an organization has been the target of distributed denial of service attacks. Which of the following, if correctly configured, would BEST mitigate these and future attacks?
A. SYN cookies
B. Implicit deny
C. Blacklisting
*D. URL filter
SYN Cookies
URL Filter
161.) An application developer is working with the server administrator to configure storage of data that the application producers, including any temporary files. Which of the following will securely store the files outside of the application?
A. Database encryption
B. Transparent encryption
*C. Full-disk encryption
D. Transit encryption
162.) An auditor is reviewing the following logs from the company's proxy server that is used to store both sensitive and public documents. The documents are edited via a client web interface, and all processing is performed on the server side.
Http:// %content%20of%20document1
Http:// %content%20of%20document2
Http:// %content%20of%20document3

Which of the following should the auditor recommend be implemented?
*A. Two-factor authentication should be implemented for sensitive documents
B. Sensitive documents should be signed using enterprise PKI
C. Encryption should be implemented at the transport level
D. Document hashing should be done to preserve document integrity
163.) Which of the following is a contract with a service provider that typically includes performance parameters like MTBF and MTTR?
164.) An assessment team is conducting a vulnerability scan of an organization's database servers. During the configuration of the vulnerability scanner, the lead assessor only configures the parameter of the database servers' IP range, and then runs the vulnerability scanner. Which of the following scan types is being run on the database servers?
A. Intrusive
*B. Ping sweep
C. Non-credentialed
D. Offline
Ping Sweep
165.) Which of the following network configurations provides security analysts with the MOST information regarding threats, while minimizing the risk to internal corporate assets?
A. Configuring the wireless access point to be unencrypted
B. Increasing the logging level of internal corporate devices
*C. Allowing inbound traffic to a honeypot on the corporate LAN
D. Placing a NIDS between the corporate firewall and ISP
166.) A new help desk employee at a cloud services provider receives a call from a customer. The customer is unable to log into the provider's web application. The help desk employee is unable to find the customer's user account in the directory services console, but sees the customer's information in the application database. The application does not appear to have any fields for a password. The customer then remembers the password and is able to log in. The help desk employee still does not see the user account in directory services. Which of the following is the MOST likely explanation?
A. A bug has been discovered in the application
B. The application uses a weak encryption cipher
*C. A federated authentication model is being used
D. The application uses single sign-on
167.) An administrator is reviewing the logs for a content management system that supports the organization's public-facing website. The administrator is concerned about the number of attempted login failures for administrator accounts from other countries. Which of the following capabilities is BEST to implement if the administrator wants the system to react dynamically to such attacks?
A. Netflow-based rate limiting
B. Disabled generic administrative accounts
*C. Automated log analysis
D. Intrusion prevention system
Neflow-Based Rate Limiting
168.) Analysis of a recent security breach at an organization revealed that the attack leveraged a telnet server that had not been used for some time. Below are partial results of an audit that occurred a week before the breach was detected. OPEN PORTS---TCP 23, TCP 80, TCP 443 OS PATCH LEVEL-CURRENT PASSWORD AUDIT-PASS, STRONG FILE INTEGRITY-PASS. Which of the following could have mitigated or deterred this breach?
A. Routine patch management on the server
B. Greater frequency of auditing the server logs
C. Password protection on the telnet server
*D. Disabling unnecessary services
169.) A recent counter threat intelligence notification states that companies should review indicators of compromise on all systems. The notification stated that the presence of a win_32.dll was an identifier of a compromised system. A scan of the network reveals that all systems have this file. Which of the following should the security analyst perform FIRST to determine if the files collected are part of the threat intelligence?
A. Quarantine the file on each machine
B. Take a full system image of each machine
C. Take hashes of the files found for verification
*D. Verify the time and date of the files found
170.) A technician is troubleshooting an issue with an employee's new mobile device that is not associating to the wireless network. The technician verifies the mobile device is in the company's approved and supported list. The appropriate configuration was entered on the device. All other mobile devices are connecting to the wireless network. Which of the following is the MOST likely cause of the issue?
A. Non-broadcasting SSID
B. MAC address filtering
C. Wrong encryption
*D. Full DHCP scope
171.) An organization is developing a plan to ensure an earthquake at a datacenter does not disrupt business. The organization has identified all of the critical applications within the datacenter, determining the financial loss of an outage of different duration for each application. This effort is known as a :
A. Tabletop exercise
B. High availability
C. Disaster recovery
*D. Business impact analysis
E. Risk assessment
High Availability
Disaster Recovery
172.) After installing new digital certificates on a company web server, the network administrator wants to securely store the keys so that no one individual is able to use the keys on any other system. Which of the following would allow the network administrator to achieve this goal?
A. Key hashing
B. Key exchange
*C. Key escrow
D. Ephemeral key
173.) Multi-function devices are being deployed in various departments. All departments will be able to copy, print and scan to file. Some departments will be authorized to use their devices to fax and email while other departments will not be authorized to use those functions on their devices. Which of the following is the MOST important mitigation technique to avoid an incident?
A. Disabling unnecessary accounts
B. Password protection
C. Monitoring access logs
*D. Disabling unnecessary services
174.) Due to the commonality of Content Management System ( CMS) platforms, a website administrator is concerned about security for the organization's new CMS application. Which of the following practices should the administrator implement FIRST to mitigate risks associated with CMS platform implementations?
A. Deploy CAPTCHA features
*B. Modify the default accounts' password
C. Implement two-factor authentication
D. Configure DNS blacklisting
E. Configure password complexity requirements
175.) Which of the following BEST describes the benefits of using Extended Validation(EV)?
A. Does not use standard x.509 V3 certificates
B. Enhances SSL session key exchange preventing man-in-the-middle attacks
*C. The website provider demonstrates an additional level of trust
D. Provides stronger enforcement of SSL encryption algorithms
EV (Extended Validation)
x.509 v3
Man-in-the-Middle Attack
176.) The network administrator is installing RS-485 terminal servers to provide card readers to vending machines. Which of the following should be performed to protect the terminal servers?
A. Flood guard
B. 802.1X
*C. Network separation
D. Port security
Flood Guard
RS-485 Terminal Servers
177.) An administrator was tasked with reducing the malware infection rate of PC applications. To accomplish this, the administrator restricted the locations from which programs can be launched. After this was complete, the administrator noticed that malware continued to run from locations on the disk and infected the hosts. Which of the following did the administrator forget to do?
*A. Restrict write access to the allowed executable paths
B. Install the host-based intrusion detection system
C. Configure browser sandboxing
D. Disable unnecessary services
178.) A developer is programming an SSO module to assist an organization's internal users with password management. As part of the implementation plan, each user will be required to sign in with existing credentials and submit a new password for the SSO system due to increased security requirements. The developer has been tasked by the security lead to harden the application against automated attacks using the existing credentials. Which of the following will provide an additional security layer against unauthorized access?
A. Log analysis
C. Web application firewall
*D. Security tokens
E. Role-based access control lists
*F. One-time pad
Security Tokens
One-time Pad
179.) A security administrator determined that the time required to brute force 90% of the company's password hashes is below the acceptable threshold. Which of the following, if implemented, has the GREATEST impact in bringing this time above the acceptable threshold?
A. Use a shadow password file
*B. Increase the number of PBKDF2 iterations
C. Change the algorithm used to salt all passwords
D. Use a stronger hashing algorithm for password storage
180.) A security administrator creates separate VLANs for employee devices and HVAC equipment that is network attached. Which of the following are security reasons for this design?
A. IDS often requires network segmentation of HVAC endpoints for better reporting
B. Broadcasts from HVAC equipment will be confined to their own network segment
*C. HVAC equipment can be isolated from compromised employee workstations
D. VLANs are providing loop protection for the HVAC devices
*E. Access to and from the HVAC equipment can be more easily controlled
*F. Employee devices often interfere with proper functioning of HVAC devices
181.) An attacker has breached multiple lines of information security defense. Which of the following BEST describes why delayed containment would be dangerous?
A. The attacker could be blocked by the NIPS before enough forensic data can be collected.
*B. The attacker could erase all evidence of how they compromised the network
C. The attacker could cease all attack activities making forensics more difficult
D. The attacker could escalate unauthorized access or compromise other systems
182.) After Ann, a user, left a crowded elevator, she discovered her smartphone browser was open to a malicious website that exploited the phone. Which of the following is the MOST likely reason this occurred?
A. The user was the victim of an CSRF attack
B. The user was the victim of an NFC attack
C. The user was the victim of an IV attack
*D. The user was the victim of a bluesnarfing attack
CSRF Attack
NFC Attack
IV Attack
Bluesnarfing Attack