Users received a spam email from an unknown source and chose the option in the email to unsubscribe and are now getting more spam as a result. Which one of the following is most likely the reason?

a. The unsubscribe option does not actually do anything.
b. The unsubscribe request was never received.
c. Spam filters were automatically turned off when making the selection to unsubscribe.
d. They confirmed that their addresses are "live."

Answer: D

An organization is looking for a mobile solution that allows both executives and employees to discuss sensitive information without having to travel to secure company locations. Which of the following fulfills this requirement?

a. GPS tracking
b. Voice encryption
c. Remote wipe
d. Passcode policy

Answer: B

The process of making an operating system more secure by closing known vulnerabilities and addressing security issues is known as which of the following?

a. Handshaking
b. Hardening
c. Hotfixing
d. All of the above

Answer: B

Hardening refers to the process of securing an operating system. Handshaking relates to the agreement process before communication takes place; therefore, answer A is incorrect. A hotfix is just a security patch that gets applied to an operating system; therefore, answer C is incorrect. Hardening is the only correct answer; therefore, answer D is incorrect.

Which one of the following best describes the type of attack designed to bring a network to a halt by flooding the systems with useless traffic?

a. DoS
b. Ping of death
c. Teardrop
d. Social engineering

Answer: A

A DoS attack is designed to bring down a network by flooding the system with an overabundance of useless traffic. Although answers B and C are both types of DoS attacks, they are incorrect because DoS more accurately describes "a type of attack." Answer D is incorrect because social engineering describes the nontechnical means of obtaining information.

Which of the following is a common storage networking standard chosen by businesses for ease of installation, cost, and utilization of current Ethernet networks?

a. Fibre Channel
b. FTP
c. iSCSI
d. HTTPS

Answer: C

Businesses choose Internet Small Computer System Interface (iSCSI) due to ease of installation, cost, and utilization of current Ethernet networks. Answer A is incorrect. Fibre Channel infrastructure generally is more costly and complex to manage due to the separate network switching infrastructure. Answer B is incorrect. FTP servers provide user access to upload or download files between client systems and a networked FTP server. Answer D is incorrect because HTTPS is used for secured web-based communications.

Which of the following is included in a BYOD policy?

a. Key management
b. Data ownership
c. Credential management
d. Transitive trusts

Answer: B

When formulating a bring-your-own-device (BYOD) policy, the organization should clearly state who owns the data stored on the device, specifically addressing what data belongs to the organization. Answer A is incorrect because key management is intended to provide a single point of management for keys, enable users to manage the lifecycle of keys and to store them securely, and make key distribution easier. Answer C is incorrect because the use of credentials is to validate the identities of users, applications, and devices. Answer D is incorrect because transitive trusts enable decentralized authentication through trusted agents.

Never inserting untrusted data except in allowed locations can be used to mitigate which of the following attacks? (Select two answers.)

a. Buffer overflow
b. Cross-site request forgery (XSRF)
c. Cross-Site Scripting (XSS)
d. Input validation error

Answer: A & D.

A buffer overflow is a direct result of poor or incorrect input validation or mishandled exceptions, and input validation errors are a result of improper field checking in the code. Answer B is incorrect because Cross-site request forgery (XSRF) is an attack in which the end user executes unwanted actions on a web application while they are currently authenticated. Answer C is incorrect because Cross-Site Scripting (XSS) vulnerabilities can be used to hijack the user's session or to cause the user accessing malware-tainted Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A.

A physical security plan should include which of the following? (Select all correct answers.)

a. Description of the physical assets being protected
b. The threats from which you are protecting against and their likelihood
c. Location of a hard disk's physical blocks
d. Description of the physical areas where assets are located

Answer: A, B & D.

A physical security plan should be a written plan that addresses your current physical security needs and future direction. With the exception of answer C, all the answers are correct and should be addressed in a physical security plan. A hard disk's physical blocks pertain to the file system.

Which one of the following is not considered a physical security component?

a. VPN tunnel
b. Mantrap
c. Fence
d. CCTV

Answer: A

A VPN tunnel is an example of data security, not physical security. Mantrap, fence, and CCTV are all components of physical security; therefore, answers B, C, and D are incorrect.

You have been tasked with mitigating the risk of password-based attacks. Which of the following should you consider to provide a control beyond just what someone knows?

a. Enforce complex passwords
b. Prevent the user from entering more than three incorrect passwords
c. Implement use of a one-time use token
d. A and B

Answer: C

Although both A and B provide controls for passwords, they are still both based on something the user knows: a password. A one-time use token can be a dedicated hardware token or may be a software token or text message on a mobile device. This would be an example of something the user has (for example, a hardware token or registered mobile device). Answer D is incorrect.

Security guards are a form of which specific type of control?

a. Management
b. Technical
c. Physical
d. Access

Answer: C

Physical controls include facility design details such as layout, doors, locks, guards, and surveillance systems. Management controls include policies and procedures, whereas technical controls include access control systems, encryption, and data classification solutions, making answers A and B incorrect. Access controls include all three classifications (management, technical, and physical), making Answer D incorrect because the question asks for a specific type.

You want to be sure that the FTP ports that are required for a contract worker's functionality have been properly secured. Which of the following ports would you check?

a. 25/110/143
b. 20/21
c. 137/138/139
d. 53

Answer: B

Ports 20 and 21 are used for FTP. Answer A is incorrect because these ports are used for email. Answer C is incorrect because these NetBIOS ports are required for certain Windows network functions such as file sharing. Answer D is incorrect because this port is used for DNS.

Which of the following is the best choice for encrypting large amounts of data?

a. Asymmetric encryption
b. Symmetric encryption
c. Elliptical curve encryption
d. RSA encryption

Answer: B

Public key encryption is not usually used to encrypt large amounts of data, but it does provide an effective and efficient means of sending a secret key with which to do symmetric encryption thereafter, which provides the best method for efficiently encrypting large amounts of data. Therefore, answers A, C, and D are incorrect.

Which of the following is an example of a false negative result?

a. An authorized user is granted access to a resource.
b. An unauthorized user is granted access to a resource.
c. An authorized user is refused access to a resource.
d. An unauthorized user is refused access to a resource.

Answer: C

A false negative result involves access refusal for an authorized user, which makes answer D incorrect. Answers A and B are incorrect because they represent granted resource access.

After a new switch was implemented, some sporadic connectivity issues on the network have occurred. The issues are suspected to be device related. Which of the following would the organization implement as a method for additional checks in order to prevent issues?

a. Loop protection
b. Flood guard
c. Implicit deny
d. Port security

Answer: A

The loop protection feature makes additional checks in Layer 2 switched networks. Answer B is incorrect because a flood guard is a firewall feature to control network activity associated with denial-of-service (DoS) attacks. Answer C is incorrect because implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access. Answer D is incorrect because port security is a Layer 2 traffic control feature on Cisco Catalyst switches. It enables individual switch ports to be configured to allow only a specified number of source MAC addresses coming in through the port.

Due to organizational requirements, strong encryption cannot be used. Which of the following is the most basic form of encryption that can be used on 802.11-based wireless networks to provide privacy of data sent between a wireless client and its access point?

a. Wireless Application Environment (WAE)
b. Wireless Session Layer (WSL)
c. Wired Equivalent Privacy (WEP)
d. Wireless Transport Layer Security (WTLS)

Answer: C

WEP is the most basic form of encryption that can be used on 802.11-based wireless networks to provide privacy of data sent between a wireless client and its access point. Answer A is incorrect. Wireless Application Environment (WAE) specifies the framework used to develop applications for mobile devices, including cell phones, data pagers, tablets, and laptops. Answers B and D are incorrect. Wireless Session Layer (WSL), Wireless Transport Layer (WTL), and Wireless Transport Layer Security (WTLS) are the specifications that are included in the WAP standard.

While performing regular security audits, you suspect that your company is under attack and someone is attempting to use resources on your network. The IP addresses in the log files belong to a trusted partner company, however. Assuming an attack, which of the following might be occurring?

a. Replay
b. Authorization
c. Social engineering
d. Spoofing

Answer: D

The most likely answer is spoofing because this enables an attacker to misrepresent the source of the requests. Answer A is incorrect because this type of attack records and replays previously sent valid messages. Answer B is incorrect because this is not a type of attack but is instead the granting of access rights based on authentication. Answer C is incorrect because social engineering involves nontechnical means of gaining information.

Which form of fire suppression functions best in an Alaskan fire of burning metals?

a. Dry-pipe sprinkler
b. Wet-pipe sprinkler
c. Carbon dioxide
d. Dry powder

Answer: D

Combustible metal fires (Class D) require sodium chloride and copper-based dry powder extinguishers. Although dry-pipe would be preferable to wet-pipe sprinklers in regions that experience very low temperatures such as Alaska, water is only appropriate for wood, paper, and trash fires (Class A), making answers A and B incorrect. Answer C is incorrect because carbon dioxide and Halon extinguishers are useful for fires involving live electric wiring (Class C) and would not be used for burning metals.

An asset is valued at $12,000, the threat exposure factor of a risk affecting that asset is 25%, and the annualized rate of occurrence is 50%. What is the SLE?

a. $1,500
b. $3,000
c. $4,000
d. $6,000

Answer: B

The single loss expectancy (SLE) is the product of the value ($12,000) and the threat exposure (.25), or $3,000. Answer A is incorrect because $1,500 represents the annualized loss expectancy (ALE), which is the product of the SLE and the annualized rate of occurrence (ARO). Answers C and D are incorrect calculated values.

An organization has an access control list implemented on the border router, but it appears that unauthorized traffic is still being accepted. Which of the following would the organization implement to improve the blocking of unauthorized traffic?

a. Loop protection
b. Flood guard
c. Implicit deny
d. Port security

Answer: C

Implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access. Answer A is incorrect because the loop protection feature makes additional checks in Layer 2 switched networks. Answer B is incorrect because a flood guard is a firewall feature to control network activity associated with denial-of-service (DoS) attacks. Answer D is incorrect because port security is a Layer 2 traffic control feature on Cisco Catalyst switches. It enables individual switch ports to be configured to allow only a specified number of source MAC addresses coming in through the port.

Several organizational users are experiencing network and Internet connectivity issues. Which of the following would be most helpful in troubleshooting where the connectivity problems might exist?

a. SSL
b. IPsec
c. SNMP
d. Traceroute

Answer: D

Traceroute uses an ICMP echo request packet to find the path between two addresses. Answer A is incorrect because SSL is a public key-based security protocol that is used by Internet services and clients for authentication, message integrity, and confidentiality. Answer B is incorrect because the Internet Protocol Security (IPsec) authentication and encapsulation standard is widely used to establish secure VPN communications. Answer C is incorrect because SNMP is an application layer protocol whose purpose is to collect statistics from TCP/IP devices. SNMP is used for monitoring the health of network equipment, computer equipment, and devices such as uninterruptible power supplies (UPSs).

Which of the following is the preferred type of encryption used in SaaS platforms?

a. Application level
b. Database level
c. Media level
d. HSM level

Answer: A

In a software-as-a-service (SaaS) environment, application-level encryption is preferred because the data is encrypted by the application before being stored in the database or file system. The advantage is that it protects the data from the user all the way to storage. Answer B is incorrect because in cloud implementations data should be encrypted at the application layer rather than within a database due to the complexity involved, and media encryption is managed at the storage layer. Answer C is incorrect because encryption of a complete virtual machine on infrastructure-as-a-service (IaaS) could be considered media encryption. Answer D is incorrect because a hardware security module (HSM) solution is mainly found in private datacenters that manage and offload cryptography with dedicated hardware appliances.

Which of the following is included in hardening a host operating system?

a. A policy for antivirus updates
b. A policy for remote wipe
c. An efficient method to connect to remote sites
d. An effective system for file-level security

Answer: D

Hardening of the operating system includes planning against both accidental and directed attacks, such as the use of fault-tolerant hardware and software solutions. In addition, it is important to implement an effective system for file-level security, including encrypted file support and secured file system selection that allows the proper level of access control. Answer A is incorrect because it is a host protection measure, not an OS hardening measure. Answer B is incorrect because this is a feature associated with data security, not host hardening. Answer C is incorrect because this is a secure communication measure.

TEMPEST deals with which of the following forms of environmental control?

a. HVAC
b. EMI shielding
c. Humidity
d. Cold-aisle

Answer: B

TEMPEST protections involve the hardening of equipment against EMI broadcast and sensitivity. Answers A and C are incorrect because HVAC controls include temperature and humidity management techniques to manage evolved heat in the data center and to minimize static charge buildup. Answer D is incorrect because hot-aisle/cold-aisle schemes provide thermal management for data centers by grouping air intakes on cold aisles and air exhausts on designated hot aisles, making HVAC more effective.

A situation in which a program or process attempts to store more data in a temporary data storage area than it was intended to hold is known as which of the following?

a. Buffer overflow
b. Denial of service
c. Distributed denial of service
d. Storage overrun

Answer: A

A buffer overflow occurs when a program or process attempts to store more data in a buffer than the buffer was intended to hold. The overflow of data can flow over into other buffers, overwriting or deleting data. A denial of service is a type of attack in which too much traffic is sent to a host, preventing it from responding to legitimate traffic. A distributed denial of service is similar, but it is initiated through multiple hosts; therefore, answers B and C are incorrect. Although answer D sounds correct, it is not.

Which of the following are steps that can be taken to harden FTP services?

a. Anonymous access to shared files of questionable or undesirable content should be limited.
b. Regular review of networks for unauthorized or rogue servers.
c. Technologies that allow dynamic updates must also include access control and authentication.
d. Unauthorized zone transfers should also be restricted.

Answer: A

Anonymous access to shared files of questionable or undesirable content should be limited for proper FTP server security. Answer B is incorrect because it is a hardening practice for DHCP services. Answers C and D are incorrect because they are associated with hardening DNS service.

Which statement concerning a network intrusion detection system (NIDS) is correct?

a. A NIDS knows such information as the applications that are running as well as the underlying operating systems so that it can provide a higher degree of accuracy regarding potential attacks.
b. Compared to a network intrusion prevention system (NIPS), a NIDS can more quickly take action to block an attack.
c. A NIDS attempts to prevent malicious attacks by stopping the attack.
d. A NIDS has sensors that monitor the traffic entering and leaving a firewall, and reports back to the central device for analysis.

Answer: D

A network intrusion prevention system (NIPS) is similar to a NIDS in that it monitors network traffic to immediately react to block a malicious attack. One of the major differences between a NIDS and a NIPS is its location. A NIDS has sensors that monitor the traffic entering and leaving a firewall, and reports back to the central device for analysis. A NIPS, on the other hand, would be located "in line" on the firewall itself. This can allow the NIPS to more quickly take action to block an attack.

What feature distinguishes a network intrusion prevention system (NIPS) from a network intrusion detection system (NIDS)?

a. A NIPS has sensors that monitor the traffic entering and leaving a firewall, and reports back to the central device for analysis.
b. A NIPS is located "in line" on the firewall itself.
c. A NIPS is designed to integrate with existing antivirus, antispyware, and firewalls that are installed on the local host computer.
d. A NIPS can use a protocol stack verification technique.

Answer: B

One of the major differences between a NIDS and a NIPS is its location. A NIDS has sensors that monitor the traffic entering and leaving a firewall, and reports back to the central device for analysis. A NIPS, on the other hand, would be located "in line" on the firewall itself. This can allow the NIPS to more quickly take action to block an attack.

A _______________ is a special type of firewall that looks at the applications using HTTP.

a. network intrusion detection system (NIDS)
b. network intrusion prevention system (NIPS)
c. spam filter
d. web application firewall

Answer: D

A Web application firewall is a special type of firewall that looks at the applications using HTTP.

Using _______________, filters can assess if a webpage contains any malicious elements or exhibits any malicious behavior, and then flag questionable pages with a warning message.

a. malware inspection and filtering
b. content inspection
c. uniform resource locator (URL) filtering
d. detailed reporting

Answer: A

With malware inspection and filtering, filters can assess if a webpage contains any malicious elements or exhibits any malicious behavior, and then flag questionable pages with a warning message.

Which type of Internet content filtering restricts unapproved websites from being displayed by searching for and matching keywords?

a. Uniform resource locator (URL filtering)
b. Profiling
c. Malware inspection
d. Content inspection

Answer: D

Internet content filters monitor Internet traffic and block access to preselected websites and files. A requested webpage is displayed only if it complies with the specified filters. Unapproved websites can be restricted based on the Uniform Resource Locator or URL (URL filtering) or by searching for and matching keywords such as sex or hate (content inspection) as well as looking for malware (malware inspection).

Which option for installing a corporate spam filter is considered to be the most effective approach?

a. Install the spam filter on the Domain Name Server (DNS).
b. Install the spam filter on the Post Office Protocol (POP3) server.
c. Install the spam filter with the Simple Mail Transfer Protocol (SMTP) server.
d. Contract with a third-party entity that filters out spam.

Answer: C

Installing the spam filter with the SMTP server is the simplest and most effective approach.

Which statement concerning heuristic monitoring is correct?

a. Heuristic monitoring operates by being adaptive and proactive.
b. Heuristic monitoring is founded on experience-based techniques.
c. Heuristic monitoring is designed for detecting statistical anomalies.
d. Heuristic monitoring looks for well-known patterns.

Answer: B

Heuristic monitoring is founded on experience-based techniques. It attempts to answer the question, "Will this do something harmful if it is allowed to execute?"

Which statement concerning anomaly-based monitoring is correct?

a. Anomaly-based monitoring is founded on experience-based techniques.
b. Anomaly-based monitoring looks for well-known patterns.
c. Anomaly-based monitoring operates by being adaptive and proactive.
d. Anomaly-based monitoring is designed for detecting statistical anomalies.

Answer: D

Anomaly-based monitoring is designed for detecting statistical anomalies.

Which statement concerning signature-based monitoring is correct?

a. Signature-based monitoring is designed for detecting statistical anomalies.
b. Signature-based monitoring uses an algorithm to determine if a threat exists.
c. Signature-based monitoring operates by being adaptive and proactive.
d. Signature-based monitoring looks for well-known patterns.

Answer: D

A method for auditing usage is to examine network traffic, activity, transactions, or behavior and look for well-known patterns, much like antivirus scanning. This is known as signature-based monitoring because it compares activities against a predefined signature.

Which statement concerning behavior-based monitoring is correct?

a. It is necessary to update signature files before monitoring can take place.
b. It is necessary to compile a baseline of statistical behavior before monitoring can take place.
c. It can more quickly stop new attacks as compared to anomaly- and behavior-based monitoring.
d. Behavior-based monitoring operates in a reactive mode.

Answer: C

One of the advantages of behavior-based monitoring is that it is not necessary to update signature files or compile a baseline of statistical behavior before monitoring can take place. In addition, behavior-based monitoring can more quickly stop new attacks.

VPN transmissions are achieved through communicating with _______________.

a. network taps
b. endpoints
c. Internet content filters
d. proxy servers

Answer: B

VPN transmissions are achieved through communicating with endpoints. An endpoint is the end of the tunnel between VPN devices. An endpoint can be software on a local computer, a dedicated hardware device such as a VPN concentrator (which aggregates hundreds or thousands of VPN connections), or integrated into another networking device such as a firewall.

What term refers to a technology that enables authorized users to use an unsecured public network, such as the Internet, as if it were a secure private network?

a. Virtual private network (VPN)
b. Gateway
c. Intrusion detection system (IDS)
d. Port mirroring

Answer: A

A virtual private network (VPN) is a technology that enables authorized users to use an unsecured public network, such as the Internet, as if it were a secure private network.

A(n) _______________ can block malicious content in real time as it appears.

a. uniform resource locator (URL) filter
b. virtual private network (VPN)
c. Internet content filter
d. web security gateway

Answer: D

A web security gateway can block malicious content in real time as it appears (without first knowing the URL of a dangerous site).

A(n) _______________ is a computer or an application program that intercepts user requests from the internal secure network and then processes that request on behalf of the user.

a. proxy server
b. load balancer
c. network tap
d. Internet content filter

Answer: A

A proxy server is a computer or an application program that intercepts user requests from the internal secure network and then processes that request on behalf of the user.

A load balancer is typically located _______________ in a network configuration.

a. in front of a server
b. in front of a router
c. between a router and a server
d. between a router and a switch

Answer: C

Because load balancers generally are located between routers and servers, they can detect and stop attacks directed at a server or application.

Which type of switch network monitoring is best suited for high-speed networks that have a large volume of traffic?

a. Network tapping
b. Port mirroring
c. Load balancing
d. Packet filtering

Answer: A

A network tap is generally best for high-speed networks that have a large volume of traffic, while port mirroring is better for networks with light traffic.

What is the role of a switch?

a. To inspect packets and either accept or deny entry
b. To forward packets across different computer networks
c. To intercept user requests from the internal secure network and then process that request on behalf of the user
d. To connect networks together so that they function as a single network segment

Answer: D

Early local area networks (LANs) used a hub, which is a standard network device for connecting multiple network devices together so that they function as a single network segment. A network switch is a device that connects network devices together. However, unlike a hub, a switch has a degree of "intelligence."

What is the role of a router?

a. To inspect packets and either accept or deny entry
b. To forward packets across different computer networks
c. To intercept user requests from the internal secure network and then process that request on behalf of the user
d. To connect networks together so that they function as a single network segment

Answer: B

A router is a network device that can forward packets across different computer networks. When a router receives an incoming packet, it reads the destination address and then, using information in its routing table, sends the packet to the next network toward its destination.

What type of firewall systems are static in nature and cannot do anything other than what they have been expressly configured to do?

a. Application-based
b. Authentication-based
c. Role-based
d. Rule-based

Answer: D

Rule-based systems are static in nature and cannot do anything other than what they have been expressly configured to do.

Which type of firewall packet filtering looks at the incoming packet and permits or denies it based on the conditions that have been set by the administrator?

a. Stateless packet filtering
b. Stateful packet filtering
c. Switched packet filtering
d. Secure packet filtering

Answer: A

Packets can be filtered by a firewall in one of two ways. Stateless packet filtering looks at the incoming packet and permits or denies it based on the conditions that have been set by the administrator. Stateful packet filtering keeps a record of the state of a connection between an internal computer and an external device and then makes decisions based on the connection as well as the conditions.

What is the primary role of a firewall?

a. To forward packets across different computer networks
b. To intercept user requests from the internal secure network and then process that request on behalf of the user
c. To connect networks together so that they function as a single network segment
d. To inspect packets and either accept or deny entry

Answer: D

Although a host-based application software firewall that runs as a program on one client is different from a hardware-based network firewall designed to protect an entire network, their functions are essentially the same: to inspect packets and either accept or deny entry.

A new switch has been implemented in areas where there is very little physical access control. Which of the following would the organization implement as a method for additional checks to prevent unauthorized access?

a. Loop protection
b. Flood guard
c. Implicit deny
d. Port security

Answer: D

Port security is a Layer 2 traffic control feature on Cisco Catalyst switches. It enables individual switch ports to be configured to allow only a specified number of source MAC addresses coming in through the port. Answer A is incorrect because the loop guard feature makes additional checks in Layer 2 switched networks. Answer B is incorrect because a flood guard is a firewall feature used to control network activity associated with denial-of-service (DoS) attacks. Answer C is incorrect because implicit deny is an access control practice wherein resource availability is restricted to only those logons explicitly granted access.

Which of the following statements are true when discussing physical security? (Select all correct answers.)

a. Physical security attempts to control access to data from Internet users.
b. Physical security attempts to control unwanted access to specified areas of a building.
c. Physical security attempts to control the effect of natural disasters on facilities and equipment.
d. Physical security attempts to control internal employee access into secure areas.

Answer: B, C & D.

Natural disasters, unwanted access, and user restrictions are all physical security issues. Preventing Internet users from getting to data is data security, not physical security; therefore, answer A is incorrect.

Which one of the following defines APIs for devices such as smart cards that contain cryptographic information?

a. PKCS #11
b. PKCS #13
c. PKCS #4
d. PKCS #2

Answer: A

PKCS #11, the Cryptographic Token Interface Standard, defines an API named Cryptoki for devices holding cryptographic information. Answer B is incorrect because PKCS #13 is the Elliptic Curve Cryptography (ECC) standard. Both answers C and D are incorrect because PKCS #4 and PKCS #2 no longer exist and have been integrated into PKCS #1, the RSA Cryptography Standard.

Which is the best rule-based access control constraint to protect against unauthorized access when admins are off-duty?

a. Least privilege
b. Separation of duties
c. Account expiration
d. Time of day

Answer: D

Time-of-day rules prevent administrative access requests during off-hours when local admins and security professionals are not on duty. Answer A is incorrect because least privilege is a principle of assigning only those rights necessary to perform assigned tasks. Answer B is incorrect because separation of duties aids in identification of fraudulent or incorrect processes by ensuring that action and validation practices are performed separately. Answer C is incorrect because account expiration policies ensure that individual accounts do not remain active past their designated lifespan but do nothing to ensure protections are enabled during admin downtime.

Which type of authorization provides no mechanism for unique logon identification?

a. Anonymous
b. Kerberos
c. TACACS
d. TACACS+

Answer: A

During anonymous access, such as requests to a public FTP server, the unique identity of the requester is not determined and so cannot be used for personalized logon identification. Answers B, C, and D are incorrect because authorization services such as Kerberos, TACACS, and its replacement TACACS+ all verify access requests against a list of authorized credentials and so can log individual visits and identify access request logons.

Which of the following is not true regarding expiration dates of certificates?

a. Certificates may be issued for a week.
b. Certificates are issued only at yearly intervals.
c. Certificates may be issued for 20 years.
d. Certificates must always have an expiration date.

Answer: B

Digital certificates contain a field indicating the date to which the certificate is valid. This date is mandatory, and the validity period can vary from a short period of time up to a number of years; therefore, answers A, C, and D are incorrect.

What is the first step in performing a basic forensic analysis?

a. Ensure that the evidence is acceptable in a court of law
b. Identify the evidence
c. Extract, process, and interpret the evidence
d. Determine how to preserve the evidence

Answer: B

It is necessary to first identify the evidence that is available to be collected. Answer A is incorrect because protecting data's value as evidence must come after the type and form of evidence is known. Extraction, preservation, processing, and interpretation of evidence also follow the identification of data types and storage that must be collected, making answers C and D incorrect.

You are implementing network access for several internal business units that work with sensitive information on a small organizational network. Which of the following would best mitigate risk associated with users improperly accessing other segments of the network without adding additional switches?

a. Log analysis
b. Access control lists
c. Network segmentation
d. Proper VLAN management

Answer: D

VLANs provide a way to limit broadcast traffic in a switched network. This creates a boundary and, in essence, creates multiple, isolated LANs on one switch. Answer A is incorrect because logging is the process of collecting data to be used for monitoring and auditing purposes. Answer B is incorrect because access control generally refers to the process of making resources available to accounts that should have access while limiting that access to only what is required. Answer C is incorrect because network segmentation is used for interconnected networks where a compromised system on one network can easily threaten machines on other network segments.

An organization is partnering with another organization that requires shared systems. Which of the following documents would outline how the shared systems interface?

a. SLA
b. BPA
c. MOU
d. ISA

Answer: D

An interconnection security agreement (ISA) is an agreement between organizations that have connected IT systems. Answer A is incorrect because a service level agreement (SLA) is a contract between a service provider and a customer that specifies the nature of the service to be provided and the level of service that the provider will offer to the customer. Answer B is incorrect because a business partners agreement (BPA) is a contract that establishes partner profit percentages, partner responsibilities, and exit strategies for partners. Answer C is incorrect because a memorandum of understanding (MOU) is a document that outlines the terms and details of an agreement between parties, including each party's requirements and responsibilities.

Which form of cabling is least susceptible to EM interference?

a. STP
b. UTP
c. Coaxial
d. Fiber optic

Answer: D

Fiber-optic cabling is least subject to electromagnetic interference because its communications are conducted by transmitting pulses of light over glass, plastic, or sapphire transmission fibers. Twisted-pair (shielded STP as well as unshielded UTP) copper cables provide minimal shielding against interference but can function as antennas picking up nearby EM sources when extended over long cable runs, making answers A and B incorrect. Answer C is incorrect because although coaxial cables limit EM interference by encasing one conductor in a sheath of conductive material, they are still conductive and not as resistant as purely optical forms of communication.

An executive from ABC Corp receives an email from a vice president of XYZ Corp, which is a prestigious partner organization of ABC Corp. This email was formatted using XYZ's corporate logo, images, and text from their website (checked by the executive before opening the included form). After clicking the provided link, the executive was asked to verify his credentials for access to a confidential report about ABC Corp, but after he filled out the form, the executive received only a referral to XYZ's site. What type of attack was used in this scenario?

a. Phishing
b. Smishing
c. Vishing
d. Spear phishing

Answer: D

This is an example of a spear phishing attack, which uses fraudulent email to obtain access to data of value (here, the executive's credentials) from a targeted organization. Answer A is incorrect because while phishing attacks involve email, spear phishing attacks are targeted and customized to a selected target. The question's description of the images, links, and report all indicate a very targeted attack. Answer B is incorrect because smishing attacks are conducted using SMS messages. Answer C is similarly incorrect because vishing attacks employ telephone or VoIP audio communications.

Which of the following is most likely to use network segmentation as an alternate security method?

a. SCADA systems
b. Mainframes
c. Android
d. Gaming consoles

Answer: A

Network segmentation is one of the most effective controls an organization can implement in order to mitigate the effect of a network intrusion. Due to the sensitive nature of supervisory control and data acquisition (SCADA) systems, they would most likely use network segmentation. Answer B is incorrect because mainframes would most likely use security layers. Answer C is incorrect because Android would most likely use security layers. Answer D is incorrect because most gaming consoles use firmware version control as an alternative security method.

Which of the following protocols supports DES, 3DES, RC2, and RSA2 encryption along with CHAP authentication, but was not widely adopted?

a. S-HTTP
b. S/MIME
c. HTTP
d. PPTP

Answer: A

An alternative to HTTPS is the Secure Hypertext Transport Protocol (S-HTTP), which was developed to support connectivity for banking transactions and other secure web communications. S-HTTP was not adopted by the early web browser developers (for example, Netscape and Microsoft) and so remains less common than the HTTPS standard. Additionally, S-HTTP encrypts individual messages, so it cannot be used for VPN security. Answer B is incorrect because S/MIME is used to encrypt electronic mail transmissions over public networks. Answer C is incorrect because HTTP is used for unsecured web-based communications. Answer D is incorrect because Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a virtual private network (VPN) across TCP/IP-based data networks.

It is suspected that some recent network compromises are originating from the use of RDP. Which of the following TCP port traffic should be monitored?

a. 3389
b. 139
c. 138
d. 443

Answer: A

TCP port 3389 is used by RDP. Answer B is incorrect because UDP uses port 139 for network sharing. Answer C is incorrect because port 138 is used to allow NetBIOS traffic for name resolution. Answer D is incorrect because port 443 is used for HTTPS.

Which of the following are examples of protocol analyzers? (Check all correct answers.)

a. Metasploit
b. Wireshark
c. OVAL
d. Microsoft Message Analyzer

Answer: D

Windows Server operating systems come with a protocol analyzer called Microsoft Message Analyzer. Third-party programs such as Wireshark can also be used for network monitoring. Metasploit is a framework used for penetration testing, and OVAL is intended as an international language for representing vulnerability information using an XML schema for expression; therefore, answers A and C are incorrect.

Which of the following types of attacks can be done by either convincing the users to click on an HTML page the attacker has constructed or inserting arbitrary HTML in a target website that the users visit?

a. Buffer overflow
b. Cross-site request forgery (XSRF)
c. Cross-Site Scripting (XSS)
d. Input validation error

Answer: B

The key element to understanding XSRF is that attackers are betting that users have a validated login cookie for the website already stored in their browsers. All they need to do is get the browsers to make a request to the website on their behalf. This can be done by either convincing the users to click on an HTML page the attacker has constructed or inserting arbitrary HTML in a target website that the users visit. Answer A is incorrect because a buffer overflow is a direct result of poor or incorrect input validation or mishandled exceptions. Answer C is incorrect because Cross-Site Scripting (XSS) vulnerabilities can be used to hijack the user's session or to cause the user accessing malware-tainted Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A. Answer D is incorrect because input validation errors are a result of improper field checking in the code.

Which of the following types of attacks is executed by placing malicious executable code on a website?

a. Buffer overflow
b. Cross-site request forgery (XSRF)
c. Cross-Site Scripting (XSS)
d. Input validation error

Answer: C

Cross-Site Scripting (XSS) vulnerabilities can be used to hijack the user's session or to cause the user accessing malware-tainted Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A. Answer A is incorrect because a buffer overflow is a direct result of poor or incorrect input validation or mishandled exceptions. Answer B is incorrect because the key element to understanding XSRF is that attackers are betting that users have a validated login cookie for the website already stored in their browsers. Answer D is incorrect because input validation errors are a result of improper field checking in the code.

Which of the following is needed to establish effective security baselines for host systems? (Select two correct answers.)

a. Cable locks
b. Mandatory settings
c. Standard application suites
d. Decentralized administration

Answer: C

To establish effective security baselines, enterprise network security management requires a measure of commonality between the systems. Mandatory settings, standard application suites, and initial setup configuration details all factor into the security stance of an enterprise network. Answer A is incorrect because cable locks have nothing to do with effective security baselines. Answer D is incorrect because decentralized management does not have anything to do with security baselines.

Which of the following best describes the process of encrypting and decrypting data using an asymmetric encryption algorithm?

a. Only the public key is used to encrypt, and only the private key is used to decrypt.
b. The public key is used to either encrypt or decrypt.
c. Only the private key is used to encrypt, and only the public key is used to decrypt.
d. The private key is used to decrypt data encrypted with the public key.

Answer: D

When encrypting and decrypting data using an asymmetric encryption algorithm, you use only the private key to decrypt data encrypted with the public key. Answers A and B are both incorrect because in public key encryption, if one key is used to encrypt, you can use the other to decrypt the data. Answer C is incorrect because the public key is not used to decrypt the same data it encrypted.

Which of the following algorithms is not an example of a symmetric encryption algorithm?

a. Rijndael
b. Diffie-Hellman
c. RC6
d. AES

Answer: B

Diffie-Hellman uses public and private keys, so it is considered an asymmetric encryption algorithm. Because Rijndael and Advanced Encryption Standard (AES) are now one and the same, they both can be called symmetric encryption algorithms; therefore, answers A and D are incorrect. Answer C is incorrect because RC6 is symmetric, too.

Which authorization protocol is generally compatible with TACACS?

a. LDAP
b. RADIUS
c. TACACS+
d. XTACACS

Answer: D

The Extended Terminal Access Controller Access Control System (XTACACS) protocol is a proprietary form of the TACACS protocol developed by Cisco and is compatible in many cases. Neither LDAP nor RADIUS is affiliated with the TACACS protocol, making answers A and B incorrect. Answer C is incorrect because the newer TACACS+ is not backward compatible with its legacy equivalent.

There have been some sporadic connectivity issues on the network. Which of the following is the best choice to investigate these issues?

a. Protocol analyzer
b. Circuit-level gateway logs
c. Spam filter appliance
d. Web application firewall logs

Answer: A

Protocol analyzers help you troubleshoot network issues by gathering packet-level information across the network. These applications capture packets and can conduct protocol decoding, putting the information into readable data for analysis. Answer B is incorrect because a circuit-level gateway filters based on source and destination addresses. Answer C is incorrect because all-in-one spam filter appliances allow for checksum technology, which tracks the number of times a particular message has appeared, and message authenticity checking, which uses multiple algorithms to verify authenticity of a message. Answer D is incorrect because a web application firewall is software or a hardware appliance used to protect the organization's web server from attack.

Your organization is exploring data-loss prevention (DLP) solutions. The proposed solution is a software network solution that would be installed near the network perimeter to monitor for and flag policy violations. This solution is targeting which of the following data states?

a. In-transit
b. At-rest
c. In-use
d. In-arrival

Answer: A

Protection of data in-transit is considered to be a network solution and either a hardware or software solution is installed near the network perimeter to monitor for and flag policy violations. Answer B is incorrect because protection of data at-rest is considered to be a storage solution and is generally a software solution that monitors how confidential data is stored. Answer C is incorrect because protection of data in-use is considered to be an endpoint solution and the application is run on end-user workstations or servers in the organization. Answer D is incorrect because there is no such data state.

Your organization is exploring data-loss prevention (DLP) solutions. The proposed solution is a software storage solution that monitors how confidential data is stored. This solution is targeting which of the following data states?

a. In-transit
b. At-rest
c. In-use
d. In-service

Answer: B

Protection of data at-rest is considered to be a storage solution and is generally a software solution that monitors how confidential data is stored. Answer A is incorrect because protection of data in-transit is considered to be a network solution and either a hardware or software solution is installed near the network perimeter to monitor for and flag policy violations. Answer C is incorrect because protection of data in-use is considered to be an endpoint solution and the application is run on end-user workstations or servers in the organization. Answer D is incorrect because there is no such data state.

Which of the following designates the amount of data loss that is sustainable and up to what point in time data recovery could happen before business is disrupted?

a. RTO
b. MTBF
c. RPO
d. MTTF

Answer: C

Recovery point objective (RPO) is the amount of time that can elapse during a disruption before the quantity of data lost during that period exceeds the BCP's maximum allowable threshold. Simply put, RPO specifies the allowable data loss. It determines up to what point in time data recovery could happen before business is disrupted. Answer A is incorrect because recovery time objective (RTO) is the amount of time within which a process must be restored after a disaster to meet business continuity. It defines how much time it takes to recover after notification of process disruption. Answer B is incorrect because mean time between failures (MTBF) is the average amount of time that passes between hardware component failures excluding time spent waiting for or being repaired. Answer D is incorrect because mean time to failure (MTTF) is the length of time a device or product is expected to last in operation.

Which of the following is true of digital signatures? (Choose the two best answers.)

a. They are the same as a hash function.
b. They can be automatically time-stamped.
c. They allow the sender to repudiate that the message was sent.
d. They cannot be imitated by someone else.

Answer: D

Digital signatures offer several features and capabilities, including ensuring that the sender cannot repudiate having used the signature. In addition, nonrepudiation schemes are capable of offering time stamps for the digital signature. Answer A is incorrect because hashing algorithms are used only for integrity purposes and only confirm original content. Answer C is incorrect because a key feature of digital signatures is to provide nonrepudiation.

What is the acronym for the de facto cryptographic message standards developed by RSA Laboratories?

a. PKIX
b. X.509
c. PKCS
d. Both A and C

Answer: C

The Public Key Cryptography Standards (PKCS) are the de facto cryptographic message standards developed and maintained by RSA Laboratories, the Security Division of EMC. PKIX describes the development of Internet standards for X.509-based digital certificates; therefore, answers A, B, and D are incorrect.

To check the validity of a digital certificate, which one of the following would be used?

a. Corporate security policy
b. Certificate policy
c. Certificate revocation list
d. Expired domain names

Answer: C

A certificate revocation list (CRL) provides a detailed list of certificates that are no longer valid. A corporate security policy would not provide current information on the validity of issued certificates; therefore, answer A is incorrect. A certificate policy does not provide information on invalid issued certificates, either; therefore, answer B is incorrect. Finally, an expired domain name has no bearing on the validity of a digital certificate; therefore, answer D is incorrect.

Which of the following is the type of algorithm used by MD5?

a. Block cipher algorithm
b. Hashing algorithm
c. Asymmetric encryption algorithm
d. Cryptographic algorithm

Answer: B

Although the message digest (MD) series of algorithms is classified globally as a symmetric key encryption algorithm, the correct answer is hashing algorithm, which is the method that the algorithm uses to encrypt data. Answer A is incorrect because a block cipher divides the message into blocks of bits. Answer C is incorrect because MD5 is a symmetric key algorithm, not an asymmetric encryption algorithm (examples of this include RC6, Twofish, and Rijndael). Answer D is incorrect because cryptographic algorithm is a bogus term.

Which of the following is a hybrid cryptosystem?

a. PAP
b. MD5
c. RSA
d. GPG

Answer: D

GNU Privacy Guard (GnuPG or GPG) is a hybrid cryptosystem that uses a combination of public key and private key encryption. The incorrect choices are A, B, and C: PAP is a basic form of authentication in which the username and password are transmitted unencrypted, RSA is an asymmetric cipher, and MD5 is a hash.

Which of the following is information that is unlikely to result in a high-level financial loss or serious damage to the organization but still should be protected?

a. Public data
b. Confidential data
c. Sensitive data
d. Private data



Answer: D

Private data is information that is unlikely to result in a high-level financial loss or serious damage to the organization but still should be protected. Answer A is incorrect because the unauthorized disclosure, alteration, or destruction of public data would result in little or no risk to the organization. Answer B is incorrect because confidential data is internal information that defines the way in which the organization operates, and its protection should be high. Answer C is incorrect because sensitive data is treated as confidential data.

Which of the following will help track changes to the environment when an organization needs to keep legacy machines?

a. Virtualization
b. Network storage policies
c. Host software baselining
d. Roaming profiles



Answer: C

Host software baselining records the approved configuration and installed software of a host so that later changes can be detected; it can be done for a variety of reasons, including malware monitoring and creating system images, and it is especially useful for legacy machines that cannot be upgraded or replaced. Generally, the environment needs of an organization fall into a legacy, enterprise, or high-security client category. Answer A is incorrect because virtualization adds a layer of isolation and improves enterprise desktop management and control, with faster deployment of desktops and fewer support calls due to application conflicts, but it does not by itself track changes. Answer B is incorrect because network storage policies have nothing to do with desktop management. Answer D is incorrect because roaming profiles move a user's settings between machines; they neither track changes nor add a layer of security.

Which category of authentication includes smart cards?

a. Something you know
b. Something you have
c. Something you are
d. Something you do
e. Somewhere you are



Answer: B

Something you have includes smart cards, tokens, and keys. Something you know includes account logons, passwords, and PINs, making answer A incorrect. Answers C and D are incorrect because something you are covers physical biometrics (fingerprint, iris, face) and something you do covers behavioral characteristics (typing rhythm, signature dynamics); neither requires an external device such as a smart card or key. Answer E is incorrect because somewhere you are is generally associated with being in a trusted or less trusted location, which could be based on GPS coordinates or IP address.

Which process involves verifying keys as being authentic?

a. Authorization
b. Authentication
c. Access control
d. Verification



Answer: B

Authentication involves the presentation and verification of credentials or keys as being authentic. Answer A is incorrect because authorization involves checking authenticated credentials against a list of authorized security principals. Once checked, resource access is allowed or limited based on access control constraints, making answer C incorrect. Answer D is incorrect because verification of credentials occurs during authentication (as being authentic) and authorization (as being authorized to request resource access) and is not a recognized access control process of its own.

Which of the following uses a secure crypto-processor to authenticate hardware devices such as a PC or laptop?

a. Public key infrastructure
b. Full disk encryption
c. File-level encryption
d. Trusted Platform Module




Answer: D

Trusted Platform Module (TPM) refers to a secure crypto-processor used to authenticate hardware devices such as a PC or laptop. The idea behind TPM is to allow any encryption-enabled application to take advantage of the chip. Answer A is incorrect because public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. Answer B is incorrect because full-disk encryption involves encrypting the operating system partition on a computer and then booting and running with the system drive encrypted at all times. Answer C is incorrect because in file- or folder-level encryption, individual files or folders are encrypted by the file system itself.

Your organization is exploring endpoint data-loss prevention (DLP) solutions. This solution is targeting which of the following data states?

a. In-transit
b. At-rest
c. In-use
d. In-flux




Answer: C

Protection of data in-use is considered an endpoint solution: the DLP agent runs on end-user workstations or servers in the organization and watches what applications and users do with the data. Answer A is incorrect because protection of data in-transit is considered a network solution; a hardware or software sensor is installed near the network perimeter to monitor for and flag policy violations. Answer B is incorrect because protection of data at-rest is considered a storage solution and is generally software that scans how and where confidential data is stored. Answer D is incorrect because there is no such data state.

An organization is looking to add a layer of security and maintain strict control over the apps employees are approved to use. Which of the following fulfills this requirement?

a. Blacklisting
b. Encryption
c. Lockout
d. Whitelisting



Answer: D

Application whitelisting (allow listing) permits only known-good apps and denies everything else by default. When security is a concern, whitelisting applications is the better option because it allows organizations to maintain strict control over the apps employees are approved to use. Answer A is incorrect because blacklisting blocks only apps that are already known to be bad, so anything new, renamed, or repackaged gets through; it is not as effective as whitelisting. Answer B is incorrect because encryption has nothing to do with restricting application usage. Answer C is incorrect because lockout has to do with the number of times a user can enter a passcode.
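Why a name-based blacklist gives weaker control than a hash-based whitelist, as an added Python example (constructed here, not code from the original material): the "binaries" are stand-in byte strings, the approved set and the blocked names are assumptions for the demonstration, and the decision functions show what each approach does with a renamed bad tool, a tampered copy of an approved app, and a brand-new unknown app.

```python
"""Added example: name-based blacklist versus hash-based whitelist."""
import hashlib

# Constructed sample executables: the bytes stand in for executable images.
APPROVED_BINARIES = {
    "calc.exe": b"calc-v1-image",
    "editor.exe": b"editor-v3-image",
}

# Whitelist keyed by the SHA-256 of each approved image, not by file name,
# so renaming or modifying a file changes whether it is allowed.
WHITELIST_HASHES = {
    hashlib.sha256(image).hexdigest() for image in APPROVED_BINARIES.values()
}

# Blacklist of names known to be bad (assumed for the example).
BLACKLIST_NAMES = {"keygen.exe", "cracker.exe"}


def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def blacklist_allows(name: str, image: bytes) -> bool:
    """Default allow: only a known-bad name is refused."""
    return name.lower() not in BLACKLIST_NAMES


def whitelist_allows(name: str, image: bytes) -> bool:
    """Default deny: only an image whose hash is approved may run."""
    return image_hash(image) in WHITELIST_HASHES


def evaluate(name: str, image: bytes) -> dict:
    """Decision of both controls for one candidate executable."""
    return {
        "blacklist": blacklist_allows(name, image),
        "whitelist": whitelist_allows(name, image),
    }


if __name__ == "__main__":
    cases = {
        "approved calc": ("calc.exe", APPROVED_BINARIES["calc.exe"]),
        "keygen renamed to calc.exe": ("calc.exe", b"keygen-image"),
        "tampered editor": ("editor.exe", b"editor-v3-image-with-backdoor"),
        "unknown new tool": ("newtool.exe", b"newtool-image"),
    }
    for label, (name, image) in cases.items():
        print(f"{label}: {evaluate(name, image)}")
```

In every case except the genuinely approved binary the blacklist says "run" and the whitelist says "deny", which is the strict control the question asks for. Real enforcement (Windows AppLocker or WDAC, for instance) usually allows by publisher signature or path as well as hash, which trades some of this strictness for easier patching; the default-deny principle is the same.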

Which of the following methods would be the most effective method to physically secure computers that are used in a lab environment that operates on a part-time basis?

a. Security cables
b. Server cages
c. Locked cabinet
d. Hardware dongle



Answer: C

A locked cabinet is the right choice for equipment that is not used, or does not have to be physically accessed, on a regular daily basis. Vendors provide solutions such as a security cabinet locker that secures CPU towers, with housing made of durable, heavy-duty steel. Answer A is incorrect because security cables with combination locks are easy to use but are used mostly to secure laptops and leave the equipment exposed. Answer B is incorrect because PC Safe tower and server cages are designed to bolt to the floor and are meant for an environment that is static. Answer D is incorrect because a hardware dongle is used for license enforcement, not physical security.

Which of the following is an attack in which the end user executes unwanted actions on a web application while he is currently authenticated?

a. Buffer overflow
b. Input validation error
c. Cross-site scripting
d. Cross-site request forgery




Answer: D

Cross-site request forgery (XSRF, also written CSRF) is an attack in which an attacker causes an authenticated user's browser to send requests the user did not intend, and the web application honors them because the browser automatically attaches the user's session cookie. Answer A is incorrect because a buffer overflow is a memory-safety flaw that results from poor or incorrect input validation or mishandled exceptions. Answer B is incorrect because input validation errors are a result of improper field checking in the code. Answer C is incorrect because cross-site scripting (XSS) injects attacker-controlled script into a page served to the victim; it can be used to hijack the user's session or to make the browser of a user visiting tainted Site A attack Site B on the attacker's behalf, but it is a script-injection flaw rather than a forged request.
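The forged request and the usual fix, as an added Python example (constructed for this page, not code from the original material). A vulnerable transfer handler trusts the session cookie alone, so a form auto-submitted from an attacker's site succeeds; the protected handler also requires a per-session synchronizer token that is rendered into the application's own forms and that a cross-site page cannot read. The session store, the request shape, and the endpoint behaviour are all assumptions made for the demonstration.

```python
"""Added example: CSRF-vulnerable handler beside a synchronizer-token fix."""
import hmac
import secrets
from dataclasses import dataclass

# Constructed server-side session store: session id -> session data.
SESSIONS: dict = {}


def login(user: str) -> str:
    """Create a session and return the cookie value the browser will store.
    A fresh CSRF token is bound to the session at login."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(16)}
    return sid


@dataclass
class Request:
    cookies: dict  # attached automatically by the browser on every request
    form: dict     # POST body, controlled by whoever authored the form


def transfer_vulnerable(req: Request) -> str:
    """Acts on the session cookie alone: any site that can make the victim's
    browser POST here gets the transfer performed as the victim."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return "401 not logged in"
    return f"200 moved {req.form['amount']} from {session['user']} to {req.form['to']}"


def transfer_protected(req: Request) -> str:
    """Same handler, but the form must carry the token bound to the session.
    Constant-time comparison avoids leaking the token through timing."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return "401 not logged in"
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return "403 missing or invalid CSRF token"
    return f"200 moved {req.form['amount']} from {session['user']} to {req.form['to']}"


def forged_request(sid: str) -> Request:
    """What the victim's browser sends when a page on attacker.example
    auto-submits a hidden form: the application cookie rides along, but the
    attacker cannot read the token rendered into the real application's pages."""
    return Request(cookies={"sid": sid}, form={"to": "attacker", "amount": "1000"})


def legitimate_request(sid: str) -> Request:
    """The application's own form includes the token as a hidden field."""
    token = SESSIONS[sid]["csrf_token"]
    return Request(
        cookies={"sid": sid},
        form={"to": "landlord", "amount": "900", "csrf_token": token},
    )


if __name__ == "__main__":
    sid = login("alice")
    print("vulnerable, forged:  ", transfer_vulnerable(forged_request(sid)))
    print("protected, forged:   ", transfer_protected(forged_request(sid)))
    print("protected, legitimate:", transfer_protected(legitimate_request(sid)))
```

Modern frameworks add the `SameSite` cookie attribute and origin checks on top of the token; the token remains the portable defence because it works regardless of browser support for those attributes.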

The organization is concerned about vulnerabilities in commercial off-the-shelf (COTS) software. Which of the following might be the only means of reviewing the security quality of the program?

a. Fuzzing
b. Cross-Site Scripting
c. Input validation
d. Cross-site request forgery



Answer: A

When the source code is not available, as is usual with COTS software, fuzzing (feeding the program malformed or random input and watching for crashes, hangs, or other misbehavior) might be the only means of reviewing the security quality of the program. Answer B is incorrect because cross-site scripting (XSS) is a vulnerability, not a review technique; it can be used to hijack the user's session or to make the browser of a user visiting tainted Site A attack Site B on the attacker's behalf. Answer C is incorrect because input validation is a defensive coding practice that tests whether an application properly handles input from a source outside the application before internal processing. Answer D, cross-site request forgery (XSRF), is an attack in which the end user executes unwanted actions on a web application while she is currently authenticated.

Which of the following are not methods for minimizing a threat to a web server? (Choose the two best answers.)

a. Disable all nonweb services
b. Ensure Telnet is running
c. Disable nonessential services
d. Enable logging



Answer: B & D.

Having Telnet enabled presents security issues, because credentials and session data travel in the clear, and it is not a method for minimizing threat. Logging is important for secure operations and is invaluable when recovering from a security incident, but it detects and records activity rather than reducing the attack surface, so it is not a primary method for reducing threat either. Answer A is incorrect because disabling all nonweb services does minimize threats to a web server. Answer C is incorrect because each network service carries its own risks; therefore, it is important to disable all nonessential services.

What is the name given to the activity that consists of collecting information that will be later used for monitoring and review purposes?

a. Logging
b. Auditing
c. Inspecting
d. Vetting


Answer: A

Logging is the process of collecting data to be used for monitoring and auditing purposes. Auditing is the process of verification that normally involves going through log files; therefore, answer B is incorrect. Typically, the log files are frequently inspected, and inspection is not the process of collecting the data; therefore, answer C is incorrect. Vetting is the process of thorough examination or evaluation; therefore, answer D is incorrect.

Which of the following is a coordinated effort in which multiple machines attack a single victim or host with the intent to prevent legitimate service?

a. DoS
b. Masquerading
c. DDoS
d. Trojan horse



Answer: C

A distributed denial of service (DDoS) attack is similar to a denial-of-service (DoS) attack in that they both try to prevent legitimate access to services. However, a DDoS attack is a coordinated effort among many computer systems; therefore, answer A is incorrect. Masquerading involves using someone else's identity to access resources; therefore, answer B is incorrect. A Trojan horse is a program used to perform hidden functions; therefore, answer D is incorrect.

A user has downloaded trial software and subsequently downloads a key generator in order to unlock the trial software. The user's antivirus detection software now alerts the user that the system is infected. Which one of the following best describes the type of malware infecting the system?

a. Logic bomb
b. Trojan
c. Adware
d. Worm



Answer: B

Trojans are programs disguised as something useful that carry a hidden malicious payload. In this instance, the user was likely trying to crack software illegally and, in the process, ran a "key generator" that infected the system with malware. Although answers A, C, and D are types of malware, none of them is delivered by posing as a useful program in the way described, so they are not the best choices.

Which rule of evidence within the United States involves Fourth Amendment protections?

a. Admissible
b. Complete
c. Reliable
d. Believable



Answer: A

Admissibility involves collecting data in a manner that ensures its viability in court, including legal requirements such as the Fourth Amendment protections against unlawful search and seizure. Answers B and C are incorrect because data must be collected completely and protected against modification to ensure reliability, but these are not concerns of the Fourth Amendment. Answer D is incorrect because believability focuses on evidence being understandable, documented, and not subject to modification during transition.

Which of the following is not a principal concern for first responders to a hacking incident within a corporation operating in the United States?

a. Whether EMI shielding is intact
b. Whether data is gathered properly
c. Whether data is protected from modification
d. Whether collected data is complete



Answer: A

EMI shielding is important for protecting data and services against unauthorized interception as well as interference, but it is not a principal concern for first responders following an incident. First responders must ensure that data is collected correctly and protect it from modification using proper controls that establish a clear chain of custody, making answers B and C incorrect. Answer D is incorrect because a first responder might be the only agent able to ensure that all data is collected before it is lost to the volatility of storage.

_______ describes the potential that a weakness in hardware, software, process, or people will be identified and taken advantage of.

a. Vulnerability
b. Exploit
c. Threat
d. Risk



Answer: C

A threat is the potential that a vulnerability will be identified and exploited. Answer A is incorrect because a vulnerability is the weakness itself and not the likelihood that it will be identified and exploited. Answer B is incorrect because an exploit is the mechanism of taking advantage of a vulnerability rather than its likelihood of occurrence. Answer D is incorrect because risk is the likelihood that a threat will occur and the measure of its effect.

Which of the three principles of security is supported by an iris biometric system?

a. Confidentiality
b. Integrity
c. Availability
d. Vulnerability



Answer: A

Confidentiality involves protecting against unauthorized access, which biometric authentication systems support. Integrity is concerned with preventing unauthorized modification, making answer B incorrect. Answer C is not correct because availability is concerned with ensuring that access to services and data is protected against disruption. Answer D is incorrect because a vulnerability is a failure in one or more of the C-I-A principles.

When troubleshooting SSL, which two layers of the OSI model are of most value?

a. Application layer and presentation layer
b. Presentation layer and session layer
c. Application layer and transport layer
d. Physical layer and data link layer



Answer: C

SSL (and its successor TLS) sits between the application layer and the transport layer: it is carried over TCP, and it in turn carries application protocols such as HTTP, so those two layers are where troubleshooting happens (TCP connectivity on one side, the handshake, certificate, and application request on the other). Answer A is incorrect because SSL operates below the presentation layer. Answer B is incorrect because the Secure Sockets Layer itself effectively fills the role of these OSI model layers, so they add nothing to troubleshooting. Answer D is incorrect because the physical and data link layers are far below the level at which SSL operates.

At which layer of the OSI model does the Internet Protocol Security protocol function?

a. Network layer
b. Presentation layer
c. Session layer
d. Application layer



Answer: A

IPsec validation and encryption function at the network layer of the OSI model. Answers B, C, and D are incorrect because IPsec functions at a lower level of the OSI model.

You have recently had security breaches in the network. You suspect they might be coming from a telecommuter's home network. Which of the following devices would you use to require a secure method for employees to access corporate resources while working from home?

a. A router
b. A VPN concentrator
c. A firewall
d. A network-based IDS



Answer: B

A VPN concentrator allows multiple users to access network resources over encrypted, authenticated tunnels using secure features built in to the device; it is deployed where a single device must handle a very large number of VPN tunnels. Answer A is incorrect because a router forwards information to its destination on the network or the Internet. A firewall protects computers and networks from undesired access by the outside world but does not provide secure remote access; therefore, answer C is incorrect. Answer D is incorrect because a network-based intrusion-detection system monitors the packet flow and tries to locate packets that are not allowed for one reason or another and might have gotten through the firewall.

You want to implement a technology solution for a small organization that can function as a single point of policy control and management for access to Internet content. Which of the following should you choose?

a. Proxy gateway
b. Circuit-level gateway
c. Application-level gateway
d. Web security gateway



Answer: D

Web security gateways offer a single point of policy control and management for web-based content access. Answer A is incorrect because "proxy gateway" is too generic to be a proper answer. Answer B is incorrect because a circuit-level gateway makes its decisions based on source and destination addresses and the state of the connection, not on content. Answer C is incorrect because an application-level gateway understands individual services and protocols but is not a single point of content policy management.

Which of the following is a network protocol that supports file transfers and is a combination of RCP and SSH?

a. HTTPS
b. FTPS
c. SFTP
d. SCP



Answer: D

The Secure Copy Protocol (SCP) is a network protocol that supports file transfers. SCP is a combination of RCP and SSH: it uses the BSD RCP protocol tunneled through the Secure Shell (SSH) protocol to provide encryption and authentication. Answer A is incorrect because HTTPS is used for secured web-based communications. Answer B is incorrect because FTPS, also known as FTP Secure and FTP-SSL, is an FTP extension that adds support for TLS and SSL. Answer C is incorrect because SFTP (SSH File Transfer Protocol) is a separate file-transfer protocol that runs over SSH rather than a wrapper around RCP; unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network.

What is the recommended range of humidity level according to the ASHRAE?

a. 10% to 20%
b. 30% to 40%
c. 40% to 55%
d. 55% to 65%



Answer: C

The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) recommends optimal humidity levels in the 40% to 55% range, making answers A, B, and D incorrect. Very low levels of humidity can promote the buildup of electrostatic charges that can harm sensitive electronic components. Very high levels of humidity can promote condensation on chilled surfaces and introduce liquid into operating equipment.

Which of the following serves the purpose of trying to lure a malicious attacker into a system?

a. Honeypot
b. Pot of gold
c. DMZ
d. Bear trap


Answer: A

A honeypot is used to serve as a decoy and lure a malicious attacker. Answers B and D are incorrect answers and are not legitimate terms for testing purposes. Answer C is incorrect because a demilitarized zone (DMZ) is an area between the Internet and the internal network.

Which of the following methods is the most effective way to physically secure laptops that are used in an environment such as an office?

a. Security cables
b. Server cages
c. Locked cabinet
d. Hardware dongle



Answer: A

Security cables with combination locks provide this security and are easy to use; they are used mostly to secure laptops, which stay in place and in use, though the equipment remains exposed. Answer B is incorrect because PC Safe tower and server cages are designed to bolt to the floor and are meant for an environment that is static. Answer C is incorrect because a locked cabinet is an alternative for equipment that is not used, or does not have to be physically accessed, on a regular daily basis; vendors provide solutions such as a security cabinet locker that secures CPU towers, with housing made of durable, heavy-duty steel. Answer D is incorrect because a hardware dongle is used for license enforcement, not physical security.

If Sally wants to send a secure message to Mark using public key encryption but is not worried about sender verification, what does she need in addition to her original message text?

a. Sally's private key
b. Sally's public key
c. Mark's private key
d. Mark's public key


Answer: D


Sally needs Mark's public key to encrypt her original message in a form that only Mark can decrypt. Neither of Sally's keys is needed because the originator does not need to be validated, making answers A and B incorrect. Answer C is incorrect because Mark's private key is used for decrypting the encrypted message to reveal Sally's original message.
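How Sally's message reaches Mark in practice, as an added Python example that serves both this question and the earlier hybrid-cryptosystem (GPG) question; it is constructed for this page and is not GnuPG's code. A fresh symmetric session key encrypts the message body, Mark's public key wraps that session key, and only Mark's private key unwraps it; Sally's own keys are never used, because no sender verification is wanted. The RSA pair uses two small Mersenne primes so the arithmetic stays visible, and the body cipher is a SHA-256 keystream with an HMAC tag standing in for AES; a real system uses large primes, OAEP padding, and an authenticated cipher such as AES-GCM.

```python
"""Added example: toy hybrid encryption (public-key wrap of a session key)."""
import hashlib
import hmac
import secrets

# Constructed toy RSA key pair for Mark.  Mersenne primes 2^61-1 and 2^89-1
# give a ~150-bit modulus, enough to wrap a 128-bit key but far too small
# for real use, and textbook RSA without padding is for demonstration only.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
MARK_PUBLIC_KEY = (N, E)    # published: what Sally needs
MARK_PRIVATE_KEY = (N, D)   # held only by Mark
SESSION_KEY_LEN = 16        # 128-bit session key


def rsa_wrap(session_key: bytes, public_key) -> int:
    """Encrypt the session key to the recipient's public key."""
    n, e = public_key
    m = int.from_bytes(session_key, "big")
    assert m < n, "key must be smaller than the modulus"
    return pow(m, e, n)


def rsa_unwrap(wrapped: int, private_key) -> bytes:
    """Recover the session key with the recipient's private key."""
    n, d = private_key
    return pow(wrapped, d, n).to_bytes(SESSION_KEY_LEN, "big")


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (stand-in for a block cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_encrypt(key: bytes, plaintext: bytes):
    """Encrypt-then-MAC: XOR with the keystream, then tag nonce||ciphertext."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def symmetric_decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def hybrid_encrypt(message: bytes, recipient_public_key) -> dict:
    """Sally's side: needs only the message and Mark's public key."""
    session_key = secrets.token_bytes(SESSION_KEY_LEN)
    nonce, ct, tag = symmetric_encrypt(session_key, message)
    return {
        "wrapped_key": rsa_wrap(session_key, recipient_public_key),
        "nonce": nonce, "ciphertext": ct, "tag": tag,
    }


def hybrid_decrypt(envelope: dict, recipient_private_key) -> bytes:
    """Mark's side: private key unwraps the session key, which opens the body."""
    session_key = rsa_unwrap(envelope["wrapped_key"], recipient_private_key)
    return symmetric_decrypt(session_key, envelope["nonce"],
                             envelope["ciphertext"], envelope["tag"])


def roundtrip(message: bytes) -> bytes:
    return hybrid_decrypt(hybrid_encrypt(message, MARK_PUBLIC_KEY), MARK_PRIVATE_KEY)


def tamper_detected(message: bytes) -> bool:
    """Flip one ciphertext bit in transit; the tag check must reject it."""
    env = hybrid_encrypt(message, MARK_PUBLIC_KEY)
    ct = bytearray(env["ciphertext"])
    ct[0] ^= 0x01
    env["ciphertext"] = bytes(ct)
    try:
        hybrid_decrypt(env, MARK_PRIVATE_KEY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(roundtrip(b"Meet at noon."))      # constructed sample message
    print(tamper_detected(b"Meet at noon."))
```

If Sally also wanted Mark to verify the sender, she would additionally sign the message (or the envelope) with her own private key, which is the piece the question explicitly leaves out.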

What is the name given to the system of digital certificates and certificate authorities used for public key cryptography over networks?

a. Protocol key instructions (PKI)
b. Public key extranet (PKE)
c. Protocol key infrastructure (PKI)
d. Public key infrastructure (PKI)


Answer: D

Public key infrastructure describes the trust hierarchy system for implementing a secure public key cryptography system over TCP/IP networks. Answers A, B, and C are incorrect because these are bogus terms.