Module 4-6-8-9-12 Review Questions Solutions PDF

Summary

This document contains review questions and solutions for modules 4, 6, 8, 9, and 12. It covers topics like IOCs, information sharing centers, privacy protection, and various cyberattack types. The document includes analysis for each question.

Module 4

1. An IOC occurs when what metric exceeds its normal bounds?
a. IRR
b. LRG
c. EXR
d. KRI
Analysis:
a. Incorrect. This is fictitious for the context of this question.
b. Incorrect. This is fictitious for the context of this question.
c. Incorrect. This is fictitious for the context of this question.
d. Correct. A KRI is a metric of the upper and lower bounds of specific indicators of normal network activity. These indicators may include the total network logs per second, number of failed remote logins, network bandwidth, and outbound email traffic. Once a KRI exceeds its normal bounds, this could be (but is not always) evidence of an indicator of compromise (IOC). An IOC shows that malicious activity is occurring but is still in the early stages of an attack.

2. What are the two concerns about using public information sharing centers?
a. Cost and availability
b. Privacy and speed
c. Security and privacy
d. Regulatory approval and sharing
Analysis:
a. Incorrect. This is fictitious for the context of this question.
b. Correct. There are generally two concerns around public information sharing centers: the privacy of shared information and the speed at which the information is shared.
c. Incorrect. This is fictitious for the context of this question.
d. Incorrect. This is fictitious for the context of this question.

3. Which privacy protection uses four colors to indicate the expected sharing limitations that are to be applied by recipients of the information?
a. CISA
b. FOIA
c. TLP
d. PCII
Analysis:
a. Incorrect. CISA is a federal law passed in 2015 that provides authority for cybersecurity information sharing between the private sector, state and local governments, and the federal government.
b. Incorrect. FOIA was passed in 1967 and provides the public the right to request access to records from any federal agency.
c. Correct. TLP uses four colors (red, amber, green, and white) to indicate the expected sharing limitations that are to be applied by the recipients.
d. Incorrect. To qualify for PCII protections, information must be related to the security of the critical infrastructure, be voluntarily submitted, and not be submitted in place of compliance with a regulatory requirement.

4. Oskar has been receiving emails about critical threat intelligence information from a public information sharing center. His team leader has asked him to look into how the process can be automated so that the information can feed directly into their technology security. What technology will Oskar recommend?
a. Automated Indicator Sharing (AIS)
b. Bidirectional Security Protocol (BSP)
c. Linefeed Access
d. Lightwire JSON Control
Analysis:
a. Correct. Critical threat intelligence information should be distributed as quickly as possible to others. Relying on email alerts that require a human to read them and then react takes far too much time. As an alternative, Automated Indicator Sharing (AIS) can be used instead. AIS enables the exchange of cyberthreat indicators between parties through computer-to-computer communication rather than email communication.
b. Incorrect. This is fictitious and does not exist.
c. Incorrect. This is fictitious and does not exist.
d. Incorrect. This is fictitious and does not exist.

5. Which of the following is an application protocol for exchanging cyberthreat intelligence over HTTPS?
a. STIX
b. AIP-TAR
c. TAXII
d. TCP-Over-Secure (ToP)
Analysis:
a. Incorrect. Structured Threat Information Expression (STIX) is a language and format used to exchange cyberthreat intelligence. All information about a threat can be represented with objects and descriptive relationships. STIX information can be visually represented for a security analyst to view or stored in a lightweight format to be utilized by a computer.
b. Incorrect. This is fictitious and does not exist.
c. Correct. Trusted Automated Exchange of Intelligence Information (TAXII) is an application protocol for exchanging cyberthreat intelligence over Hypertext Transfer Protocol Secure (HTTPS). TAXII defines an application programming interface (API) and a set of requirements for TAXII clients and servers.
d. Incorrect. This is fictitious and does not exist.

6. What are the two limitations of private information sharing centers?
a. Access to data and participation
b. Government approval and cost
c. Timing of reports and remote access
d. Bandwidth and CPU
Analysis:
a. Correct. Organizations that participate in closed-source information sharing are part of private information sharing centers that restrict both access to data and participation.
b. Incorrect. This is fictitious for the context of this question.
c. Incorrect. This is fictitious for the context of this question.
d. Incorrect. This is fictitious for the context of this question.

7. Which of the following is NOT a limitation of a threat map?
a. Many maps claim that they show data in real time, but most are simply a playback of previous attacks.
b. Because threat maps show anonymized data, it is impossible to know the identity of the attackers or the victims.
c. They can be difficult to visualize.
d. Threat actors usually mask their real locations, so what is displayed on a threat map is incorrect.
Analysis:
a. Incorrect. This statement is accurate.
b. Incorrect. This statement is accurate.
c. Correct. A cybersecurity threat map illustrates cyberthreats overlaid on a diagrammatic representation of a geographical area.
d. Incorrect. This statement is accurate.

8. Luka has been asked by his supervisor to monitor the dark web for any IOCs concerning their organization. The next week, Luka reports back that he was unable to find anything because looking for information on the dark web is different from using the regular web. Which of the following is NOT different about looking for information on the dark web?
a. It is necessary to use Tor or I2P.
b. Dark web search engines are identical to regular search engines.
c. Dark web merchants open and close their sites without warning.
d. The naming structure is different on the dark web.
Analysis:
a. Incorrect. This statement is accurate.
b. Correct. Dark web search engines are very different from regular search engines.
c. Incorrect. This statement is accurate.
d. Incorrect. This statement is accurate.

9. Which of the following is NOT an improvement of UEFI over BIOS?
a. Stronger boot security
b. Networking functionality in UEFI
c. Access to larger hard drives
d. Support for USB 3.0
Analysis:
a. Incorrect. This statement is accurate.
b. Incorrect. This statement is accurate.
c. Incorrect. This statement is accurate.
d. Correct. USB 3.0 is not dependent on UEFI.

10. Which boot security mode sends information on the boot process to a remote server?
a. UEFI Native Mode
b. Secure Boot
c. Trusted Boot
d. Measured Boot
Analysis:
a. Incorrect. There is no validation or protection of the boot process in this mode.
b. Incorrect. All system firmware, bootloaders, kernels, and other boot-time executables are validated in Secure Boot.
c. Incorrect. In Trusted Boot, the Windows OS checks the integrity of every component of the boot process before loading it.
d. Correct. In Measured Boot, the computer's firmware logs the boot process so the OS can send the log to a trusted server to assess the security, giving the highest degree of security.

11. Which of the following is NOT an important OS security configuration?
a. Employing least functionality
b. Disabling default accounts
c. Disabling unnecessary services
d. Restricting patch management
Analysis:
a. Incorrect. The concept of "least functionality" states that a user should only be given the minimum set of permissions required to perform necessary tasks; all other permissions should be configured as not available to the user.
b. Incorrect. Another important disabling function is disabling default accounts/passwords. Some OSs include unnecessary accounts. For example, Microsoft Windows 10 includes a built-in Administrator account that can be used by those building new computers to run programs and applications before a user account is created. In addition, some accounts may come with default passwords that should be changed.
c. Incorrect. One of the primary OS security configurations involves disabling unnecessary open ports and services, or "turning off" any service that is not being used. In addition, closing any unnecessary TCP ports can also enhance security.
d. Correct. Patch management should not be restricted on an OS.

12. Which stage conducts a test that will verify the code functions as intended?
a. Production stage
b. Testing stage
c. Staging stage
d. Development stage
Analysis:
a. Incorrect. In the production stage, the application is released to be used in its actual setting.
b. Incorrect. The testing stage thoroughly tests the application for any errors that could result in a security vulnerability.
c. Correct. The staging stage tests to verify that the code functions as intended.
d. Incorrect. At the development stage, the requirements for the application are established and it is confirmed that the application meets the intended business needs before the actual coding begins.

13. Which model uses a sequential design process?
a. Secure model
b. Agile model
c. Rigid model
d. Waterfall model
Analysis:
a. Incorrect. This is fictitious and does not exist.
b. Incorrect. The agile model was designed to overcome the disadvantages of the waterfall model. Instead of following a rigid sequential design process, the agile model follows an incremental approach. Developers might start with a simplistic project design and begin to work on small modules. The work on these modules is done in short (weekly or monthly) "sprints," and at the end of each sprint, the project's priorities are again evaluated as tests are being run.
c. Incorrect. This is fictitious and does not exist.
d. Correct. The waterfall model uses a sequential design process: as each stage is fully completed, the developers then move on to the next stage. This means that once a stage is finished, developers cannot go back to a previous stage without starting all over again.

14. Which of the following is NOT an advantage of an automated patch update service?
a. Downloading patches from a local server instead of using the vendor's online update service can save bandwidth and time because each computer does not have to connect to an external server.
b. Specific types of updates that the organization does not test, such as hotfixes, can be automatically installed whenever they become available.
c. Users can disable or circumvent updates just as they can if their computer is configured to use the vendor's online update service.
d. Administrators can approve or decline updates for client systems, force updates to install by a specific date, and obtain reports on what updates each computer needs.
Analysis:
a. Incorrect. This statement is accurate.
b. Incorrect. This statement is accurate.
c. Correct. It is not an advantage to disable downloading patches.
d. Incorrect. This statement is accurate.

15. What type of analysis is heuristic monitoring based on?
a. Dynamic analysis
b. Static analysis
c. Code analysis
d. Input analysis
Analysis:
a. Correct. A newer approach to AV is heuristic monitoring (called dynamic analysis), which uses a variety of techniques to spot the characteristics of a virus instead of attempting to make matches.
b. Incorrect. Some AV products use signature-based monitoring, also called static analysis. The AV software scans files by attempting to match known virus patterns against potentially infected files (called string scanning).
c. Incorrect. This is fictitious for the context of this question.
d. Incorrect. This is fictitious for the context of this question.

16. Which of these is a list of preapproved applications?
a. Greenlist
b. Redlist
c. Blacklist
d. Whitelist
Analysis:
a. Incorrect. This is fictitious and does not exist.
b. Incorrect. This is fictitious and does not exist.
c. Incorrect. Blacklisting is creating a list of unapproved software so that any item not on the list of blacklisted applications can run.
d. Correct. Whitelisting is approving in advance only specific applications to run on the OS so that any item not approved is either restricted or denied.

17. What is the advantage of a secure cookie?
a. It cannot be stored on the local computer without the user's express permission.
b. It is sent to the server over HTTPS.
c. It is analyzed by AV before it is transmitted.
d. It only exists in RAM and is deleted once the web browser is closed.
Analysis:
a. Incorrect. Secure cookies do not require the user's express permission.
b. Correct. This cookie is only sent to the server with an encrypted request over the secure HTTPS protocol. This prevents an unauthorized person from intercepting a cookie that is being transmitted between the browser and the web server.
c. Incorrect. Secure cookies are not analyzed by AV before transmission.
d. Incorrect. A session cookie is stored in random-access memory (RAM), instead of on the hard drive, and only lasts for the duration of visiting the website.

18. Which of the following tries to detect and stop an attack?
a. HIDS
b. HIPS
c. RDE
d. SOMA
Analysis:
a. Incorrect. A host intrusion detection system (HIDS) is a software-based application that runs on an endpoint computer and can detect that an attack has occurred. The primary function of a HIDS is automated detection, which saves someone from sorting through log files to find an indication of unusual behavior. A HIDS can quickly detect evidence that an intrusion has occurred.
b. Correct. A host intrusion prevention system (HIPS) monitors endpoint activity to immediately react to block a malicious attack by following specific rules. Activity that a HIPS watches for includes an event that attempts to control other programs, terminate programs, or install devices and drivers. When a HIPS blocks an action, it then alerts the user so an appropriate decision about what to do can be made.
c. Incorrect. This is fictitious for the context of this question.
d. Incorrect. This is fictitious and does not exist.

19. What does Windows 10 Tamper Protection do?
a. Limits access to the registry
b. Prevents any updates to the registry until the user approves the update
c. Compresses and locks the registry
d. Creates a secure backup copy of the registry
Analysis:
a. Correct. The Windows 10 Tamper Protection security feature prevents Windows security settings from being changed or disabled by a threat actor who modifies the registry. Instead, the security settings can only be accessed directly through the Windows 10 user interface or through enterprise management software.
b. Incorrect. Tamper Protection does not ask the user for permission to update the registry.
c. Incorrect. Tamper Protection does not compress the registry.
d. Incorrect. Tamper Protection does not back up the registry.

20. Which of the following is FALSE about a quarantine process?
a. It holds a suspicious application until the user gives approval.
b. It can send a sanitized version of the attachment.
c. It can send a URL to the document that is on a restricted computer.
d. It is most often used with email attachments.
Analysis:
a. Correct. The quarantine process does not ask the user for approval.
b. Incorrect. This statement is accurate.
c. Incorrect. This statement is accurate.
d. Incorrect. This statement is accurate.

Module 6

1. Which of the following hides the existence of information?
a. Encryption
b. Decryption
c. Steganography
d. Ciphering
Analysis:
a. Incorrect. The process of changing the original text into a scrambled message is encryption.
b. Incorrect. Decryption is changing a ciphertext message back to its original form.
c. Correct. Steganography hides the existence of information. Today steganography often hides data in a harmless image file, an audio file, or even a video file.
d. Incorrect. This is fictitious and does not exist.

2. Cryptography can prevent an individual from fraudulently reneging on an action. What is this known as?
a. Repudiation
b. Nonrepudiation
c. Obfuscation
d. Integrity
Analysis:
a. Incorrect. Repudiation is defined as denial.
b. Correct. Nonrepudiation is the process of proving that a user performed an action, such as sending an email message. Nonrepudiation prevents an individual from fraudulently reneging on an action.
c. Incorrect. Obfuscation is making something obscure or unclear.
d. Incorrect. Integrity ensures that the information is correct and that no unauthorized person or malicious software has altered the data.

3. Brielle is researching substitution ciphers. She came across a cipher in which the entire alphabet was rotated 13 steps. What type of cipher is this?
a. XOR
b. XAND13
c. ROT13
d. Alphabetic
Analysis:
a. Incorrect. The XOR cipher is based on the binary operation eXclusive OR, which compares two bits: if the bits are different, a 1 is returned, but if they are identical, a 0 is returned.
b. Incorrect. This is fictitious and does not exist.
c. Correct. One type of substitution cipher is ROT13, in which the entire alphabet is rotated 13 steps (A = N, B = O, etc.).
d. Incorrect. This is fictitious and does not exist.

4. Which of the following is FALSE about "security through obscurity"?
a. It attempts to hide the existence from outsiders.
b. It can only provide limited security.
c. It is essentially impossible.
d. Proprietary cryptographic algorithms are an example.
Analysis:
a. Incorrect. By making it obscure, the original information cannot be determined.
b. Correct. Obfuscation cannot by itself be used as a general cybersecurity protection because it does not provide security, even limited security.
c. Incorrect. Because it is essentially impossible to keep secrets from everyone, the secret will eventually be discovered and the security compromised.
d. Incorrect. Some organizations attempt to apply security by obscurity to cryptography. These organizations create their own proprietary cryptographic algorithms (touted as "military-grade" cryptography) and suggest that, because the algorithm is "secret," it is secure.

5. What is low latency?
a. A low-power source requirement of a sensor.
b. The time between when a byte is input into a cryptographic cipher and when the output is obtained.
c. The requirements for an IoT device that is using a specific network.
d. The delay between when a substitution cipher decrypts the first block and when it finishes with the last block.
Analysis:
a. Incorrect. Low latency is not a power source requirement.
b. Correct. A cryptographic algorithm should have low latency, or a small amount of time between when a byte is input into a cryptographic algorithm and when the output is obtained.
c. Incorrect. Low latency is not a requirement for an IoT device on a network but involves the time to compute the ciphertext.
d. Incorrect. Low latency is based on the time for encrypting bytes, not blocks.

6. What are public key systems that generate different random public keys for each session?
a. Public Key Exchange (PKE)
b. Perfect forward secrecy
c. Elliptic Curve Diffie-Hellman (ECDH)
d. Diffie-Hellman (DH)
Analysis:
a. Incorrect. This is fictitious and does not exist.
b. Correct. Public key systems that generate different random public keys for each session are called perfect forward secrecy. The value of perfect forward secrecy is that if the secret key is compromised, it cannot reveal the contents of more than one message.
c. Incorrect. Elliptic Curve Diffie-Hellman (ECDH) uses elliptic curve cryptography instead of prime numbers in its computation.
d. Incorrect. This is fictitious and does not exist.

7. What is data called that is to be encrypted by inputting it into a cryptographic algorithm?
a. Plaintext
b. Byte-text
c. Cleartext
d. Ciphertext
Analysis:
a. Correct. Unencrypted data that is input for encryption or is the output of decryption is called plaintext.
b. Incorrect. This is fictitious and does not exist.
c. Incorrect. Unencrypted data that is not intended to be encrypted is cleartext (it is "in the clear").
d. Incorrect. Ciphertext is the scrambled and unreadable output of encryption.

8. Which of these is NOT a basic security protection for information that cryptography can provide?
a. Integrity
b. Authenticity
c. Risk
d. Confidentiality
Analysis:
a. Incorrect. Integrity ensures that the information is correct and that no unauthorized person or malicious software has altered the data, so it is a protection.
b. Incorrect. The authentication of the sender can be verified through cryptography, which makes it a protection.
c. Correct. Risk is not a protection; rather, risk is mitigated by cryptography.
d. Incorrect. Cryptography can protect the confidentiality of information by ensuring that only authorized parties can view it.

9. Cicero is researching hash algorithms. Which algorithm would produce the longest and most secure digest?
a. SHA-256
b. MD5
c. SHA3-512
d. SHA6-6
Analysis:
a. Incorrect. SHA-256 only produces a digest of 256 bits (the last number indicates the length in bits of the digest that is generated).
b. Incorrect. MD5 has been proven to be vulnerable and is not the most secure.
c. Correct. SHA3-512 produces a strong digest of 512 bits.
d. Incorrect. This is fictitious and does not exist.

10. Which of the following is NOT a symmetric cryptographic algorithm?
a. DES
b. SHA
c. Blowfish
d. 3DES
Analysis:
a. Incorrect. DES is a valid symmetric cryptographic algorithm.
b. Correct. SHA is a hash algorithm.
c. Incorrect. Blowfish is a valid symmetric cryptographic algorithm.
d. Incorrect. 3DES is a valid symmetric cryptographic algorithm.

11. Which of the following is not to be decrypted but is only used for comparison purposes?
a. Digest
b. Key
c. Stream
d. Algorithm
Analysis:
a. Correct. Although hashing is a cryptographic algorithm, its purpose is not to create ciphertext that can later be decrypted. Instead, hashing is intended to be one-way in that its digest cannot be reversed to reveal the original set of data.
b. Incorrect. A key is a value used in a cryptographic algorithm.
c. Incorrect. This is incorrect for this context.
d. Incorrect. An algorithm is a cipher used to encrypt and decrypt plaintext.

12. Which of these is NOT a characteristic of a secure hash algorithm?
a. The results of a hash function should not be reversed.
b. Collisions should occur no more than 15 percent of the time.
c. A message cannot be produced from a predefined hash.
d. The hash should always be the same fixed size.
Analysis:
a. Incorrect. This is a correct characteristic.
b. Correct. Collisions should never occur with a secure hash algorithm.
c. Incorrect. This is a correct characteristic.
d. Incorrect. This is a correct characteristic.

13. Deo has been asked to explain RSA to his colleague. After his explanation, Deo is asked what, if any, weaknesses RSA has. How would Deo respond?
a. RSA has no known weaknesses.
b. As computers become more powerful, the ability to compute factoring has increased.
c. RSA weaknesses are based on ECC.
d. The digest produced by the RSA algorithm is too short to be secure.
Analysis:
a. Incorrect. RSA has weaknesses that have been identified.
b. Correct. The security of RSA is based on factoring, which can be compromised by more powerful computers.
c. Incorrect. ECC is a solution to RSA's weaknesses.
d. Incorrect. RSA does not produce a digest like a hash function.

14. Which of these is the strongest symmetric cryptographic algorithm?
a. Data Encryption Standard
b. Advanced Encryption Standard
c. Triple Data Encryption Standard
d. RC1
Analysis:
a. Incorrect. Although DES was once widely implemented, it is no longer considered suitable for use.
b. Correct. To date, no attacks have been successful against AES.
c. Incorrect. Although 3DES addresses several of the key weaknesses of DES, it is no longer considered the most secure symmetric cryptographic algorithm.
d. Incorrect. RC1 is not the strongest algorithm.

15. If Bob wants to send a secure message to Alice using an asymmetric cryptographic algorithm, which key does he use to encrypt the message?
a. Alice's private key
b. Alice's public key
c. Bob's public key
d. Bob's private key
Analysis:
a. Incorrect. Bob would not know Alice's private key.
b. Correct. Alice's public key is used to encrypt the message.
c. Incorrect. Bob would not use his public key because Alice would not know his private key.
d. Incorrect. Alice would have no way of decrypting a message encrypted by Bob's private key.

16. Egor wanted to use a digital signature. Which of the following benefits will the digital signature NOT provide?
a. Verify the sender
b. Verify the receiver
c. Prove the integrity of the message
d. Enforce nonrepudiation
Analysis:
a. Incorrect. A digital signature can verify the sender.
b. Correct. A digital signature cannot verify the receiver, only the sender.
c. Incorrect. A digital signature can prove the integrity of the message.
d. Incorrect. A digital signature can prevent the sender from claiming the signature was forged.

17. Basil was reading about a new attack that forces the system to abandon a higher cryptographic security mode of operation and instead fall back to an older and less secure mode. What type of attack is this?
a. Deprecation attack
b. Pullback attack
c. Downgrade attack
d. Obfuscation attack
Analysis:
a. Incorrect. This is fictitious and does not exist.
b. Incorrect. This is fictitious and does not exist.
c. Correct. In a downgrade attack, an attacker forces the system to abandon the current higher security mode of operation and instead "fall back" to implementing an older and less secure mode. This then allows the threat actor to attack the weaker mode.
d. Incorrect. This is fictitious and does not exist.

18. What is a collision?
a. Two files produce the same digest.
b. Two ciphertexts have the same length.
c. Two algorithms have the same key.
d. Two keys are the same length.
Analysis:
a. Correct. When two files have the same digest, this is known as a collision. A collision attack is an attempt to find two input strings of a hash function that produce the same hash result.
b. Incorrect. It is not unusual for two ciphertexts to have the same length.
c. Incorrect. This is not a collision.
d. Incorrect. This is not a collision.

19. Which of the following is NOT a characteristic of the Trusted Platform Module (TPM)?
a. It provides cryptographic services in hardware instead of software.
b. It can generate asymmetric cryptographic public and private keys.
c. It can easily be transported to another computer.
d. It includes a pseudorandom number generator (PRNG).
Analysis:
a. Incorrect. This is correct.
b. Incorrect. This is correct.
c. Incorrect. This is correct.
d. Correct. The TPM includes a true random number generator.

20. Which of these provides cryptographic services and is external to the device?
a. Trusted Platform Module (TPM)
b. Hardware Security Module (HSM)
c. Self-encrypting hard disk drives (SED)
d. Encrypted hardware-based USB devices
Analysis:
a. Incorrect. A TPM is a chip on the motherboard.
b. Correct. HSMs are external and can be portable.
c. Incorrect. SEDs provide no cryptographic services.
d. Incorrect. These devices provide no services.

Module 8

1. Which attack intercepts communications between a web browser and the underlying OS?
a. Interception
b. Man-in-the-browser (MITB)
c. DIG
d. ARP poisoning
Analysis:
a. Incorrect. Interception is a category of attacks but is not an attack itself.
b. Correct. Like an MITM attack, a man-in-the-browser (MITB) attack intercepts communication between parties to steal or manipulate the data. Whereas an MITM attack occurs between two endpoints, such as two user laptops or a user's computer and a web server, an MITB attack occurs between a browser and the underlying computer. Specifically, an MITB attack seeks to intercept and then manipulate the communication between the web browser and the security mechanisms of the computer.
c. Incorrect. This is fictitious and does not exist.
d. Incorrect. Threat actors take advantage of a MAC address stored in a software ARP cache to change the data so that an IP address points to a different device. This attack is known as ARP poisoning.

2. Calix was asked to protect a system from a potential attack on DNS. What are the locations he would need to protect?
a. Web server buffer and host DNS server
b. Reply referrer and domain buffer
c. Web browser and browser add-on
d. Host table and external DNS server
Analysis:
a. Incorrect. An attack on DNS does not focus on a web server buffer.
b. Incorrect. Reply referrer is fictitious and does not exist.
c. Incorrect. An attack on DNS is not directed at a browser add-on.
d. Correct. DNS poisoning modifies a local lookup table on a device to point to a different domain. DNS hijacking is intended to infect an external DNS server with IP addresses that point to malicious sites.

3. What is the result of an ARP poisoning attack?
a. The ARP cache is compromised.
b. Users cannot reach a DNS server.
c. MAC addresses are altered.
d. An internal DNS must be used instead of an external DNS.
Analysis:
a. Correct. Threat actors take advantage of a MAC address stored in a software ARP cache to compromise the data so that an IP address points to a different device. This attack is known as ARP poisoning.
b. Incorrect. An ARP poisoning attack does not prevent users from reaching a DNS server.
c. Incorrect. MAC addresses are not altered, but IP addresses are altered.
d. Incorrect. A HOSTS table is always consulted first.

4. Deacon has observed that the switch is broadcasting all packets to all devices. He suspects it is the result of an attack that has overflowed the switch MAC address table. Which type of attack is this?
a. MAC spoofing attack
b. MAC cloning attack
c. MAC flooding attack
d. MAC overflow attack
Analysis:
a. Incorrect. This is fictitious and does not exist.
b. Incorrect. In a MAC cloning attack, a threat actor discovers a valid MAC address of a device connected to a switch. He then spoofs that MAC address on his device and sends a packet onto the network. The switch changes its MAC address table to reflect this new association of that MAC address with the port to which the attacker's device is connected. All packets intended for the victim's device will now be sent to the attacker's device.
c. Correct. A threat actor overflows the switch with Ethernet packets that have been spoofed so that every packet contains a different source MAC address, each appearing to come from a different endpoint. This can quickly consume all the memory (called the content addressable memory or CAM) for the MAC address table. Once the MAC address table is full and is unable to store any additional MAC address, the switch enters a fail-open mode and functions like a network hub, broadcasting frames to all ports.
d. Incorrect. This is fictitious and does not exist.

5. Tomaso is explaining to a colleague the different types of DNS attacks. Which DNS attack would only impact a single user?
a. DNS hijack attack
b. DNS poisoning attack
c. DNS overflow attack
d. DNS resource attack
Analysis:
a. Incorrect. DNS hijacking is intended to infect an external DNS server with IP addresses that point to malicious sites. This has the advantage that all users accessing this server are redirected.
b. Correct. In a DNS poisoning attack, the local HOSTS file contains an entry to a malicious DNS server. This allows the threat actor to control all websites that a user attempts to visit.
c. Incorrect. This is fictitious and does not exist.
d. Incorrect. This is fictitious and does not exist.

6. Proteus has been asked to secure endpoints that can be programmed and have an IP address so that they cannot be used in a DDoS attack. What is the name for this source of DDoS attack?
a. Network
b. Application
c. IoT
d. Operational Technology
Analysis:
a. Incorrect. A network attack has as its source desktop, laptop, and tablet computers.
b. Incorrect. An application attack has as its source IoT devices.
c. Incorrect. This is fictitious and does not exist.
d. Correct. An Operational Technology attack uses endpoints that can be programmed and have an IP address.

7. Which of the following is NOT a reason that threat actors use PowerShell for attacks?
a. It cannot be detected by antimalware running on the computer.
b. It leaves behind no evidence on a hard drive.
c. It can be invoked prior to system boot.
d. Most applications flag it as a trusted application.
Analysis:
a. Incorrect. This statement is accurate.
b. Incorrect. PowerShell allows attackers to perform code injection from the PowerShell environment into other processes without first storing any malicious code on the hard disk. This allows the commands to execute while bypassing security protections and leaves virtually no evidence behind.
c. Correct. PowerShell is not invoked prior to system boot.
d. Incorrect. This statement is accurate.

8. What is the difference between a DoS and a DDoS attack?
a. DoS attacks are faster than DDoS attacks.
b. DoS attacks use fewer computers than DDoS attacks.
c. DoS attacks do not use DNS servers as DDoS attacks do.
d. DoS attacks use more memory than DDoS attacks.
Analysis:
a. Incorrect. DoS attacks are no faster than DDoS attacks.
b. Correct. DoS attacks today are distributed denial of service (DDoS) attacks: instead of only one source making a bogus request, a DDoS involves hundreds, thousands, or even millions of sources producing a torrent of fake requests.
c. Incorrect. This statement is incorrect.
d. Incorrect. DoS attacks do not use more memory than a DDoS attack.

9. Which of the following is NOT true about VBA?
a. It is commonly used to create macros.
b. It is built into most Microsoft Office applications.
c. It is included in select non-Microsoft products.
d. It is being phased out and replaced by PowerShell.
Analysis:
a. Incorrect. VBA is most often used to create macros. A macro is a series of instructions that can be grouped together as a single command. Macros are used to automate a complex or repeated series of tasks.
b. Incorrect. VBA is built into most Microsoft Office applications (Word, Excel, PowerPoint, etc.) for both Windows and Apple macOS platforms.
c. Incorrect. It is also included in select non-Microsoft products, such as AutoCAD, CorelDraw, and LibreOffice.
d. Correct. VBA is not being phased out.

10. Which of the following is NOT a Microsoft defense against macros?
a. Protected View
b. Trusted documents
c. Trusted domain
d. Trusted location
Analysis:
a. Incorrect. Protected View is a read-only mode for an Office file in which most editing functions are disabled and macros will not launch.
b. Incorrect. A trusted document is a file that contains active content but will open without a warning. Users can designate files in the Office Trust Center as trusted.
c. Correct. This is fictitious and does not exist.
d. Incorrect. Files that are retrieved from a trusted location can be designated as safe and will not open in Protected View.

11. Theo uses the Python programming language and does not want his code to contain vulnerabilities. Which of the following best practices would Theo NOT use?
a. Only use compiled and not interpreted Python code.
b. Use the latest version of Python.
c. Use caution when formatting strings.
d. Download only vetted libraries.
Analysis:
a. Correct. Using compiled Python will not impact its vulnerabilities.
b. Incorrect. This statement is accurate.
c. Incorrect. This statement is accurate.
d. Incorrect. This statement is accurate.

12. What is Bash?
a. The command-language interpreter for Linux/UNIX OSs
b. The open source scripting language that contains many vulnerabilities
c. A substitute for SSH
d. The underlying platform on which macOS is built
Analysis:
a. Correct. Bash is the command language interpreter for Linux/UNIX.
b. Incorrect. Bash is not open source.
c. Incorrect. Bash is not a substitute for SSH.
d. Incorrect. macOS is built on UNIX, not Bash.

13. Gregory wants to look at the details about the path a packet takes from his Linux computer to another device. Which Linux command-line utility will he use?
a. tracepacket
b. trace
c. tracert
d. traceroute
Analysis:
a. Incorrect. This is fictitious and does not exist.
b. Incorrect. This is fictitious and does not exist.
c. Incorrect. Tracert is the Windows, not Linux, equivalent.
d. Correct. Traceroute is the Linux utility that would provide these details.

14. Which utility sends custom TCP/IP packets?
a. curl
b. hping
c. shape
d. pingpacket
Analysis:
a. Incorrect. Curl is used to transfer data to or from a server.
b. Correct. Hping sends custom TCP/IP packets.
c. Incorrect. This is fictitious and does not exist.
d. Incorrect. This is fictitious and does not exist.

15. Which of the following is a third-party OS penetration testing tool?
a. theHarvester
b. scanless
c. Nessus
d. sn1per
Analysis:
a. Incorrect. This provides information about email accounts, user names, and hostnames/subdomains from different public sources.
b. Incorrect. Scanless is a tool for using websites to perform a port scan.
c. Incorrect. Nessus is a vulnerability assessment tool.
d. Correct.
This is the tool for penetration testing that is a third-party tool. 16. Eros wants to change a configuration file on his Linux computer. He first wants to display the entire file contents. Which tool would he use? a. head b. show c. display d. cat Analysis: a. Incorrect. Head displays the first 10 lines of a file. b. Incorrect. This is fictitious and does not exist. c. Incorrect. This is fictitious and does not exist. d. Correct. Cat will display an entire file in Linux. 17. Which of the following is a tool for editing packets and then putting the packets back onto the network to observe their behavior? a. Tcpreplay b. Tcpdump c. Wireshark d. Packetdump Analysis: a. Correct. Tcpreplay is a tool for editing packets and then “replaying” the packets back onto the network to observe their behavior. b. Incorrect. Tcpdump is a command-line packet analyzer. It displays TCP/IP packets and other packets being transmitted or received over a network and operates on UNIX and Linux operating systems, and various forks of it are available for Windows computers. c. Incorrect. Wireshark is a popular GUI packet capture and analysis tool. d. Incorrect. This is fictitious and does not exist. 18. Estevan has recommended that the organization hire and deploy two security guards in the control room to limit the effect if one of the guards has been compromised. What is Estevan proposing? a. Dual observation protocol (DOP) b. Compromise mitigation assessment (CMA) c. Two-person integrity/control d. Multiplayer recognition Analysis: a. Incorrect. This is fictitious and does not exist. b. Incorrect. This is fictitious and does not exist. c. Correct. Using two security guards is called two-person integrity/control. d. Incorrect. This is fictitious and does not exist. 19. Which of the following sensors can detect an object that enters the sensor’s field? a. Proximity b. Field detection c. IR verification d. Object recognition Analysis: a. Correct. 
A sensor that detects the presence of an object (“target”) when the target enters the sensor’s field. Depending on the type of proximity sensor, sound, light, infrared radiation (IR), or electromagnetic fields may be utilized by the sensor to detect a target. b. Incorrect. This is fictitious and does not exist. c. Incorrect. This is fictitious and does not exist. d. Incorrect. High-end video surveillance cameras can identify a suspicious objective and sound an alert, such as a backpack left in a chair, known as object detection. 20. Which of the following does NOT describe an area that separates threat actors from defenders? a. DMZ b. Air gap c. Secure area d. Containment space Analysis: a. Incorrect. This statement is accurate. b. Incorrect. This statement is accurate. c. Incorrect. This statement is accurate. d. Correct. This is fictitious and does not exist. Module 9 1. Which of the following is NOT a firewall rule parameter? a. Visibility b. Time c. Context d. Action Analysis: a. Correct. There is no visibility firewall parameter. b. Incorrect. Rules can be set to only be active during a scheduled time. c. Incorrect. A rule can be created that is unique for specific circumstances (contexts). For example, different rules may be in effect depending on whether a laptop is on-site or is remote (sometimes called geographical consideration). d. Incorrect. The action setting indicates what the firewall should do when the conditions of the rule are met. 2. Which firewall rule action implicitly denies all other traffic unless explicitly allowed? a. Force Allow b. Force Deny c. Bypass d. Allow Analysis: a. Incorrect. Force Allow permits traffic that would normally be denied by other rules. b. Incorrect. This is fictitious and does not exist. c. Incorrect. Bypass allows all traffic to bypass the firewall. d. Correct. Allow implicitly denies all other traffic unless explicitly allowed. 3. Leah is researching information on firewalls. 
She needs a firewall that allows for more generic statements instead of creating specific rules. What type of firewall should Leah consider purchasing that supports her need? a. Content/URL filtering firewall b. Policy-based firewall c. Hardware firewall d. Proprietary firewall Analysis: a. Incorrect. Firewalls can also apply content/URL filtering. The firewall can be used to monitor websites accessed through HTTP to create custom filtering profiles. The filtering can be performed by assessing webpages by their content category, and then create whitelists and blacklists of specific URLs. b. Correct. A more flexible type of firewall than a rule-based firewall is a policy-based firewall. This type of firewall allows for more generic statements to be used instead of specific rules. c. Incorrect. Hardware firewalls are specialized separate devices that inspect traffic. Because they are specialized devices, hardware firewalls tend to have more features but are more expensive and can require more effort to configure and manage. d. Incorrect. Firewalls that are owned by an entity that has an exclusive right to them are called proprietary firewalls. 4. Emilie is reviewing a log file of a new firewall. She notes that the log indicates packets are being dropped for incoming packets for which the internal endpoint did not initially create the request. What kind of firewall is this? a. Stateful packet filtering b. Connection-aware firewall c. Proxy firewall d. Packet filtering firewall Analysis: a. Correct. Stateful packet filtering uses both the firewall rules and the state of the connection: that is, whether the internal device requested each packet. A stateful packet filtering firewall keeps a record of the state of a connection between an internal endpoint and an external device. b. Incorrect. This is fictitious and does not exist. c. Incorrect. This is fictitious and does not exist. d. Incorrect. This is fictitious and does not exist. 5. What is a virtual firewall? a. 
A firewall that runs in the cloud b. A firewall that runs in an endpoint virtual machine c. A firewall that blocks only incoming traffic d. A firewall appliance that runs on a LAN Analysis: a. Correct. A virtual firewall is one that runs in the cloud. Virtual firewalls are designed for settings, such as public cloud environments, in which deploying an appliance firewall would be difficult or even impossible. b. Incorrect. A firewall that runs in an endpoint virtual machine is a host firewall. c. Incorrect. Firewalls block both incoming and outgoing traffic. d. Incorrect. An appliance firewall is typically a separate hardware device designed to protect an entire network. 6. Which of these appliances provides the broadest protection by combining several security functions? a. NAT b. WAF c. UTM d. NGFW Analysis: a. Incorrect. Network address translation (NAT) is a technique that allows private IP addresses to be used on the public Internet. It does this by replacing a private IP address with a public IP address: as a packet leaves a network, NAT removes the private IP address from the sender’s packet, replaces it with an alias IP public address, and then maintains a record of the substitution; when a packet is returned, the process is reversed. b. Incorrect. One specialized firewall is a web application firewall (WAF) that looks at the applications using HTTP. A web application firewall, which can be a separate hardware appliance or a software plug- in, can block specific websites or attacks that attempt to exploit known vulnerabilities in specific client software and can even block cross-site scripting and SQL injection attacks. c. Correct. Unified threat management (UTM) is a device that combines several security functions. These include packet filtering, antispam, antiphishing, antispyware, encryption, intrusion protection, and web filtering. d. Incorrect. A next generation firewall (NGFW) has additional functionality beyond a traditional firewall. 
NGFWs can filter packets based on applications. NGFWs have visibility of applications by using deep packet inspection and thus can examine the payloads of packets and determine if they are carrying malware. In addition to basic firewall protections, filtering by applications, and deep packet inspection, NGFWs can also perform URL filtering and intrusion prevention services. 7. Which of the following contains honeyfiles and fake telemetry? a. High-interaction honeypot b. Attacker-interaction honeypot c. Honeypotnet d. Honeyserver Analysis: a. Correct. A high-interaction honeypot is designed for capturing much more information from the threat actor. Usually, it is configured with a default login and loaded with software, data files that appear to be authentic but are actually imitations of real data files (honeyfiles), and fake telemetry. b. Incorrect. This is fictitious and does not exist. c. Incorrect. This is fictitious and does not exist. d. Incorrect. This is fictitious and does not exist. 8. Maja has been asked to investigate DDoS mitigations. Which of the following should Maja consider? a. DDoS Prevention System (DPS) b. DNS sinkhole c. MAC pit d. IP denier Analysis: a. Incorrect. This is fictitious and does not exist. b. Correct. A DNS sinkhole changes a normal DNS request to a pre-configured IP address that points to a firewall that has a rule of Deny set for all packets so that every packet is dropped with no return information provided to the sender. DNS sinkholes are commonly used to counteract DDoS attacks. Many enterprises contract with a DDoS mitigation service that helps identify DDoS traffic so that it is sent to a sinkhole while allowing legitimate traffic to reach its destination. c. Incorrect. This is fictitious and does not exist. d. Incorrect. This is fictitious and does not exist. 9. Which type of monitoring methodology looks for statistical deviations from a baseline? a. Behavioral monitoring b. Signature-based monitoring c. 
Anomaly monitoring d. Heuristic monitoring Analysis: a. Incorrect. Behavioral monitoring attempts to overcome the limitations of both anomaly-based monitoring and signature-based monitoring by being adaptive and proactive instead of reactive. Rather than using statistics or signatures as the standard by which comparisons are made, behavior-based monitoring uses the “normal” processes and actions as the standard. Behavior-based monitoring continuously analyzes the behavior of processes and programs on a system and alerts the user if it detects any abnormal actions, at which point the user can decide whether to allow or block the activity. b. Incorrect. Signature-based monitoring compares activities against a predefined signature. Signature- based monitoring requires access to an updated database of signatures along with a means to actively compare and match current behavior against a collection of signatures. c. Correct. Anomaly monitoring is designed for detecting statistical anomalies. d. Incorrect. Heuristic monitoring attempts to answer the question, will this do something harmful if it is allowed to execute? 10. Which statement regarding a demilitarized zone (DMZ) is NOT true? a. It can be configured to have one or two firewalls. b. It typically includes an email or web server. c. It provides an extra degree of security. d. It contains servers that are used only by internal network users. Analysis: a. Incorrect. This statement is accurate. b. Incorrect. This statement is accurate. c. Incorrect. This statement is accurate. d. Correct. It contains servers that are used only by external and not internal network users. 11. Which of the following functions does a network hardware security module NOT perform? a. Fingerprint authentication b. Key management c. Key exchange d. Random number generator Analysis: a. Correct. A network HSM does not perform authentication. b. Incorrect. This statement is accurate. c. Incorrect. This statement is accurate. d. Incorrect. 
This statement is accurate. 12. Which of these is NOT used in scheduling a load balancer? a. The IP address of the destination packet b. Data within the application message itself c. Round-robin d. Affinity Analysis: a. Incorrect. This is used in scheduling a load balancer. b. Correct. A load balancer does not consider the contents of the payload in scheduling. c. Incorrect. This is used in scheduling a load balancer. d. Incorrect. This is used in scheduling a load balancer. 13. In which of the following configurations are all the load balancers always active? a. Active-active b. Active-passive c. Passive-active-passive d. Active-load-passive-load Analysis: a. Correct. In an active-active configuration, all load balancers are always active. Network traffic is combined, and the load balancers then work together as a team. b. Incorrect. In an active-passive configuration, the primary load balancer distributes the network traffic to the most suitable server while the secondary load balancer operates in a “listening mode.” This second load balancer constantly monitors the performance of the primary load balancer and will step in and take over the load-balancing duties should the primary load balancer start to experience difficulties or fail. c. Incorrect. This is fictitious and does not exist. d. Incorrect. This is fictitious and does not exist. 14. Which device intercepts internal user requests and then processes those requests on behalf of the users? a. Forward proxy server b. Reverse proxy server c. Host detection server d. Intrusion prevention device Analysis: a. Correct. A forward proxy is a computer or an application program that intercepts user requests from the internal secure network and then processes that request on behalf of the user. b. Incorrect. A reverse proxy routes requests coming from an external network to the correct internal server. c. Incorrect. This is fictitious and does not exist. d. Incorrect. 
An IPS does not process requests on behalf of a user. 15. Sofie needs to configure the VPN to preserve bandwidth. Which configuration would she choose? a. Narrow tunnel b. Split tunnel c. Full tunnel d. Wide tunnel Analysis: a. Incorrect. When all traffic is sent to the VPN concentrator and protected, this is called a full tunnel. b. Correct. Not all traffic—such as web surfing or reading personal email—needs to be protected through a VPN. In this case, a split tunnel, or routing only some traffic over the secure VPN while other traffic directly accesses the Internet, may be used instead. This can help to preserve bandwidth and reduce the load on the VPN concentrator. c. Incorrect. This is fictitious and does not exist. d. Incorrect. This is fictitious and does not exist. 16. Which of the following is not a basic configuration management tool? a. Baseline configuration b. Standard naming convention c. Diagrams d. MAC address schema Analysis: a. Incorrect. A secure baseline configuration for security appliances has two purposes. First, it is the starting point for configuring a device. While many security appliance configurations will go beyond the baseline, the baseline is the core fundamentals of how the device should be initially configured before the specific configurations are applied. Second, the baseline configuration can be considered as the bare minimum configuration: no configuration should be less than the secure baseline configuration. b. Incorrect. Using the same conventions for assigning names to appliances (standard naming conventions) can eliminate confusion regarding the various appliances. c. Incorrect. Creating a visual mapping (diagram) of security appliances can likewise be valuable when new appliances are added or when troubleshooting is required. d. Correct. An Internet Protocol schema (not a MAC address schema) is a standard guide for assigning IP addresses to devices. 
This makes it easier to set up and troubleshoot devices and helps to eliminate overlapping or duplicate subnets and IP address device assignments, avoid unnecessary complexity, and not waste IP address space. 17. Which of the following is NOT correct about L2TP? a. It is used as a VPN protocol. b. It must be used on HTML5 compliant devices. c. It does not offer encryption. d. It is paired with IPSec. Analysis: a. Incorrect. This statement is accurate. b. Correct. L2TP does not have to be used in conjunction with HTML5. c. Incorrect. This statement is accurate. d. Incorrect. This statement is accurate. 18. Which of the following is NOT a NAC option when it detects a vulnerable endpoint? a. Deny access to the network. b. Give restricted access to the network. c. Update Active Directory to indicate the device is vulnerable. d. Connect to a quarantine network. Analysis: a. Incorrect. This statement is accurate. b. Incorrect. This statement is accurate. c. Correct. NAC does not update Active Directory. d. Incorrect. This statement is accurate. 19. Hanna has received a request for a data set of actual data for testing a new app that is being developed. She does not want the sensitive elements of the data to be exposed. What technology should she use? a. Masking b. Tokenization c. Data Object Obfuscation (DOO) d. PII Hiding Analysis: a. Correct. When the data is used only for testing purposes, such as determining if a new app functions properly, masking may be used. Data masking involves creating a copy of the original data but obfuscating (making unintelligible) any sensitive elements such as a user’s name or Social Security number. b. Incorrect. Tokenization obfuscates sensitive data elements, such as an account number, into a random string of characters (token). The original sensitive data element and the corresponding token are then stored in a database called a token vault so that if the actual data element is needed, it can be retired as necessary. c. Incorrect. 
This is fictitious and does not exist. d. Incorrect. This is fictitious and does not exist. 20. How does BPDU guard provide protection? a. It detects when a BPDU is received from an endpoint. b. It sends BPDU updates to all routers. c. BPDUs are encrypted so that attackers cannot see their contents. d. All firewalls are configured to let BPDUs pass to the external network. Analysis: a. Correct. This statement is accurate. b. Incorrect. BPDU updates are sent to routers, but this does not provide BPDU guard protection. c. Incorrect. BPDUs are not encrypted. d. Incorrect. Firewalls are not configured for BPDUs. Module 12 1. How is the Security Assertion Markup Language (SAML) used? a. It serves as a backup to a RADIUS server. b. It allows secure web domains to exchange user authentication and authorization data. c. It is an authenticator in IEEE 802.1x. d. It is no longer used because it has been replaced by LDAP. Analysis: a. Incorrect. SAML is not associated with a RADIUS server. b. Correct. Security Assertion Markup Language (SAML) is an XML standard that allows secure web domains to exchange user authentication and authorization data. This allows a user’s login credentials to be stored with a single identity provider instead of being stored on each web service provider’s server. c. Incorrect. SAML is not associated with IEEE 802.1x. d. Incorrect. SAML is still being used. 2. Which of the following is the Microsoft version of EAP? a. EAP-MS b. AD-EAP c. PAP-Microsoft d. MS-CHAP Analysis: a. Incorrect. This is fictitious and does not exist. b. Incorrect. This is fictitious and does not exist. c. Incorrect. This is fictitious and does not exist. d. Correct. EAP was created as a more secure alternative than the weak Challenge-Handshake Authentication Protocol (CHAP), and the Microsoft version of CHAP is MS-CHAP. 3. Which of the following is NOT used for authentication? a. Somewhere you are b. Something you exhibit c. Something you can do d. 
Something you can find Analysis: a. Incorrect. A restricted location can be used for authentication. b. Incorrect. Genetically determined characteristics can be used for authentication. c. Incorrect. Performing an activity that cannot be copied exactly can be used for authentication. d. Correct. Something you can find is not used for authentication. 4. Ilya has been asked to recommend a federation system technology that is an open source federation framework that can support the development of authorization protocols. Which of these technologies would he recommend? a. OAuth b. Open ID c. Shibboleth d. NTLM Analysis: a. Correct. OAuth is a federation system technology that is an open source federation framework that can support the development of authorization protocols. b. Incorrect. Open ID is the authentication protocol that can be used with OAuth. c. Incorrect. Shibboleth is an open source software package for designing SSO. d. Incorrect. This is fictitious for the context of this question. 5. How is key stretching effective in resisting password attacks? a. It takes more time to generate candidate password digests. b. It requires the use of GPUs. c. It does not require the use of salts. d. The license fees are very expensive to purchase and use it. Analysis: a. Correct. Using general-purpose hash algorithms like MD5 and SHA is not considered secure for creating digests because these hashing algorithms are designed to create a digest as quickly as possible. The fast speed of general-purpose hash algorithms works in an attacker’s favor. When an attacker is creating candidate digests, a general-purpose hashing algorithm can rapidly create a very large number of passwords for matching purposes. A more secure approach for creating password digests is to use a specialized password hash algorithm that is intentionally designed to be slower. b. Incorrect. Key stretching does not require a GPU. c. Incorrect. Key stretching does not require salts. d. Incorrect. 
There are no license fees associated with key stretching. 6. Which of these is NOT a reason that users create weak passwords? a. A lengthy and complex password can be difficult to memorize. b. A security policy requires a password to be changed regularly. c. Having multiple passwords makes it hard to remember all of them. d. The length and complexity required force users to circumvent creating strong passwords. Analysis: a. Incorrect. This statement accurately reflects why users create weak passwords. b. Incorrect. This statement accurately reflects why users create weak passwords. c. Incorrect. This statement accurately reflects why users create weak passwords. d. Correct. Length and complexity do not force users to circumvent creating strong passwords. 7. Fernando is explaining to a colleague how a password cracker works. Which of the following is a valid statement about password crackers? a. Most states prohibit password crackers unless they are used to retrieve a lost password. b. Due to their advanced capabilities, they require only a small amount of computing power. c. A password cracker attempts to uncover the type of hash algorithm that created the digest because once it is known, the password is broken. d. Password crackers differ as to how candidates are created. Analysis: a. Incorrect. States do not prohibit the use of password crackers. b. Incorrect. Password crackers require a significant amount of computing power. c. Incorrect. Password crackers cannot "break" a hash. d. Correct. These programs create known digests (called candidates) and then compare them against the stolen digests. When a match occurs, then the attacker knows the underlying password. Password crackers differ as to how these candidates are created. 8. Which attack uses one or a small number of commonly used passwords to attempt to log in to several different user accounts? a. Online brute force attack b. Offline brute force attack c. Password spraying attack d. 
Role attack Analysis: a. Incorrect. Unlike a password spraying attack in which one password is used on multiple accounts, in an online brute force attack, the same account is continuously attacked (called pounded) by entering different passwords. b. Incorrect. An offline brute force attack begins with a stolen digest file. Attackers load this onto their computer and then use password cracking software to create candidate digests of every possible combination of letters, numbers, and characters. c. Correct. A password spraying attack uses one or a small number of commonly used passwords (Password1 or 123456) and then uses this same password when trying to log in to several different user accounts. Because this targeted guess is spread across many different accounts instead of attempting multiple password variations on a single account, it is much less likely to raise any alarms or lock out the user account from too many failed password attempts. d. Incorrect. This is fictitious and does not exist. 9. Why are dictionary attacks successful? a. Password crackers using a dictionary attack require less RAM than other types of password crackers. b. They link known words together in a "string" for faster processing. c. Users often create passwords from dictionary words. d. They use pregenerated rules to speed up the processing. Analysis: a. Incorrect. Dictionary attacks do not require less RAM. b. Incorrect. Dictionary attacks do not link together words. c. Correct. Because users often create passwords from dictionary words, this makes the attack successful. d. Incorrect. Dictionary attacks do not use pregenerated rules. 10. Which of these attacks is the last-resort effort in cracking a stolen password digest file? a. Hybrid b. Mask c. Rule list d. Brute force Analysis: a. Incorrect. Hybrid is not the last resort. b. Incorrect. Mask is not the last resort. c. Incorrect. A rule list is not the last resort. d. Correct. 
As the slowest attack, a brute force attack is the last resort. 11. Which of the following should NOT be stored in a secure password database? a. Iterations b. Password digest c. Salt d. Plaintext password Analysis: a. Incorrect. The number of iterations can be stored in a password database. b. Incorrect. The digest of a password is stored in the database. c. Incorrect. A salt is stored in the database. d. Correct. Passwords should never be stored in plaintext. 12. Which of the following is NOT an MFA using a smartphone? a. Authentication app b. Biometric gait analysis c. SMS text message d. Automated phone call Analysis: a. Incorrect. An authentication app can be used for multifactor authentication on a smartphone. b. Correct. Gait analysis requires more technology than a smartphone to measure. c. Incorrect. A text message can be used for multifactor authentication on a smartphone. d. Incorrect. An automated phone call can be used for multifactor authentication on a smartphone. 13. Timur was making a presentation regarding how attackers break passwords. His presentation demonstrated the attack technique that is the slowest yet most thorough attack that is used against passwords. Which of these password attacks did he demonstrate? a. Dictionary attack b. Hybrid attack c. Custom attack d. Brute force attack Analysis: a. Incorrect. This is not the slowest attack. b. Incorrect. This is not the slowest attack. c. Incorrect. This is not the slowest attack. d. Correct. A brute force attack is the slowest yet most thorough type. 14. Which human characteristic is NOT used for biometric identification? a. Retina b. Iris c. Height d. Fingerprint Analysis: a. Incorrect. Retina is used for biometric identification. b. Incorrect. Iris is used for biometric identification. c. Correct. Height cannot be used for biometric identification because many people share the same height. d. Incorrect. Fingerprints are the most common type of biometric identification. 15. 
_____ biometrics is related to the perception, thought processes, and understanding of the user. a. Cognitive b. Standard c. Intelligent d. Behavioral Analysis: a. Correct. Cognitive biometrics is considered to be much easier for the user to remember because it is based on the user's life experiences. This also makes it more difficult for an attacker to imitate. Cognitive biometrics is also called knowledge-based authentication. b. Incorrect. This is fictitious and does not exist. c. Incorrect. This is fictitious and does not exist. d. Incorrect. One type of authentication is based on actions that the user is uniquely qualified to perform, or something you do. This is called behavioral biometrics. 16. Which of the following is an authentication credential used to access multiple accounts or applications? a. Single sign-on b. Credentialization c. Identification authentication d. Federal login Analysis: a. Correct. One application of federation is single sign-on (SSO) or using one authentication credential to access multiple accounts or applications. SSO holds the promise of reducing the number of usernames and passwords that users must memorize. b. Incorrect. This is fictitious and does not exist. c. Incorrect. This is fictitious and does not exist. d. Incorrect. This is fictitious and does not exist. 17. What is a disadvantage of biometric readers? a. Speed b. Cost c. Weight d. Standards Analysis: a. Incorrect. Biometric readers are very fast, and speed is not a disadvantage. b. Correct. Biometric readers can be very expensive. c. Incorrect. The weight is not a drawback to these readers. d. Incorrect. Standards do not exist for biometric readers. 18. Which of these creates a format of the candidate password to significantly reduce the time needed to crack a password? a. Rainbow b. Mask c. Overlay d. Pass the hash Analysis: a. Incorrect. A rainbow does not create a format. b. Correct. A mask can reduce the time needed to crack a password by creating a format. c. 
Incorrect. An overlay does not create a format. d. Incorrect. This is fictitious for the context of this question. 19. Pablo has been asked to look into security keys that have a feature of a key pair that is "burned" into the security key during manufacturing time and is specific to a device model. What feature is this? a. Authorization b. Authentication c. Attestation d. Accountability Analysis: a. Incorrect. This is fictitious for the context of this question. b. Incorrect. This is fictitious for the context of this question. c. Correct. Attestation is a key pair that is "burned" into the security key during manufacturing and is specific to a device model. It can be used to cryptographically prove that a user has a specific model of device when it is registered. d. Incorrect. This is fictitious for the context of this question. 20. Which one-time password is event driven? a. HOTP b. TOTP c. ROTP d. POTP Analysis: a. Correct. Instead of changing after a set number of seconds, an HMAC-based one-time password (HOTP) password is "event driven" and changes when a specific event occurs, such as when a user enters a personal identification number (PIN) on the token’s keypad, which triggers the token to create a random code. b. Incorrect. A time-based one-time password (TOTP) changes after a set period of time. c. Incorrect. This is fictitious for the context of this question. d. Incorrect. This is fictitious for the context of this question.
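Module 12, questions 5 and 11 together describe a secure password store: a deliberately slow digest (key stretching) and a record that holds the iteration count, salt and digest but never the plaintext. The following is an added example, not part of the review material, using PBKDF2-HMAC-SHA256 from Python's standard library; the record layout, the 16-byte salt and the 600,000-iteration default are assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this added example (not taken from the review questions):
# PBKDF2-HMAC-SHA256, a 16-byte random salt, 600,000 iterations by default.
ALGORITHM = "pbkdf2_sha256"
SALT_BYTES = 16
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$digest_hex.

    Iterations, salt and digest are all safe to store (question 11). The
    plaintext is consumed here and never written anywhere.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse(record: str):
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    return algorithm, int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, then
    compare in constant time so timing does not reveal how many bytes matched."""
    algorithm, iterations, salt, digest = _parse(record)
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def needs_rehash(record: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record uses fewer iterations than current policy.

    Storing the cost inside the record is what lets the policy be raised later
    (hardware gets faster, so the stretching factor must grow) without
    invalidating existing accounts."""
    _, iterations, _, _ = _parse(record)
    return iterations < minimum_iterations


def login(password: str, record: str,
          minimum_iterations: int = DEFAULT_ITERATIONS) -> Optional[str]:
    """Verify a login attempt. Returns None on failure; on success returns the
    record to keep, re-stretched to the current policy if the stored one was
    weaker. Login is the only moment the plaintext is available for that."""
    if not verify_password(password, record):
        return None
    if needs_rehash(record, minimum_iterations):
        return hash_password(password, minimum_iterations)
    return record
```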
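Module 12, question 20 separates event-driven HOTP from time-based TOTP. As an added example that is not part of the review material, the code below shows that both come from the same HMAC construction and differ only in the moving factor: a per-event counter for HOTP, the clock divided into 30-second steps for TOTP. The secret is RFC 4226's published reference key, so the outputs can be checked against the RFC test vectors; the server-side look-ahead window of 10 is an assumed value.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample key: the reference secret from RFC 4226 (ASCII
# "12345678901234567890"), chosen so results match the RFC's test vectors.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-driven one-time password (RFC 4226).

    The moving factor is an 8-byte big-endian counter that the token advances
    on each event (button press, PIN entry) and the server advances on each
    accepted code. Dynamic truncation picks a 4-byte window from the HMAC."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                 # low nibble of the last byte selects the window
    code = ((mac[offset] & 0x7F) << 24      # clear the top bit -> 31-bit positive integer
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter replaced
    by the number of whole time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def totp_now(secret: bytes) -> str:
    """TOTP for the current clock; changes every 30 seconds, not per event."""
    return totp(secret, int(time.time()))


class HotpVerifier:
    """Server-side state for an event-driven token.

    A small look-ahead window tolerates codes the user generated but never
    submitted. A code is never accepted twice: the expected counter only moves
    forward past the value just accepted, so a replayed code falls behind."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.look_ahead = look_ahead   # assumed resynchronisation window for this example
        self.next_counter = 0          # next counter value the server expects

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # resync and burn every earlier value
                return True
        return False
```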
