1.
Which of the following is LEAST effective when hardening an operating system?
Correct Answer
C. Installing HIDS
Explanation
Installing HIDS (Host-based Intrusion Detection System) is the least effective when hardening an operating system. While HIDS can help detect and prevent intrusions, it is not as effective as the other options listed. Configuration baselines help establish a secure starting point for the system, limiting administrative privileges reduces the attack surface, and installing a software firewall adds an additional layer of protection. However, HIDS alone may not provide comprehensive protection and should be used in conjunction with other security measures.
2.
Which of the following provides the MOST control when deploying patches?
Correct Answer
C. Patch management
Explanation
Patch management provides the most control when deploying patches. Patch management refers to the process of acquiring, testing, and installing patches or updates for software applications or systems. It allows organizations to centrally manage and control the deployment of patches, ensuring that they are applied consistently and in a controlled manner. This level of control is not provided by other options such as hotfixes, remote desktop, or service packs, which may have limitations in terms of management and control over the patch deployment process.
3.
If a technician wants to know when a computer application is accessing the network, which of the following logs should be reviewed?
Correct Answer
D. Host firewall log
Explanation
The host firewall log should be reviewed if a technician wants to know when a computer application is accessing the network. The host firewall log contains information about incoming and outgoing network connections, including the applications that are initiating these connections. By reviewing the host firewall log, the technician can identify the specific times when the application is accessing the network and gather additional information about the connections made by the application.
4.
All of the following are components of IPSec EXCEPT:
Correct Answer
C. Temporal key interchange protocol
Explanation
The Temporal Key Interchange Protocol (TKIP) is not a component of IPSec. IPSec is a suite of protocols used for securing internet communications. The components of IPSec include the Encapsulating Security Payload (ESP), which provides confidentiality and integrity for IP packets, the Internet Key Exchange (IKE), which is responsible for establishing secure communication channels and negotiating cryptographic keys, and the Authentication Header (AH), which provides authentication and integrity for IP packets. TKIP, by contrast, is a protocol used in Wi-Fi networks to improve the security of WPA; it is not part of IPSec.
5.
IPSec connection parameters are stored in which of the following?
Correct Answer
A. Security association database
Explanation
The correct answer is the security association database. The security association database is responsible for storing the parameters required for establishing and maintaining IPSec connections. This includes information such as the security parameter index, which identifies the specific security parameters to be used, and the security payload index, which keeps track of the order and delivery of IPSec packets. The certificate authority (CA) is not directly involved in storing IPSec connection parameters.
6.
Which of the following will provide a 128-bit hash?
Correct Answer
A. MD5
Explanation
MD5 (Message Digest Algorithm 5) is a widely used cryptographic hash function that produces a 128-bit hash value. It takes an input (message) of any length and produces a fixed-size (128-bit) hash value. MD5 is commonly used for checksums and data integrity verification, but it is considered insecure for cryptographic purposes due to its vulnerability to collision attacks. Nonetheless, it remains in use for non-cryptographic purposes. AES128 (Advanced Encryption Standard) is a symmetric encryption algorithm that uses a 128-bit key, ROT13 is a simple letter substitution cipher, and SHA-1 (Secure Hash Algorithm 1) produces a 160-bit hash value.
7.
Which of the following describes a hash algorithm's ability to avoid the same output from two guessed inputs?
Correct Answer
B. Collision resistance
Explanation
Collision resistance refers to the ability of a hash algorithm to prevent the occurrence of two different inputs producing the same output, also known as a collision. In other words, it ensures that it is computationally infeasible to find two different inputs that result in the same hash value. This property is crucial in cryptographic applications where the integrity and security of data are paramount. By having collision resistance, the hash algorithm provides a high level of assurance that different inputs will always produce different hash values, enhancing the overall security of the system.
8.
Which of the following should be included in a forensic toolkit?
Correct Answer
D. Digital camera
Explanation
A digital camera should be included in a forensic toolkit because it can be used to capture high-quality photographs of crime scenes, evidence, and other relevant materials. These photographs can be crucial in documenting the condition and location of evidence, as well as providing visual reference for analysis and presentation in court. Additionally, digital cameras often have features such as time stamps and GPS tagging, which can further enhance the accuracy and usefulness of the photographic evidence.
9.
Which of the following BEST describes the form used while transferring evidence?
Correct Answer
C. Chain of custody
Explanation
The form used while transferring evidence is referred to as the chain of custody. This process involves documenting and maintaining a record of the movement and handling of evidence from the time it is collected until it is presented in court. The chain of custody ensures the integrity and admissibility of the evidence by showing who had control over it and when. It is a crucial component in establishing the reliability and credibility of the evidence in legal proceedings.
10.
Which of the following is the primary incident response function of a first responder?
Correct Answer
B. To secure the scene and preserve evidence
Explanation
The primary incident response function of a first responder is to secure the scene and preserve evidence. This involves establishing a perimeter around the incident area to prevent unauthorized access and contamination of evidence. By securing the scene, first responders ensure the safety of individuals present and protect valuable evidence that may be crucial in determining the cause of the incident and identifying the responsible parties. Preserving evidence is essential for a thorough investigation and potential legal proceedings.
11.
Which of the following is the GREATEST problem with low humidity in a server room?
Correct Answer
A. Static electricity
Explanation
Low humidity in a server room can lead to an increase in static electricity. Static electricity can build up and discharge, causing damage to sensitive electronic equipment. This can result in malfunctions, data loss, or even permanent damage to the servers. Therefore, static electricity is the greatest problem associated with low humidity in a server room.
12.
Which of the following protocols is used to ensure secure transmissions on port 443?
Correct Answer
A. HTTPS
Explanation
HTTPS is the correct answer because it is a protocol that ensures secure transmissions over the internet. It uses encryption to protect the data being transmitted between a web browser and a web server. Port 443 is the standard port used for HTTPS communication, making it the appropriate protocol for secure transmissions on this port. Telnet, SFTP, and SHTTP are not specifically designed for secure transmissions on port 443.
13.
When should a technician perform disaster recovery testing?
Correct Answer
D. In accordance with the disaster recovery plan
Explanation
A technician should perform disaster recovery testing in accordance with the disaster recovery plan. This means that the testing should be conducted based on the guidelines and procedures outlined in the plan. Following the plan ensures that the testing is done at the appropriate time and in a systematic manner, allowing for the identification of any potential issues or weaknesses in the disaster recovery process. It also ensures that the testing is aligned with the overall goals and objectives of the organization's disaster recovery strategy.
14.
Which of the following is the BEST backup method to restore the entire operating system and all related software?
Correct Answer
C. Disk Image
Explanation
A disk image is the best backup method to restore the entire operating system and all related software. A disk image is a complete copy of the entire system, including the operating system, software, files, and settings. It captures the system in its entirety, allowing for a complete restoration of the system to its previous state. This method ensures that all components are backed up and can be easily restored, making it the most comprehensive and reliable option for restoring the entire operating system and related software.
15.
How many keys are utilized in symmetric cryptography?
Correct Answer
A. One
Explanation
In symmetric cryptography, only one key is utilized. This key is used for both encryption and decryption of the data. The same key is shared between the sender and receiver, ensuring that only authorized parties can access the encrypted information. This approach simplifies the encryption process as there is no need to manage multiple keys. However, it also poses a challenge in securely distributing the key to all authorized parties.
16.
Which of the following terms is BEST associated with public key infrastructure (PKI)?
Correct Answer
D. Digital signatures
Explanation
Public key infrastructure (PKI) is a system that uses digital certificates and cryptographic keys to secure communication and verify the authenticity of users. Digital signatures are a fundamental component of PKI as they provide a way to ensure the integrity and non-repudiation of digital documents or messages. By using asymmetric encryption, a digital signature is created using the sender's private key, which can then be verified by anyone who has access to the sender's public key. Therefore, digital signatures are the best term associated with PKI.
17.
Which of the following is the LAST step to granting access to specific domain resources?
Correct Answer
B. Authorize the user
Explanation
The last step to granting access to specific domain resources is to authorize the user. This means that after the user has been validated, verified, and authenticated, the system will determine if the user has the necessary permissions and privileges to access the specific domain resources. Authorization ensures that only authorized users can access the resources, providing an additional layer of security and control.
18.
After an attacker has successfully gained remote access to a server with minimal privileges, which of the following is their next step?
Correct Answer
A. Elevate system privileges
Explanation
After an attacker has gained remote access to a server with minimal privileges, their next step would be to elevate system privileges. This allows the attacker to gain higher levels of access and control over the server, enabling them to perform more malicious activities and potentially compromise the entire system. By elevating system privileges, the attacker can bypass security measures, gain access to sensitive data, install malware, or execute unauthorized commands on the server.
19.
Which of the following should the technician recommend as a way to logically separate various internal networks from each other?
Correct Answer
B. VLAN
Explanation
A VLAN (Virtual Local Area Network) is a recommended solution to logically separate various internal networks from each other. VLANs allow for the segmentation of a physical network into multiple virtual networks, enabling different groups of devices to communicate with each other while remaining isolated from other VLANs. This separation enhances network security and improves network performance by reducing broadcast traffic and increasing network efficiency. Therefore, VLANs are an effective way to logically separate internal networks.
20.
An organization has requested the ability to monitor all network traffic as it traverses their network. Which of the following should a technician implement?
Correct Answer
B. Protocol analyzer
Explanation
A protocol analyzer is a tool that allows the organization to monitor and analyze network traffic. It captures and examines data packets as they traverse the network, providing detailed information about the protocols being used, the source and destination addresses, and any potential issues or security threats. By implementing a protocol analyzer, the organization can gain visibility into their network traffic, identify any abnormalities or suspicious activity, and take appropriate actions to ensure network security and performance.
21.
A large number of viruses have been found on numerous domain workstations. Which of the following should the technician implement?
Correct Answer
C. Centralized antivirus
Explanation
The technician should implement centralized antivirus. Centralized antivirus allows for the management and control of antivirus software across multiple domain workstations from a central location. This ensures that all workstations are protected and that any viruses or malware can be detected and removed efficiently. By using centralized antivirus, the technician can easily update virus definitions, schedule scans, and monitor the overall security of the network. This helps to prevent the spread of viruses and maintain a secure environment for the domain workstations.
22.
Which of the following is the MOST difficult security concern to detect when contractors enter a secured facility?
Correct Answer
B. Copying sensitive information with cellular phones
Explanation
Copying sensitive information with cellular phones is the most difficult security concern to detect when contractors enter a secured facility because it can be done discreetly and without leaving any physical evidence. Unlike installing rogue access points or removing mass storage drives, which may require physical tampering and can potentially be detected through surveillance or monitoring systems, copying sensitive information with cellular phones can be done using various covert methods such as taking pictures or using data transfer apps, making it harder to detect and prevent.
23.
When are port scanners generally used on systems?
Correct Answer
B. At the beginning of a vulnerability assessment
Explanation
Port scanners are generally used at the beginning of a vulnerability assessment. This is because port scanning helps identify open ports on a system, which can then be assessed for potential vulnerabilities. By scanning ports at the beginning of the assessment, security professionals can gather information about the system's network services and determine if any ports are exposed and susceptible to attacks. This allows them to prioritize their efforts and focus on addressing the identified vulnerabilities during the assessment.
24.
The staff must be cross-trained in different functional areas so that fraud can be detected. Which of the following is this an example of?
Correct Answer
D. Job rotation
Explanation
Job rotation is the practice of moving employees through different roles and responsibilities within an organization. By cross-training staff in different functional areas, they gain exposure to various tasks and processes, including fraud detection. This allows them to develop a broader understanding of the organization's operations and increases the likelihood of detecting fraudulent activities. Job rotation also helps prevent fraud by reducing the risk of collusion and increasing accountability.
25.
Human Resources has requested that staff members be moved to different parts of the country into new positions. Which of the following is this an example of?
Correct Answer
D. Job rotation
Explanation
This scenario is an example of job rotation, where staff members are being moved to different parts of the country and into new positions. Job rotation involves periodically shifting employees to different roles or departments within an organization to enhance their skills, provide them with new experiences, and prevent monotony. By rotating employees, organizations can also ensure cross-training and knowledge sharing among their workforce.
26.
An administrator is worried about an attacker using a compromised user account to gain administrator access to a system. Which of the following is this an example of?
Correct Answer
C. Privilege escalation
Explanation
Privilege escalation refers to the unauthorized elevation of user privileges, allowing an attacker to gain higher levels of access than originally intended. In this scenario, the administrator is concerned about an attacker exploiting a compromised user account to gain administrator access to the system. This aligns with the concept of privilege escalation, as the attacker is attempting to escalate their privileges from a regular user to an administrator.
27.
Which of the following is used to deny authorized users access to services?
Correct Answer
A. Botnets
Explanation
Botnets are large networks of compromised computers that are controlled by a central attacker. They are used to carry out various malicious activities, including denying authorized users access to services. By overwhelming a targeted service or website with a flood of requests from multiple computers in the botnet, the service can be rendered inaccessible to legitimate users. This denial of service attack can disrupt the availability and functionality of the service, causing inconvenience or financial loss to the authorized users.
28.
An administrator recommends implementing whitelisting, blacklisting, closing open relays, and strong authentication techniques to a server administrator. Which of the following threats are being addressed?
Correct Answer
C. Spam
Explanation
The recommended measures of implementing whitelisting, blacklisting, closing open relays, and strong authentication techniques are aimed at addressing the threat of spam. These techniques help in filtering and blocking unwanted and unsolicited emails, reducing the amount of spam that reaches the server and the users. By implementing these measures, the server administrator can effectively combat the issue of spam and minimize its impact on the system and its users.
29.
An administrator is asked to improve the physical security of a data center located inside the office building. The data center already maintains a physical access log and has a video surveillance system. Which of the following additional controls could be implemented?
Correct Answer
D. Mantrap
Explanation
A mantrap is a physical security control that can be implemented to improve the physical security of a data center. It is a small enclosed area with two separate doors, where one door must close and lock before the other door can be opened. This ensures that only one person can enter or exit the data center at a time, preventing unauthorized access. Implementing a mantrap adds an additional layer of security to the existing physical access log and video surveillance system, making it more difficult for unauthorized individuals to gain entry to the data center.
30.
With regard to physical security, which of the following BEST describes an access control system which implements a non-trusted but secure zone immediately outside of the secure zone?
Correct Answer
C. Mantrap
Explanation
A mantrap is a physical security system that consists of two or more interlocking doors or gates. It is designed to control access to a secure area by allowing only one person to enter or exit at a time. This creates a buffer zone between the non-trusted but secure zone and the secure zone, ensuring that unauthorized individuals cannot gain access easily. The use of a mantrap enhances physical security by preventing unauthorized access and providing a controlled environment for verifying the identity and intentions of individuals before granting them access to the secure zone.
31.
A technician notices delays in mail delivery on the mail server. Which of the following tools could be used to determine the cause of the service degradation?
Correct Answer
B. Performance monitor
Explanation
The performance monitor tool can be used to determine the cause of the service degradation. This tool allows the technician to monitor various performance metrics such as CPU usage, memory usage, disk activity, and network traffic. By analyzing these metrics, the technician can identify any bottlenecks or issues that may be causing delays in mail delivery on the mail server. The performance monitor provides real-time data and can help in troubleshooting and optimizing the server's performance.
32.
Penetration testing should only be used once which of the following items is in place?
Correct Answer
D. Written permission
Explanation
Penetration testing involves actively testing the security of a system or network to identify vulnerabilities. It is a sensitive and potentially disruptive activity, so it should only be conducted with proper authorization. Written permission ensures that the organization or individual responsible for the system or network is aware of and has approved the penetration testing. This helps to prevent any unauthorized or malicious activities and ensures that the testing is conducted within the boundaries and guidelines set by the organization.
33.
An administrator recommends that management establish a trusted third party central repository to maintain all employees' private keys. Which of the following BEST describes the administrator's recommendation?
Correct Answer
D. Key escrow
Explanation
The administrator's recommendation is to establish a trusted third party central repository to maintain all employees' private keys. This is known as key escrow, where the keys are securely stored with a trusted entity. This ensures that the keys can be accessed and recovered if needed, while maintaining their confidentiality and integrity.
34.
To combat transaction fraud, a bank has implemented a requirement that all bank customers enter a different, unique code to confirm every transaction. Which of the following is the MOST effective method to accomplish this?
Correct Answer
C. One-time password
Explanation
A one-time password is the most effective method to combat transaction fraud because it provides an additional layer of security. Unlike a static password or PIN code, a one-time password is valid for only a single login session or transaction, and it expires after a short period of time. This makes it extremely difficult for fraudsters to gain unauthorized access to a user's account or make fraudulent transactions, even if they manage to obtain the password. By requiring customers to enter a different, unique code for every transaction, the bank ensures that even if a password is compromised, it cannot be used for any future transactions.
35.
All of the following should be identified within the penetration testing scope of work EXCEPT:
Correct Answer
A. A complete list of all network vulnerabilities
Explanation
The correct answer is "A complete list of all network vulnerabilities." This is because the scope of work for penetration testing typically focuses on identifying vulnerabilities and assessing the security of a system or network. However, it is not necessary to provide a complete list of all network vulnerabilities as this would be impractical and time-consuming. Instead, the penetration testing team should focus on identifying and documenting the most critical vulnerabilities that pose a significant risk to the system or network.
36.
Which of the following is the MOST efficient way that an administrator can restrict network access to certain ports enterprise wide?
Correct Answer
D. ACL
Explanation
An ACL (Access Control List) is the most efficient way for an administrator to restrict network access to certain ports enterprise-wide. ACLs are a set of rules that determine what network traffic is allowed or denied based on various criteria, such as source IP address, destination IP address, and port number. By configuring ACLs on network devices, administrators can control access to specific ports, allowing only authorized traffic to pass through while blocking unauthorized traffic. This helps in enhancing network security and preventing unauthorized access to sensitive resources.
37.
An administrator is responsible for a server which has been attacked repeatedly in the past. The only recourse has been to reload the server from scratch. Which of the following techniques could be used to decrease the recovery time following an incident?
Correct Answer
B. Implement the server as a virtual server instance
Explanation
Implementing the server as a virtual server instance can decrease the recovery time following an incident. By using virtualization technology, the server can be easily backed up, replicated, and restored in case of an attack. This eliminates the need to reload the server from scratch, saving time and effort. Additionally, virtual server instances can be easily migrated or moved to different hardware, providing flexibility and scalability.
38.
Validating the user's claimed identity is called which of the following?
Correct Answer
A. Authentication
Explanation
Authentication refers to the process of verifying the claimed identity of a user or entity. It involves confirming the authenticity of the provided credentials, such as username and password, to ensure that the user is who they claim to be. This process helps to establish trust and secure access to systems, data, or resources. Identification, on the other hand, is the act of identifying or recognizing a user or entity, while verification is the process of confirming the accuracy or truthfulness of something. Validation, in this context, is not the correct term as it refers to the process of checking if something is valid or compliant with certain criteria.
39.
Which of the following is planted on an infected system and deployed at a predetermined time?
Correct Answer
A. Logic bomb
Explanation
A logic bomb is a type of malicious code that is planted on a system and programmed to execute a specific action at a predetermined time or when certain conditions are met. It is typically used to cause harm or damage to the infected system or its data. Unlike a Trojan horse, which disguises itself as a legitimate program, or a worm, which replicates itself to spread, a logic bomb remains dormant until triggered, making it a covert and dangerous threat. A rootkit, on the other hand, is a type of malware that allows unauthorized access to a system while hiding its presence.
40.
Which of the following allows a user to float a domain registration for a maximum of five days?
Correct Answer
D. Kiting
Explanation
Kiting allows a user to float a domain registration for a maximum of five days. Kiting refers to the practice of intentionally delaying the payment for a domain registration, allowing the user to keep the domain active for a short period of time without actually paying for it. This can be used to exploit the system and gain temporary control over a domain without proper payment or authorization.
41.
According to company policy, an administrator must logically keep the Human Resources department separated from the Accounting department. Which of the following would be the simplest way to accomplish this?
Correct Answer
D. VLAN
Explanation
A VLAN (Virtual Local Area Network) would be the simplest way to keep the Human Resources department separated from the Accounting department. VLANs allow for the creation of separate virtual networks within a physical network infrastructure, enabling different departments to have their own isolated network segments. By implementing VLANs, the administrator can ensure that the HR and Accounting departments are logically separated, preventing unauthorized access and maintaining the company policy of keeping these departments separate.
42.
Which of the following is an attack which is launched from multiple zombie machines in an attempt to bring down a service?
Correct Answer
C. DDoS
Explanation
A DDoS (Distributed Denial of Service) attack is launched from multiple zombie machines in an attempt to bring down a service. In a DDoS attack, the attacker overwhelms the target system with a flood of traffic, making it unable to respond to legitimate requests. By using multiple zombie machines, the attacker can amplify the attack and make it harder to mitigate. This type of attack is commonly used to disrupt websites, online services, or network infrastructure.
43.
Which of the following will MOST likely allow an attacker to make a switch function like a hub?
Correct Answer
A. MAC flooding
Explanation
MAC flooding is a technique used by attackers to overload the MAC address table of a switch. By sending a large number of fake MAC addresses to the switch, the attacker can fill up the table, causing the switch to enter a fail-open mode where it functions like a hub. In this mode, the switch broadcasts all incoming traffic to all connected devices, allowing the attacker to intercept and analyze the network traffic. Therefore, MAC flooding is the most likely method to make a switch function like a hub.
44.
Which of the following is commonly programmed into an application for ease of administration?
Correct Answer
A. Back door
Explanation
A back door is commonly programmed into an application for ease of administration. It is a hidden entry point that allows authorized individuals to bypass normal authentication and gain access to the application or system. This allows administrators to easily manage and maintain the application without going through the usual authentication process.
45.
Which of the following is a technique used by hackers to identify unsecured wireless network locations to other hackers?
Correct Answer
C. War chalking
Explanation
War chalking is a technique used by hackers to identify unsecured wireless network locations to other hackers. It involves marking physical locations, such as walls or pavements, with specific symbols or codes that indicate the presence of an unsecured network. These markings can be easily understood by other hackers, allowing them to locate and exploit these vulnerable networks. This technique is a form of information gathering and reconnaissance, enabling hackers to identify potential targets for unauthorized access or data theft.
46.
Which of the following authentication models uses a KDC?
Correct Answer
D. Kerberos
Explanation
Kerberos is the correct answer because it is an authentication model that uses a Key Distribution Center (KDC). The KDC acts as a trusted third party that issues tickets to clients and servers for authentication. These tickets are used to verify the identity of users and ensure secure communication within a network. Kerberos is commonly used in enterprise environments to provide strong authentication and secure access to resources.
47.
Which of the following disaster recovery components is a location that is completely empty, but allows the infrastructure to be built if the live site goes down?
Correct Answer
B. Cold site
Explanation
A cold site is a disaster recovery component that is an empty location, allowing the infrastructure to be built if the live site goes down. Unlike other sites, a cold site does not have any pre-configured equipment or systems. Instead, it provides the necessary space and utilities for the organization to set up their infrastructure in the event of a disaster. This allows for a cost-effective solution, as the organization only needs to invest in equipment and systems when they are actually needed.
48.
Which of the following should be done if an organization intends to prosecute an attacker once an attack has been completed?
Correct Answer
C. Apply proper forensic techniques
Explanation
When an organization intends to prosecute an attacker after an attack, it is crucial to apply proper forensic techniques. Forensic techniques involve collecting and analyzing digital evidence to identify the attacker, understand the attack methodology, and gather evidence that can be used in legal proceedings. This includes preserving and analyzing logs, examining system files, and conducting network forensics. By applying proper forensic techniques, the organization can ensure that the evidence is admissible in court and increase the chances of successful prosecution. Updating antivirus definitions, disconnecting the network, or restoring missing files may be important steps in incident response, but they do not directly contribute to prosecuting the attacker.
49.
Which of the following documents specifies the uptime guarantee of a web server?
Correct Answer
D. Service level agreement
Explanation
A Service Level Agreement (SLA) is a document that outlines the expectations and responsibilities of both the service provider and the client. It specifies the quality and level of service that will be provided, including guarantees such as uptime. Therefore, the correct answer is Service Level Agreement as it is the document that specifies the uptime guarantee of a web server.
50.
Which of the following authentication models uses a time stamp to prevent the risks associated with a replay attack?
Correct Answer
D. Kerberos
Explanation
Kerberos is the correct answer because it uses a time stamp to prevent the risks associated with a replay attack. A replay attack occurs when an attacker intercepts and retransmits a valid data transmission. By using a time stamp, Kerberos ensures that the authentication information is only valid for a specific period of time, making it difficult for an attacker to replay the authentication data and gain unauthorized access.