(ISC)² CISSP

The document contains 11 multiple choice questions about cybersecurity topics such as digital signatures, data custodians, domain controllers, identification, lock picking techniques, known-plaintext attacks, secure boot, ethernet cabling categories, cybersecurity training strategies, and mobile device security policies.

Uploaded by Editor X

Question 1

Which of the following keys is used to create a digital signature?


A
Public key of the sender
B
Private key of the sender
C
Public key of the receiver
D
Private key of the receiver

Explanation Details

Correct answer: Private key of the sender

A digital signature is a hash of the message that is encrypted with the sender's private key. The receiver
can decrypt the hash using the sender's public key. Since the sender is the only entity with a copy of the
private key, digital signatures are used to sign documents and verify the sender's identity. Digital
signatures assure the recipient that the message has not been tampered with during transmission by
comparing the decrypted hash with the hash generated by the receiver.
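The sign-with-private-key, verify-with-public-key flow described above, as an added example that is not part of the original question bank. It uses textbook RSA with two small Mersenne primes chosen here for illustration (a constructed toy key, with no padding scheme), so the arithmetic is visible in a few lines; production signatures use large keys and a padding scheme such as RSA-PSS. The receiver recomputes the hash of what it received and compares it with the hash recovered from the signature, which is how tampering is detected.

```python
import hashlib

# Toy RSA parameters, constructed for illustration only: two Mersenne primes
# giving a ~150-bit modulus, far too small for real use.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (modular inverse, Python 3.8+)

SENDER_PUBLIC_KEY = (N, E)
SENDER_PRIVATE_KEY = (N, D)


def digest_as_int(message: bytes) -> int:
    """Hash the message and map the digest into the modulus range."""
    h = hashlib.sha256(message).digest()
    return int.from_bytes(h[:16], "big")  # 128 bits, always below N


def sign(private_key, message: bytes) -> int:
    """Sender: hash the message and 'encrypt' the hash with the private key."""
    n, d = private_key
    return pow(digest_as_int(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Receiver: 'decrypt' the signature with the sender's public key and
    compare the recovered hash with a fresh hash of the received message."""
    n, e = public_key
    recovered = pow(signature, e, n)
    return recovered == digest_as_int(message)


def demo():
    """Returns (verification of the genuine message, verification of a tampered copy)."""
    msg = b"Transfer 100 units to account 42"  # constructed sample message
    sig = sign(SENDER_PRIVATE_KEY, msg)
    ok = verify(SENDER_PUBLIC_KEY, msg, sig)
    tampered = verify(SENDER_PUBLIC_KEY, b"Transfer 900 units to account 42", sig)
    return ok, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Only the holder of D can produce a value whose E-th power modulo N equals the message hash, which is why the signature binds the sender's identity to that exact message.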

Question 2

Of the following, a Data Custodian is LEAST LIKELY to do what?


A
Record user activities involving the data
B
Classify data
C
Set access permissions
D
Backup the data

Explanation Details

Correct answer: Classify data


Data Custodians generally don’t classify data. The Data Owner is responsible for data classification.

Data Custodians are responsible for maintaining the data and ensuring its availability for the data owner.
Data Custodians are responsible for backing up data.

Question 3

In Microsoft Active Directory, what is the name given to the overall authority of the domain in
which anyone logging in must be authenticated?
A
Authenticator
B
Domain controller
C
Administrator
D
Supplicant

Explanation Details

Correct answer: Domain controller

A domain controller is what a user must authenticate with in Microsoft Active Directory. The domain
controller checks the credentials entered by the user to ensure they match what is stored within the
directory.

Administrator is the name of the main account, typically used to first set up the directory. A supplicant
and authenticator work together in LAN networks to ensure anyone joining has the proper authorization
and can authenticate prior to entry.

Question 4

Jim is a quality assurance manager for a machine shop. He logs in to his workstation using a
username and password. What BEST describes the role of the username?
A
Authentication
B
Identification
C
Accountability
D
Authorization

Explanation Details

Correct answer: Identification

Identification is the process of a subject claiming, or professing, an identity. A subject must provide an
identity to a system to start the authentication, authorization, and accountability processes. Providing an
identity might entail typing a username, swiping a smart card, waving a token device, speaking a phrase,
etc.

In this scenario, the username provides the user's identification, and the password provides
authentication.

Question 5

Ramesh is a penetration tester and has been hired to assess a facility's physical access controls. He
successfully picks a door lock. Of the following, what BEST describes picking?
A
Manipulating cylinder pins to open the lock
B
Applying enough tension to the cylinder that it causes the pins to shear
C
Re-creating a key by analyzing the bite marks left by a lock on a blank key
D
Wedging material between the shackle and the locking mechanism

Explanation Details

Correct answer: Manipulating cylinder pins to open the lock


Picking is the process of manipulating the cylinder pins to allow the attacker to open the lock. Picking
exploits mechanical imperfections that allow the attacker to set each pin one at a time by applying
tension to the cylinder.

Shimming is wedging material between the shackle and the locking mechanism. Impressioning is re-creating
a key by analyzing the bite marks left by a lock on a blank key. Brute force is applying enough
tension to the cylinder that it causes the pins to shear.

Question 6

The idea that a cryptographic system should be secure, even if the public knows everything about
the system except the key, is called what?
A
Kerckhoffs's principle
B
Crypto methodology
C
Nonrepudiation
D
Cryptanalysis

Explanation Details

Correct answer: Kerckhoffs's principle

Kerckhoffs's principle is often described as "the enemy knows the system." It assumes that everything
about a cryptographic system is public knowledge except for the key. This has the benefit of validating
an algorithm by the broader security community instead of relying on the insiders who created the
algorithm. This assumption can also discourage people from neglecting to secure the keys through a
false sense of security.

Cryptanalysis is incorrect because it is the study of beating codes and ciphers. Crypto methodology is a
fabricated answer. Nonrepudiation is incorrect because it is the assurance that a message originated from
the sender and not a masquerader.
Question 7

Which of the following BEST describes a known-plaintext attack?


A
When the attacker tries to reverse engineer the encryption process using cipher text
B
When an attacker already knows a portion of the plaintext
C
When an attacker already knows a portion of the decryption key
D
When the decryption key is used more than once

Explanation Details

Correct answer: When an attacker already knows a portion of the plaintext

A known-plaintext attack is an attack model for cryptanalysis where the attacker has samples of both the
plaintext and its encrypted version. Knowing a portion of the message can help decrypt the remainder of
the cipher text. This was exploited by the Allies during World War II. The Allies knew that the last part of
German-transmitted messages always contained the words "Heil Hitler." The Germans also included a
standard weather report in the same location of every transmission. This vulnerability in the German
code procedures is one of the reasons the Allies were able to crack the German Enigma codes.

Question 8

Which of the following describes an optional UEFI feature that prevents unsigned software and
option ROMs from executing during the boot process?
A
Immutable architecture
B
Secure boot
C
Flashing
D
Fail securely
Explanation Details

Correct answer: Secure boot

Secure boot is an optional UEFI (Unified Extensible Firmware Interface) feature that prevents unsigned
software and option ROMs from executing during the boot process. Secure boot ensures that only
trusted operating system bootloaders are loaded, while preventing rootkits and similar malicious
software.

Flashing is the term commonly used to describe the process of updating UEFI, BIOS, or firmware.
Immutable architecture refers to an architecture management approach that relies on cloned device
templates to deliver a standardized environment. Fail securely is a secure design principle that directs
developers to consider the security implications of exceptions (errors) in their code and incorporate error
handling routines that manage them, to preserve the security of the application (and the data accessible
through it). None of these, however, directly relate to security during the boot process.

Question 9

Sarah is an IT helpdesk technician performing a computer installation. What is the
RECOMMENDED minimum twisted-pair category she should use for a 1Gbps Ethernet
connection?
A
Category 1
B
Category 4
C
Category 5e
D
Category 7

Explanation Details

Correct answer: Category 5e

Category 5e (CAT5e) is the recommended minimum to be used for 1Gbps networks. At a technical
level, a 1Gbps connection is possible using Category 5 (CAT5); however, electromagnetic interference (EMI) and
crosstalk are more likely to occur, and it is not recommended.

Category 4 is incorrect because it is used for token rings up to 20 MBps. Category 7 is incorrect because
it is used for 10 gigabit Ethernet for data up to 10Gbps up to 100 meters. Category 1 is incorrect because
it is used for voice.

Question 10

Management of Maple Leaf Industries would like to focus heavily on cybersecurity training for all
employees. The company understands what threats are most common in its industry, is confident
about its ability to convey knowledge in an understandable fashion, and will strive to ensure all
employees complete the training.

What is one strategy not mentioned, which is MOST likely to help make this program effective?
A
Training frequently
B
Relying more on technical controls and less on education
C
Investing a lot of money
D
Hands-on training
Explanation Details

Correct answer: Training frequently

Training employees frequently will ensure better security for the organization as a whole. Generally
speaking, employees are the greatest threat to an organization. This is usually due to accidents, lack of
knowledge, and specifically, cyberattacks such as phishing attempts that could be thwarted with regular
education.

Investing a lot of money may help, but at some point the return on investment won't be great if
employees aren't trained on how to use new devices and misconfigure them anyway. Even when
configured properly, employees could still allow for attacks that the newest equipment may have been
purchased to prevent. Understanding how to use tools and how to avoid becoming victims involves
knowing both the technical and human sides to security. It's just as important to avoid becoming a
victim of a phishing attack as it is to understand how to properly configure a firewall.
Question 11

When creating a mobile device security policy, what type of application reduces the risk of stolen
data when the device is lost?
A
Antivirus
B
GPS tracking
C
Remote wiping
D
Proper device labeling

Explanation Details

Correct answer: Remote wiping

Remote wiping allows an administrator to delete information from a mobile device remotely. When a
device is lost or stolen, the administrator can send a command that initiates a wipe of data on the device.
However, this data can be quickly recovered if it was not encrypted before the remote wipe. Data on a
mobile device should be encrypted, and the remote wipe destroys the decryption key.

Antivirus helps prevent data theft, but it does not help prevent breaches when the device is lost.
GPS tracking and labeling are security processes that help IT keep track of a device's location.

Question 12

Identify the BEST control an organization might establish to increase security.


A
Random desk inspections
B
Frequent drug testing
C
Mandatory vacations and job rotation
D
Decrease in salary for causing security events

Explanation Details

Correct answer: Mandatory vacations and job rotation

The purpose of job rotation and mandatory vacations is to act as a deterrent and a detection tool. If one
knows that someone will be taking over their job functions soon, they are less likely to participate in
fraudulent activities. If someone does do something fraudulent, job rotation increases the likelihood it
will be discovered.

• A decrease in salary for causing security events will only keep people from coming forward if
there is a security event.
• Random desk inspections are not as effective as mandatory vacations and job rotation.
• Frequent drug testing only detects a particular character flaw that may or may not impact the
organization negatively. It's not as effective as mandatory vacations and job rotation.

Question 13

When a system crashes, and processing is moved to a redundant system, this action is BEST called
what?
A
Failover
B
Crossover
C
Swapover
D
Switchover

Explanation Details

Correct answer: Failover

Failover refers to any scenario in which standby equipment automatically takes over when the primary
system fails. Critical servers are often placed behind load balancers that use health checks, also known
as heartbeats, to verify the servers are still functioning correctly. If the load balancer detects a fault, it
will redirect traffic to a different server in the cluster or farm. Having failover in place helps to reduce
the impact of failures or disasters on a business.

Question 14

Prior to processing, form inputs on a website are filtered for certain content such as "1=1" and
"<SCRIPT>". What web application security technique is this an example of?
A
Cross-site scripting
B
Output encoding
C
Input validation
D
Request forgery

Explanation Details

Correct answer: Input validation

The filtering of certain content such as "1=1" and "<SCRIPT>" from form inputs prior to processing is
an example of input validation. Input validation is an application security technique used to ensure that
actual input is aligned to the input expected for a particular field, before it is processed. Such validation
does not just consider field type (e.g., that a date field follows the structure and format of a date
mm-dd-yyyy) but also field data (e.g., the lack of strings such as "1=1" and "<SCRIPT>", which could be used
to inject malicious code, if processed).

Output encoding is an application security technique used to ensure that certain characters within form
inputs are processed as data and not potentially misinterpreted as programming syntax (which could
similarly be used to inject malicious code, if processed). The conversion of certain characters within
form inputs (e.g., ') into their HTML character entity reference equivalents (e.g., &apos;) prior to
processing is an example of output encoding. Cross-site scripting and request forgery are both types of
web application attacks that can result from weak input validation and/or output encoding.
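
Both techniques from this explanation side by side, as an added example that is not part of the original question bank. Input validation checks the date field against the mm-dd-yyyy structure (an allow list) and rejects the two strings the question names (a deny list, which only complements the allow list); output encoding converts the same characters into HTML entities so the browser renders them as text. The field names and the `validate_form` helper are constructed for the example; note that Python's `html.escape` emits the numeric entity `&#x27;` for an apostrophe rather than the named `&apos;`.

```python
import html
import re

# Allow-list validation: the date field must have the mm-dd-yyyy structure.
DATE_RE = re.compile(r"^(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01])-\d{4}$")

# Deny-list check for the strings the question names. On its own a deny list
# is easy to bypass; it is a secondary check behind the allow list above.
SUSPICIOUS = ("1=1", "<script")


def validate_date_field(value: str) -> bool:
    """True only when the value is shaped like a date (field type check)."""
    return DATE_RE.fullmatch(value) is not None


def looks_injected(value: str) -> bool:
    """True when the value contains one of the disallowed strings (field data check)."""
    lowered = value.lower()
    return any(token in lowered for token in SUSPICIOUS)


def validate_form(form: dict) -> dict:
    """Validate before processing. Returns {field: error}; empty dict means the form passed."""
    errors = {}
    if not validate_date_field(form.get("birth_date", "")):
        errors["birth_date"] = "must be a date in mm-dd-yyyy form"
    if looks_injected(form.get("comment", "")):
        errors["comment"] = "contains disallowed content"
    return errors


def encode_for_html(value: str) -> str:
    """Output encoding: & < > \" and ' become entities, so the value renders as data, not markup."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    print(validate_form({"birth_date": "12-25-2023", "comment": "Looks good"}))  # {}
    print(validate_form({"birth_date": "1=1", "comment": "<SCRIPT>x</SCRIPT>"}))
    print(encode_for_html("O'Brien <b>"))  # O&#x27;Brien &lt;b&gt;
```

Validation rejects input that does not match what the field expects; encoding neutralises whatever is accepted at the point where it is rendered. Relying on only one of the two is the weakness the last sentence of the explanation refers to.
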
Question 15

When testing vulnerabilities that an insider may exploit, what type of vulnerability or penetration
test will MOST LIKELY find or exploit those vulnerabilities?
A
Black box testing
B
Gray box testing
C
Red box testing
D
White box testing

Explanation Details

Correct answer: White box testing

White box testing gives the vulnerability scanner or penetration tester complete knowledge and access to
the network's inner workings. This is more likely to find and exploit vulnerabilities used by insider
threats.

Black box testing is incorrect because the vulnerability scanner or penetration tester does not know the
network's inner workings. Gray box testing is incorrect because the vulnerability scanner or penetration
tester is only provided with limited knowledge or access to a network. Red box testing is a fabricated
term.

Question 16

When building a wiring closet, what is MOST LIKELY the biggest security threat to consider?
A
Natural disasters
B
Phishing
C
Social engineering
D
Physical unauthorized access

Explanation Details

Correct answer: Physical unauthorized access

Wiring closets are the central storage areas for hardware, including routers, switches, cables, patch
panels, and (sometimes) computer equipment. Wiring closets should be secured using physical security
such as locks, swipe card access on the doors, and video surveillance. Just one snipped cable can cause
severe network outages.

Question 17

Which of the following access control models relies on classification labels, where each label
represents a security domain?
A
Mandatory Access Control (MAC)
B
Role-Based Access Control (RBAC)
C
Attribute-Based Access Control (ABAC)
D
Discretionary Access Control (DAC)

Explanation Details

Correct answer: Mandatory Access Control (MAC)

A system that employs Mandatory Access Control (MAC) uses classifications and labels to define user
access. Every resource is classified with a label, and users cannot access resources unless they have an
equal or greater clearance level. MAC is widely used in government and military environments. MAC is
often referred to as a lattice-based model because it looks like a garden lattice with well-defined
boundaries when it is represented on paper.
Discretionary Access Control (DAC) allows the Data Owner to control and define access to objects.
Role-Based Access Control (RBAC) maps a subject’s role with their needed operations and tasks.
Attribute-Based Access Control (ABAC) makes decisions based on attributes of the subject, object, or
actions.

Question 18

Pretty Good Privacy (PGP) uses which of the following to encrypt data?
A
Redundant scheme
B
Symmetric scheme
C
Asymmetric scheme
D
Hashing

Explanation Details

Correct answer: Symmetric scheme

Pretty Good Privacy (PGP) is a hybrid cryptosystem that uses the International Data Encryption
Algorithm (IDEA) to encrypt the data. PGP uses a web of trust instead of a traditional Public Key
Infrastructure (PKI). The commercial version uses RSA and the free version uses the Diffie-Hellman
key exchange.

Question 19

Of the following, which is one of the first steps while conducting a Business Impact Analysis
(BIA)?
A
Calculating the ALE
B
Identifying the organization's critical business functions
C
Identifying risks
D
Calculating the maximum tolerable downtime

Explanation Details

Correct answer: Identifying the organization's critical business functions

One of the first Business Impact Analysis (BIA) tasks should be identifying the organization's critical
business functions. The priority identification task, or criticality prioritization, involves creating a
comprehensive list of critical business functions and ranking them in order of importance.

Question 20

Which of the following is a legitimate disadvantage of a host-based intrusion detection system
(HIDS)?
A
The host-based intrusion detection system (HIDS) can be configured for every host monitored
B
The host-based intrusion detection system (HIDS) is an old computing system
C
A host-based intrusion detection system (HIDS) is unable to detect anomalies across an entire network
D
A host-based intrusion detection system (HIDS) is only suited for threats that target an entire network

Explanation Details

Correct answer: A host-based intrusion detection system (HIDS) is unable to detect anomalies across an
entire network

A host-based intrusion detection system (HIDS) only monitors individual computers. It monitors the
computer’s system logs, processes, requests, and application activity. It can examine events in more
detail for each individual computer than a Network-based Intrusion Detection System (NIDS). HIDSs
are unable to detect anomalies that occur on other systems on the network.
Question 21

What BEST defines a birthday attack?


A
A social engineering attack that tricks someone into divulging information after being told they have
won a prize for their birthday
B
Sending fragmented IP packets with oversized payloads
C
A higher likelihood of hash collisions
D
Spoofing the source IP address with the victim's address and flooding the broadcast address with ICMP
requests

Explanation Details

Correct answer: A higher likelihood of hash collisions

A birthday attack exploits a mathematical principle on probability. This is known as the mathematical
birthday paradox. For example, consider the scenario where a teacher with 30 students asks for
everybody's birthday. If the teacher picks a specific day (say, 5th of October), the odds that at least
one student was born on that particular day are small, around 8%. However, the probability that at least
one student has the same birthday as any other student is about 70%.

This same paradox can be used to find two passwords that produce the same hash value. This is known
as a hash collision.
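The two probabilities from the classroom example and the hash-collision consequence, as an added example that is not part of the original question bank. The first two functions compute the "specific day" and "any shared birthday" odds for 30 people exactly; `find_collision` then applies the same idea to a hash by truncating SHA-256 to a small number of bits (a constructed stand-in for a weak, short hash) and hashing distinct inputs until two collide, which takes roughly 2**(bits/2) attempts rather than 2**bits.

```python
import hashlib
import itertools

DAYS = 365


def p_specific_day(people: int) -> float:
    """Probability that at least one of `people` was born on one chosen date."""
    return 1 - ((DAYS - 1) / DAYS) ** people


def p_any_shared(people: int) -> float:
    """Probability that some pair among `people` shares a birthday (the paradox)."""
    no_match = 1.0
    for i in range(people):
        no_match *= (DAYS - i) / DAYS   # i-th person avoids all i earlier birthdays
    return 1 - no_match


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits: a deliberately small output space."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int):
    """Hash distinct constructed inputs until two give the same truncated digest.
    Returns (input_a, input_b, attempts). With a 16-bit output the expected
    number of attempts is a few hundred, not tens of thousands."""
    seen = {}
    for i in itertools.count():
        candidate = f"candidate-{i}".encode()
        h = truncated_hash(candidate, bits)
        if h in seen:
            return seen[h], candidate, i + 1
        seen[h] = candidate


if __name__ == "__main__":
    print(round(p_specific_day(30), 3), round(p_any_shared(30), 3))  # 0.079 0.706
    a, b, n = find_collision(16)
    print(a, b, n)
```

The defensive reading is that a hash must have twice the bit length of the collision resistance you want: a 128-bit digest gives only about 64 bits of work against a collision search, which is why the classroom odds jump from 8% to 70%.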

Question 22

Data being sent across a network is BEST described as:


A
Data in transference
B
Data in transit
C
Data in use
D
Data in motion

Explanation Details

Correct answer: Data in transit

Data in transit is the term for data moving across a network. At this stage, TLS and SSL play a role in
encrypting this traffic.

Data in use refers to data actively being used by a program or application. This data could be found in
RAM or CPU caches. Data in motion and data in transference are fabricated.

Question 23

A data breach at which data classification level in a nongovernmental organization would likely
cause the MOST irreversible damage?
A
Sensitive
B
Public
C
Private
D
Confidential

Explanation Details

Correct answer: Confidential

Confidential is the highest level of data classification for a nongovernmental organization and could
cause the most irreversible damage if breached. Confidential information includes trade secrets, source
code, and information that keeps the organization competitive.
A data breach of private data could cause serious damage. A data breach of sensitive data would cause
limited damage. A data breach of public data would cause no damage.

Question 24

Which of the following software development methodologies was created FIRST?


A
Agile model
B
Spiral model
C
Waterfall model
D
Capability Maturity Model

Explanation Details

Correct answer: Waterfall model

Originally developed by Winston Royce in 1970, the waterfall model views a system's development life
cycle as a series of iterative steps. The waterfall model has six stages. Generally, you cannot skip or go
back steps using the waterfall model. The waterfall model was one of the first comprehensive attempts
to model the software development process.

Question 25

Which of the following is an appropriate method of evaluating application security when access to
the underlying source code is not available?
A
Code review
B
Web Application Firewall (WAF)
C
Dynamic Application Security Testing (DAST)
D
Static Application Security Testing (SAST)
Explanation Details

Correct answer: Dynamic Application Security Testing (DAST)

When access to the underlying source code is not available, Dynamic Application Security Testing
(DAST) is an appropriate method of evaluating application security. DAST testing evaluates application
security through the use of scanning, enumeration, and synthetic transaction activities performed against
the application's runtime services.

Static Application Security Testing (SAST) and code reviews are common methods to evaluate
application security, but they both require access to the underlying source code. A Web Application
Firewall (WAF) is not a method of evaluating application security, but often acts as a compensating
control to prevent certain application vulnerabilities from being exploited.

Question 26

Which of the following is NOT a valid step in creating a Business Continuity Plan (BCP) as
established by NIST?
A
Business Impact Analysis
B
Project budgeting
C
Developing the continuity policy planning statement
D
Scope the project

Explanation Details

Correct answer: Project budgeting

Project budgeting is not considered to be one of the standard high-profile steps set forth by NIST for
disaster recovery. NIST helps businesses establish standards and procedures to protect assets and avoid
risk.
Question 27

Which type of encryption does Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
MOST LIKELY use?
A
Stream
B
Symmetric
C
Asymmetric
D
Asymmetric and symmetric

Explanation Details

Correct answer: Asymmetric and symmetric

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) use both asymmetric and symmetric
encryption to protect data in transit. Asymmetric encryption is used to authenticate the Client or Server
and securely exchange the symmetric key. Symmetric encryption is used to encrypt data after the
handshake has taken place.

1. Client sends a Client hello message to the Server
2. Server sends the client a Server hello message encrypted with the private key
3. Client decrypts the message using the public key
4. Client sends pre-master secret encrypted with the public key
5. Server decrypts the pre-master secret with the private key
6. Both the Client and Server generate symmetric keys using the pre-master secret
7. Symmetric encryption begins between the Client and Server

Question 28

Which measure will MOST LIKELY delay a brute-force attack?


A
Increasing the size of the password
B
Using a series of numbers in the password
C
Changing the password frequently
D
Using specific pronouns in the password

Explanation Details

Correct answer: Increasing the size of the password

While changing passwords frequently may help ensure their integrity, it is not the best measure against a
brute-force attack. A brute-force attack rapidly applies a series of combinations to find a match.
Increasing the size of a password exponentially increases the workload, and therefore, the time needed
to successfully brute-force attack a password.

Changing the password frequently is incorrect because changing the password does not affect the speed
or ease with which it can be cracked. Using a series of numbers in the password is incorrect because a
strong password uses numbers and letters, and uppercase and lowercase. Using specific pronouns in the
password is incorrect because pronouns have no bearing on a password's strength.

Question 29

ACME Corporation has just recovered the critical computer systems from disaster. However, it
will change the way the business operates for years to come. Which plan will likely be MOST
useful at this point?
A
Business Recovery Plan
B
Disaster Recovery Plan
C
Disaster Continuity Plan
D
Business Continuity Plan

Explanation Details
Correct answer: Business Continuity Plan

A Business Continuity Plan (BCP) deals with both preparing for a disaster and aiding after a disaster has
occurred. The primary goal of a BCP is to reduce disaster-related risks to an acceptable level. A BCP is
broader than a Disaster Recovery Plan (DRP) and is focused on the business as a whole, not just IT
equipment.

Disaster Recovery Plan (DRP) is incorrect because it is a short-term plan designed to get systems back
online as fast as possible.

Disaster Continuity Plan and Business Recovery Plan are both fictitious terms.

Question 30

Of the following, which is MOST LIKELY to be considered spyware?


A
Phishing
B
Shoulder surfing
C
Key logger
D
Ransomware

Explanation Details

Correct answer: Key logger

A key logger is software that records each keystroke of a user. Key loggers can be used to steal
credentials, uncover private information, or reveal additional vulnerabilities in an information system.
Spyware is a type of malware that gathers sensitive information about a victim.

Question 31
Which of the following is characterized legally by an established contract of use and limitations?
A
Patents
B
Trade secrets
C
Licenses
D
Trademarks

Explanation Details

Correct answer: Licenses

All of the options are intellectual property, but only licenses are specific to legally securing established
contracts that set guidelines for usage. Licenses are a contract between a vendor and a consumer. Most
software vendors require a license per seat, which means you need to purchase one for each computer
that has the software installed.

Question 32

What type of password attack uses pre-computed hash values instead of computing them during
the attack?
A
Brute-force
B
Pretexting
C
Rainbow table
D
Dictionary

Explanation Details
Correct answer: Rainbow table

A rainbow table is usually a large file with a list of pre-computed hashes and corresponding passwords.
This reduces the time needed to crack a password, since the attacker searches for a hash instead of
generating passwords and hashes.

Pretexting is a social engineering technique. Brute-force attacks try every possible password for a given
character set and generate the hash values during the attack and require a lot of central processing unit
(CPU) or graphics processing unit (GPU) power. Dictionary attacks try all the words in the dictionary
and generate the hash values during the attack.
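Why a precomputed table turns cracking into a lookup, and what defeats it, as an added example that is not part of the original question bank. The wordlist is constructed; the table here is a plain hash-to-password dictionary (a true rainbow table compresses this with hash chains, but the lookup idea is the same). The second half shows the standard mitigation: a per-user random salt means the same password hashes differently for every user, so nothing computed in advance can be reused.

```python
import hashlib
import os

# Constructed wordlist standing in for a dictionary of common passwords.
WORDLIST = ["password", "letmein", "summer2024", "qwerty", "dragon"]


def unsalted_hash(password: str) -> str:
    """The weak storage scheme a precomputed table targets: hash(password) only."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_precomputed_table(words) -> dict:
    """Hash every candidate once, ahead of time; each later lookup costs one dict access."""
    return {unsalted_hash(w): w for w in words}


def lookup(table: dict, stored_hash: str):
    """Return the password behind `stored_hash` if it was precomputed, else None."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user random salt: identical passwords no longer share a hash,
    so a table built in advance cannot be applied to any user."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def demo():
    """Returns (lookup result for an unsalted hash, lookup result for a salted one)."""
    table = build_precomputed_table(WORDLIST)
    unsalted = unsalted_hash("letmein")
    salt = os.urandom(16)
    salted = salted_hash("letmein", salt)
    return lookup(table, unsalted), lookup(table, salted)


if __name__ == "__main__":
    print(demo())  # ('letmein', None)
```

Salting removes the precomputation advantage but not the per-guess cost, which is why password storage also uses a deliberately slow function (bcrypt, scrypt or Argon2) rather than a single SHA-256 as above.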

Question 33

Nora is a penetration tester who has been hired to assess an organization’s campus. She finds
CAD drawings classified as Sensitive. She discovers that two of the drawings are for the same part
and, when combined, should be classified as Confidential.

This process is MOST LIKELY known as what?


A
Collection
B
Mining
C
Aggregation
D
Deducing

Explanation Details

Correct answer: Aggregation

When discussing classification labels, data aggregation means that data classified at a higher level can
be inferred by combining data at a lower classification level.

Question 34
Which of the following is known as the first mathematical model of a multilevel security policy?
A
Biba
B
Brewer and Nash
C
Bell-LaPadula
D
Clark-Wilson

Explanation Details

Correct answer: Bell-LaPadula

Bell-LaPadula was the first mathematical model of a multilevel security policy. Access control
philosophies can be organized into models that define approaches to security issues. The Take-Grant
model, the Bell-LaPadula model, and the Biba model are examples of different access control models.

Bell-LaPadula was developed in the 1970s by the U.S. government to provide for better confidentiality.

Question 35

Which of the following BEST describes governance?


A
The legal process for passing legislation
B
Government-influenced business decisions; it is commonly found in state-owned organizations
C
A special audit process that demonstrates compliance with government regulations
D
A process in which senior management directs an organization to meet its objectives

Explanation Details

Correct answer: A process in which senior management directs an organization to meet its objectives
Governance is the process in which senior management directs an organization to meet its objectives.
Governance must involve oversight to ensure that the goals set by senior management have been met.
When performing security governance, IT managers need to keep security objectives in alignment with
business objectives.

Question 36

Both the CIO and newly appointed CISO want to select a more secure second channel of secure
communication within their disaster recovery plan, as the previous channel is deemed insecure by
NIST standards. What term would BEST describe this process?
A
Tailor-made
B
Change management
C
Tailoring
D
Scoping

Explanation Details

Correct answer: Tailoring

Tailoring is modifying standards in place to meet the needs of the current business. In this example, the
CIO and CISO already had the practice of a secondary secure channel in place, but it had to be altered to
conform to a more secure modern practice.

Scoping is similar to tailoring. Instead of altering standards, a business would completely remove the
standards that are not needed.

Change management is a more general term for implementing change in an organization. Therefore,
tailoring is changing and modifying protocols already in place to more specifically suit the needs of the
organization.

Tailor-made is a fabricated term.


Question 37

Apipa Pi Inc. is excited to begin migrating many of their systems from their physical servers to
cloud servers. The CISO is especially excited, as this will reduce the need to resolve problems in
person and allow for focus on larger projects within the business. However, the CISO also knows
the company still holds responsibilities for many things and must maintain high standards.

Of the following, what is one major component the business is no longer necessarily responsible
for after the transition to SaaS?
A
Client and endpoint
B
Application
C
Identity and access
D
Data

Explanation Details

Correct answer: Application

In a SaaS (Software as a Service) implementation, the cloud provider is responsible for the stack up to and
including the application: hardware, network, virtualization, operating system, middleware, and the
application code itself. Above that line, Apipa Pi Inc. keeps at least partial responsibility for the
remaining elements.

Apipa Pi Inc. would still have some responsibility for identity and access management, as they would
need to permit employees to access resources and manage logins, permissions, and passwords. The
company would still be responsible for the users and endpoints being used to access the data now stored
in the cloud. In fact, Apipa Pi has transferred a lot of risk to the cloud provider, yet at the same time,
they have increased their attack surface. Their data is now vulnerable to breaches conducted on the third
party cloud provider as well, not just on their own systems.

Question 38

What is the default subnet mask for the 172.16.1.1/16 network?


A
255.255.255.255
B
255.255.255.0
C
255.255.0.0
D
255.0.0.0

Explanation Details

Correct answer: 255.255.0.0

Class B networks have a classless inter-domain routing (CIDR) equivalent of /16 and a default subnet
mask of 255.255.0.0.

 255.255.255.0 is incorrect because it has a CIDR equivalent of /24.


 255.0.0.0 is incorrect because it has a CIDR equivalent of /8.
 255.255.255.255 is a host address subnet with a CIDR equivalent of /32.

Question 39

Of the following, which National Institute of Standards and Technology (NIST) publication
MOST LIKELY sets requirements for U.S. federal information systems?
A
NIST SP 800-187
B
NIST SP 800-124
C
NIST SP 800-122
D
NIST SP 800-53

Explanation Details

Correct answer: NIST SP 800-53


NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, is the control
catalog that U.S. federal agencies are required to meet. It was developed to support the Federal
Information Security Management Act (FISMA) of 2002.

The other publications are guidance rather than federal requirements: NIST SP 800-122 covers protecting
the confidentiality of PII, NIST SP 800-124 covers managing the security of mobile devices in the
enterprise, and NIST SP 800-187 covers LTE security.

Question 40

What data classification level indicates that information should stay within the organization but
would not likely cause grave damage to the organization if it were disclosed?
A
Confidential
B
Proprietary
C
Public
D
Sensitive

Explanation Details

Correct answer: Sensitive

Sensitive data should remain within the organization but isn't as critical as confidential or proprietary
data. For instance, a breach of profit earnings and forecasts wouldn't cause issues with customers or the
public, but it could cause internal problems in the organization. Sensitive data could cause damage but
not grave damage.

Question 41

Which of the following BEST helps an organization to review and prioritize risks?
A
Threat modeling
B
An external audit
C
A Business Impact Analysis (BIA)
D
An internal audit

Explanation Details

Correct answer: A Business Impact Analysis (BIA)

The Business Impact Analysis (BIA) must identify organizational risks. Identifying risks allows the
business to understand the risk and security needed for a specific system. A BIA also assigns priority
and asset value to a system to help determine costs associated with implementing the additional controls.

Question 42

Which of the following is the MOST thorough and secure method of removing data from a hard
drive with a spinning platter?
A
Destruction
B
Erasing
C
Remanence
D
Irradiation

Explanation Details

Correct answer: Destruction

Destruction is the most thorough way to ensure data cannot be recovered, since it leaves the media and
data unreadable and unrecoverable.

Erasing (a simple delete) is one of the weakest ways to sanitize data: it only removes the file system's
pointer to the data, leaving the contents on the platters and easily recoverable. Remanence is not a
sanitization method; it is the residual data left behind after an attempt at sanitization. Irradiation is
not a recognized sanitization method; it may damage the media but does not reliably render the data
unrecoverable.
Question 43

What BEST describes Bluejacking?


A
Unauthorized exfiltration of data from a device over Bluetooth
B
The use of the blue phreaking box
C
The sending of unsolicited messages over Bluetooth
D
Remote control over features and functions of a Bluetooth device (e.g., controlling the microphone)

Explanation Details

Correct answer: The sending of unsolicited messages over Bluetooth

Bluejacking is the sending of unsolicited messages over Bluetooth. By itself it is a nuisance rather than a
compromise, but the message may carry a malicious attachment or be used to trick the victim into
accepting a pairing request; once the attacker's device is paired, it may be able to read contacts,
images, and other private data.

Bluesnarfing is the unauthorized connection to a Bluetooth device, without the user's knowledge, to
extract information from it.

Bluebugging is an attack that grants the attacker remote control over the features and functions of a
Bluetooth device, such as its microphone.

The use of the blue phreaking box is incorrect and unrelated to Bluetooth. Blue box phreaking was used in
the 1960s and 1970s to manipulate telephone networks into placing free long-distance calls by generating
the in-band signaling tones the switches trusted. Steve Wozniak and Steve Jobs, the founders of Apple
Computer, were known phone phreakers in their youth.

Question 44

What type of testing BEST identifies potential security flaws in a software’s design?
A
Fuzz testing
B
Misuse case testing
C
Interface testing
D
Bug testing

Explanation Details

Correct answer: Misuse case testing

Misuse case testing is used to help identify potential security flaws in a software’s design by examining
how software could be abused or manipulated into doing something malicious.

Interface testing is incorrect because it specifically exercises a software's interfaces, such as its
application programming interface (API), graphical user interface (GUI), and physical interfaces. Fuzz
testing is incorrect because it feeds malformed or random input to the running implementation to find
crashes and input-handling bugs; it does not examine the design. Bug testing is a fabricated term.

Question 45

Which of the following BEST describes an incremental backup?


A
Captures changes since the last full backup
B
Captures a complete copy of all data
C
Captures changes since the last differential backup
D
Captures changes since the last full or incremental backup

Explanation Details

Correct answer: Captures changes since the last full or incremental backup

An incremental backup captures all the changes since the last full or incremental backup.
A full backup captures a complete copy of all data. A differential backup captures changes since the last
full backup.
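
The difference between the three backup types only becomes concrete at restore time. The following is an added example (not part of the original question bank) that computes the restore chain for a constructed weekly schedule: a full backup on day 1 followed by six daily backups of one kind. The `Backup` records, labels and day numbers are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Backup:
    day: int    # day in the schedule; day 1 is the weekly full backup
    kind: str   # "full", "differential" or "incremental"
    label: str


# Constructed schedules (example data, not from any real system): one weekly
# full backup followed by six daily backups of a single kind.
INCREMENTAL_WEEK = [Backup(1, "full", "F1")] + [
    Backup(d, "incremental", f"I{d}") for d in range(2, 8)]
DIFFERENTIAL_WEEK = [Backup(1, "full", "F1")] + [
    Backup(d, "differential", f"D{d}") for d in range(2, 8)]


def restore_chain(backups: List[Backup], restore_day: int) -> List[str]:
    """Return the backup sets, in the order they must be applied, to rebuild
    the data as it stood after the backup taken on restore_day.

    Rules applied (the definitions from the explanation above):
      full         - complete copy, nothing earlier is needed
      differential - changes since the last full; only the newest one matters
      incremental  - changes since the last full or incremental; every
                     incremental after the full is needed, so one missing or
                     corrupt set breaks the whole chain
    Assumes a schedule combines a full with only one of the other two kinds.
    """
    taken = sorted((b for b in backups if b.day <= restore_day),
                   key=lambda b: b.day)
    if not taken:
        raise ValueError("no backup exists on or before that day")
    full_idx = max((i for i, b in enumerate(taken) if b.kind == "full"),
                   default=None)
    if full_idx is None:
        raise ValueError("no full backup to anchor the restore")
    chain = [taken[full_idx].label]
    newest = taken[-1]
    if newest.kind == "full":
        return chain
    if newest.kind == "differential":
        return chain + [newest.label]
    # incremental: apply every incremental taken since the full, oldest first
    chain += [b.label for b in taken[full_idx + 1:] if b.kind == "incremental"]
    return chain


def restore_effort(backups: List[Backup], restore_day: int) -> int:
    """Number of backup sets the operator has to mount to finish the restore."""
    return len(restore_chain(backups, restore_day))


if __name__ == "__main__":
    for name, schedule in (("incremental", INCREMENTAL_WEEK),
                           ("differential", DIFFERENTIAL_WEEK)):
        print(name, restore_chain(schedule, 7))
```

Restoring on day 7 needs seven sets with the incremental schedule but only two with the differential schedule; incrementals are cheaper to take and differentials are cheaper to restore, which is the trade-off the question is really about.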

Question 46

Which of the following does NOT fall into the category of software-defined everything (SDx)?
A
Software-defined network
B
Virtual machine
C
Virtual office
D
Virtual storage area network

Explanation Details

Correct answer: Virtual office

Software-defined everything (SDx) refers to replacing hardware with software through virtualization.

Virtual machines (VMs) run guest operating systems. Multiple VMs can share one piece of hardware, so new
hardware is not needed for each operating system. Software-defined networks (SDNs) separate the control
plane (the decisions about where traffic goes) from the data plane (the hardware that forwards it), so the
network is configured centrally in software rather than box by box on proprietary routers and switches.
A storage area network (SAN) is a high-speed network that connects storage devices with servers; a
virtual storage area network (VSAN) provides the same service with virtualized storage controllers running
on virtual servers.

Virtual office is a fabricated term.

Question 47

Which government data classification label requires the most security and is considered the
highest level?
A
Confidential
B
Top Secret
C
Classified
D
Secret

Explanation Details

Correct answer: Top Secret

The Top Secret label is applied to information whose unauthorized disclosure could reasonably be
expected to cause exceptionally grave damage to national security. It is the highest level of classification
used by the U.S. government.

The Secret label is applied to information whose unauthorized disclosure could reasonably be expected
to cause serious damage to national security, and Confidential to information whose disclosure could be
expected to cause damage; both sit below Top Secret. Classified is not a level at all but a generic term
for any data that has been assigned a classification label.

Question 48

In nongovernmental organizations, Personally Identifiable Information (PII) and Protected


Health Information (PHI) are classified as which data level?
A
Private
B
Confidential/proprietary
C
Sensitive
D
Secret

Explanation Details

Correct answer: Private


Personally identifiable information (PII) and protected health information (PHI) are both classified as
"private," and breach of the data would cause severe damage to an organization and the individuals
involved in the breach.

In private organizations, the standard classifications are:

 Public
 Sensitive
 Private
 Confidential

Question 49

In the Biba model, the star (*) integrity property means no ____ up.
A
Check
B
View
C
Write
D
Read

Explanation Details

Correct answer: Write

The Biba model has two main rules:

 Simple integrity property: States that a subject cannot read an object at a lower integrity level.
Known as (no read down).
 Star (*) integrity property: States that a subject cannot write to an object at a higher integrity
level. Known as (no write up).
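
The two Biba rules are easiest to remember next to their Bell-LaPadula mirror images, so the following added example (not from the original question bank) encodes both models as decision functions and runs a few constructed requests through them. The `Level` labels, the "updater" subject and the requests are all assumptions made for the illustration; the page itself lists only the two Biba rules.

```python
from enum import IntEnum
from typing import List, Tuple


class Level(IntEnum):
    """Ordered labels. Read them as integrity levels for Biba and as
    sensitivity levels for Bell-LaPadula (constructed example labels)."""
    LOW = 0      # e.g. data fetched from the internet / Public
    MEDIUM = 1   # e.g. ordinary user data / Confidential
    HIGH = 2     # e.g. operating-system binaries / Secret


def biba_allows(subject: Level, obj: Level, access: str) -> bool:
    """Biba integrity model.
    simple integrity property: no read down (a subject may read only objects
                               at its own level or higher)
    star (*) integrity property: no write up (a subject may write only objects
                               at its own level or lower)
    """
    if access == "read":
        return obj >= subject
    if access == "write":
        return obj <= subject
    raise ValueError(f"unknown access {access!r}")


def bell_lapadula_allows(subject: Level, obj: Level, access: str) -> bool:
    """Bell-LaPadula confidentiality model, the mirror image of Biba:
    simple security property: no read up; star (*) property: no write down."""
    if access == "read":
        return obj <= subject
    if access == "write":
        return obj >= subject
    raise ValueError(f"unknown access {access!r}")


def audit(requests: List[Tuple[str, Level, Level, str]]) -> List[Tuple[str, str, bool, bool]]:
    """Evaluate constructed requests under both models and return rows of
    (subject name, access, Biba decision, Bell-LaPadula decision)."""
    return [(who, access,
             biba_allows(subj, obj, access),
             bell_lapadula_allows(subj, obj, access))
            for who, subj, obj, access in requests]


# Constructed requests from a medium-integrity "updater" process.
REQUESTS = [
    ("updater", Level.MEDIUM, Level.LOW, "read"),    # consume a downloaded file
    ("updater", Level.MEDIUM, Level.HIGH, "write"),  # overwrite an OS binary
    ("updater", Level.MEDIUM, Level.HIGH, "read"),   # read an OS binary
    ("updater", Level.MEDIUM, Level.LOW, "write"),   # write to a scratch area
]

if __name__ == "__main__":
    for row in audit(REQUESTS):
        print(row)
```

The first two rows show why Biba is an integrity model: reading untrusted data (read down) and overwriting a higher-integrity object (write up) are exactly the two operations through which bad data would flow upward, and both are refused, while Bell-LaPadula, protecting confidentiality instead, permits them.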

Question 50
The "try...catch" functionality is an example of what?
A
Bounds
B
Error handling
C
Exception handling
D
Cross-site scripting

Explanation Details

Correct answer: Error handling

The try...catch construct is the error handling mechanism of languages such as Java, C#, JavaScript, and
(as try...except) Python: code that may fail runs inside the try block, and the catch block decides what
happens when it does. Good error handling fails securely: it rejects unexpected input instead of
continuing with it, logs the details for the operator, and returns only a generic message to the user so
that stack traces, file paths, and database errors are not leaked.

Cross-site scripting (XSS) is an injection attack in which attacker-supplied script is placed in a web page
and executed in other users' browsers. It is not a form of error handling.

Exception handling is closely related to error handling. In most languages the two terms are used
interchangeably for try...catch; the distinction this question draws is that exception handling refers
narrowly to the mechanism of catching a thrown exception, while error handling is the broader practice of
deciding how the program responds to, and recovers from, a failure.

Bounds is a fabricated term.
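
The security-relevant difference is not whether an error is caught but what the program does with it. The following added example (not from the original question bank) contrasts a handler that echoes the exception text to the caller with one that fails securely. Both parse a user-supplied port number; the internal path in the leaky message is invented for the demonstration, as is the reference-id scheme.

```python
import logging
import uuid
from typing import Tuple

log = logging.getLogger("portparser")
logging.basicConfig(level=logging.WARNING)


def parse_port_leaky(raw: str) -> Tuple[bool, str]:
    """Catches the error but hands the exception text back to the caller.
    The (invented) internal path in the message is exactly the kind of
    detail an attacker harvests from verbose error responses."""
    try:
        port = int(raw)
        if not 1 <= port <= 65535:
            raise ValueError(
                f"port {port} outside 1-65535, see /etc/app/ports.conf")
        return True, str(port)
    except ValueError as exc:
        return False, f"error: {exc}"


def parse_port_secure(raw) -> Tuple[bool, str]:
    """Fail securely: reject on any problem, keep the specifics in the
    server-side log under a reference id, and return a generic message."""
    ref = uuid.uuid4().hex[:8]   # correlation id so support can find the log line
    try:
        port = int(raw.strip())
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} out of range")
        return True, str(port)
    except ValueError as exc:
        # Expected bad input: log the detail, tell the user only that the
        # value was rejected.
        log.warning("[%s] rejected port input %r: %s", ref, raw, exc)
        return False, f"invalid port (ref {ref})"
    except Exception:
        # Anything unexpected (here, a non-string input) must never surface
        # as a stack trace to the client, and must not be treated as success.
        log.exception("[%s] unexpected failure parsing port", ref)
        return False, f"internal error (ref {ref})"


if __name__ == "__main__":
    print(parse_port_leaky("99999"))
    print(parse_port_secure("99999"))
    print(parse_port_secure(None))
```

Note that the secure version has a separate catch-all branch: a failure the developer did not anticipate still ends in a rejection, which is what "fail secure" means in practice.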

Question 51

What method commonly applied in cryptology allows one party to demonstrate knowledge of a
secret, without actually disclosing that secret to the other party?
A
Zero-knowledge proof
B
Symmetric key
C
Steganography
D
Defense-in-depth

Explanation Details

Correct answer: Zero-knowledge proof

A zero-knowledge proof allows one party (the prover) to convince another (the verifier) that it knows a
secret without disclosing the secret itself, and without the verifier learning anything it could reuse to
impersonate the prover. It is commonly applied in cryptography to validate passwords and keys; for example,
the holder of an asymmetric private key can prove possession of it by producing a response that only the
matching public key can verify, while the private key itself never leaves the prover.

Defense-in-depth is a method to improve cybersecurity through layered controls. A symmetric key is a


secret shared between sender and receiver that is used as a key for both encryption and decryption.
Steganography is the practice of covertly embedding secrets into files or images.
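
A concrete zero-knowledge proof of knowledge is the Schnorr identification protocol made non-interactive with the Fiat-Shamir transform. The following is an added example (not from the original question bank): the prover shows it knows the discrete logarithm x of a public value y without sending x. The group parameters P, Q and G are deliberately tiny so the arithmetic is readable, which is an assumption made for the illustration; a real deployment uses a 2048-bit or larger safe prime or an elliptic curve.

```python
import hashlib
import secrets

# Toy group (assumption: parameters chosen tiny for readability).
P = 1019   # safe prime, P = 2*Q + 1
Q = 509    # prime order of the subgroup the proof works in
G = 4      # generator of that subgroup (4 = 2**2 mod P, a quadratic residue)
assert pow(G, Q, P) == 1 and G != 1


def keygen(x=None):
    """Secret x in [1, Q-1] and its public value y = G^x mod P."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _challenge(y, t, context):
    # Fiat-Shamir: the verifier's challenge is a hash of everything the
    # verifier will see, which makes the proof non-interactive. Binding a
    # context string stops a proof made for one purpose being replayed
    # for another.
    data = f"{P}|{G}|{y}|{t}|{context}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(x, y, context="login"):
    """Prover: demonstrate knowledge of x with y = G^x, without revealing x."""
    r = secrets.randbelow(Q - 1) + 1   # fresh per proof; reusing r with two
    t = pow(G, r, P)                   # different challenges would reveal x
    c = _challenge(y, t, context)
    s = (r + c * x) % Q                # x is masked by the uniformly random r
    return t, s


def verify(y, proof, context="login"):
    """Verifier: accept iff G^s == t * y^c (mod P). Nothing about x leaks,
    because (t, s) for a random r is distributed exactly like a transcript
    the verifier could have simulated on its own."""
    t, s = proof
    if not (1 < t < P and 0 <= s < Q):  # reject degenerate / out-of-range values
        return False
    c = _challenge(y, t, context)
    return pow(G, s, P) == (t * pow(y, c, P)) % P


if __name__ == "__main__":
    x, y = keygen()
    proof = prove(x, y)
    print("valid proof accepted:", verify(y, proof))
    t, s = proof
    print("tampered response accepted:", verify(y, (t, (s + 1) % Q)))
```

The verifier checks an algebraic relation (G^s = G^r * G^(c*x) = t * y^c) rather than the secret itself, which is the essence of the question: knowledge is demonstrated, the secret is not disclosed.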

Question 52

Which of the following was published by the Internet Activities Board (IAB) in 1989 to promote
responsible use of the internet and characterize unethical activities?
A
COSO Framework
B
Ten Commandments of Computer Ethics
C
RFC 1087
D
Code of Fair Information Practices

Explanation Details

Correct answer: RFC 1087

In 1989, the Internet Activities Board (IAB, since renamed the Internet Architecture Board) published
RFC 1087, a statement of policy titled "Ethics and the Internet". It promoted responsible use of the
internet and characterized five categories of activity as unethical and unacceptable. RFC 1087 is
considered a forerunner of many contemporary ethics policies.
The Ten Commandments of Computer Ethics was developed by the Computer Ethics Institute to
provide an ethical framework for computer use. Each of its canons begins with "Thou shalt not" in the
style of the biblical Ten Commandments. The Code of Fair Information Practices, developed by a
government advisory committee in 1973, was an early attempt at defining ethical principles for the
handling of personal information. The COSO Framework does not directly relate to ethics, but to
internal controls.

Question 53

Of the following, which BEST describes asymmetric encryption?


A
The ciphertext cannot be decrypted using the same key that was used to encrypt it
B
The output of asymmetric encryption is a fixed length
C
The key needed to decrypt the ciphertext is split among multiple users; this is known as key escrow
D
The ciphertext is decrypted using the same key that was used to encrypt it

Explanation Details

Correct answer: The ciphertext cannot be decrypted using the same key that was used to encrypt it

In asymmetric encryption, a key pair is used: what one key of the pair encrypts, only the other key can
decrypt. Data encrypted with a recipient's public key can be decrypted only with the matching private key.
The most common asymmetric algorithm is Rivest, Shamir, & Adleman (RSA). RSA public keys are generally
distributed through a public key infrastructure (PKI); the private keys never are.

Question 54

Of the following, which is MOST LIKELY to be considered an asset?


A
Security standards
B
Reputation
C
Security updates
D
External hacker

Explanation Details

Correct answer: Reputation

An asset is anything of value to an organization. An organization's reputation is extremely valuable. As


a security specialist, it's your job to provide measures to protect these assets, sometimes even from each
other.

Question 55

Nadia is a network administrator and is monitoring endpoint connections to the internet. When
endpoints access a particular website, she notices they open dozens of additional connections to
various other IP addresses. She is concerned there may be security implications with this type of
behavior.

Of the following, what MOST LIKELY explains why this may happen?
A
Connection failures causing the client to open new connections
B
Content distribution network (CDN)
C
Spyware
D
A man-in-the-middle (MITM) attack

Explanation Details

Correct answer: Content distribution network (CDN)

A content distribution network (CDN) is a geographically distributed set of servers that cache and serve a
website's content (images, scripts, style sheets, video) from the location closest to the client. A modern
page typically pulls its assets from several CDN and third-party hostnames, so a single page view
legitimately fans out into dozens of connections to different IP addresses. This reduces latency and
download times.

Nadia should still confirm the explanation rather than assume it: a CDN fan-out goes to the site's own or
a known CDN's hostnames over standard web ports. Many connections to unrelated addresses, to non-standard
ports, or with no hostname at all are the pattern of spyware or other malware beaconing, and deserve
investigation.
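
The distinction between benign CDN fan-out and suspicious fan-out can be checked mechanically. The following added example (not from the original question bank) runs that triage over a handful of constructed connection records: each line is a timestamp, client IP, destination IP, destination port and the TLS server name seen (or "-" if none). The hostnames are documentation domains standing in for the site and its CDN, and the allowlists are assumed to be maintained by the analyst.

```python
from typing import Dict, List, Tuple

# Constructed connection records (not real traffic).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 203.0.113.10 443 www.example.com
2024-05-01T10:00:01Z 10.0.0.5 198.51.100.7 443 static.examplecdn.net
2024-05-01T10:00:01Z 10.0.0.5 198.51.100.8 443 img.examplecdn.net
2024-05-01T10:00:02Z 10.0.0.5 198.51.100.9 443 fonts.examplecdn.net
2024-05-01T10:00:02Z 10.0.0.5 203.0.113.11 443 api.example.com
2024-05-01T10:00:03Z 10.0.0.5 192.0.2.44 8443 -
2024-05-01T10:00:03Z 10.0.0.6 203.0.113.10 443 www.example.com
"""

# Assumption: analyst-maintained allowlists. Documentation domains are used
# here as stand-ins for the real site and CDN hostnames.
SITE_SUFFIXES = (".example.com",)
CDN_SUFFIXES = (".examplecdn.net",)
WEB_PORTS = {80, 443}


def parse_log(text: str) -> List[Tuple[str, str, str, int, str]]:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, sni = line.split()
        rows.append((ts, src, dst, int(port), sni))
    return rows


def explain_connection(dst: str, port: int, sni: str) -> str:
    """Label one connection as 'site', 'cdn' or 'unexplained'. A leading dot
    is added so that both the bare domain and its subdomains match."""
    if port in WEB_PORTS and sni != "-":
        host = "." + sni.lower()
        if host.endswith(SITE_SUFFIXES):
            return "site"
        if host.endswith(CDN_SUFFIXES):
            return "cdn"
    return "unexplained"


def triage(text: str) -> Dict[str, Dict[str, object]]:
    """Per client: count of each label plus the connections a human should
    look at. Fan-out to allowlisted CDN hosts is expected; connections with
    no server name, odd ports or unknown hosts are not."""
    report: Dict[str, Dict[str, object]] = {}
    for _, src, dst, port, sni in parse_log(text):
        entry = report.setdefault(
            src, {"site": 0, "cdn": 0, "unexplained": 0, "review": []})
        label = explain_connection(dst, port, sni)
        entry[label] += 1
        if label == "unexplained":
            entry["review"].append((dst, port, sni))
    return report


if __name__ == "__main__":
    for client, summary in triage(SAMPLE_LOG).items():
        print(client, summary)
```

For client 10.0.0.5 the three CDN connections explain most of the fan-out, and the one connection to a raw IP on port 8443 with no server name is the only item left for Nadia to chase.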

Question 56

Which of the following would be BEST described as a directory for network services and assets?
A
Kerberos
B
XAML
C
LDAP
D
SSO

Explanation Details

Correct answer: LDAP

A directory service is a centralized database that includes information about subjects and objects. Many
directory services are based on the Lightweight Directory Access Protocol (LDAP), such as Microsoft's
Active Directory Domain Services.

Question 57

A hashing algorithm produces what?


A
A fixed-length output that cannot be reversed
B
A variable-length output that can be reversed
C
A variable-length output that cannot be reversed
D
A fixed-length output that can be reversed
Explanation Details

Correct answer: A fixed-length output that cannot be reversed

A hashing algorithm is a one-way mathematical operation that accepts an input of any length and generates
a fixed-length output (the digest). The output cannot be mathematically reversed to recover the input, and
a small change to the input produces a completely different digest. Hashing algorithms are used to
validate a file's or message's integrity. They are also used to store passwords: the password is hashed,
and the authentication server stores only the output. The only way to reproduce the hash is to know (or
correctly guess) the original value, which is why stored password hashes are salted and computed with a
deliberately slow function that makes guessing expensive.
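
The following added example (not from the original question bank) shows both properties with the Python standard library: SHA-256 returns 32 bytes whatever the input length and flips about half its bits for a one-character change, and the password functions show the salted, slow form in which a hash should actually be stored. The storage string format is an assumption made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional


def digest_hex(data: bytes) -> str:
    """SHA-256: an input of any length in, 32 bytes (64 hex characters) out."""
    return hashlib.sha256(data).hexdigest()


def bits_changed(a: bytes, b: bytes) -> int:
    """Number of output bits that differ between the digests of two inputs
    (the avalanche effect: a tiny input change flips roughly half of 256)."""
    x = int.from_bytes(hashlib.sha256(a).digest(), "big")
    y = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(x ^ y).count("1")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Store a password as a salted, slow PBKDF2-HMAC-SHA256 hash.
    The random salt makes identical passwords hash differently and defeats
    precomputed tables; the iteration count makes each guess expensive."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, then compare in
    constant time so timing does not leak how many bytes matched."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    print(digest_hex(b""), len(digest_hex(b"x" * 100000)))
    print("bits changed abc -> abd:", bits_changed(b"abc", b"abd"))
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
```

A plain SHA-256 of a password, without salt and without the iteration cost, is what attackers with a leaked database crack at billions of guesses per second; PBKDF2 (or a memory-hard function such as scrypt or Argon2) is the stored form that "the only way to reproduce the hash is to know the original value" actually relies on.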

Question 58

Which of the following protocols is MOST LIKELY used to attach network storage to a server?
A
Internet Small Computer System Interface (iSCSI)
B
Distributed File System (DFS)
C
Real-Time Transport Protocol (RTP)
D
User Datagram Protocol (UDP)

Explanation Details

Correct answer: Internet Small Computer System Interface (iSCSI)

Internet Small Computer System Interface (iSCSI) carries SCSI commands inside Transmission Control
Protocol (TCP) segments. iSCSI is frequently found in Storage Area Networks (SANs) and allows a server to
attach block storage over ordinary Ethernet. Because the block data is sent in the clear, iSCSI traffic
should be confined to a dedicated or isolated storage network with CHAP authentication enabled between
initiators and targets, and protected with IPsec if it must cross untrusted segments.

Question 59
Which of the following is the international standard known as the "Common Criteria" and
evaluates information technology product security?
A
ISO 14001
B
ISO 15408
C
ISO 9000
D
ISO 9001

Explanation Details

Correct answer: ISO 15408

ISO/IEC 15408 is the "Common Criteria for Information Technology Security Evaluation." It was developed
as a standard for evaluating the security of information technology products. ISO/IEC 15408 defines seven
Evaluation Assurance Levels (EALs):

 EAL1 – Functionally tested
 EAL2 – Structurally tested
 EAL3 – Methodically tested and checked
 EAL4 – Methodically designed, tested, and reviewed
 EAL5 – Semiformally designed and tested
 EAL6 – Semiformally verified design and tested
 EAL7 – Formally verified design and tested

ISO 14001 is the environmental management standard used to establish an environmental management
system (EMS). ISO 9000 covers the basic concepts for quality management systems. ISO 9001 sets the
requirements of a quality management system.

Question 60

There are many different types of fires an organization can be faced with. If a fire is ignited by
shorted electrical wires in a dropped ceiling, it would be classified as what class of fire?
A
Class A fire
B
Class B fire
C
Class D fire
D
Class C fire

Explanation Details

Correct answer: Class C fire

Fires are classified according to what material is burning. Class C fires are electrical fires. Class C fires
require carbon dioxide or dry powder to extinguish them. Using water on a Class C fire can cause
electrocution.

 Class A: Common combustibles, such as wood or paper
 Class B: Liquids, such as fuels and oils
 Class C: Electrical, such as wiring and equipment
 Class D: Combustible metals, such as magnesium or sodium

Question 61

Of the following, which protocol BEST provides confidentiality for email?


A
S/MIME
B
SSH
C
SMB3
D
SMTP

Explanation Details

Correct answer: S/MIME


Secure Multipurpose Internet Mail Extensions (S/MIME) is used to encrypt and digitally sign email. S/MIME
most commonly uses the RSA algorithm for signatures and key transport, and has been incorporated into
many commercial products, such as Microsoft Outlook, Mozilla Thunderbird, and Apple Mail. S/MIME relies
on X.509 certificates to distribute and validate the public keys used to exchange cryptographic keys.

Question 62

Which of the following would MOST likely be suitable to assist in preparing for a security audit?
A
BAS
B
DAST
C
Asking other companies about their experiences
D
Reviewing SIEM output

Explanation Details

Correct answer: BAS

A breach and attack simulation (BAS) would assist in preparing for a security audit. This system would
simulate an attack, exploiting and highlighting vulnerabilities to be remediated prior to an official audit.

Asking other companies about their experiences wouldn't be as advantageous, as their audits are likely
to be graded on the same guidelines and standards.

Reviewing SIEM output would identify potentially malicious traffic, but would not simulate attacks and
put us in the perspective of an attacker. It would simply tell us what people were doing in our network at
that given time.

Dynamic application security testing (DAST) would only evaluate software. It wouldn't take into
consideration open ports or insecure practices, and the suggested remediation would be mostly software-
based. This is only a small portion of the overall security in an organization.
Question 63

Which type of malicious software is MOST LIKELY used to achieve or maintain elevated
privileges?
A
Rootkit
B
Worm
C
Polymorphic virus
D
Spyware

Explanation Details

Correct answer: Rootkit

A rootkit is used to achieve or maintain elevated privileges on a victim’s host. Rootkits frequently
masquerade as system-level services to help remain undetected. Rootkits often have kernel-level access
and are very difficult to detect or remove.

Question 64

Of the following options, which BEST estimates the potential loss an asset may suffer from a
specific threat?
A
Annualized loss expectancy (ALE)
B
Threat evaluation
C
Threat modeling
D
Asset value calculation

Explanation Details
Correct answer: Annualized loss expectancy (ALE)

Annualized loss expectancy (ALE) estimates the expected financial loss an asset may suffer over one year
from a specifically identified threat.

The formula is ALE = SLE (single loss expectancy) x ARO (annualized rate of occurrence), where
SLE = asset value (AV) x exposure factor (EF), the fraction of the asset's value lost in a single incident.
ALE is used to prioritize risks, to judge whether a safeguard's annual cost is justified by the ALE it
removes, and to size insurance requirements.

Threat modeling is incorrect because it is the process of identifying, understanding, and categorizing
potential threats; it does not assign an asset’s value. Asset value calculation is incorrect because it does
not estimate the loss an asset may suffer from a specific threat. Threat evaluation is a fictitious term.

Question 65

According to the Open Systems Interconnection (OSI) model, which layer is the Presentation
layer?
A
5
B
8
C
7
D
6

Explanation Details

Correct answer: 6

The Presentation layer is the sixth layer of the Open Systems Interconnection (OSI) model, the second
from the top when the layers are listed in descending order (Application, Presentation, Session, Transport,
Network, Data Link, Physical). The Presentation layer transforms data into formats that other systems can
understand and is where encryption and compression are typically placed. Examples of Presentation layer
formats include JPEG, MPEG, ASCII, and GIF.
Question 66

Tegridy Inc. wants to find the most appropriate solution to back up its data center in the event of
a major natural disaster. What would be the BEST solution to securely back up data off-site and
protect against a natural disaster?
A
There is no viable solution and this is an accepted risk for all organizations
B
Provide the backup data to a trusted third party across town
C
Provide the backup data to a trusted third party in another state
D
Provide the backup data to a trusted third party in another country

Explanation Details

Correct answer: Provide the backup data to a trusted third party in another state

By providing backup data to a trusted third party in another state, Tegridy Inc. can ensure the data is
secure and untouched by their local natural disaster. A fire in California won't impact New York, so the
backup data can be transferred to a hot site or rebuilt data center as needed.

Providing the backup data to an entity across town would still open the door to the potential risk of a
local natural disaster.

Providing the data to a party in another country would be possible, but risks potentially violating
agreements between the organization and customers. Data in another country may require additional
regulatory precautions and increase risk if data governance practices are not followed carefully.

While natural disasters are a risk for any organization, many businesses take precautions instead of
simply accepting the risk as a whole because it is something that can reasonably be worked around.

Question 67

When software patches are introduced to fix a security weakness in the system, what function do
these patches perform?
A
Enhance features
B
Mitigate risk
C
Manage change
D
Transfer risk

Explanation Details

Correct answer: Mitigate risk

When patches are introduced to fix a security weakness in the system, they help mitigate risk. Software
patching is often performed on a regular basis to maintain the security of production software.

Question 68

A data center requires multi-factor authentication upon entering the server rooms. Employees are
required to use both a PIN and a second form of authentication to gain access.

Which would be the BEST option for a second form of authentication to meet these goals?
A
Passwords
B
Key cards with RFID
C
Physical tokens
D
Biometrics

Explanation Details

Correct answer: Biometrics


Biometrics authenticate an individual's identity by something they are. This is usually accomplished with
facial recognition, palm vein analysis, fingerprint analysis, or even gait analysis. These forms of
authentication are the least prone to being copied or used without the proper person being present.

Physical tokens, key cards, and passwords are prone to being stolen and used without the owner's
consent. Biometrics is an example of something you are; physical tokens and key cards are something
you have; passwords are something you know. A password would not provide multi-factor authentication
at all in this scenario, because it belongs to the same factor (something you know) as the PIN the
employee already enters; two knowledge factors are still single-factor authentication. A key card or
token would add a genuine second factor, but one that can be lost or stolen, which is why biometrics is
the best option here.

Question 69

When discussing risk analysis, which of the following is the likelihood of an exploit?
A
Risk
B
Threat
C
Safeguard
D
Vulnerability

Explanation Details

Correct answer: Risk

When quantifying risk, it can be defined as the possibility or likelihood that a vulnerability will be
exploited.

Risk is viewed as the possibility that something could happen to damage, destroy, or disclose data or
other resources. Risk assessment and management are used to reduce risk. Before any security policies
are made, risk must always be defined and assessed within the organization.

Question 70

The Trusted Computer System Evaluation Criteria (TCSEC) and Information Technology
Security Evaluation Criteria (ITSEC) were replaced by what?
A
The International Standard for System Security Evaluation Criteria (ISSSEC)
B
Common Criteria
C
Evaluation Criteria
D
ISO 27000

Explanation Details

Correct answer: Common Criteria

The U.S. Department of Defense-developed Trusted Computer System Evaluation Criteria (TCSEC) and the
European-developed Information Technology Security Evaluation Criteria (ITSEC) were replaced by the
Common Criteria. Common Criteria is published as ISO/IEC 15408. It was developed as a standard for
evaluating the security of information technology products and defines seven Evaluation Assurance
Levels (EALs):

 EAL1 – Functionally tested
 EAL2 – Structurally tested
 EAL3 – Methodically tested and checked
 EAL4 – Methodically designed, tested, and reviewed
 EAL5 – Semiformally designed and tested
 EAL6 – Semiformally verified design and tested
 EAL7 – Formally verified design and tested

Question 71

The possibility that harm may occur and cause damage, destroy, or disclose data is known as
what?
A
Exposure
B
Threat
C
Vulnerability
D
Risk
Explanation Details

Correct answer: Risk

Risk is viewed as the possibility that something could happen to damage, destroy, or disclose data or
other resources. Risk assessment and management are used to reduce risk. Before any security policies
are made, risk must always be defined and assessed within the organization.

Question 72

Which of the following is based on the IEEE 802.3 standard and uses individual units of data
called frames?
A
Bluetooth
B
Ethernet
C
Token ring
D
FDDI

Explanation Details

Correct answer: Ethernet

Ethernet is a shared media local area network (LAN) technology that allows numerous devices to
communicate over the same medium but requires that the devices take turns communicating, using
collision detection (CSMA/CD) on shared segments. Ethernet is based on the IEEE 802.3 standard and
employs broadcast and collision domains. Data is carried in frames, each of which has a destination and a
source media access control (MAC) address, a type or length field, the payload, and a frame check
sequence (FCS) used to detect transmission errors. Ethernet is a data link layer technology; because the
source MAC address in a frame is not authenticated, it is trivially spoofed.
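
The following added example (not from the original question bank) parses the frame format just described: destination and source MAC, the type/length field, an optional IEEE 802.1Q VLAN tag, and the payload (the FCS is assumed to have been stripped by the NIC, as it normally is). The two frames fed to it are hand-assembled hex, not captured traffic, and the locally administered source MAC 02:00:00:00:00:01 is invented.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100   # IEEE 802.1Q tag
HEADER_LEN = 14           # dst(6) + src(6) + type/length(2)


@dataclass(frozen=True)
class EthernetFrame:
    dst: str
    src: str
    ethertype: Optional[int]   # None when the field is an 802.3 length, not a type
    vlan_id: Optional[int]
    payload: bytes

    @property
    def is_broadcast(self) -> bool:
        return self.dst == "ff:ff:ff:ff:ff:ff"

    @property
    def is_multicast(self) -> bool:
        # The least significant bit of the first octet marks a group address.
        return int(self.dst[:2], 16) & 1 == 1


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(raw: bytes) -> EthernetFrame:
    """Parse an Ethernet II / 802.3 frame without its trailing FCS.
    Every unpack is preceded by a length check so a truncated frame raises
    a clean ValueError rather than failing somewhere inside the caller."""
    if len(raw) < HEADER_LEN:
        raise ValueError(f"frame too short for an Ethernet header: {len(raw)} bytes")
    dst, src, type_or_len = struct.unpack("!6s6sH", raw[:HEADER_LEN])
    offset = HEADER_LEN
    vlan_id = None
    if type_or_len == ETHERTYPE_VLAN:
        if len(raw) < offset + 4:
            raise ValueError("802.1Q tag present but frame truncated")
        tci, type_or_len = struct.unpack("!HH", raw[offset:offset + 4])
        vlan_id = tci & 0x0FFF   # low 12 bits; the rest is priority and DEI
        offset += 4
    # Values of 1500 or below are an 802.3 length field, not an EtherType.
    ethertype = type_or_len if type_or_len >= 0x0600 else None
    return EthernetFrame(mac_str(dst), mac_str(src), ethertype, vlan_id, raw[offset:])


# Constructed frames (hand-assembled hex, not captured traffic).
# A broadcast ARP request; a real NIC would pad it to the 60-byte minimum.
ARP_FRAME = bytes.fromhex(
    "ffffffffffff" "020000000001" "0806"
    "0001" "0800" "06" "04" "0001" "020000000001" "0a000005"
    "000000000000" "0a000001")
# The same sender, 802.1Q tag carrying VLAN 100, IPv4 multicast destination.
TAGGED_FRAME = bytes.fromhex(
    "01005e0000fb" "020000000001" "8100" "0064" "0800") + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    print(parse_frame(ARP_FRAME))
    print(parse_frame(TAGGED_FRAME))
```

Two things a defender reads off the parsed fields: the source MAC is whatever the sender chose to put there, so ARP or MAC-based access decisions are spoofable, and only the outermost VLAN tag is visible here, which is why a switch port must not trust tagged frames from untrusted hosts (the basis of VLAN double-tagging attacks).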

Question 73

When disaster strikes, what should be the highest priority in every organization?
A
Established chain of command structure
B
Risk loss insurance
C
Security of the company's highest-valued assets
D
Knowledge of employee whereabouts

Explanation Details

Correct answer: Knowledge of employee whereabouts

Each of these choices may be considered a high priority, but it is widely understood that employee
safety is paramount. Employee safety should always be the first priority when designing a Business
Continuity Plan (BCP) or Disaster Recovery Plan (DRP).

Question 74

What is the remaining data that can be recovered after the initial delete called?
A
Unallocated data
B
Data remanence
C
Leftover data
D
Purged data

Explanation Details

Correct answer: Data remanence

Data remanence is the residual data that remains on media, and can often be recovered, after a file has
been deleted or a sanitization attempt has been made.

Unallocated data is not the term for this; forensic tools do carve deleted content out of a drive's
unallocated space, but the recoverable data itself is called remanence. Purged data is data that has been
sanitized by a purge (such as overwriting or degaussing) and should not be recoverable. Leftover data is
a fabricated term.
Question 75

A process is a program loaded in memory. What BEST describes what a thread is?
A
A string of 1s and 0s
B
An individual instruction set
C
The implementation string of a process
D
The path that a process follows

Explanation Details

Correct answer: An individual instruction set

A thread is an individual instruction set that must be worked on by the CPU. Threads can execute in
parallel with other threads that are part of the same parent process. This is known as multithreading.
Threads are dynamically built and destroyed by the parent process. A process is a program loaded in
memory.

Question 76

Of the following, which BEST explains the rule-based access control model?
A
Global rules govern and are set for each user individually
B
Each user has different rules applied to them
C
Local rules are applied to all users in the organization
D
Global rules are applied to all users equally

Explanation Details

Correct answer: Global rules are applied to all users equally


A rule-based access control model uses global rules applied to all users and other subjects equally. It
does not apply rules locally or to individual users. Firewalls are the classic example: they use a set of
rules or filters called access control lists (ACLs), defined by an administrator. The firewall examines all
traffic against the rules in order, and the first rule that matches decides whether the traffic is allowed,
so the order of the rules matters. The final rule is generally a "deny all," meaning that any remaining
traffic that did not match a previous rule is denied.
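
The following added example (not from the original question bank) implements that evaluation: one ordered, global rule list, first match wins, and an implicit deny when nothing matches. The rule base and the test packets are constructed for the illustration and are not taken from any vendor's syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # CIDR, e.g. "10.0.0.0/24" or "0.0.0.0/0"
    dst: str               # CIDR
    dport: Optional[int]   # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src, strict=False):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst, strict=False):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation. The same ordered list applies to every packet
    regardless of who sent it (that is what makes it rule-based rather than
    identity-based); no match at all means deny (the implicit deny)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, f"rule {i}"
    return "deny", "implicit deny"


# Constructed rule base. The telnet deny is placed first on purpose: if it
# came after a broad allow, the allow would match first and let telnet through.
RULES = [
    Rule("deny",  "tcp", "0.0.0.0/0",   "0.0.0.0/0",    23),    # no telnet anywhere
    Rule("allow", "tcp", "0.0.0.0/0",   "10.0.0.10/32", 443),   # HTTPS to the web server
    Rule("allow", "udp", "10.0.0.0/24", "10.0.0.53/32", 53),    # internal DNS only
    Rule("deny",  "any", "0.0.0.0/0",   "0.0.0.0/0",    None),  # explicit, logged deny all
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "198.51.100.1", "10.0.0.10", 443),
                Packet("tcp", "10.0.0.5", "10.0.0.10", 23),
                Packet("udp", "192.0.2.1", "10.0.0.53", 53),
                Packet("tcp", "10.0.0.5", "10.0.0.10", 22)):
        print(pkt, "->", evaluate(RULES, pkt))
```

The explicit final deny and the implicit deny reach the same decision; the explicit rule is kept so that the firewall can log and count the traffic it drops, which the implicit default usually does not.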

Question 77

Quantitative risk management has which of the following in its favor compared to qualitative risk
management?
A
Prioritizes the most critical risk
B
Measures risk consistently and objectively according to a set formula
C
Portrays which risks are more serious
D
Reviews where the most harm has been done

Explanation Details

Correct answer: Measures risk consistently and objectively according to a set formula

Quantitative risk management deals with the exact quantities of factors involved in risk. Qualitative risk
management attempts to assign priorities of importance, distinguishing lower risk from higher risk
factors.

Quantitative loss can be measured numerically, but qualitative loss is measured subjectively.

Question 78

A proxy server redirects the user to a warning page when the user attempts to access a restricted
site. If the user decides they want to continue onto that page, they can do so after acknowledging
the risk. This is an example of which operational control?
A
Recovery control
B
Corrective control
C
Preventive control
D
Deterrent control

Explanation Details

Correct answer: Deterrent control

Deterrent controls attempt to discourage someone from taking a specific action. A high fence with lights
at night is a physical deterrent control. A strict security policy stating severe consequences for
employees if it is violated is an example of an administrative deterrent control. A proxy server that
redirects a user to a warning page when a user attempts to access a restricted site is an example of a
technical deterrent control.

Preventive controls attempt to prevent incidents before they occur. A firewall is a technical preventive
control because it can prevent malicious traffic from entering a network. A guard is a physical
preventive control. Administrative preventive controls include access reviews and audits.

Corrective controls attempt to modify the environment after an incident to return it to normal. Antivirus
software that quarantines a virus is an example of a technical corrective control. A fire extinguisher is an
example of a physical corrective control.

Recovery controls provide methods to recover from an incident.

Question 79

Which answer will BEST satisfy the following goals?

 Reduce unauthorized devices
 Enforce security policy throughout the network
 Use identities to perform network management
A
Network access control (NAC)
B
Network segmentation
C
Firewalls
D
Virtual private network (VPN)

Explanation Details

Correct answer: Network access control (NAC)

Network access control is the concept of controlling access to a network by authenticating and
approving all devices allowed on a network. A common method to do this is through 802.1X. NAC can
require that devices maintain a minimum patch or antivirus level before being allowed on the network.

A well designed NAC program can help achieve the following:

 Reduce unauthorized devices
 Enforce security policy throughout the network
 Use identities to perform network management

Question 80

Why were early attempts to prosecute cybercrime challenging?
A
Traditional criminal laws were written before cybercrime existed
B
Data is not tangible and can be confusing in court cases
C
Computer crime evidence is usually removed
D
Experts in computer science make poor court witnesses

Explanation Details

Correct answer: Traditional criminal laws were written before cybercrime existed

Until laws were written to specifically address cybercrime, prosecutions were attempted under
traditional criminal laws, which often applied only loosely or indirectly. The Comprehensive Crime
Control Act (CCCA) of 1984 was the first United States law with language specifically relating to
computer crimes.

Question 81

Of the following, which is the BEST example of risk transfer?
A
Cybersecurity insurance
B
Software patching
C
Performing a Business Impact Analysis
D
Taking no action

Explanation Details

Correct answer: Cybersecurity insurance

Risk transfer is when you transfer the risk to someone else. When you pay an insurance company, they
become responsible for paying out if the risk is realized.

Software patching is an example of risk mitigation. Taking no action is an example of risk acceptance.
However, a cost-benefit analysis should be performed prior to accepting risk. Conducting a Business
Impact Analysis (BIA) is a step in building a Business Continuity Plan (BCP).

Question 82

An Acceptable Use Policy's role is BEST described by which of the following?
A
Explaining the role of a policy
B
Defining the reasoning behind the integration of a specific policy's use
C
Defining what is acceptable use for hardware or software
D
Ascertaining whether a policy is acceptable to the users in an organization

Explanation Details

Correct answer: Defining what is acceptable use for hardware or software

An Acceptable Use Policy (AUP) outlines the intended use of a system and what is acceptable to the
organization. At a minimum, an organization should require that all employees sign an Acceptable Use
Policy that outlines what is and is not acceptable behavior when using an information system.

Question 83

A manager would like to create a system to allow for the simple inventorying of all hardware and
software within the workplace, which would allow the organization to keep track of all hardware,
software, and intangible assets. What is the MOST likely long-term solution to resolve this
matter?
A
Asset inventory
B
Creating a spreadsheet to manually enter and edit values as needed
C
Nmap scans
D
The latest vulnerability scans

Explanation Details

Correct answer: Asset inventory

An asset inventory will allow all hardware, software, and intangible assets to be accounted for. This
includes property owned and used by the organization every day, such as workstation computers or
perhaps hardware being sold to the public. Software could be a software key or program that is sold to
the public, or relied upon for the function of the organization every day. Organizations would want to
keep track of their software keys to prevent them from being stolen, used elsewhere, and potentially
deactivated by the publisher. Intangible assets could include the organization's reputation, patents, or
copyrights that either bring value directly to the company or to their products. Through an asset
inventory, we can implement programs that allow assets to be monitored with radio frequency
identification (RFID) tags, which automatically interact with software to update the asset inventory
when an item is purchased.

The latest vulnerability scans would only identify hosts with potential vulnerabilities and remediation
techniques, not a representation of the total assets associated with a company. Nmap scans would only
provide open ports of hosts in an organization's network. While a spreadsheet would be great for asset
inventory, manually entering everything would be extremely tedious and would likely damage an
organization over time by reducing efficiency.

Question 84

Alex has been asked to deploy biometric technology and he knows that health conditions can
affect some methods. With an individual's health conditions in mind, which of the following
should Alex choose as the most accurate biometric technology?
A
Retina scan
B
Fingerprint scan
C
Face scan
D
Iris scan

Explanation Details

Correct answer: Iris scan

Iris scanning would be the best choice when considering an individual's health conditions. There is some
debate as to whether retinal or iris scanning is the most accurate form of standard biometric
identification technology. However, retinal is also considered to be the most invasive type of biometric
scanning and, unlike the iris, the blood vessels in the retina can be affected by health conditions. Retinal
scans may also conflict with privacy laws because they can contain certain aspects of an individual’s
health, such as diabetes or high blood pressure.

Question 85

Tegridy Inc. has just conducted a vulnerability test via a third party, finding that all their PS-100
point-of-sale systems from Maple Leaf Industries have a major vulnerability. The data at rest in
the point-of-sale systems is not becoming encrypted and data masking is not done until receipts
are printed. Tegridy Inc. contacted the vendor about the issue and wants to reach out to
competitors in the area who may use similar systems, as a means to protect their customers too.

Why might Tegridy Inc. want to wait until the vendor can release a patch?
A
The vulnerability is not serious
B
To avoid the information getting in the wrong hands
C
There was no threat at that time
D
It would look better if they told customers first-hand

Explanation Details

Correct answer: To avoid the information getting in the wrong hands

Tegridy Inc. should avoid information getting in the wrong hands by not telling the public or even those
in their industry until the situation is resolved. Tegridy Inc. has an ethical duty to inform the vendor
immediately and allow for reasonable time for the incident to be resolved. Otherwise, they may present
an opportunity to the competitor or another potential threat actor to conduct an attack and affect Tegridy
Inc.

While it may seem nice of Tegridy Inc. to tell customers first-hand and let them know how the company
plans to resolve the issue, customers could spread this information or may simply lack the technical
knowledge to understand. As the question states, the vulnerability is considered serious because it
affects all their point-of-sale systems, and unauthorized access could pose a major threat to customer
data, resulting in potential legal and financial issues for Tegridy Inc. Although there is no threat at this
time, that is not a valid reason for a company to avoid being proactive.

Question 86

In an e-commerce database, sensitive credit card numbers are each mapped to and replaced with
a unique random number which serves as an identifier. When a transaction is processed, that
identifier is used to temporarily recover the sensitive credit number it was mapped to, but only for
the duration needed to complete the transaction.

Which of the following data protection methods is being utilized in this scenario?
A
Anonymization
B
Tokenization
C
Hashing
D
Encryption

Explanation Details

Correct answer: Tokenization

Tokenization is being utilized in the described scenario. Tokenization refers to the technique of mapping
sensitive data elements to, and replacing them with, an identifying token that is not itself sensitive if
revealed. Only the tokenization solution (or applications authorized by it) can recover the underlying
data element from the identifying token. In the described scenario, because sensitive credit card numbers
in the e-commerce database were replaced with random numbers to serve as identifying tokens, if that
database were hacked, only the random number tokens (not the sensitive credit card numbers) would be
compromised.

Anonymization refers to the technique of removing the fields in a data set which associate that data with
a particular person (i.e., personally identifiable information fields) so that the balance of data in that set
can be analyzed and shared without any risk to the privacy of those from whom the data was collected.
Unlike tokenized data fields, anonymized data fields cannot be recovered. Encryption is a method to
provide data confidentiality (customarily through the use of an algorithm and key, which encode
plaintext into ciphertext and decode ciphertext back into plaintext). Hashing is a technique used in
cryptography in which an algorithm is applied to the content of a message or file to produce a unique,
fixed-length output (message digest) derived from that content.
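To make the distinction between tokenization, hashing and encryption concrete, here is an added example (not part of the original question bank) of a minimal token vault. The vault, its authorized-application list, the order records and the card number are all constructed for illustration; a real tokenization solution keeps the vault on a separately secured system, which the example only assumes.

```python
import hashlib
import secrets


class TokenVault:
    """Hypothetical token vault: the only component able to map a token back
    to the primary account number (PAN). Everything else sees tokens only."""

    def __init__(self):
        self._vault = {}        # token -> PAN (assumed to live outside the e-commerce DB)
        self._authorized = set()  # application ids allowed to detokenize

    def authorize(self, app_id):
        self._authorized.add(app_id)

    def tokenize(self, pan):
        """Replace a PAN with a random 16-digit token that reveals nothing about it."""
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            # a token is random, so the same PAN yields a different token each time
            if token not in self._vault and token != pan:
                self._vault[token] = pan
                return token

    def detokenize(self, token, app_id):
        """Recover the PAN, only for an authorized caller and only when asked."""
        if app_id not in self._authorized:
            raise PermissionError(f"{app_id} is not authorized to detokenize")
        return self._vault[token]


def store_order(vault, orders, order_id, pan, amount):
    """What the e-commerce database keeps: a token, never the PAN."""
    orders[order_id] = {"token": vault.tokenize(pan), "amount": amount}
    return orders[order_id]


def process_payment(vault, orders, order_id, app_id="payment-connector"):
    """Recover the PAN only for the duration of the transaction."""
    token = orders[order_id]["token"]
    pan = vault.detokenize(token, app_id)
    # constructed stand-in for handing the PAN to the payment processor;
    # the recovered PAN is not written anywhere and goes out of scope here
    return pan[-4:]


def breach_exposes_pan(orders, pan):
    """Simulate an attacker dumping the order table: does it contain the PAN?"""
    return any(pan in str(record) for record in orders.values())


def hash_pan(pan):
    """Contrast: a hash is deterministic and fixed-length, and cannot be reversed
    by anyone, which is why it is not a substitute for a recoverable token."""
    return hashlib.sha256(pan.encode()).hexdigest()


if __name__ == "__main__":
    vault = TokenVault()
    vault.authorize("payment-connector")
    orders = {}
    card = "4111111111111111"  # constructed test PAN
    print(store_order(vault, orders, "order-1", card, 42))
    print("PAN in dumped table:", breach_exposes_pan(orders, card))
    print("charged card ending", process_payment(vault, orders, "order-1"))
```

A breach of the order table yields only tokens, and an unauthorized application (say, the web front end) cannot detokenize even with a valid token in hand.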

Question 87

Viruses represent a threat to systems and software applications. Which of the following is NOT
true regarding viruses?
A
Viruses are dangerous because of their ability to spread and damage the security integrity of a system.
B
Each year, thousands of new viruses are introduced to computers around the world.
C
Viruses never seen in the wild are called zero-day viruses.
D
Viruses can reproduce without a legitimate host application.

Explanation Details

Correct answer: Viruses can reproduce without a legitimate host application.

Viruses cannot reproduce without a legitimate host application. Viruses infect legitimate files or programs
and use them to spread themselves.

A worm is a type of malware that can reproduce without a legitimate host application.

Question 88

When performing strategic alignment, all of the following types of plans are created EXCEPT:
A
Tactical plans
B
Strategic plans
C
Auditing plans
D
Operational plans

Explanation Details

Correct answer: Auditing plans

Strategic alignment means that security policy aligns and supports the business's objectives, goals, and
mission. This is done through the use of Strategic plans, Tactical plans, and Operational plans.

 Strategic plans are long-term plans. Example: Create a disaster recovery location within five
years.
 Tactical plans are more detailed than strategic plans and cover a shorter amount of time.
Example: Install servers in the third quarter and set up backups in the fourth quarter.
 Operational plans are short, detailed plans. Example: Use Network File System (NFS) with a
storage area network (SAN) to attach storage to the servers next week.

Question 89

As a cybersecurity analyst, the CISO requests that a vulnerability scan be conducted on all
workstations. During this scan, an Apache web vulnerability is found on an employee's
workstation computer.

What term BEST describes this vulnerability finding?


A
False negative
B
False positive
C
True positive
D
True negative

Explanation Details

Correct answer: False positive

A false positive is the false identification of a vulnerability. In this instance, a web server vulnerability
was found on a workstation computer. Depending on the type of scan, whether credentialed or non-
credentialed, a false positive can be detected. This is due to a non-credentialed scan being unable to gain
full details on a system or network due to a firewall.

A true positive would involve a legitimate vulnerability being discovered in a scan. A false negative
would also be considered a missed vulnerability that was not detected, while a true negative would
accurately inform an analyst that a vulnerability does not exist.

Question 90

Maple Leaf Industries wants to implement an approach to their software development practices
in which employees from security and development join together to create software-defined
security. Which term BEST describes this approach?
A
DevOps
B
DevSecOps
C
Agile methodology
D
SecOps

Explanation Details

Correct answer: DevSecOps

In DevSecOps, the security team is integrated into the development of software very early. Typically,
the security team will follow software and work with the developers during every step of the
development phase. This helps to ensure secure practices occur at every stage of the software
development life cycle, instead of potentially allowing things to be missed at the end of the
development. Additionally, this can make the development of software more efficient. In DevSecOps,
the work will be checked for security flaws while it is being created, not after.

SecOps is a term for the security department playing their individual role, while DevOps completes their
role separately. The Agile methodology is a method of the software development lifecycle, which may
play a role in DevSecOps revisiting a part of the software development lifecycle. However, Agile
methodology does not explicitly describe the development and security operations team coming
together.

Question 91

Which of the following BEST describes integrity?


A
Keep information from being disclosed to unauthorized individuals
B
Ensure systems are resilient to single points of failure
C
Ensure data is made available in a timely manner
D
Ensure the accuracy and reliability of data and systems

Explanation Details

Correct answer: Ensure the accuracy and reliability of data and systems

Integrity ensures the accuracy and reliability of data and systems. The purpose of integrity is to maintain
confidence that data is accurate and has not been modified by unauthorized users. Integrity mechanisms
include authentication, authorization, accounting (AAA), hashing, and digital signatures.

Question 92

Of the following, what BEST describes 802.1X?


A
A standard that defines Ethernet
B
A VLAN tagging standard
C
A wireless protocol standard
D
A network-level authentication standard

Explanation Details

Correct answer: A network-level authentication standard

802.1X is an Institute of Electrical and Electronics Engineers (IEEE) standard that requires network
devices to be authenticated before accessing network resources. 802.1X can be used to dynamically
assign a device to the correct virtual LAN (VLAN). It can be implemented on wired and wireless
networks. Administrators can implement 802.1X using RADIUS, DIAMETER, or TACACS+.

Question 93

A growing business wants to identify various situations that would be key risk indicators (KRIs)
and allow for a more proactive approach to cybersecurity. Which of these situations would be
LEAST likely to indicate a key risk indicator?
A
Increase in global phishing campaigns
B
Supply chain issues
C
Hardware and software entering their EOS
D
Increase in network traffic

Explanation Details

Correct answer: Increase in network traffic

Increasing network traffic would be least likely to indicate a key risk indicator, as this is something
expected of a growing business. Instead, the business should expect and ensure they are prepared for this
before expanding.

Hardware and software entering their EOS state could be a KRI, as this naturally increases risk over
time since there are no future patches.

With phishing campaigns on the rise and many businesses using e-mail, it is safe to say this would be a
major security risk and an indication that SPF (Sender Policy Framework) records and DKIM
(DomainKeys Identified Mail) should be used as a mitigation strategy.

Supply chain issues are a risk to a business, as they can naturally increase costs or jeopardize the
reputation of a company that isn't conducting quality control. Understanding a supply chain and
potential issues can ensure an understanding of current supply and demand, and the likelihood of
untrusted or counterfeit products. A way to mitigate this is to reduce the company's scope of purchase
from less-trusted third parties and closer quality control upon delivery of items.

Question 94

Which of the following BEST ensures that access to an object is denied unless it has been explicitly
allowed?
A
Implicit deny
B
Explicit deny
C
Access control matrix
D
Least privilege

Explanation Details

Correct answer: Implicit deny

A fundamental principle of access control is implicit deny. The implicit deny principle ensures that
access to an object is rejected unless it has been explicitly granted to a subject. It is very common for
firewalls to use implicit deny to block network access to resources that have not been granted.
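The firewall behaviour described above, as an added example that is not part of the original question bank: a small rule evaluator in which the only way to get "allow" is an explicit rule, and a packet that matches nothing falls through to the implicit deny. The rule syntax, the rule set and the addresses are all constructed for this illustration.

```python
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network      # source network the rule applies to
    dst_port: Optional[int]         # None matches any destination port


def parse_rules(lines):
    """Parse constructed rule text of the form '<allow|deny> <src-cidr> <port|any>'.
    Comments start with '#'. Rules are evaluated in the order written."""
    rules = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, cidr, port = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r}")
        rules.append(Rule(action, ipaddress.ip_network(cidr),
                          None if port == "any" else int(port)))
    return rules


def evaluate(rules, src_ip, dst_port):
    """First matching rule wins. Returns (action, rule); a rule of None means
    the decision came from the implicit deny, not from an explicit rule."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in rule.src and (rule.dst_port is None or rule.dst_port == dst_port):
            return rule.action, rule
    return "deny", None   # implicit deny: access was never explicitly granted


# Constructed rule set: an explicit deny for a guest subnet, then two explicit allows.
RULES = parse_rules([
    "deny  10.0.9.0/24 any   # guest subnet is explicitly blocked",
    "allow 10.0.0.0/8  443   # internal users may reach HTTPS",
    "allow 10.0.1.0/24 22    # only the admin subnet may reach SSH",
])

if __name__ == "__main__":
    for ip, port in [("10.0.5.7", 443), ("10.0.5.7", 22), ("10.0.9.5", 443),
                     ("10.0.1.3", 22), ("192.168.1.1", 443)]:
        action, rule = evaluate(RULES, ip, port)
        why = "explicit rule" if rule else "implicit deny"
        print(f"{ip}:{port} -> {action} ({why})")
```

Note the difference between the two denies: 10.0.9.5 is refused by an explicit deny rule, while 10.0.5.7 on port 22 and 192.168.1.1 are refused only because no rule granted them anything.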

Question 95

Which of the following is the correct listing of the four basic network topologies?
A
Star, mesh, link-local, ladder
B
Ring, bus, star, mesh
C
Expressway, ring, data link, physical
D
Mesh, bridge, ring, bus

Explanation Details

Correct answer: Ring, bus, star, mesh

Network topology refers to the physical layout and design of a network. Topologies are a part of the
physical layer in the OSI model.

 Ring: A ring topology connects all computers together in a ring or a circle.
 Bus: Bus topology contains one trunk cable and each computer is connected to this one trunk.
 Star: A central router or hub connects all computers in one location.
 Mesh: Each computer is connected to every other computer with a cable for each connection.
Mesh topologies are the most complicated and expensive.

Question 96

A data custodian at Apipa Pi Inc. has been asked to stay late on a Friday to update company
routers with the latest security patches and ensure they are functional by Monday. The data
custodian stays late, but is in a hurry to get home and enjoy the weekend. During this rushed
effort, the patches are installed and are causing issues with network connectivity. The data
custodian does not know why these issues are occurring and now must stay even later to resolve a
major issue.

What should the data custodian have done to ensure the business could be ready for operation on
Monday?
A
Asked a coworker to split the work
B
Refused to stay late due to a lack of qualifications
C
Created a backup configuration template to roll back to
D
Patched the routers on Saturday instead

Explanation Details

Correct answer: Created a backup configuration template to roll back to

Whenever a system of any sort is being patched, it is always important to have a version to roll back to
in the event patches cause issues, and also to test the patch in a sandboxed environment. This ensures
that if we attempt to do right by patching and encounter issues, we can still roll back to a production
state and buy time to resolve the vulnerabilities. This is a major aspect of the planning and preparation
phase of change management and would limit potential downtime.

This issue would still be present even if the employee refused to stay late, patched the routers on
Saturday, or split the work with a fellow employee. This is likely the best time to implement a patch in a
production environment, as this provides maximum recovery time without interfering directly with the
production environment during peak hours.

Question 97

Host Alpha sends a TCP synchronized packet to Host Beta, and Host Beta receives and responds
by sending out a synchronize acknowledgment. After Host Alpha gets this, it responds with an
acknowledgment. This is known as what?
A
TCP socket alignment
B
TCP sliding window
C
TCP 2-way handshake
D
TCP 3-way handshake

Explanation Details

Correct answer: TCP 3-way handshake

A 3-way handshake is used to establish a Transmission Control Protocol (TCP) connection. A client
establishing a connection with a server initiates the connection by sending a TCP SYN packet as the first
part of the handshake. In the second part of the handshake, the server replies to the client with a
SYN-ACK packet, which synchronizes it. In the third part of the handshake, the client responds with an ACK
packet back to the server.
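The exchange described above, modelled as an added example that is not part of the original question bank. It shows what the explanation leaves implicit: each side picks its own initial sequence number, and each acknowledgment carries the peer's sequence number plus one, so a reply with the wrong acknowledgment number is dropped. Host names, the state names and the simplified segment are constructed; real TCP has more states and fields than this model.

```python
import random
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: str
    dst: str
    flags: frozenset   # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    seq: int
    ack: int = 0


@dataclass
class Host:
    name: str
    state: str = "CLOSED"
    isn: int = 0          # this host's initial sequence number
    peer_seq: int = 0     # the peer's initial sequence number, once learned
    log: list = field(default_factory=list)

    def syn(self, peer):
        """Step 1 (client): send SYN with a fresh initial sequence number."""
        self.isn = random.randrange(1, 2**32 - 1)
        self.state = "SYN-SENT"
        return Segment(self.name, peer, frozenset({"SYN"}), seq=self.isn)

    def receive(self, seg):
        """Handle one segment; return the reply segment, or None."""
        self.log.append((self.state, sorted(seg.flags)))
        if seg.flags == {"SYN"} and self.state in ("CLOSED", "LISTEN"):
            # Step 2 (server): acknowledge client ISN + 1, send own ISN
            self.peer_seq = seg.seq
            self.isn = random.randrange(1, 2**32 - 1)
            self.state = "SYN-RECEIVED"
            return Segment(self.name, seg.src, frozenset({"SYN", "ACK"}),
                           seq=self.isn, ack=seg.seq + 1)
        if seg.flags == {"SYN", "ACK"} and self.state == "SYN-SENT":
            if seg.ack != self.isn + 1:
                return None          # does not acknowledge our SYN: drop it
            # Step 3 (client): acknowledge server ISN + 1, connection is up
            self.peer_seq = seg.seq
            self.state = "ESTABLISHED"
            return Segment(self.name, seg.src, frozenset({"ACK"}),
                           seq=self.isn + 1, ack=seg.seq + 1)
        if seg.flags == {"ACK"} and self.state == "SYN-RECEIVED":
            if seg.ack == self.isn + 1:
                self.state = "ESTABLISHED"
            return None
        return None   # anything else is ignored in this simplified model


def three_way_handshake(client, server):
    """Run the full exchange and return the three segments that made it up."""
    s1 = client.syn(server.name)     # SYN
    s2 = server.receive(s1)          # SYN-ACK
    s3 = client.receive(s2)          # ACK
    server.receive(s3)
    return [s1, s2, s3]


if __name__ == "__main__":
    alpha, beta = Host("Alpha"), Host("Beta", state="LISTEN")
    for seg in three_way_handshake(alpha, beta):
        print(f"{seg.src} -> {seg.dst} {sorted(seg.flags)} seq={seg.seq} ack={seg.ack}")
    print(alpha.state, beta.state)
```

If the third segment never arrives, the server side stays in SYN-RECEIVED with a half-open connection, which is why listeners track and time out such entries.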

Question 98

An IT administrator reviews all the servers in the organization and notices that a server is missing
crucial patches against a recently discovered exploit. Which BEST describes what the
administrator has just found?
A
A breach
B
An exposure
C
A threat
D
A vulnerability

Explanation Details

Correct answer: A vulnerability

The weakness in an asset or the absence or weakness of a safeguard or countermeasure is a
vulnerability. A vulnerability is a flaw, loophole, oversight, error, limitation, frailty, or susceptibility in
the IT infrastructure or any other process.

The threat is incorrect because it is what exploits the vulnerability. Exposures and breaches are incorrect
because they may be the result if a vulnerability is exploited.

Question 99

Originally, voice networks were considered to be which of the following?


A
Router-switched
B
Circuit-switched
C
Packet-switched
D
Network-switched

Explanation Details

Correct answer: Circuit-switched

Voice networks were originally circuit-switched. They used a dedicated physical circuit path. This did,
however, create a major drawback in efficiency. Circuit switching uses a dedicated physical pathway
between callers and the central office. Most voice networks are now packet-switched.

Question 100

Which software development method has an emphasis on risk analysis and is used for rapid
production and prototyping?
A
Joint analysis development
B
Clean room
C
Spiral model
D
Waterfall model

Explanation Details

Correct answer: Spiral model

The spiral model has an emphasis on risk analysis and prototyping. This is used for rapid production and
prototyping systems. The spiral model is derived from the waterfall model. Each loop in the spiral is one
full iteration of the waterfall method.

Waterfall model is incorrect because it is a sequential design process used in software development
where progress is seen as flowing steadily downward. Joint analysis development is incorrect because it
uses prototyping in the life cycle area of the Dynamic Systems Development Method. Clean room is
incorrect because it is a software development process intended to produce software with a level of
reliability that can be certified.

Question 101

Tegridy Inc. is performing an audit before their required audit in accordance with PCI-DSS.
Which of the following MOST likely describes the prior audit Tegridy Inc. is conducting?
A
External audit
B
Preparatory audit
C
Third-party audit
D
Internal audit

Explanation Details

Correct answer: Internal audit

This would be an example of an internal audit. Internal audits are conducted from within a company,
typically prior to an official audit from an outside company. Internal audits are a great way for
companies to identify vulnerabilities before being faced with an official on-the-record audit.

External and third-party audits are conducted by outside companies. A third-party audit is best described
as a company conducting an audit on behalf of an external auditor. For example, if KPMG was
scheduled to conduct an external audit and didn't have the employees needed to conduct the audit that
day, they could outsource the work to a third-party auditor. Preparatory audit is a fabricated term.

Question 102

Which of the following security solutions utilizes machine learning to evaluate log and event data
it has collected and combined from multiple devices in the environment in order to detect
advanced persistent threats?
A
SIEM
B
EDR
C
NIDS
D
Web security gateway

Explanation Details

Correct answer: SIEM

SIEM (Security Information and Event Management) is a security solution which utilizes machine
learning to evaluate log and event data that it has collected and combined from multiple devices in the
environment in order to detect advanced persistent threats.

EDR (Endpoint Detection and Response) is an endpoint protection solution also designed to detect
advanced persistent threats. While sometimes having machine learning capabilities similar to those of a
SIEM, an EDR solution only evaluates the activity of the endpoint it has been installed on, while a
SIEM solution evaluates log and event data it has collected and combined from multiple devices in the
environment. A NIDS (network-based intrusion detection system) monitors network communications
for anomalous traffic and indicators of compromise. A web security gateway blocks access to certain
websites based on their URL or content, which can often be set by content category (e.g., gambling,
social media, games).

Question 103

Which of the following refers to the ability to automatically expand or contract resources
according to demand?
A
Serverless architecture
B
Immutable architecture
C
Infrastructure as Code
D
Elasticity

Explanation Details

Correct answer: Elasticity

Elasticity refers to the ability to automatically expand or contract resources according to demand.
Elasticity is commonly utilized in virtual and cloud environments to support the peaks and valleys of
service demands by allocating resources when they are needed.

Immutable architecture is an approach to architecture management that relies on cloned device
templates to deliver a standardized environment. Infrastructure as Code (IaC) refers to the emerging
practice of using code templates as a method to deploy and configure infrastructure in virtual and cloud
environments. Serverless architecture is a cloud computing model where server and database
functionalities are abstracted and offered by the provider as a service, on a pay-for-what-you-use basis.

Question 104

Which of the following is NOT used for centralized authentication?


A
RADIUS
B
Diameter
C
TACACS+
D
OWASP

Explanation Details

Correct answer: OWASP

The Open Web Application Security Project (OWASP) is an organization that publishes articles for
developers. It has nothing to do with centralized authentication.

Remote Authentication Dial-In User Service (RADIUS) is used for centralized authentication, typically
for organizations with more than one network access server. Terminal Access Controller Access-Control
System Plus (TACACS+) was released after RADIUS and offers several improvements. Diameter was
built to enhance TACACS+ by supporting a wide range of additional protocols.

Question 105

Which of the following is NOT a valid software development lifecycle (SDLC) model?
A
Spiral model
B
Adaptive model
C
Waterfall model
D
Agile model

Explanation Details

Correct answer: Adaptive model

The waterfall model reflects a linear, structured, and somewhat rigid approach to development. The
spiral model utilizes a risk-based approach to incorporate the development model (or models) that is best
suited for a particular development project step. The agile model abandons a rigid development structure
to focus on incremental, iterative development that quickly meets customer or business needs.

Adaptive model is a fabricated term.

Question 106

The STRIDE threat model is used for assessing threats against applications or operating systems.
Which of the following is part of STRIDE?
A
Spoofing
B
Discover
C
Spamming
D
Replay

Explanation Details

Correct answer: Spoofing

Microsoft developed STRIDE, a way of categorizing threats. STRIDE stands for Spoofing, Tampering,
Repudiation, Information disclosure, Denial of service (DoS), Elevation of privilege.

A spoofing attack tries to imitate a trusted user, thereby fooling the system to accept the imposter as the
original entity. An example is an IP spoofing attack. In IP spoofing, hackers replace a valid IP address
with a phony one to impersonate a genuine system or keep their identity a secret.

The other options are not part of the STRIDE threat model. Spamming is a continual form of security
risk that uses repetition by way of email. Replay attacks involve capturing a legitimate authentication
attempt and replaying it for malicious purposes. Discover is not relevant.

Question 107

In testing the Disaster Recovery Plan, which of the following involves performing all the steps of a
real recovery, except that you keep the real, live production systems running in the original
location during the test?
A
Structured walk-through
B
Checklist test
C
Parallel test
D
Simulation

Explanation Details

Correct answer: Parallel test

A parallel test includes performing all steps of a real recovery, except that you keep the live production
systems running in the original location during the test. The actual production systems run in parallel
with the disaster recovery systems.

Question 108

APIs can be very useful in allowing various systems to integrate and communicate with each
other. However, there are some security vulnerabilities associated with them.

What is one major security vulnerability common with APIs?


A
They have key exchange mechanisms
B
They use internet protocols and language
C
They are considered old and deprecated technology
D
There is no way to secure them

Explanation Details

Correct answer: They use internet protocols and language

APIs use a common web language, which means many features associated with the API can be utilized
with that very language. This can be a good or a bad thing, as attackers can take advantage of this just as
much as a user can.

APIs are modern and used quite often, especially with containerization and even cybersecurity threat
feeds. One way to make these APIs secure is implementing good coding practices such as input
validation and sanitization. There are also many ways to conduct an out-of-band key exchange through
web applications instead of the API itself, which is very secure.

Question 109

Tegridy Inc. wants to implement a formal inspection of all software before any time is spent on
dynamic analysis testing. What would be the MOST formal and in-depth approach to conducting
such an inspection?
A
Static testing
B
Fagan inspection
C
Peer review
D
Fuzz testing

Explanation Details

Correct answer: Fagan inspection

A Fagan inspection is a formal step-by-step process of code review. It is considered the most in-depth
code review in the industry and involves specific criteria for evaluation.

A peer review would be a good alternative, but not as in depth as a Fagan inspection. There is no set
criteria or standard with a peer review. Additionally, you're relying on the knowledge of another person
instead of a standardized and proven formal approach to reviewing code.

Static testing and fuzz testing would allow for testing code at a microscopic or active level, but would
not be a formal methodical approach. Additionally, these processes may involve fewer people and
provide less opportunity to observe errors and provide adequate feedback.

Ultimately, a Fagan inspection involves planning, overview, preparation, inspection, reworks, and
follow-ups. None of these other review processes match that.

Question 110

In relation to biometric devices, Crossover Error Rate (CER) indicates what?


A
It indicates the inaccuracy of the device - the lower the better
B
It indicates the failure rate of the device
C
It indicates the point where false rejection is equivalent to the false acceptance rate
D
It indicates the acceptance rate of the device

Explanation Details

Correct answer: It indicates the point where false rejection is equivalent to the false acceptance rate

The point at which biometric type 1 errors (false rejection rate) and type 2 errors (false acceptance rate)
are equal is the Crossover Error Rate (CER). When a biometric device is too sensitive, type 1 errors
(false negatives) are more common. When a biometric device is not sensitive enough, type 2 errors
(false positives) are more common.
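A worked calculation of the Crossover Error Rate, added here as an example that is not part of the original question bank. The genuine-user and impostor match scores are constructed (ten of each, on a 0 to 100 scale, with the two populations overlapping near the middle); the threshold sweep then shows how raising the threshold drives up false rejections (type 1) and lowering it drives up false acceptances (type 2), and finds the threshold where the two rates meet.

```python
# Constructed match scores: a higher score means a stronger match.
GENUINE = [92, 88, 85, 81, 78, 75, 70, 66, 60, 55]   # legitimate users
IMPOSTOR = [58, 52, 48, 45, 40, 36, 30, 25, 20, 15]  # other people's samples


def frr(genuine_scores, threshold):
    """False rejection rate (type 1): genuine users scoring below the threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def far(impostor_scores, threshold):
    """False acceptance rate (type 2): impostors scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def error_curve(genuine, impostor, thresholds):
    """FRR and FAR at every candidate threshold, for plotting or tabulating."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in thresholds]


def crossover(genuine, impostor, thresholds):
    """Return (threshold, FRR, FAR) where the two rates are closest.
    That common rate is the CER; ties go to the lowest threshold."""
    best = min(thresholds,
               key=lambda t: (abs(frr(genuine, t) - far(impostor, t)), t))
    return best, frr(genuine, best), far(impostor, best)


if __name__ == "__main__":
    thresholds = range(0, 101)
    for t, fr, fa in error_curve(GENUINE, IMPOSTOR, range(20, 100, 10)):
        print(f"threshold {t:3d}: FRR={fr:.1f}  FAR={fa:.1f}")
    t, fr, fa = crossover(GENUINE, IMPOSTOR, thresholds)
    print(f"crossover at threshold {t}: CER={fr:.2f}")
```

With these constructed scores, a threshold of 90 rejects nine of ten genuine users (the device is too sensitive) while accepting no impostors, and a threshold of 30 rejects nobody but admits seven of ten impostors; the curves cross at a threshold of 56 with both rates at 0.1, so the CER is 10%. A lower CER is what distinguishes a more accurate device.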

Question 111

From the perspective of cybersecurity, which of the following is the BEST motivation to create
system images and baselines?
A
Central inventory management
B
Create a uniform naming convention
C
System hardening
D
Decrease the time needed to deploy new systems

Explanation Details

Correct answer: System hardening

System hardening reduces the overall risk of a system by removing unnecessary software and
implementing best security practices. Once a secure baseline has been established on a particular
system, administrators can capture the system's state, called an "image", and deploy it to other systems.
This process is known as "imaging." Imaging can be used to decrease the time needed to deploy new
systems. However, the best motivation is to ensure that all systems are deployed with a hardened image.

Question 112

Which of these is NOT one of the primary goals of integrity?


A
To prevent unauthorized users from making system modifications
B
To prevent authorized users from making improper modifications
C
To maintain internal and external consistency
D
To prevent unauthorized data access

Explanation Details

Correct answer: To prevent unauthorized data access

Preventing unauthorized data access is not an integrity goal, but a confidentiality goal. Integrity goals
include the consistency of data and the prevention of unauthorized modifications by unauthorized and
authorized users.

Question 113

Modern cryptography algorithms can be categorized into one of the following EXCEPT:
A
Dashing algorithms
B
Hashing algorithms
C
Asymmetric encryption
D
Symmetric encryption

Explanation Details

Correct answer: Dashing algorithms

Dashing is a fabricated term.

Modern cryptography can be divided into three types of algorithms: symmetric encryption algorithms,
asymmetric encryption algorithms, and hashing algorithms.

Symmetric encryption is the oldest and most well-known technique. A secret key, which can be a
number, a word, or just a string of random letters, is applied to the text of a message to change the
content in a particular way. This might be as simple as shifting each letter by a number of places in the
alphabet. As long as both sender and recipient know the secret key, they can encrypt and decrypt all
messages that use this key. The main disadvantage of symmetric key encryption is that all parties
involved have to exchange the key used to encrypt the data before they can decrypt it.

Asymmetric encryption includes two related keys, or a key pair. A public key is made freely available to
anyone who might want to send you a message. A second, private key is kept secret, so that only you
know it. Any messages (text, binary files, or documents) that are encrypted using the public key can
only be decrypted by applying the same algorithm, but by using the matching private key. Any message
that is encrypted using the private key can only be decrypted by using the matching public key.

Hashing is a method of cryptography that converts any form of data into a unique string of text. Any
piece of data can be hashed, no matter its size or type. In traditional hashing, regardless of the data’s
size, type, or length, the hash that any data produces is always the same length. A hash is designed to act
as a one-way function — you can put data into a hashing algorithm and get a unique string, but if you
come upon a new hash, you cannot decipher the input data it represents. A unique piece of data will
always produce the same hash. Hashing is a mathematical operation that is easy to perform, but
extremely difficult, if not impossible, to reverse.

Question 114

Which of the following software development models is BEST characterized by rigid linear
progression?
A
Waterfall model
B
Scrum model
C
Agile
D
Software Capability Maturity Model (SCMM)

Explanation Details

Correct answer: Waterfall model

When software development follows a staggered approach of rigid, well-defined stages, this is
considered the waterfall model. A waterfall model of system development contains all the steps required
to take a project from conception to completion. Generally, you cannot skip steps or go back to earlier
steps when using the waterfall model.

Question 115

What is the MOST effective control at preventing piggybacking?


A
Mantraps
B
Identification badges
C
Administrative policy
D
Bollards

Explanation Details

Correct answer: Mantraps

Mantraps force individuals into a small room with an ingress and egress door. Before the person can exit
through the egress door, the ingress door must be closed and locked. If the individual is authorized, the
egress door will unlock, and they can proceed. If they are not authorized, both doors remain locked until
a security guard or police officer arrives and escorts them off the property or arrests them for
trespassing. It is common for mantraps to have a weight scale across the floor to ensure only one person
is in the room.

Question 116

Which of the following is NOT a way to protect data with symmetric encryption?
A
AES
B
Blowfish
C
Triple DES
D
RSA

Explanation Details

Correct answer: RSA

The Advanced Encryption Standard (AES) is the most common symmetric encryption algorithm, and it
uses 128-, 192-, and 256-bit key sizes. Triple DES is a symmetric encryption algorithm that runs data
encryption standard (DES) multiple times with different keys. Blowfish is a symmetric encryption
algorithm that uses key sizes from 32 to 448 bits.

RSA is an asymmetric encryption algorithm.

Question 117

What is one key difference between attribute-based access control (ABAC) and discretionary
access control (DAC)?
A
DAC is simpler to implement and, therefore, more secure because it takes less information into account
than ABAC.
B
DAC can take time of day, location, and fiscal year into consideration, whereas ABAC cannot.
C
ABAC is simpler to implement and, therefore, more secure because it takes less information into
account than DAC.
D
ABAC can take time of day, location, and fiscal year into consideration, whereas DAC cannot.

Explanation Details

Correct answer: ABAC can take time of day, location, and fiscal year into consideration, whereas DAC
cannot.

ABAC is the most detailed form of access control and can take location, network, time of day, device,
and even more into consideration. This form of access control is more difficult to implement at the
beginning, but can be extremely beneficial in the long run.

DAC cannot do this in such great detail and, as a result, is considered less secure. For instance, a
workstation containing a user account with specific permissions can be infected with malware, opening
up the entire network to being affected if privilege escalation were to occur. With ABAC implemented,
this malware would be restricted from sending and receiving data to other networks as long as the
administrator's account was not affected. With this, an organization can avoid losing important data,
which could ordinarily result in a serious financial loss.

Question 118

Sean is a new IT manager and has been asked to begin developing a Disaster Recovery Plan
(DRP). Of the following, which is MOST LIKELY the most important step in creating a DRP?
A
Collecting employee contact information
B
Acquiring a cold site
C
Conducting a penetration test
D
Performing a risk assessment

Explanation Details

Correct answer: Collecting employee contact information

An organization's employee contact information should be contained in the disaster recovery plan for
potential emergencies. This is also referred to as a Crisis Communications Plan. The plan may also
provide a priority list to establish a chain of command. Employee contact information is used to ensure
their safety.

Question 119

Which of the following will MOST LIKELY reduce an organization's liability should a breach
happen?
A
Due care
B
Liability assessment
C
Standard care
D
Due process

Explanation Details

Correct answer: Due care

Due care is best defined as taking the actions and making the decisions that a reasonable and competent
person would make. Due care helps shield an organization from liability should a breach happen. If an
organization can prove it practiced due care, it is less likely to be found liable for the incident.

Question 120

From the following options, identify the formula used for residual risk:
A
Asset risk x threat - control gap
B
(Threat x vulnerability x asset value) - control gap
C
(Threat x risk) x asset value
D
(Vulnerability x threat) x asset value

Explanation Details

Correct answer: (Threat x vulnerability x asset value) - control gap

This formula is total risk - control gap = residual risk.

Total risk = (threats x vulnerability x asset value). The control gap factor is a safeguard that controls
risk, so it reduces the residual risk of a system.

Question 121

Which of the following describes a control type that relies on a hardware or software mechanism?
A
Physical
B
Change
C
Technical
D
Administrative

Explanation Details

Correct answer: Technical

Technical controls rely on hardware or software mechanisms to function. Examples of technical controls
include encryption, firewalls, and access control lists.

Administrative and physical controls do not rely on hardware or software mechanisms to function.
Examples of administrative controls include policy and training, while examples of physical controls
include fences and locks. Change control is not a control type but refers to the administrative processes
an organization has adopted to evaluate prospective changes for approval.

Question 122

Which of the following BEST describes what a chain of custody is?


A
Identifies the initialization vector (IV) used in cipher block chaining (CBC)
B
Legal procedure to prove ownership of a stolen asset
C
Documents everyone who handled evidence
D
List of all authorized individuals with write access to a secure system

Explanation Details

Correct answer: Documents everyone who handled evidence

The chain of custody is chronological documentation or a paper trail showing the seizure, custody,
control, transfer, analysis, and disposal of evidence. The chain of custody (also called the chain of
evidence) documents all individuals who handled the evidence and helps ensure that evidence can be
used in court proceedings.

Question 123

When file encryption is strong, it is said to have increased which level?


A
The diffusion factor level
B
The work factor level
C
The substitution level
D
The transposition level

Explanation Details

Correct answer: The work factor level


When file encryption is strong, it is said to have increased the work factor level. Work factor refers to
the difficulty of breaking an encrypted file: the more complex the encryption applied to the product, the
higher the work factor, and the significantly more time it takes to break.

Question 124

Which of the following is specific to legally securing protection for inventions?


A
Licenses
B
Patents
C
Trademarks
D
Trade secrets

Explanation Details

Correct answer: Patents

Patents legally secure protection for inventions. Patents must be unique ideas that provide useful
processes to complete a task. Third parties can purchase patents and have them transferred to the new
owner. The patent holder can also collect royalties from an organization using its ideas.

Question 125

When determining if users should be granted read access, which principle is MOST LIKELY to
be used?
A
The principle of least privilege
B
Kerckhoff's Principle
C
Need to know principle
D
Split knowledge principle

Explanation Details

Correct answer: Need to know principle

The need to know principle is used to determine if a user’s access to certain information is necessary to
perform their job role sufficiently. If a user does not need read access to data to carry out their job role,
they should not be granted access. The need to know principle differs from least privilege because the
need to know principle is only concerned with read access.

Question 126

What is the BEST motive for an organization to create a Business Continuity Plan (BCP) or
Disaster Recovery Plan (DRP)?
A
Members of the IT department are concerned with their ability to recover from a disaster
B
To reduce disaster-related risks to an acceptable level
C
Regulatory compliance
D
To eliminate all disaster-related risks

Explanation Details

Correct answer: To reduce disaster-related risks to an acceptable level

The best motive to develop a Business Continuity Plan (BCP) or Disaster Recovery Plan (DRP) is to
reduce disaster-related risks to an acceptable level. Senior management should be involved because they
set the risk appetite of the organization, and they should be the driving force behind the creation of a
BCP. Senior management is accountable to the stakeholders for the effectiveness of the plan.
Organizations that try to create a BCP or DRP without senior management often do not align the goals
of the BCP or DRP with the organization's risk appetite.

Regulatory compliance is incorrect because while it's a good motive, it's not the best motive. To
eliminate all disaster-related risks is incorrect because it is not possible to eliminate all risk. Members of
the IT department are concerned with their ability to recover from a disaster is incorrect because this is a
bottom-up approach. BCP and DRP creation should have senior management buy-in to ensure the risk
levels align with senior management's risk appetite.

Question 127

What U.S. law fines criminals up to $500,000 for stealing trade secrets that could benefit a foreign
government?
A
Economic Espionage Act of 1996
B
Digital Millennium Copyright Act
C
Uniform Computer Information Transactions Act
D
Privacy Act of 1974

Explanation Details

Correct answer: Economic Espionage Act of 1996

The Economic Espionage Act was introduced to protect trade secrets, also known as an organization's
intellectual property, from being stolen from foreign and domestic entities. Stealing trade secrets with
the intention of giving them to a foreign government has a fine of up to $500,000. Stealing trade secrets
for any other reason has a fine of up to $250,000.

Question 128

Of the following, which BEST describes the objective of Information Technology Infrastructure
Library (ITIL)?
A
To produce a culture that welcomes change and delivers results in shorter timeframes
B
To reduce organizational risk
C
Align IT services with the needs of the business
D
Identify and simplify repeatable tasks

Explanation Details

Correct answer: Align IT services with the needs of the business

Information Technology Infrastructure Library (ITIL) is focused on aligning IT services with the needs
of the business. ITIL specifies processes and procedures that an organization’s IT department can take to
serve business needs better.

Question 129

Stealthy Security Suites & Beats is looking to identify key performance indicators (KPIs) within
their organization's firewalls. Which of the following would MOST likely be a reliable KPI?
A
Number of total IP addresses blocked
B
Amount of firewall log entries each day
C
Number of times a malicious IP address is blocked before and after a new security rule is implemented
D
Number of Snort alerts

Explanation Details

Correct answer: Number of times a malicious IP address is blocked before and after a new security rule
is implemented

A malicious IP address being blocked after a new security rule is implemented shows a direct
correlation between the two events and would indicate the security technique worked. Making
observations before and after implementing any sort of control is common practice and smart to do.
After all, you would never fix a door handle and simply hope it works the next time you need to get into
your house.

The number of firewall log entries, IP addresses being blocked, or Snort alerts are not sufficient KPIs.
The number of total IP addresses being blocked only tells us that those IP addresses are being blocked,
but does not tell us what IP addresses are still connecting or if we need to continue configuring our
firewall. Measuring this way leads to a false sense of security.

Question 130
Hugo is a penetration tester who has been hired to find vulnerabilities on a file server. He wants to
test if it is possible to open a protected file by requesting access to an unprotected file and then
replace it with the protected file before the system attempts to open the file.

Which of the following BEST describes this attack?


A
TOC/TOU attack
B
Fuzz attack
C
Process attack
D
Buffer overflow attack

Explanation Details

Correct answer: TOC/TOU attack

A time-of-check/time-of-use (TOC/TOU) attack, sometimes called a "race condition", occurs when an
attacker exploits the gap in time that exists between the processing of different instructions in an ordered
set to circumvent security controls.

A fuzz attack tries to manipulate or crash a process by supplying invalid, unexpected, or random input.
A buffer overflow attack attempts to overflow a process's memory boundary, causing it to overwrite
adjacent memory locations. Process attack is a fabricated term.

Question 131

What is the BEST way to reduce false positive and false negative reports when performing a
vulnerability scan?
A
Running the scan on a central server
B
Running multiple scans and comparing results
C
Running an authenticated scan
D
Throttling the scan to avoid detection

Explanation Details

Correct answer: Running an authenticated scan

In an authenticated scan, the scanner has credentials to log in to the target and read configuration
information from the scanned system and use it to find additional vulnerabilities.

Question 132

Which type of storage includes hard drives, flash drives, and CDs/DVDs?
A
Random access storage
B
Volatile storage
C
Secondary storage
D
Primary memory

Explanation Details

Correct answer: Secondary storage

Secondary storage is inexpensive and nonvolatile and includes items such as hard drives, flash drives,
and CDs/DVDs.

Primary memory and random access storage are incorrect because these types of storage are volatile
(e.g., RAM). Volatile storage is incorrect because CDs and DVDs are nonvolatile.

Question 133

What is the recommended height of a security fence?


A
8 feet
B
6 feet
C
9 feet
D
7 feet

Explanation Details

Correct answer: 8 feet

A fence is a physical environmental security measure since it provides security from outside threats. 8
feet (with barbed wire) is considered the preferred height for a security fence to keep most intruders out.

Question 134

Which issue would MOST likely be associated with a CPU that was EOL?
A
Lack of customer support
B
Immediate increase in patching vulnerabilities
C
Immediate end of patching and security support
D
Reduction of replacement parts

Explanation Details

Correct answer: Reduction of replacement parts

A CPU that is end of life (EOL) will immediately experience a reduction of replacement parts, since
there are no more CPUs being produced. This means a company can no longer immediately be promised
a replacement by a manufacturer and will therefore have to rely on used parts and/or those still in stock
by retailers. As time goes on, this supply will also decrease.

Customer support would still exist when an asset enters end of life, because the CPU in this example has
not yet reached its end of service life (EOSL). For the same reason, patching and security support will still
exist. However, this does not necessarily mean there will be an immediate increase in vulnerabilities, or
that a rise in vulnerabilities will ever occur.

Question 135

When discussing quantitative risk analysis, which of the following BEST represents an asset?
A
AV x EF
B
ARO
C
AV
D
SLE x ARO

Explanation Details

Correct answer: AV

AV stands for "asset value" and is a simple bottom-line balance total of an asset's value. Obtaining an
asset's value is one of the first steps in risk assessment.

Question 136

Which motion detector senses changes in the electromagnetic field surrounding a monitored
object?
A
A capacitance motion detector
B
An infrared motion detector
C
A passive audio motion detector
D
A wave pattern motion detector

Explanation Details

Correct answer: A capacitance motion detector

A capacitance motion detector contains an electromagnetic field surrounding the device. When an object
is present, changes to that field are detected and trigger an alarm.

An infrared motion detector is incorrect because it monitors for significant or meaningful changes in an
area's infrared lighting pattern. A wave pattern motion detector is incorrect because it transmits a
consistent low ultrasonic frequency signal into a monitored area to discover significant or meaningful
changes or disturbances in the reflected pattern. A passive audio motion detector is incorrect because it
detects abnormal sounds in the monitored area.

Question 137

The CISO of an organization must determine which cloud provider to use for backing up all data
associated with the respective business. With many things to consider, which of the following is
LEAST likely to influence this decision?
A
Cost
B
Location
C
Company reputation
D
Graphical user interface and accessibility

Explanation Details

Correct answer: Graphical user interface and accessibility

Graphical user interface and accessibility would be of least concern, since the most important aspect of
this decision is determining how to ensure the preservation of reliable data. There is likely
documentation to assist data custodians with transferring data and navigating a graphical user interface,
while the company holding the backups likely has customer service representatives to assist as well.

Location is an important issue for backup data, as preserving it near an area with frequent natural
disasters could be troublesome. Cost would be of consideration, as it would impact net income.
Company reputation would reduce or increase risk with the company being backed up depending on
what that reputation was. An organization may seek to incur greater costs to avoid the risk of associating
with a company that has a poor reputation.

Question 138

Ralph is performing a security assessment for management and is using Nmap to discover all
devices on a network. He runs a scan with 192.168.0.0/16 as the target. What range of usable IP
addresses will this scan?
A
192.168.0.1 to 192.255.255.254
B
192.168.0.1 to 192.168.255.254
C
192.168.0.1 to 192.168.32.254
D
192.168.0.1 to 192.168.0.254

Explanation Details

Correct answer: 192.168.0.1 to 192.168.255.254

An Nmap scan can be given a valid IP range as a target to ensure it scans the entire network.
Request for Comments (RFC) 1918 reserves the following IPv4 address ranges for private networks:

- 10.0.0.0/8 IP addresses: 10.0.0.0 – 10.255.255.255
- 172.16.0.0/12 IP addresses: 172.16.0.0 – 172.31.255.255
- 192.168.0.0/16 IP addresses: 192.168.0.0 – 192.168.255.255
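
The usable range of a CIDR block is the network address plus one through the broadcast address minus one, which is where the wrong options (each assuming a different prefix length) go astray. The following Python example is added here and is not part of the question bank or of Nmap; it computes that range for any IPv4 CIDR and checks an address against the three RFC 1918 ranges above, and its function names are the example's own.

```python
"""Compute the usable host range of an IPv4 CIDR target and test
membership in the RFC 1918 private ranges.

Added example for the question above; the function names are the
example's own and the sample inputs are constructed.
"""
from typing import Tuple

# The three IPv4 ranges RFC 1918 reserves for private networks.
RFC1918_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def ip_to_int(addr: str) -> int:
    """Convert dotted-quad text to a 32-bit integer, validating each octet."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_cidr(cidr: str) -> Tuple[int, int, int]:
    """Return (network, broadcast, prefix) for text such as '192.168.0.0/16'.

    Host bits in the supplied address are masked off, so '192.168.7.9/16'
    yields the same network as '192.168.0.0/16'. A bare address is a /32.
    """
    addr, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text) if prefix_text else 32
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range in {cidr!r}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = ip_to_int(addr) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    return network, broadcast, prefix


def usable_range(cidr: str) -> Tuple[str, str]:
    """First and last address a host can be assigned inside the block.

    For prefixes shorter than /31 the network and broadcast addresses are
    excluded; /31 (point-to-point links, RFC 3021) and /32 use every address.
    """
    network, broadcast, prefix = parse_cidr(cidr)
    if prefix >= 31:
        return int_to_ip(network), int_to_ip(broadcast)
    return int_to_ip(network + 1), int_to_ip(broadcast - 1)


def usable_host_count(cidr: str) -> int:
    """Number of assignable host addresses in the block."""
    _, _, prefix = parse_cidr(cidr)
    size = 1 << (32 - prefix)
    return size if prefix >= 31 else size - 2


def is_rfc1918(addr: str) -> bool:
    """True if the address falls inside one of the RFC 1918 private ranges."""
    value = ip_to_int(addr)
    return any(network <= value <= broadcast
               for network, broadcast, _ in map(parse_cidr, RFC1918_RANGES))


if __name__ == "__main__":
    target = "192.168.0.0/16"  # the scan target from the question
    first, last = usable_range(target)
    print(f"{target}: usable hosts {first} to {last} "
          f"({usable_host_count(target)} addresses)")
    for block in RFC1918_RANGES:
        lo, hi = usable_range(block)
        print(f"{block}: {lo} - {hi}")
```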

Question 139

The Payment Card Industry Data Security Standard (PCI DSS) was developed by and is primarily
enforced by whom?
A
State legislatures
B
The Securities and Exchange Commission
C
The Payment Card Industry Security Standards Council
D
Consumer Financial Protection Bureau

Explanation Details

Correct answer: The Payment Card Industry Security Standards Council

The Payment Card Industry Data Security Standard (PCI DSS) was developed by the Payment Card
Industry Security Standards Council. The five major credit card companies (American Express, Discover,
JCB, Mastercard, and Visa) created the council in 2006. The council enforces compliance with PCI DSS
through fines and revocation of merchant status.

Question 140

Of the following, which is NOT a valid role when using the OpenID standard?
A
Relying Party
B
Controller
C
End-User
D
OpenID Provider

Explanation Details

Correct answer: Controller

Controller is not a valid role for the OpenID standard.

OpenID is a standard that allows an organization to leverage a third-party identity provider to manage
user identification and authentication. An example of this would be logging into a website that lets you
use your Google credentials. OpenID has the following roles:

- End-User: The user attempting to log in
- Relying Party: The resource or server the end-user is trying to access
- OpenID Provider: The identity provider that identifies and authenticates the end-user

Question 141

Of the following features, which would be LEAST likely to be included within the GDPR?
A
Data maximization
B
Accountability
C
Purpose limitation
D
Fairness

Explanation Details

Correct answer: Data maximization

Data maximization is the exact opposite of data minimization, which is a tenet of GDPR. Data
minimization is collecting the least amount of data possible to reduce liability and maintenance, while
performing necessary functions.

Fairness is processing data without misleading potential customers. Purpose limitation is using data
collected only for the purposes disclosed to the customers. Accountability is holding your organization
accountable for all data collected and how it is used.

Question 142

Which of the following data protection methods BEST allows a data set to be analyzed and shared
without any risk to the privacy of those from whom the data was collected?
A
Hashing
B
Encryption
C
Anonymization
D
Tokenization

Explanation Details

Correct answer: Anonymization

Anonymization refers to the technique of removing the fields in a data set which associate that data with
a particular person (i.e., personally identifiable information fields) so that the balance of data in that set
can be analyzed and shared without any risk to the privacy of those from whom the data was collected.
Unlike tokenized data fields, anonymized data fields cannot be recovered, making it the best method for
privacy.

Encryption is a method that is applied to provide data confidentiality (customarily through the use of an
algorithm and key, which encode plaintext into ciphertext and decode ciphertext back into plaintext).
Hashing is a technique used in cryptography in which an algorithm is applied to the content of a
message or file to produce a unique, fixed-length output (message digest) derived from that content.
Tokenization refers to the technique of mapping sensitive data elements to, and replacing them with, an
identifying token that is not itself sensitive if revealed. Only the tokenization solution (or applications
authorized by it) can recover the underlying data element from the identifying token.

Question 143

Each morning, employees are required to log in to their workstations by using a tokenized
keycard, username, and static password. Whether remote or in-office, this process is the same for
all employees as a security precaution.

Which security measure would BEST meet the requirements of a Type 2 authentication factor?
A
The specific username of the employee
B
A smart card that may be combined with a programmed token
C
None of these meet the requirements for a Type 2 authentication factor
D
A static password known only to the employee

Explanation Details

Correct answer: A smart card that may be combined with a programmed token

Smart cards can use programmable tokens and RFID to authenticate personnel and would be considered
a form of Type 2 authentication.

Static passwords are considered Type 1 authentication because they are simpler and considered weaker
compared to their Type 2 and Type 3 biometrics counterparts. A username would identify, not
authenticate a user.

Question 144

Which of these is NOT a security model?


A
Diffie-Hellman
B
Clark-Wilson
C
Brewer and Nash
D
Bell-LaPadula

Explanation Details

Correct answer: Diffie-Hellman

Diffie-Hellman is a key exchange method, not a security model.

Security models are used to help design security programs by setting goals and defining techniques and
data structures. Bell-LaPadula, Brewer and Nash, and Clark-Wilson are all examples of security models.

Question 145

Which of the following is a military term referring to the study of electromagnetic emissions that
can be intercepted by a system attacker?
A
TEMPEST
B
COMSEC
C
Tracker
D
CONAttack

Explanation Details

Correct answer: TEMPEST

TEMPEST is a military term referring to the study of electromagnetic emissions that can be intercepted
by a system attacker. The emissions can be intercepted from a distance because devices emit
electromagnetic frequencies as they transmit data. Shielded cabling reduces the risk of attackers
intercepting electronic emissions because it stops the "leakage" of electromagnetic impulses.

Question 146

At this time, which political governing body is considered to have the strictest information privacy
laws?
A
The European Union
B
Mexico
C
The United States of America
D
North Atlantic Treaty Organization

Explanation Details

Correct answer: The European Union

The United States has been a leader in many privacy laws, but the European Union is considered to be
the leader in strict observance and enforcement of the rights and usage of personal information. The
EU's General Data Protection Regulation (GDPR) is intended to protect an individual's personal
information and set specific rules for how it can be transferred and used. It's a part of several
government privacy laws used to protect private information gathered and stored by organizations.

Question 147

Access control is classified as which kind of mechanism?


A
Recovery
B
Restoration
C
Corrective
D
Preventative

Explanation Details

Correct answer: Preventative

An access control's purpose is to prevent unauthorized access. When corrective, recovery, or restoration
mechanisms are needed, it is usually due to the access control system's failure to prevent damaging
intrusion.

Access control systems include preventative, detective, and corrective measures. Corrective is incorrect
because corrective controls are used for remedying violations and incidents. Recovery controls is
incorrect because recovery controls are used for restoring systems after an incident has occurred.
Restoration is incorrect because it is not an access control category or type.

Question 148

Which secure protocol is the latest, providing enhanced Wi-Fi security with the inclusion of the
Diffie-Hellman key exchange and a secret session key?
A
WPA3E
B
WPA2
C
WEP
D
WPA3

Explanation Details

Correct answer: WPA3

WPA3 is the latest secure protocol, providing enhanced Wi-Fi security with the inclusion of the Diffie-
Hellman key exchange and a secret session key. This process is also known as the Simultaneous
Authentication of Equals (SAE).

WPA2 uses AES encryption and is still widely used today, but was enhanced by WPA3 due to the
increase of attacks during the key exchange process. WEP uses the RC4 cipher with a static secret key,
which today takes just minutes to crack. Due to this, WEP is considered insecure. WPA3E is fabricated.

Question 149

How many principles does the Agile Manifesto have?


A
12
B
7
C
5
D
3

Explanation Details

Correct answer: 12

The Agile Manifesto is a document created in 2001 that defines the core philosophy of the Agile
development model.

The 12 principles are:


1. Our highest priority is to satisfy the customer through early and continuous delivery of valuable
software.
2. Welcome changing requirements, even late in development. Agile processes harness change for
the customer’s competitive advantage.
3. Deliver working software frequently, from a couple of weeks to a couple of months, with a
preference to the shorter timescale.
4. Business people and developers must work together daily throughout the project.
5. Build projects around motivated individuals. Give them the environment and support they need,
and trust them to get the job done.
6. The most efficient and effective method of conveying information to and within a development
team is face-to-face conversation.
7. Working software is the primary measure of progress.
8. Agile processes promote sustainable development. The sponsors, developers, and users should
be able to maintain a constant pace indefinitely.
9. Continuous attention to technical excellence and good design enhances agility.
10. Simplicity—the art of maximizing the amount of work not done—is essential.
11. The best architectures, requirements, and designs emerge from self-organizing teams.
12. At regular intervals, the team reflects on how to become more effective, then tunes and adjusts
its behavior accordingly.

You can view the principles on the Agile website: https://agilemanifesto.org/principles.html

Question 150

Carbines Steaks Inc. is seeking a cost-effective way to ensure a quick response to potential
cybersecurity incidents. The company wants to implement a system into their production network
that would allow for automated incident response using playbooks and runbooks.

Which technology would BEST suit the company's needs?


A
SOAR
B
SOC
C
SIEM
D
IDS

Explanation Details

Correct answer: SOAR

SOAR (security orchestration, automation, and response) provides a means by which cybersecurity
incidents receive a quick, automated response. The system recognizes a threat, and playbooks match
the observed pattern of attack behavior with pre-determined responses or runbooks. An example would
be Splunk.

SIEM (security information and event management) remotely logs all actions occurring on a network
but does not respond to incidents automatically. An example would be Security Onion, which is an
open-source SIEM. A SOC (security operations center) is comprised of people, not systems acting in an
automated fashion. An IDS (intrusion detection system) would detect an intrusion, but would not act
upon the security issue or stop anything from occurring.

Question 151

The (ISC)² Code of Ethics Canons includes all of the following EXCEPT:
A
Protect society, the common good, necessary public trust and confidence, and the infrastructure
B
Advance and protect the profession
C
Act honorably, honestly, justly, responsibly, and legally
D
Practice due diligence, and due care, in accordance with professional standards

Explanation Details

Correct answer: Practice due diligence, and due care, in accordance with professional standards

The Code of Ethics Preamble:

The safety and welfare of society and the common good, duty to our principals, and to each other,
requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this Code is a condition of certification.

Code of Ethics Canons:

- Protect society, the common good, necessary public trust and confidence, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.

Question 152

Which fire suppressant system will not inflict harm on computers or humans and works by
discharging gas onto the surface of the materials on fire, absorbing the heat and lowering the
temperature to sub-ignition levels?
A
Halon
B
FM-200
C
CO2
D
Nitrogen

Explanation Details

Correct answer: FM-200

FM-200 uses HFC-227ea, leaves no residue, and does not require costly cleanup. FM-200 systems
replace halon, which was banned in the US in 1994 as an environmental hazard.

CO2 is incorrect because CO2 will harm computers and humans. Nitrogen is incorrect because it has no
impact on a fire. Halon is incorrect because it is harmful to humans and is an environmental hazard.

Question 153

Which of the following access controls are also referred to as management controls?
A
Administrative controls
B
Technical controls
C
Physical controls
D
Logical controls

Explanation Details

Correct answer: Administrative controls

Administrative controls are sometimes referred to as management controls. They are the policies or
procedures defined by an organization's security program. Administrative controls include hiring
processes, background checks, data classification requirements, data labeling, security awareness, and
training.

Question 154

Which of the following BEST describes a hash that has been encrypted using a sender’s private
key?
A
Cipher text
B
Digital signature
C
Kerberos ticket
D
Key exchange

Explanation Details

Correct answer: Digital signature

A digital signature is a hash of the message that is encrypted with the sender's private key. The receiver
can decrypt the hash using the sender's public key. Since the sender is the only entity with a copy of the
private key, digital signatures are used to sign documents and verify the sender's identity. Digital
signatures assure the recipient that the message has not been tampered with during transmission by
comparing the decrypted hash with the hash generated by the receiver.

Question 155

Which software validation check ensures that values outputted by software fall within the
specified boundaries?
A
Reasonableness check
B
Limit check
C
Boundary check
D
Accuracy check

Explanation Details

Correct answer: Reasonableness check

A reasonableness check ensures that data outputted from software falls within the specified boundaries.
For example, ensuring that a person's height is not negative or more than 10 feet.

Limit check, boundary check, and accuracy check are all fabricated terms.

Question 156

"Assembly" is what type of language?


A
Generation two
B
Generation one
C
Generation three
D
Generation four

Explanation Details

Correct answer: Generation two

Assembly is a generation two language. Assembly is a very low-level language that requires intricate
knowledge of the system’s architecture. Programs written in Assembly are hardware-specific and are not
compatible between different central processing unit (CPU) types.

Question 157

Consider the following scenario: An employee is transferred to another position and their
previous access is not revoked or reviewed.

What BEST describes what has happened?


A
Privilege creep
B
A security breach
C
Split knowledge
D
M of N control

Explanation Details

Correct answer: Privilege creep

Privilege creep happens when a user’s permissions are not revoked during role changes. This gives
employees permission to systems and resources they no longer need to do their job. This violates the
principle of least privilege.

Question 158

Which of the following ports is commonly used for database servers?


A
TCP 23
B
TCP 1433-1434
C
UDP 161-162
D
TCP 443

Explanation Details

Correct answer: TCP 1433-1434

Microsoft SQL Server operates on transmission control protocol (TCP) ports 1433 and 1434.

HTTPS runs on TCP port 443. Telnet runs on TCP port 23. SNMP runs on UDP ports 161-162.

Question 159

A legal document used to protect an organization's sensitive information and signed by its
employees is MOST LIKELY called what?
A
Terms and conditions
B
Nondisclosure agreement
C
Work commencement
D
Noncompete agreement

Explanation Details

Correct answer: Nondisclosure agreement

Organizations often require a nondisclosure agreement (NDA) to be signed by an employee prior to
giving them access to sensitive information. The nondisclosure agreement reinforces trust between the
organization and the employee. The nondisclosure agreement ensures that confidential materials and
ideas used by the organization are not disclosed to third parties without consent.

Question 160

Which of the following protocols uses port 22?


A
Telnet
B
FTP
C
SSH
D
DNS

Explanation Details

Correct answer: SSH

Secure Shell (SSH) uses port 22.

Telnet uses port 23. File Transfer Protocol (FTP) uses ports 20 and 21. Domain Name System (DNS)
uses port 53.

Question 161

When file encryption is strong, it is said to have increased which level?


A
The diffusion factor level
B
The work factor level
C
The substitution level
D
The transposition level

Explanation Details

Correct answer: The work factor level

When file encryption is strong, it is said to have increased the work factor level. Work factor refers to
the difficulty of breaking an encrypted file, that is, the effort an attacker must spend because of the
complexity with which the product is encrypted. The higher the work factor, the significantly more time
it takes to break the encryption.

Question 162

What are Class C fires extinguished with?


A
Carbon dioxide
B
Liquid nitrogen
C
Soda acid
D
Water

Explanation Details

Correct answer: Carbon dioxide

Fires are classified according to what material is burning. Class C fires are electrical fires. Class C fires
require carbon dioxide or dry powders to extinguish them. Using water on a Class C fire can cause
electrocution.

- Class A: Common combustibles, such as wood or paper
- Class B: Liquids, such as fuels and oils
- Class C: Electrical, such as wiring and equipment
- Class D: Combustible metals, such as magnesium or sodium

Question 163

What is a benefit of using a program, such as Google Docs, for document editing within a
department-wide project?
A
Encrypted files
B
Only available internally to a company
C
Auditing and logging of changes
D
Confidentiality of data

Explanation Details

Correct answer: Auditing and logging of changes

Google Docs is excellent at allowing many users at once to edit a document, tracking all actions, and
residing on the cloud.

This would be accessible by Google as well, so it's not necessarily available internally only to the
company. Google Docs doesn't provide confidentiality any more than anything else, as it resides on the
cloud and could be accessible to almost anyone if breached. File encryption can be done with many
open-source programs and some are available for free through Windows, so whether or not Google
Docs encrypts the data in the cloud is not necessarily a benefit it holds over other programs.

Question 164

Which of the following is typically used in software development to manage source code and
maintain versions?
A
Certificate store
B
Data warehouse
C
Code repository
D
Bastion host

Explanation Details

Correct answer: Code repository

A code repository is typically used in software development to manage source code and maintain
versions. Common code repositories include GitHub and SourceForge.

A data warehouse aggregates and centrally stores data distributed across multiple applications and
locations to support its use in analytics and business intelligence. The certificate store refers to the
Microsoft Windows operating system location where certificates, such as those issued from certification
authorities (CAs), are maintained. A bastion host is a security-hardened host commonly placed in an
insecure network location to serve as a secure gateway or to securely support key services (e.g., email,
FTP). None of these are typically used in software development to manage source code and maintain
versions.

Question 165

Which of the following is specific to legally securing protection for inventions?


A
Trademarks
B
Patents
C
Trade secrets
D
Licenses

Explanation Details

Correct answer: Patents

Patents legally secure protection for inventions. Patents must be unique ideas that provide useful
processes to complete a task. Third parties can purchase patents and have them transferred to the new
owner. The patent holder can also collect royalties from an organization using its ideas.

Question 166

A data custodian has been asked to conduct backup verification within the company and create a
report to detail any potential issues to ensure availability and integrity. What has this data
custodian been asked to do?
A
Back up all data without a backup
B
Create backups of all data
C
Ensure all backups can function completely and accurately as needed
D
Create a hash of all backup files

Explanation Details

Correct answer: Ensure all backups can function completely and accurately as needed

Backup verification involves ensuring that, when a backup file is needed to restore data, that backup
can be relied upon. This means ensuring that all data is both present and accurate.

Creating backups of data is only part of backup verification. If they sit for years without being tested, we
may never know whether the drivers need to be updated in our production environment or whether we
should move those backups to different drives. Backing up all data that is not backed up is important,
but again, we run into the same issue as initially backing the data up if we never test it. Creating a hash
of data is important for integrity's sake, but it doesn't ensure that data will be easily integrated into our
production environment when needed. For this reason, it's always important to remember the CIA triad
when dealing with data. Ensuring backups function completely and accurately as needed is the option
that covers the greatest portion of the CIA triad.

Question 167

Of the following, which protocol has native payload encryption?


A
L2TP
B
L2F
C
PPTP
D
IPSec

Explanation Details

Correct answer: IPSec

Internet protocol security (IPsec) is a suite of protocols that provides protection at the network layer of
the open system interconnection (OSI) model. IPsec is frequently used to establish a virtual private
network (VPN) between two routers. IPsec protects the original IP packet by encrypting or hashing the
IP packet and adding a new AH or ESP header with a new IP header. Layer 2 tunneling protocol (L2TP)
uses IPsec to encrypt its tunnels. The IPsec-specific protocols are:

- Authentication header (AH) provides integrity of the packet and adds an AH header.
- Encapsulating security payload (ESP) provides the confidentiality of the packet and adds an ESP header.
- Internet key exchange (IKE) is used to negotiate tunnel parameters.

Question 168

Of the following, which block cipher modes do NOT utilize an initialization vector (IV)?
A
ECB & CBC
B
OFB & CTR
C
CBC & CFB
D
ECB & CTR

Explanation Details

Correct answer: ECB & CTR

Electronic Code Book (ECB) and Counter Mode (CTR) do not utilize an initialization vector (IV).

ECB encrypts each block using the key with no additional random input. This means that the same
plaintext patterns will be found in the ciphertext. If block A and block B both have the plaintext word
"Monkey", they will both show identical ciphertext for the portion of the block with the word
"Monkey".

CTR does not use an IV; however, it does use a counter that increments for each block. This is
commonly used for network transmissions where packets may arrive out of order. If a chaining mode
was used, the application would need to wait for each packet to arrive before it could decrypt the
message, since blocks cannot be decrypted until the preceding block's output is calculated.
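
The two behaviours described above, as an added example that is not part of the question bank: equal plaintext blocks produce equal ciphertext blocks under ECB, while CTR lets any block be decrypted on its own. The block cipher is a constructed 4-round Feistel network over 8-byte blocks with a SHA-256 round function so the code runs with the standard library alone; it is not a real cipher, and the mode behaviour shown is the same as with AES.

```python
"""ECB versus CTR on a toy block cipher (added example, not a real cipher)."""
import hashlib

BLOCK = 8  # block size in bytes for the toy cipher


def _round(key: bytes, half: bytes, i: int) -> bytes:
    # Keyed round function; any PRF will do for a Feistel construction.
    return hashlib.sha256(key + bytes([i]) + half).digest()[: BLOCK // 2]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy Feistel block cipher: an invertible keyed permutation on 8 bytes."""
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in range(4):
        left, right = right, _xor(left, _round(key, right, i))
    return right + left


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in reversed(range(4)):
        left, right = right, _xor(left, _round(key, right, i))
    return right + left


def _blocks(data: bytes):
    assert len(data) % BLOCK == 0, "demo uses whole blocks; real code pads"
    return [data[i : i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Each block is encrypted with the key and nothing else, so two equal
    # plaintext blocks always yield two equal ciphertext blocks.
    return b"".join(block_encrypt(key, b) for b in _blocks(plaintext))


def ctr_keystream_block(key: bytes, counter: int) -> bytes:
    # CTR encrypts the counter value, not the data, producing a keystream
    # block that is XORed with the plaintext block at the same position.
    # Deployed CTR combines a per-message nonce with the counter so a key
    # never produces the same keystream twice.
    return block_encrypt(key, counter.to_bytes(BLOCK, "big"))


def ctr_crypt(key: bytes, data: bytes, first_counter: int = 0) -> bytes:
    """Encrypts and decrypts alike, since XOR is its own inverse."""
    out = []
    for idx, b in enumerate(_blocks(data)):
        out.append(_xor(b, ctr_keystream_block(key, first_counter + idx)))
    return b"".join(out)


def ctr_decrypt_block(key: bytes, ciphertext: bytes, position: int) -> bytes:
    """Decrypt block `position` alone: no preceding block output is needed,
    which is why out-of-order packets are no problem for CTR."""
    start = position * BLOCK
    return _xor(ciphertext[start : start + BLOCK], ctr_keystream_block(key, position))


def repeated_block_positions(ciphertext: bytes):
    """Groups of block indices whose ciphertext is identical (ECB leakage)."""
    seen = {}
    for idx, b in enumerate(_blocks(ciphertext)):
        seen.setdefault(b, []).append(idx)
    return [idxs for idxs in seen.values() if len(idxs) > 1]


if __name__ == "__main__":
    key = b"constructed-demo-key"
    pt = b"Monkey!!" * 3 + b"Banana!!"  # constructed: three identical blocks
    print("ECB repeats:", repeated_block_positions(ecb_encrypt(key, pt)))  # [[0, 1, 2]]
    ct = ctr_crypt(key, pt)
    print("CTR repeats:", repeated_block_positions(ct))                   # []
    print(ctr_decrypt_block(key, ct, 3))                                  # b'Banana!!'
```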

Question 169

Sam is setting up a Redundant Array of Independent Disks (RAID) for a critical file server. He
has four drives that are each 100GB in size. He must support 250GB of user data and remain
fault-tolerant. What RAID level should he select?
A
0
B
5
C
6
D
10

Explanation Details

Correct answer: 5

When using RAID-5, your usable storage is only reduced by one drive worth of storage. RAID-5 also
provides fault-tolerance.

If four drives at 100GB each are used, you get the following results for each RAID level:

- RAID-0 – 400GB of usable space with no fault-tolerance.
- RAID-1 – 100GB of usable space with fault-tolerance.
- RAID-10 – 200GB of usable space with fault-tolerance.
- RAID-5 – 300GB of usable space with fault-tolerance.
- RAID-6 – 200GB of usable space with fault-tolerance.

Question 170

A CISO visits a local college to educate students on the importance of open-source software and
how beneficial it can be to their learning experience. Aside from cost, what is another major
benefit of open-source products the CISO can mention to encourage their use?
A
They are always better than proprietary products
B
Their variety of integration options and relation to enterprise use
C
They never include any paid additional features. Everything is free.
D
They are generally safer from a cybersecurity stance

Explanation Details

Correct answer: Their variety of integration options and relation to enterprise use

Open-source products can have a wide variety of integrations and can often still integrate with
proprietary items. Additionally, they are often free or may have some paid features. Ultimately,
however, you will find these products to be free for the most part.

While open-source products are not always better than proprietary ones, a great many of them compete
with their more expensive counterparts. However, open-source products created by those not associated
with well-known companies can have dire consequences: if you aren't careful, you could potentially be
using a malicious program.

Question 171

Which of the following documents would MOST LIKELY reference the importance of following
institutional policies and outline sanctions for violating them?
A
Playbook
B
Compliance policy
C
Service Level Agreement (SLA)
D
Runbook

Explanation Details

Correct answer: Compliance policy

A compliance policy would most likely reference the importance of following institutional policies and
outline sanctions for violating them. Compliance policies are an essential addition to policy portfolios.
Employees' compliance with institutional policies is vital for organizations to maintain consistency in
the goods and services they provide while further ensuring that the organization itself remains compliant
with laws, regulations, and contractual obligations.

Service Level Agreements (SLAs) use agreed-upon standards of measurement to establish minimum
thresholds for acceptable service performance. SLAs are typically made between service providers and
clients, whether internal (e.g., between different business units in an organization) or external (i.e.,
between the organization and a third-party provider), to ensure the quality of the services they have
contracted to receive. While SLAs sometimes define sanctions if acceptable performance isn't met, they
do not highlight the importance of following other policies. Playbooks & runbooks do not relate to
policy compliance but are utilized to support incident response automation. Playbooks and runbooks
document the step-by-step activities required to verify whether a detected security event is an actual
incident and the step-by-step response activities needed to contain any such incidents.

Question 172

Which of the following is NOT a valid step in creating a Business Continuity Plan (BCP) as
established by NIST?
A
Business Impact Analysis
B
Project budgeting
C
Developing the continuity policy planning statement
D
Scope the project

Explanation Details

Correct answer: Project budgeting

Project budgeting is not considered to be one of the standard high-profile steps set forth by NIST for
disaster recovery. NIST helps businesses establish standards and procedures to protect assets and avoid
risk.

Question 173

If the system administrator assigns access to specific job titles rather than multiple individuals,
what access control system is being used?
A
None of these
B
Mandatory Access Control (MAC)
C
Discretionary Access Control (DAC)
D
Role-Based Access Control (RBAC)

Explanation Details

Correct answer: Role-Based Access Control (RBAC)

Access control is used to identify an individual who does a specific job, authenticate them, and then
proceed to give that individual only the key to the door or workstation that they need access to and
nothing more. Access control systems come in three variations: Discretionary Access Control (DAC),
Mandatory Access Control (MAC), and Role-Based Access Control (RBAC).
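
The RBAC assignment described here and the privilege creep scenario of Question 157 together, as an added example that is not part of the question bank: permissions are granted to job titles, a transfer changes a user's role, and an access review compares what the user still holds with what the new role requires. Role and permission names are constructed.

```python
"""Role-based access with an access review that surfaces privilege creep
(added example; roles and permission strings are constructed)."""

# Permissions are attached to job titles, never to individuals (RBAC).
ROLE_PERMISSIONS = {
    "accounts-payable-clerk": {"erp:invoices:read", "erp:invoices:approve"},
    "help-desk-analyst": {"ad:password-reset", "ticketing:read", "ticketing:write"},
}


class AccessStore:
    def __init__(self):
        self.user_role = {}    # user -> current job title
        self.user_perms = {}   # user -> effective permissions actually granted

    def hire(self, user: str, role: str) -> None:
        self.user_role[user] = role
        self.user_perms[user] = set(ROLE_PERMISSIONS[role])

    def transfer_without_revocation(self, user: str, new_role: str) -> None:
        # The scenario from Question 157: the new role's rights are added,
        # but the previous role's rights are never removed.
        self.user_role[user] = new_role
        self.user_perms[user] |= ROLE_PERMISSIONS[new_role]

    def transfer_with_review(self, user: str, new_role: str) -> None:
        # Least privilege: effective rights become exactly the new role's.
        self.user_role[user] = new_role
        self.user_perms[user] = set(ROLE_PERMISSIONS[new_role])

    def review(self, user: str):
        """Return (stale, missing): rights beyond the role (creep) and rights
        the role needs but the user lacks."""
        required = ROLE_PERMISSIONS[self.user_role[user]]
        held = self.user_perms[user]
        return sorted(held - required), sorted(required - held)

    def revoke_stale(self, user: str):
        """Remove creep found by the review and report what was removed."""
        stale, _ = self.review(user)
        self.user_perms[user] -= set(stale)
        return stale


if __name__ == "__main__":
    store = AccessStore()
    store.hire("alice", "accounts-payable-clerk")
    store.transfer_without_revocation("alice", "help-desk-analyst")
    print(store.review("alice"))   # (['erp:invoices:approve', 'erp:invoices:read'], [])
    print(store.revoke_stale("alice"))
    print(store.review("alice"))   # ([], [])
```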

Question 174

Which of the following attacks BEST exploit a flaw in a system’s ability to reassemble oversized
fragmented packets?
A
Buffer overflow attack
B
ARP poisoning attack
C
Teardrop attack
D
Birthday attack

Explanation Details

Correct answer: Teardrop attack

A teardrop attack exploits a flaw in a system’s ability to reassemble oversized fragmented packets.
Attackers intentionally send oversized fragmented packets that cause the victim system to crash when
they are reassembled.

Question 175

Which of the following would MOST LIKELY be categorized as Personally Identifiable
Information (PII)?
A
Browser type
B
Aggregated survey results
C
Time zone
D
Criminal record

Explanation Details

Correct answer: Criminal record

An individual's criminal record should be categorized as personally identifiable information (PII).

The National Institute of Standards and Technology (NIST) in Special Publication 800-122 states that
PII is any information about an individual maintained by an agency, including the following:

1. Any information that can be used to distinguish or trace an individual's identity, such as name,
Social Security number, date, and place of birth, mother's maiden name, or biometric records;
and
2. Any other information that is linked or linkable to an individual, such as medical, educational,
financial, and employment information.

Question 176

Which secure protocol is the latest, providing enhanced Wi-Fi security with the inclusion of the
Diffie-Hellman key exchange and a secret session key?
A
WPA3
B
WPA2
C
WPA3E
D
WEP

Explanation Details

Correct answer: WPA3

WPA3 is the latest secure protocol, providing enhanced Wi-Fi security with the inclusion of the Diffie-
Hellman key exchange and a secret session key. This process is also known as the Simultaneous
Authentication of Equals (SAE).
WPA2 uses AES encryption and is still widely used today, but was enhanced with WPA3 due to the
increase of attacks during the key exchange process. WEP uses the RC4 secret key, which today takes
just minutes to crack. Due to this, WEP is considered insecure. WPA3E is fabricated.

Question 177

Which of the following access control models allows the Data Owner to define access to resources?
A
RBAC
B
DAC
C
MAC
D
ABAC

Explanation Details

Correct answer: DAC

A system that employs Discretionary Access Controls (DACs) allows the owner to control and define
access to that object. All objects have owners, and access control is based on the discretion or decision
of the owner.

Mandatory Access Control (MAC) uses classification and labels to define user access. Role-Based
Access Control (RBAC) maps a subject’s role with their needed operations and tasks. Attribute-Based
Access Control (ABAC) makes decisions based on attributes of the subject, the object, or the action.

Question 178

An attacker has gained access to a credit card processing database and siphons off and sells credit
card numbers on the dark web. This event is BEST described as what?
A
An attack
B
An exposure
C
A penetration
D
A breach

Explanation Details

Correct answer: A breach

A breach is a security event that results in the actual or potential disclosure of protected information. In
this case, credit card data was stolen and sold in an unauthorized manner.

Question 179

Which of the following BEST describes a star network topology?


A
All nodes are connected to a central device
B
All nodes are connected to a cable in a closed loop
C
All nodes are connected to a single cable
D
All nodes have a connection to all nodes

Explanation Details

Correct answer: All nodes are connected to a central device

In a star network topology, all nodes are connected to a central device like a switch or router. This
allows nodes to fail without impacting other nodes on the network.

Question 180

Which of the following BEST describes a logic bomb?


A
A rootkit
B
A program that executes when certain conditions are met
C
A type of buffer overflow attack
D
A virus

Explanation Details

Correct answer: A program that executes when certain conditions are met

Logic bombs are programs or code that execute when certain conditions are met. It is common for IT or
development personnel to hide malicious programs somewhere in a computer network that executes if
their user account is ever disabled.

Question 181

Of the following, a Data Custodian is LEAST LIKELY to do what?


A
Backup the data
B
Record user activities involving the data
C
Set access permissions
D
Classify data

Explanation Details

Correct answer: Classify data

Data Custodians generally don’t classify data. The Data Owner is responsible for data classification.

Data Custodians are responsible for maintaining the data and ensuring its availability for the data owner.
Data Custodians are responsible for backing up data.

Question 182

Which of the following statements regarding wireless security is NOT true?


A
WPA2 can downgrade to use Temporal Key Integrity Protocol (TKIP)
B
WEP uses RC4
C
WPA uses Triple Data Encryption Standard (Triple DES)
D
WPA2 uses Advanced Encryption Standard (AES)

Explanation Details

Correct answer: WPA uses Triple Data Encryption Standard (Triple DES)

WPA does not use Triple Data Encryption Standard (Triple DES). WPA uses the Temporal Key
Integrity Protocol (TKIP) to generate a unique key for each frame transmitted. TKIP generated keys are
fed into the RC4 encryption algorithm to encrypt traffic. This combination of TKIP and RC4 improves
the original standard Wired Equivalent Privacy (WEP).

WPA2 uses AES to encrypt traffic; however, it can be downgraded to use TKIP and RC4 to maintain
compatibility with older devices.

Question 183

Lee manages a Security Information and Event Management (SIEM) system. Of the following,
what type of input does the SIEM system MOST LIKELY accept?
A
Access control lists (ACLs)
B
User credentials
C
Malware signatures
D
System logs

Explanation Details

Correct answer: System logs

A security information and event management (SIEM) system is an aggregation of system logs from
multiple systems. Using a SIEM, an administrator can create reports that show access history and are
useful for security personnel to verify physical or logical access. A SIEM can be configured to generate
alerts if certain logs or patterns are observed.

Question 184

Which of the following is a legitimate disadvantage of a host-based intrusion detection system
(HIDS)?
A
The host-based intrusion detection system (HIDS) is an old computing system
B
A host-based intrusion detection system (HIDS) is only suited for threats that target an entire network
C
The host-based intrusion detection system (HIDS) can be configured for every host monitored
D
A host-based intrusion detection system (HIDS) is unable to detect anomalies across an entire network

Explanation Details

Correct answer: A host-based intrusion detection system (HIDS) is unable to detect anomalies across an
entire network

A host-based intrusion detection system (HIDS) only monitors individual computers. It monitors the
computer’s system logs, processes, requests, and application activity. It can examine events in more
detail for each individual computer than a Network-based Intrusion Detection System (NIDS). HIDSs
are unable to detect anomalies that occur on other systems on the network.
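
The SIEM input and alerting of Question 183 and the HIDS limitation above, as one added example that is not part of the question bank: failed-login lines from three hosts are fed to a toy SIEM that keeps a sliding window per source address. A per-host view (what a HIDS can see) never reaches the threshold, while the aggregated view does. The log lines are constructed and only mimic sshd syslog output.

```python
"""Toy SIEM correlation over constructed system logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs: one source spreads two failed logins across each
# of three hosts, so no single host sees enough to alarm on its own.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 web01 sshd[101]: Failed password for admin from 203.0.113.9 port 51000 ssh2
2024-03-01T10:00:05 web01 sshd[102]: Failed password for root from 203.0.113.9 port 51001 ssh2
2024-03-01T10:00:09 db01 sshd[201]: Failed password for admin from 203.0.113.9 port 51002 ssh2
2024-03-01T10:00:14 db01 sshd[202]: Failed password for oracle from 203.0.113.9 port 51003 ssh2
2024-03-01T10:00:20 app01 sshd[301]: Failed password for admin from 203.0.113.9 port 51004 ssh2
2024-03-01T10:00:25 app01 sshd[302]: Failed password for deploy from 203.0.113.9 port 51005 ssh2
2024-03-01T10:00:30 app01 sshd[303]: Accepted password for deploy from 198.51.100.7 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_failed_logins(text: str):
    """Yield (timestamp, host, user, source_ip) for each failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"]


def host_view_alerts(text: str, threshold: int = 5, window_s: int = 60):
    """What a HIDS on each host could raise: it counts only its own log."""
    alerts = []
    per_host = defaultdict(deque)
    for ts, host, _user, src in parse_failed_logins(text):
        q = per_host[(host, src)]
        q.append(ts)
        while q and ts - q[0] > timedelta(seconds=window_s):
            q.popleft()
        if len(q) >= threshold:
            alerts.append((host, src, len(q)))
    return alerts


def siem_alerts(text: str, threshold: int = 5, window_s: int = 60):
    """SIEM correlation: one sliding window per source across all hosts."""
    alerts = []
    per_src = defaultdict(deque)
    fired = set()
    for ts, host, _user, src in parse_failed_logins(text):
        q = per_src[src]
        q.append((ts, host))
        while q and ts - q[0][0] > timedelta(seconds=window_s):
            q.popleft()
        if len(q) >= threshold and src not in fired:
            fired.add(src)   # alert once per source per burst
            alerts.append({"src": src, "failures": len(q),
                           "hosts": sorted({h for _, h in q})})
    return alerts


if __name__ == "__main__":
    print("HIDS per-host alerts:", host_view_alerts(SAMPLE_LOGS))  # []
    print("SIEM correlated alerts:", siem_alerts(SAMPLE_LOGS))
```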

Question 185

What technique would you use to mask or hide the presence of real information or drown out
meaningful information?
A
Emanation cage
B
White noise
C
Faraday cage
D
Control zone

Explanation Details

Correct answer: White noise

White noise is false traffic used to mask or hide the presence of real traffic. White noise includes a real
signal mixed in with false information. It can be continuously transmitted or at a specific variable length.

Faraday cage is incorrect because Faraday cages are used as absorbing capacitors to prevent the release
of electromagnetic signals. Emanation cage is incorrect because it would have the same application as a
Faraday cage. A control zone is incorrect because it would be an area that is monitored by physical
security and not an application to drown out a signal.

Question 186

When referring to a Disaster Recovery Plan (DRP), a reciprocal agreement is an:


A
Agreement between two organizations that allows for utilization of their datacenter during a disaster
B
Agreement between an organization and bank that provides a line of credit that the organization can
draw on during the disaster
C
Agreement with a third party to provide office space for employees
D
Agreement between two organizations that prevents each other from competing should a disaster happen

Explanation Details

Correct answer: Agreement between two organizations that allows for utilization of their datacenter
during a disaster

A reciprocal agreement, also called a mutual assistance agreement (MAA), is an agreement or a
memorandum of understanding where two companies pledge the availability of their organization's data
center during a disaster. This allows company A to utilize company B's datacenter or vice versa. They
are rarely used in the real world but are quite often discussed in disaster recovery literature.

Question 187

Which of the following is an example of a perimeter defense control?


A
Mantrap
B
Intrusion detection system
C
Biometric access
D
Access logs

Explanation Details

Correct answer: Mantrap

Mantraps force individuals into a small room with an ingress and egress door. Before the person can exit
through the egress door, the ingress door must be closed and locked. If the individual is authorized, the
egress door will unlock, and they can proceed. If they are not authorized, both doors remain locked until
a security guard or police officer arrives and escorts them off the property or arrests them for
trespassing. It is common for mantraps to have a weight scale across the floor to ensure only one person
is in the room.

Question 188

Which of the following defines a cloud model that is hosted for the benefit of a single organization
and is accessible only to that organization?
A
Private cloud
B
Public cloud
C
Community cloud
D
Hybrid cloud

Explanation Details

Correct answer: Private cloud

A private cloud is hosted for the benefit of a single organization and is only accessible to that
organization.

Public cloud is incorrect because this model has assets that are available for rent by anyone. Community
cloud is incorrect because this model provides assets to two or more organizations. Hybrid cloud is
incorrect because this model is a combination of two or more clouds and is not usable by a single
organization.

Question 189

When deleting a file is not enough to satisfy an organization's data destruction policy, what BEST
ensures the data cannot be restored, but the media can be reused?
A
Destruction
B
Purging
C
Clearing
D
Erasing

Explanation Details

Correct answer: Purging

Purging is the process of overwriting the original data over and over. It should be repeated many times
and can be combined with degaussing to ensure the original data cannot be recovered.

Erasing is another word for delete. Clearing is the process of overwriting data multiple times; however,
it is not considered as thorough as purging. Destruction is the most secure method; however, it destroys
the media and cannot be reused.

Question 190

Which of the following is a connectionless packet switching protocol?


A
SPX
B
HTTP
C
UDP
D
TCP

Explanation Details

Correct answer: UDP

User Datagram Protocol (UDP) is a connectionless packet switching protocol. It's used for
communication when there is no need to guarantee that the packet was received. For instance, chat
programs, video streaming, and voice communication commonly use the UDP protocol.

Transmission Control Protocol (TCP) and Sequenced Packet Exchange (SPX) are connection-oriented
protocols. Connection-oriented protocols establish and manage a direct virtual connection to the remote
device. Connection-oriented protocols do not pre-establish a communication circuit with the destination
network.

Question 191

Confidentiality is the primary function of which security model?


A
Clark-Wilson
B
Biba
C
Lattice
D
Bell-LaPadula

Explanation Details

Correct answer: Bell-LaPadula

The Bell-LaPadula model is lattice-based and is a highly specialized security model whose sole function
is confidentiality and limiting access; it has no other substantial functions. The Bell-LaPadula model
was developed to formalize the U.S. Department of Defense's (DoD) multi-level security policy.

Clark-Wilson is incorrect because it is an integrity model that relies on the separation of duties and
separation of subjects from objects. Subjects access and modify objects indirectly through an interface
or program. This is known as the "access triple."

Biba is incorrect because it is an integrity model that prevents subjects with lower security levels from
writing to objects at higher security levels.

Lattice is incorrect because, while a lattice prevents illegal information flow, it is too broad a term and
is not a standalone model.

Question 192

Jessica works as an IT security professional at Acme Inc. She applies a policy to a payment
processing system where, in the event of failure, the system puts itself into a high level of
protection and becomes inaccessible until she can review it. This is an example of which type of
failure handling?
A
Fail-secure
B
Fail-off
C
Fail mitigation
D
Fail-open

Explanation Details

Correct answer: Fail-secure

The fail-secure failure state puts the system into a high level of security (and, in some cases, disables it
entirely) until an administrator has the chance to diagnose the issue and restore the device to regular
operation. This prevents attackers from causing the system to fail and gaining access afterwards.

An example of fail-secure would be if a network switch blocked all devices from authenticating if the
authentication server became unavailable. If the network switch allowed devices to connect even if the
authentication server was offline, it would be classified as fail-open.

193

Of the following, which supersedes SSL and has stronger authentication and encryption
protocols?
A
TLS
B
S/MIME
C
IKE
D
S-RPC

Explanation Details

Correct answer: TLS

Transport layer security (TLS) uses asymmetric encryption and public key infrastructure (PKI) to
securely exchange a client-generated session key, after which all traffic is encrypted using symmetric
encryption. TLS superseded secure sockets layer (SSL). TLS is used to encrypt traffic in transit between
the client and the server. TLS is used in web browsers, voice over IP (VoIP), email, and other network
communications.

194

What does the CVSS 3.1 score of 3.8 indicate?


A
Critical vulnerability
B
High vulnerability
C
Importance of the vulnerability scan
D
Low vulnerability

Explanation Details

Correct answer: Low vulnerability

The CVSS 3.1 scoring system rates vulnerabilities on a low, medium, high, or critical scale. They are
defined by the following range:

- 0.1-3.9 (Low)
- 4.0-6.9 (Medium)
- 7.0-8.9 (High)
- 9.0-10.0 (Critical)
195

What do you call an attack where an attacker alters a Domain Name System (DNS) cache?
A
DNS poisoning
B
Man in the middle attack
C
DNS redirection
D
Address resolution protocol (ARP) poisoning

Explanation Details

Correct answer: DNS poisoning

Domain Name System (DNS) poisoning occurs when an attacker is able to manipulate a DNS cache and
replace legitimate records with malicious records. This can cause the client to access malicious servers
when attempting to query legitimate DNS records. Attackers can target a client’s local cache or the DNS
server’s cache.

196

Coworkers at Stealthy Security Suites & Beats are discussing runtime environments and how they
can be beneficial in the workplace. What is a runtime environment?
A
An environment for developing code
B
An environment exclusively for the dynamic analysis of malware
C
An environment dedicated to maximum efficiency in the workplace
D
A pre-created environment capable of running various types of operating systems
Explanation Details

Correct answer: A pre-created environment capable of running various types of operating systems

Runtime environments are pre-created environments capable of running various types of operating
systems. This is beneficial to customers, employees, and anyone who uses computers every day. With a
runtime environment, an environment can be created quickly that will cater to the needs of any software
or other purpose needed.

While these environments can be used for malware analysis, developing code, or creating a more
efficient workplace, at the most basic level, they were designed for seamless integration of many use
cases—not just one specific case.

197

Which of the following terms commonly refers to the process of user account creation and
permissions assignment?
A
Offboarding
B
Deprovisioning
C
Provisioning
D
Onboarding

Explanation Details

Correct answer: Provisioning

The process of user account creation and permissions assignment is commonly referred to as
provisioning. The provisioning process is a subset of (and typically completed during) the onboarding
process.

Onboarding refers to a collection of activities performed by (or for the benefit of) new hires to meet
legal or policy compliance, and orient the employees to the policies and processes of the organization.
Deprovisioning refers to the deactivation or revocation of a user account. The deprovisioning process is
a subset of (and typically completed during) the offboarding process. Offboarding refers to a collection
of activities performed by (or for the benefit of) separating employees to meet legal or policy
compliance, and recover any company devices, keys, or tokens that were issued during the term of
employment.

198

What type of service is Python BEST described as?


A
Anything as a service (XaaS)
B
Infrastructure as a service (IaaS)
C
Platform as a service (PaaS)
D
Software as a service (SaaS)

Explanation Details

Correct answer: Platform as a service (PaaS)

Python is a platform as a service (PaaS) because it's a programming tool serving as a platform off of
which to design other programs and applications. Today, Python is one of the most popular coding
platforms in use.

Infrastructure as a service (IaaS) is any hardware provided by a company to a customer. An example
would be the physical servers available for purchase from AWS.

Software as a service (SaaS) is a service where the cloud provider provides everything, including the
application to access services. An example of SaaS would be Netflix, in which an application is simply
available via the internet and all services are right there.

Anything as a service (XaaS) is a reference to anything provided by a cloud provider.

199
When is privilege creep MOST LIKELY to occur?
A
When an employee is transferred from one position to another
B
When an employee is hired
C
When an employee refuses to take vacation
D
When an employee is fired

Explanation Details

Correct answer: When an employee is transferred from one position to another

Privilege creep happens when a user’s permissions are not revoked during role changes. This gives
employees permissions to systems and resources they no longer need to do their job. This violates the
principle of least privilege.

200

Which of the following refers to the practice of registering common misspellings or variations of a
domain name?
A
Baiting
B
Clickjacking
C
Typosquatting
D
Vishing

Explanation Details

Correct answer: Typosquatting

The practice of registering common misspellings or variations of a domain name (e.g. facebok.com,
apples.com) is referred to as typosquatting. Such registrations typically direct traffic to destinations that
advantage the squatter, rather than to the domain originally intended.
Clickjacking occurs when the user interface of a website is manipulated to misdirect intended click-
throughs. Vishing refers to voice-based (rather than email-based) phishing. Baiting refers to the practice
of leaving compromised portable media in a public location in a manner that entices its use from a
secure, nonpublic location (for example, leaving an infected USB drive labelled "staff salaries" in the
lobby of an office building).

201

Which of the following terms is used to describe a product or solution
that is no longer actively offered for sale by its manufacturer?
A
EOS
B
EOSL
C
RIP
D
EOL

Explanation Details

Correct answer: EOL

The term used to describe a product or solution that is no longer actively offered for
sale by its manufacturer is end-of-life (EOL).

EOS (end-of-support) and EOSL (end-of-service-life) are synonymous terms used to
describe a product or solution that is no longer actively supported by its manufacturer.
RIP (Routing Information Protocol) is an application layer distance vector routing
protocol in the TCP/IP suite.

202

A cipher lock uses which of the following?


A
Key token
B
Physical key
C
Keypad
D
Encrypted keys

Explanation Details

Correct answer: Keypad

A cipher lock is characterized by a keypad, requiring a specific numerical sequence on
the keypad to unlock an entrance. Keypads are used in data centers or even within
restricted areas to add an extra level of security.

203

Amanda is a security analyst and believes a crime has taken place. She
logs into the suspected endpoint to begin investigating the crime. She
notices the time clock on the computer is wrong and corrects it. She
copies all the system logs to an external hard drive and gives them to her
assistant.

Of the following, what is the BIGGEST mistake Amanda made?


A
Logging into the endpoint
B
Making copies of the system logs
C
Forgetting to create a Chain of Custody
D
Correcting the time

Explanation Details

Correct answer: Logging into the endpoint

When investigating computer crimes, an investigator should never use the original
evidence. Instead, a bit-by-bit copy of the original drive should be created and used for
the investigation. If an investigator taints the original evidence, it may be dismissed in
court. Original evidence should always be collected and documented using a Chain of
Custody. However, tainting the original evidence is more detrimental to a criminal case
than forgetting to create a Chain of Custody.

204

Which of the following is typically performed pre-employment and BEST


helps to ensure a level of ethical assurance?
A
Medical evaluation
B
Blood test
C
Non-disclosure agreement
D
Background check

Explanation Details

Correct answer: Background check

Background checks give HR a report on an applicant's criminal history in an attempt to
determine ethical and trust factors before allowing any level of access to the
organization's sensitive information. Some background checks include credit history,
employment history, and education history.

205

What do you call the IPv4 address assigned on a Windows system in the
event of a Dynamic Host Configuration Protocol (DHCP) assignment
failure?
A
Link-local address
B
Loopback address
C
APIPA
D
Broadcast address

Explanation Details

Correct answer: APIPA

Automatic private IP addressing (APIPA) is primarily a feature of Windows and is
assigned in the event of a Dynamic Host Configuration Protocol (DHCP) assignment
failure. Each failed DHCP client will receive an IP address in the range of 169.254.0.1
to 169.254.255.254.

206

Ramesh is a penetration tester and has been hired to assess a facility's
physical access controls. He successfully picks a door lock. Of the
following, what BEST describes picking?
A
Re-creating a key by analyzing the bite marks left by a lock on a blank key
B
Wedging material between the shackle and the locking mechanism
C
Manipulating cylinder pins to open the lock
D
Applying enough tension to the cylinder that it causes the pins to shear

Explanation Details

Correct answer: Manipulating cylinder pins to open the lock

Picking is the process of manipulating the cylinder pins to allow the attacker to open
the lock. Picking exploits mechanical imperfections that allow the attacker to set each
pin one at a time by applying tension to the cylinder.

Shimming is wedging material between the shackle and the locking mechanism.
Impressioning is re-creating a key by analyzing the bite marks left by a lock on a blank
key. Brute force is applying enough tension to the cylinder that it causes the pins to
shear.
207

Tegridy Inc. has determined that one of its security vulnerabilities is
failing to think as an attacker to mitigate risk. The CISO wants to compare
the company's asset inventory with potential threats and then reduce
each risk in a step-by-step manner.

Which of the following would MOST likely benefit the CISO for this
project?
A
MITRE ATT&CK Matrix
B
Current event podcasts
C
Vulnerability scans
D
Honey nets

Explanation Details

Correct answer: MITRE ATT&CK Matrix

The MITRE ATT&CK Matrix would most likely benefit the CISO, as it would provide a
step-by-step guide on how attackers exploit vulnerabilities and can be easily
compared with the company's vulnerabilities. With that, the CISO can then go step-by-
step through attack phases and mitigate those, perhaps doing so in an order based on
the most critical aspects first.

Honey nets would be useful for seeing what attackers are after when they do in fact
breach, but we won't learn anything until a breach occurs. Even then, what we learn is
restricted to what the attacker actually does.

Podcasts may be interesting and informative sources of information, but they may not
have the same credibility as a national database or other proven methods of mitigating
attacks.

Vulnerability scans would certainly be informative, but would potentially provide false
positives or be misconfigured. Vulnerability scanners may also be inaccurate if they
cannot see certain ports or services due to a firewall, so it's important to combine this
technique with the knowledge of the practitioner and the MITRE ATT&CK Matrix.

208

A major paper company wants to create a single controlling account in
which all workstations within its group can be granted technical access,
share files, and administer patching and new programs from one location
with ease. What program would be LEAST likely to suit the needs of the
company?
A
OpenLDAP
B
Microsoft Active Directory
C
FTPS server
D
FreeIPA

Explanation Details

Correct answer: FTPS server

An FTPS server will allow for secure file transfers across the internet. However, it is
not a program meant for the administration of a network.

OpenLDAP, Microsoft Active Directory, and FreeIPA are all programs built to meet the
needs of central administration for many workstations. OpenLDAP and FreeIPA are
essentially open-source alternatives to Microsoft Active Directory. Each program allows
for the administration of any workstation within the domain, granting or denying access
to resources, and the administration of patching from one administrator workstation.

209

An employee at Tegridy Inc. receives a suspicious e-mail containing a link
to what appears to be files pertaining to an upcoming workplace
education training seminar. Curious and eager to complete the training as
soon as possible, the employee clicks the link to the files within the e-
mail. Immediately after, the employee downloads the files and notices
multiple command prompt windows flash onto the screen and quickly
disappear. The documents in these files appear to be workplace training,
so the employee doesn't think anything of it. A few weeks later, Carbines
Steaks, LLC. began a new line of food products that appear to have very
similar ingredients to some of the foods that have existed at Tegridy Inc.
for years.

What practice would MOST likely have prevented this issue from
occurring?
A
Asking other employees about the training first
B
Proper asset handling and management
C
Forwarding the e-mail to a supervisor
D
Replying to the e-mail

Explanation Details

Correct answer: Proper asset handling and management

Proper asset handling and management involves not only educating anyone involved
in the process, but setting up safety mechanisms as well. Although this is a clear
indicator of a lack of security training on behalf of the employee, it's equally important
to know that even the most trained personnel make mistakes sometimes. To ultimately
prevent this from happening, the proprietary information should not have been stored
on or accessible from the same network employees operate on for normal activities.
Additionally, the information should have been encrypted to prevent the information
from even being readable by outsiders. This is a prime example of how proper asset
handling and management can go a long way. Hopefully, Tegridy Inc. has a means to
prove their trade secret was created by them first and is the same as what is being
used by Carbines Steaks.

Forwarding the e-mail to a supervisor, asking other employees about the training first,
and replying to the e-mail might assist the employee in ensuring the e-mail is
legitimate. However, reaching out to the supervisor may not be helpful if the supervisor
isn't the only one able to schedule and distribute training notifications. Other
employees may not have any more knowledge about the information than you do.
Replying to the e-mail would involve the targeted employee trusting the attacker.

210

George is a network administrator for a hospital. He configures all the
switch interfaces to dynamically detect and create trunk or tagged
interfaces if another switch is detected. Of the following, what type of
attack is George's network MOST LIKELY vulnerable to?
A
Address Resolution Protocol (ARP) poisoning attack
B
VLAN hopping attack
C
Spanning Tree Protocol (STP) attack
D
Link Layer Discovery Protocol (LLDP) spoofing

Explanation Details

Correct answer: VLAN hopping attack

VLAN hopping occurs when an attacker manipulates a frame so that the switch moves it
to a different VLAN. VLAN hopping can happen by spoofing a switch, negotiating a
dynamic trunk or tagged interface, or creating a double-encapsulated 802.1Q tag.
Network administrators should disable dynamic trunk or tagged interfaces and use
separate VLANs for access interfaces.

211

When using a Redundant Array of Independent Disks (RAID), which RAID
level both stripes and mirrors data across a set of drives?
A
1
B
0
C
5
D
10

Explanation Details

Correct answer: 10

RAID-10 is a combination of RAID 1 and 0. Sets of drives are grouped into two
separate RAID-1 groups. Each RAID-1 group is viewed as a volume in a RAID-0. This
creates striping across the RAID-1 groups.

RAID levels:

- RAID-0 - Data is striped between a set of drives without parity. This increases
your risk of data loss. If one drive fails, the entire RAID will fail; however, it
increases your usable storage and write speed.
- RAID-1 - Data is mirrored between two identical drives. This provides
redundancy. However, your usable storage is reduced by 50% of your total
storage.
- RAID-5 - Data is striped between a set of drives, but parity is also written to
each drive. This allows for a single drive to fail without causing the RAID to fail.
This provides redundancy, but your usable storage is reduced by one drive's
worth of storage.
- RAID-6 - Similar to RAID-5; however, two sets of parity are written to each
drive. This allows for two drives to fail without causing the RAID to fail. This
provides redundancy, but your usable storage is reduced by two drives' worth of
storage.
- RAID-10 - Combination of RAID-1 and RAID-0. Your usable storage is reduced
by 50% of your total storage.

212
Which of the following security solutions utilizes machine learning to
evaluate log and event data it has collected and combined from multiple
devices in the environment in order to detect advanced persistent
threats?
A
Web security gateway
B
NIDS
C
SIEM
D
EDR

Explanation Details

Correct answer: SIEM

SIEM (Security Information and Event Management) is a security solution which
utilizes machine learning to evaluate log and event data that it has collected and
combined from multiple devices in the environment in order to detect advanced
persistent threats.

EDR (Endpoint Detection and Response) is an endpoint protection solution also
designed to detect advanced persistent threats. While sometimes having machine
learning capabilities similar to those of a SIEM, an EDR solution only evaluates the
activity of the endpoint it has been installed on, while a SIEM solution evaluates log
and event data it has collected and combined from multiple devices in the
environment. A NIDS (network-based intrusion detection system) monitors network
communications for anomalous traffic and indicators of compromise. A web security
gateway blocks access to certain websites based on their URL or content, which can
often be set by content category (e.g., gambling, social media, games).

213

The TCP/IP model consists of how many layers?


A
Two
B
Four
C
Three
D
Seven

Explanation Details

Correct answer: Four

The Transmission Control Protocol/Internet Protocol (TCP/IP) model consists of four
layers. The four layers are Application, Transport or Host-to-Host, Internet, and
Network Access or Link. They correspond to layers within the Open Systems
Interconnection (OSI) model.

214
Which of the following would MOST likely be suitable to assist in
preparing for a security audit?
A
Reviewing SIEM output
B
Asking other companies about their experiences
C
DAST
D
BAS

Explanation Details

Correct answer: BAS

A breach and attack simulation (BAS) would assist in preparing for a security audit.
This system would simulate an attack, exploiting and highlighting vulnerabilities to be
remediated prior to an official audit.

Asking other companies about their experiences wouldn't be as advantageous, as
their audits are likely to be graded on the same guidelines and standards.
Reviewing SIEM output would identify potentially malicious traffic, but would not
simulate attacks and put us in the perspective of an attacker. It would simply tell us
what people were doing in our network at that given time.

Dynamic application security testing (DAST) would only evaluate software. It wouldn't
take into consideration open ports or insecure practices, and the suggested
remediation would be mostly software-based. This is only a small portion of the overall
security in an organization.

215

Network segmentation has numerous benefits, such as increased
network security and boosting performance by reducing congestion. Of
the following, which is NOT a direct form of network segmentation?
A
VPN
B
DMZ
C
Air gap
D
VLAN

Explanation Details

Correct answer: VPN

A virtual private network (VPN) is ultimately a tunnel between two endpoints. The
communication between the two endpoints is encapsulated and travels through
another network medium. A VPN does not segment two networks; however, it does
provide a method for endpoints in different networks to tunnel through another network
medium.

Virtual local area networks (VLAN) provide segmentation at the data link layer of the
Open Systems Interconnection (OSI) model; this is accomplished by assigning a VLAN
tag to switch interfaces. Air-gapped networks are physically separated, meaning they
physically have no connections between them. A demilitarized zone (DMZ) is
segmented away from other networks using firewalls.

216

As defined within Business Continuity planning, a disaster is any event
that:
A
Causes downtime
B
Results from a security event
C
Causes a financial loss
D
Disrupts a mission-critical business process
Explanation Details

Correct answer: Disrupts a mission-critical business process

Within Business Continuity planning, a disaster is an event that disrupts a mission-
critical business process. Downtime, security events, and financial losses may
accompany a disaster, but by themselves they are not considered disasters. The
effects of a disaster can be mitigated by a well-designed Disaster Recovery Plan
(DRP).

217

Cable locks are used on workstations and laptops to:


A
Show ownership
B
Cable locks are not used on these devices
C
Prevent theft of the device
D
Fasten the device down so it does not slide
Explanation Details

Correct answer: Prevent theft of the device

Cable locks are used on a variety of devices to secure them against theft. These locks
are an added security measure in case an intruder is able to overcome other physical
security. The intruder would need proper tools to cut the lock.

218

Which of the following is LEAST likely to be a benefit of virtualizing
backup data?
A
Speed
B
Security
C
Less internal resource usage
D
Convenience

Explanation Details

Correct answer: Security

While taking advantage of trending technology may seem like a good idea, spreading
data to a virtualized environment, on- or off-site, can actually increase a potential
attack surface. Moving data from one drive or environment to another provides more
opportunity for it to be stolen. Before moving data, ensure it is encrypted at rest,
transit, and use. Also, keep data remanence in mind when moving the data.

Having data available anywhere via the cloud can certainly be convenient, especially
when backing up or migrating data for personal or professional use. If properly
handled, it can also alleviate some of the security burden an enterprise would have to
deal with. In some instances, it may be faster to obtain the data via the cloud instead
of a physical site. One of the greatest benefits of virtualizing data seen today is
reducing overall storage space. That said, despite the appeal of virtualizing our data
for many reasons, sometimes simpler is in fact safer.

219

The Clark-Wilson model primarily deals with:


A
Authentication
B
Availability
C
Confidentiality
D
Integrity

Explanation Details

Correct answer: Integrity

The Clark-Wilson model focuses on data integrity. It relies on the separation of duties
and the separation of subjects from objects. Subjects access and modify objects
indirectly through an interface or program. This is known as the "access triple" and is
made up of the subject/program/object. The Clark-Wilson model defines constrained
data items (CDI) and integrity verification procedures and confirms transformation
procedures.

220

Which of the following protocols is used to pull email messages from an
email server to an email client's inbox?
A
File Transfer Protocol (FTP)
B
Telnet
C
Post Office Protocol 3 (POP3)
D
Simple Mail Transfer Protocol (SMTP)

Explanation Details

Correct answer: Post Office Protocol 3 (POP3)

Post Office Protocol 3 (POP3) is used to pull email messages from an email server to
an email client's inbox. With POP3, the email is generally deleted from the server after
it's downloaded to the local inbox.

Simple Mail Transfer Protocol is incorrect because it is primarily used to transfer email
between servers. File Transfer Protocol is incorrect because it is used specifically for
file transfer. Telnet is incorrect because it is used for remote logins.

221

Which of the following technologies will MOST LIKELY prevent sensitive
data from being transmitted to removable media?
A
Network DLP
B
Endpoint DLP
C
Forced media encryption
D
Antimalware

Explanation Details

Correct answer: Endpoint DLP

Endpoint data loss prevention (DLP) is an agent/program installed on an endpoint. It
applies protection for data at rest and in use. It can block a user from saving sensitive
data to a removable media device or printing sensitive information.

222

When performing strategic alignment, all of the following types of plans
are created EXCEPT:
A
Auditing plans
B
Strategic plans
C
Tactical plans
D
Operational plans

Explanation Details

Correct answer: Auditing plans

Strategic alignment means that security policy aligns and supports the business's
objectives, goals, and mission. This is done through the use of Strategic plans,
Tactical plans, and Operational plans.

- Strategic plans are long-term plans. Example: Create a disaster recovery
location within five years.
- Tactical plans are more detailed than strategic plans and cover a shorter
amount of time. Example: Install servers in the third quarter and set up backups
in the fourth quarter.
- Operational plans are short, detailed plans. Example: Use Network File System
(NFS) with a storage area network (SAN) to attach storage to the servers next
week.

223

What terminology means that subjects only need one set of credentials to
access multiple resources?
A
Lightweight Directory Access Protocol (LDAP)
B
Decentralized access control
C
Single Sign-On (SSO)
D
Kerberos

Explanation Details

Correct answer: Single Sign-On (SSO)

SSO is the term meaning that subjects only need one set of credentials to
access multiple resources.

Decentralized access control is incorrect because it requires a user to sign on
individually to each system they need to access. LDAP can be used for SSO, but it is
a protocol. Kerberos is also used for SSO but is a suite of protocols.

224

Of the following, which is MOST LIKELY used to exchange symmetric
encryption keys securely?
A
Diffie-Hellman
B
Secure Hash Algorithm (SHA)
C
Advanced Encryption Standard (AES)
D
Kerberos

Explanation Details

Correct answer: Diffie-Hellman

Diffie-Hellman is an asymmetric algorithm used to exchange symmetric keys between
devices with no prior relationship or trust. Diffie-Hellman allows devices to derive the
same symmetric key without actually sending it across the network.
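
As an added example (not from the original question bank), the exchange described above in Python: each side sends only its public value g^a mod p or g^b mod p, validates what it receives, and hashes the resulting shared secret into a symmetric key that never crosses the wire. The group is the 2048-bit MODP group 14 from RFC 3526 (transcribed here, so the included primality check lets a reader confirm it); the SHA-256 derivation label and the is_probable_prime() helper are my additions, not part of the protocol.

```python
import hashlib
import secrets

# 2048-bit MODP group 14 (RFC 3526). It is a safe prime: Q = (P - 1) / 2 is also prime,
# which makes the subgroup check in validate_public_value() a single exponentiation.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2  # order of the subgroup generated by G


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; used here only to let the reader re-check the transcribed group."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_private():
    """Private exponent: a fresh random value in [2, Q-1], never reused."""
    return secrets.randbelow(Q - 2) + 2


def public_value(priv):
    """The only thing each side transmits: g^priv mod p."""
    return pow(G, priv, P)


def validate_public_value(y):
    """Reject trivial or small-subgroup values before exponentiating with our secret."""
    if not 1 < y < P - 1:
        raise ValueError("public value outside (1, p-1)")
    if pow(y, Q, P) != 1:
        raise ValueError("public value not in the prime-order subgroup")
    return y


def is_valid_public_value(y):
    try:
        validate_public_value(y)
        return True
    except ValueError:
        return False


def shared_key(my_priv, peer_public):
    """Derive the symmetric key from peer_public^my_priv mod p (the raw secret is never used directly)."""
    ss = pow(validate_public_value(peer_public), my_priv, P)
    # Constructed derivation label; a real protocol would bind transcript data here.
    return hashlib.sha256(b"dh-demo-key" + ss.to_bytes(256, "big")).digest()


def exchange(alice_priv=None, bob_priv=None):
    """Run a complete exchange; returns (A, B, alice_key, bob_key). Only A and B cross the wire."""
    a = alice_priv or generate_private()
    b = bob_priv or generate_private()
    A, B = public_value(a), public_value(b)
    return A, B, shared_key(a, B), shared_key(b, A)


if __name__ == "__main__":
    A, B, ka, kb = exchange()
    print("keys match:", ka == kb, "key:", ka.hex())
```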
225

What type of memory addressing is used by applications?


A
Relative
B
Logical
C
Virtual
D
Physical

Explanation Details

Correct answer: Logical

The logical address is used by applications to assign and allocate memory. The logical
address is mapped to a physical memory location by the memory mapper. The Central
Processing Unit (CPU) can access physical memory directly, unlike an application.

Relative is incorrect because it is expressed as a location relative to a known point.

Physical is incorrect because it is based on an actual address or location and is
dependent on the current assignment.

226

Which answer will BEST satisfy the following goals?

- Reduce unauthorized devices
- Enforce security policy throughout the network
- Use identities to perform network management

A
Network access control (NAC)
B
Virtual private network (VPN)
C
Network segmentation
D
Firewalls

Explanation Details

Correct answer: Network access control (NAC)

Network access control is the concept of controlling access to a network by
authenticating and approving all devices allowed on a network. A common method to
do this is through 802.1X. NAC can require that devices maintain a minimum patch or
antivirus level before being allowed on the network.

A well-designed NAC program can help achieve the following:

- Reduce unauthorized devices
- Enforce security policy throughout the network
- Use identities to perform network management

227

Which of the following should be performed before outsourcing or
offshoring sensitive data?
A
Risk analysis
B
Foreign national awareness training
C
A socioeconomic evaluation
D
A regulatory issue scan

Explanation Details

Correct answer: Risk analysis


Risk analysis should be performed before outsourcing or offshoring sensitive data.
The analysis is performed to ensure that the party is storing the data safely and
securely. It must be determined whether outsourcing the data creates a greater risk than the
organization's risk appetite allows.

228

The process of identifying, understanding, and categorizing potential
threats is known as which of the following?
A
Threat modeling
B
Vulnerability scanning
C
Table-top exercise
D
Penetration test

Explanation Details

Correct answer: Threat modeling

In order to ensure the highest level of security, organizations must identify possible
threats to the organization's systems. This is done through threat modeling. Threat
modeling refers to the process of identifying, understanding, and categorizing potential
threats. The goal of threat modeling is to identify a potential list of threats and analyze
those threats.

229

Which of the following is a common authorization-only framework that
exchanges information using APIs and utilizes access tokens for
authorization?
A
OIDC
B
OAuth
C
SAML
D
OpenID

Explanation Details

Correct answer: OAuth

OAuth is a common authorization-only framework that exchanges information using
APIs and utilizes access tokens for authorization. The OAuth framework is defined in
RFC 6749 and maintained by the Internet Engineering Task Force (IETF).

SAML (Security Assertion Markup Language) is a popular Single Sign-On (SSO)
solution that exchanges authentication and authorization information between
federated organizations using XML. OpenID provides decentralized authentication
services through use of a credential (called an OpenID identifier) which is created,
maintained and authenticated by an OpenID provider. OIDC (OpenID Connect) is an
authentication layer built upon the OAuth authorization framework, extending it to
provide both authentication and authorization services. OIDC exchanges service data
in JavaScript Object Notation (JSON) format using REST HTTP APIs. Both the
OpenID standard and the OIDC specification are maintained by the OpenID
Foundation.

230

Which of the following, if performed before initiating a vulnerability scan,
will reduce false negative results?
A
Configure random order host scanning
B
Update the vulnerability database
C
Configure authenticated scanning
D
Configure sequential order host scanning
Explanation Details

Correct answer: Update the vulnerability database

Vulnerability scanners rely on a database of known vulnerabilities for detection. If this
database is outdated, vulnerabilities that are present may go undetected (which is
referred to as false negative results). Therefore, the database should be updated
before each scan.

Authenticated scanning utilizes credentials for a more complete (and accurate) scan of
the device. This may reduce false positive results (where a vulnerability that isn't
present is reported as being present); however, it will not reduce false negative
results. The order in which hosts are scanned is unlikely to have any impact on false
negative results.
