professor-messer-sy0-601-comptia-security-plus-practice-exams-v109.pdf

Full Transcript

 Professor Messer’s
CompTIA SY0-601
Security+
Practice Exams

by James “Professor” Messer

http://www.ProfessorMesser.com
Professor Messer’s CompTIA SY0-601 Security+ Practice Exams
Written by James “Professor” Messer
Copyright © 2021 by Messer Studios, LLC
https://www.ProfessorMesser.com
All rights reserved. No part of this book may be reproduced or transmitted in any form
or by any means, electronic or mechanical, including photocopying, recording, or by any
information storage and retrieval system, without written permission from
the publisher.

First Edition: June 2021
This is version 1.09

Trademark Acknowledgments
All product names and trademarks are the property of their respective owners, and are
in no way associated or affiliated with Messer Studios LLC.

“Professor Messer” is a registered trademark of Messer Studios LLC.

“CompTIA” and “Security+” are registered trademarks of CompTIA, Inc.

Warning and Disclaimer
This book is designed to provide information about the CompTIA SY0­-601 Security+
certification exam. However, there may be typographical and/or content errors.
Therefore, this book should serve only as a general guide and not as the ultimate source
of subject information. The author shall have no liability or responsibility to any person
or entity regarding any loss or damage incurred, or alleged to have incurred, directly or
indirectly, by the information contained in this book.
Contents
Introduction
The CompTIA SY0-601
Security+ Certification 

i
How to Use This Book 

ii

Practice Exam A
Performance-Based Questions 

1
Multiple Choice Questions 

5
Multiple Choice Quick Answers 

33
Detailed Answers 

35

Practice Exam B
Performance-Based Questions 

131
Multiple Choice Questions 

135
Multiple Choice Quick Answers 

163
Detailed Answers 

165

Practice Exam C
Performance-Based Questions 

259
Multiple Choice Questions 

263
Multiple Choice Quick Answers 

291
Detailed Answers 

293
About the Author

James Messer is an information technology veteran whose career has
included supercomputer operations, system administration, network
management, and IT security.

James is also the founder and CEO of Messer Studios, a leading publisher
of training materials for IT certification exams. With over 110 million
videos viewed and over 500,000 subscribers, Professor Messer's training
has helped thousands of students realize their goals of a profession in
information technology.
Introduction
The process of answering a test question is our ultimate test of knowledge.
After hours of video watching, book reading, and note taking, do you really
know the material? If you're trying to prove yourself, nothing beats getting the
right answer.

This book contains three sample exams containing performance-based and
multiple-choice questions for the Security+ exam. I've personally curated every
question to make sure this Q&A matches the expectations of the SY0-601
Security+ exam.

I hope this book will help you be the smartest one in the room. Best of luck
with your studies!

- Professor Messer

The CompTIA SY0-601
Security+ Certification
CompTIA's Security+ certification is the entry point for IT security
professionals. If you're planning on securing the data and networks on the
world's largest networks, then you're in the right place.

Earning the Security+ certification requires the completion of one exam
covering a broad range of security topics. After completing the certification, a
CompTIA Security+ certified professional will have an understanding of attack
types, network security technologies, secure network architecture concepts,
cryptography, and much more.

Here's the breakdown of each domain and the percentage of each topic on the
SY0-601 exam:

Domain 1.0 - Threats, Attacks, and Vulnerabilities - 24%
Domain 2.0 - Architecture and Design - 21%
Domain 3.0 - Implementation - 25%
Domain 4.0 - Operations and Incident Response - 16%
Domain 5.0 - Governance, Risk, and Compliance - 14%

i
How to Use This Book
This book contains three separate 90-question practice exams; Exam A, Exam
B, and Exam C. The exams are designed to emulate the format and complexity
of the actual Security+ exam.

Take one exam at a time. The difficulty levels are similar between exam, so
it doesn't matter which exam you take first.

The actual Security+ exam is 90 minutes in length, so try setting a timer
when you start your practice exam. Time management is an important part
of the exam.

The first section of each practice exam is the list of questions. There's a link
after every question that will jump immediately to the quick answer page
or the detailed answer page. If you're using the digital version, your PDF
reader keys can quickly jump back to the question page. Adobe Reader
in Windows uses Alt-Left arrow and macOS Preview uses Command-[
to move back to the previous view. Be sure to check your PDF reader for
specific navigation options.

The quick answer page is a consolidated list of the answers without any
detail or explanation. If you want to quickly check your answer sheet, this is
the page for you.

A detailed answer is available for each exam question. This section repeats
the question, the possible answers, and shows the answer with a detailed
explanation. This section is formatted to show only one answer per page to
avoid giving away the answer to any other questions. Digital readers can use
your PDF reader's back button to quickly jump back to the questions.

As you go through the exam, write down the answers on a separate sheet
of paper or separate text editor window. Some PDF readers also support
on-screen annotation. You can check the answers after the 90 minutes have
elapsed.

You can grade your results against the quick answer page. For incorrect
responses, be sure to check the detailed answer pages for information on
why certain answers were considered correct or incorrect.

After each detailed answer, a video link is available for more information
on the topic. You can click the link in your PDF or use your camera to view
the QR (Quick Response) code on the page. Your camera app will provide
a notification message that will launch the video page in your browser. The
URL is also provided for manual entry.
ii
You have the option of using each practice test as a 90 minute timed exam, or
as a casual Q&A. Try stepping through each question, picking an answer, and
then jumping to the detailed explanation to learn more about each possible
answer.

Here's a scoring chart:

Less than 63 questions correct / 70% and lower - Use the exam objectives
at the end of each detailed answer to determine where you might need
some additional help.

63 to 72 questions correct / 70% to 80% - You're so close! Keep working
on the areas you're missing and fill in those gaps.

73 to 81 questions correct / 80% to 90% - This is a strong showing, but
some additional studying will help you earn points on the real exam.

Although the actual Security+ exam does not calculate the final score as
a percentage, getting an 85% on the practice exam can be considered a
passing grade.

More than 81 questions correct / over 90% - You're ready for the real
thing! Book your exam and earn your Security+ certification!

The detailed answer pages break down every correct answer and every incorrect
answer. Although it's useful to know when you got a question right, it's more
important if you understand exactly why a question was marked wrong. If you
understand all of the technologies on these sample exams, then you'll be ready
for the real thing.

iii
Practice Exam A
Performance-Based Questions
A1. Match the description with the most accurate attack type.
Not all attack types will be used.
Attack Types:

Hoax Social Engineering
Spam Spoofing
Vishing Supply Chain
On-path DDoS

Attacker obtains bank account number
and birth date by calling the victim

Select an Attack Type

Attacker modifies a legitimate DNS server to resolve
the IP address of a malicious site
Select an Attack Type

Attacker intercepts all communication between
a client and a web server
Select an Attack Type

Multiple attackers
overwhelm a web server
Select an Attack Type

A virus alert appears in your browser from Microsoft
with a phone number to call for support
Select an Attack Type
Answer Page: 35

Practice Exam A - Questions 1
A2. The security team at a local public library system is creating a set of
minimum security standards for the various computer systems.

Select the BEST security control for each available placeholder.
All of the available security controls will be used once.

Security Biometric Reader Environmental Sensors

Controls: Cable Lock Full-Disk Encryption

Video Surveillance Locking Cabinets Smart Card

Location Description Security Controls

Library Computer Room
Web Server and High security
Database Server

Library Offsite use
Employee
Contains PII
Laptops

Library
Manages the check-in
Lending
and check-out process
Systems

Open Area
Digital Newspaper No supervision
Reading Lab
Laptop computers

Answer Page: 37

2 Practice Exam A - Questions
A3. Fill in the blank with the BEST secure network protocol
for the description:

Accept customer purchases from your primary website

Synchronize the time across all of your devices

Access your switch using a CLI terminal screen

Talk with customers on scheduled conference calls

Gather metrics from routers at remote sites
Answer Page: 39

A4. Match the appropriate authentication reference to each description.
Each authentication factor or attribute will be used once.

Something you can do Somewhere you are

Something you have Something you know Something you are

Description Authentication Factor

During the login process, your phone receives a
text message with a one-time passcode

You enter your PIN to make
a deposit into an ATM

You must sign a check-in sheet
before entering a controlled area

You can use your fingerprint to unlock
the door to the data center

Your login will not work unless you are
connected to the VPN
Answer Page: 40

Practice Exam A - Questions 3
A5. Configure the following stateful firewall rules:
Allow the Web Server to access the Database Server using LDAP
Allow the Storage Server to transfer files to the Video Server over HTTPS
Allow the Management Server to use a secure terminal on the File Server

DMZ

File Server Video Server Web Server
10.1.1.3 10.1.1.7 10.1.1.2

DMZ
Switch

Internet Firewall

Internal
Switch

Internal Network

Storage Server Management Server Database Server
10.2.1.33 10.2.1.47 10.2.1.20

Protocol
Destination Allow/
Rule # Source IP (TCP/ Port #
IP Block
UDP)
1
2
3
Answer Page: 41
4 Practice Exam A - Questions
Practice Exam A
Multiple Choice Questions
A6. You’ve hired a third-party to gather information about
your company’s servers and data. The third-party will not
have direct access to your internal network but can gather
information from any other source.
Which of the following would BEST describe this
approach? Quick
❍ A. Backdoor testing Answer: 33

❍ B. Passive footprinting The Details: 43
❍ C. OS fingerprinting
❍ D. Partially known environment

A7. Which of these protocols use TLS to provide secure
communication? (Select TWO) Quick
Answer: 33
❍ A. HTTPS
❍ B. SSH The Details: 44
❍ C. FTPS
❍ D. SNMPv2
❍ E. DNSSEC
❍ F. SRTP

A8. Which of these threat actors would be MOST likely to
attack systems for direct financial gain? Quick
Answer: 33
❍ A. Organized crime
❍ B. Hacktivist The Details: 45
❍ C. Nation state
❍ D. Competitor

A9. A security incident has occurred on a file server. Which of
the following data sources should be gathered to address
file storage volatility? (Select TWO) Quick
❍ A. Partition data Answer: 33
❍ B. Kernel statistics The Details: 46
❍ C. ROM data
❍ D. Temporary file systems
❍ E. Process table
Practice Exam A - Questions 5
A10. An IPS at your company has found a sharp increase
in traffic from all-in-one printers. After researching,
your security team has found a vulnerability associated
with these devices that allows the device to be remotely
controlled by a third-party. Which category would BEST
describe these devices?
❍ A. IoT Quick
Answer: 33
❍ B. RTOS
❍ C. MFD The Details: 47

❍ D. SoC

A11. Which of the following standards provides information
on privacy and managing PII?
❍ A. ISO 31000 Quick
Answer: 33
❍ B. ISO 27002
❍ C. ISO 27701 The Details: 48

❍ D. ISO 27001

A12. Elizabeth, a security administrator, is concerned about
the potential for data exfiltration using external storage
drives. Which of the following would be the BEST way
to prevent this method of data exfiltration?
❍ A. Create an operating system security policy to Quick
Answer: 33
prevent the use of removable media
❍ B. Monitor removable media usage in host-based The Details: 49
firewall logs
❍ C. Only allow applications that do not use
removable media
❍ D. Define a removable media block rule in the UTM

6 Practice Exam A - Questions
A13. A CISO (Chief Information Security Officer) would
like to decrease the response time when addressing
security incidents. Unfortunately, the company does not
have the budget to hire additional security engineers.
Which of the following would assist the CISO with this
requirement?
❍ A. ISO 27701 Quick
Answer: 33
❍ B. PKI
❍ C. IaaS The Details: 50
❍ D. SOAR

A14. An insurance company has created a set of policies to
handle data breaches. The security team has been given
this set of requirements based on these policies:
Access records from all devices must be
saved and archived
Any data access outside of normal working hours
must be immediately reported
Data access must only occur inside of the country
Access logs and audit reports must be created from a
single database
Which of the following should be implemented by the
security team to meet these requirements?
(Select THREE)
❍ A. Restrict login access by IP address and Quick
GPS location Answer: 33

❍ B. Require government-issued identification The Details: 51
during the onboarding process
❍ C. Add additional password complexity for accounts
that access data
❍ D. Conduct monthly permission auditing
❍ E. Consolidate all logs on a SIEM
❍ F. Archive the encryption keys of all disabled
accounts
❍ G. Enable time-of-day restrictions on the
authentication server

Practice Exam A - Questions 7
A15. Rodney, a security engineer, is viewing this record from
the firewall logs:
UTC 04/05/2018 03:09:15809 AV Gateway Alert
136.127.92.171 80 -> 10.16.10.14 60818
Gateway Anti-Virus Alert:
XPACK.A_7854 (Trojan) blocked.
Which of the following can be observed from this
log information?
❍ A. The victim's IP address is 136.127.92.171 Quick
Answer: 33
❍ B. A download was blocked from a web server
❍ C. A botnet DDoS attack was blocked The Details: 53

❍ D. The Trojan was blocked, but the file was not

A16. A user connects to a third-party website and receives this
message:

Your connection is not private.
NET::ERR_CERT_INVALID

Which of the following attacks would be the MOST
likely reason
for this message?
❍ A. Brute force Quick
Answer: 33
❍ B. DoS
❍ C. On-path The Details: 54
❍ D. Disassociation

A17. Which of the following would be the BEST way to
provide a website login using existing credentials from a
third-party site?
❍ A. Federation Quick
Answer: 33
❍ B. 802.1X
❍ C. PEAP The Details: 55

❍ D. EAP-FAST

8 Practice Exam A - Questions
A18. A system administrator, Daniel, is working on a contract
that will specify a minimum required uptime for a set
of Internet-facing firewalls. Daniel needs to know how
often the firewall hardware is expected to fail between
repairs. Which of the following would BEST describe
this information?
❍ A. MTBF Quick
Answer: 33
❍ B. RTO
❍ C. MTTR The Details: 56
❍ D. MTTF

A19. An attacker calls into a company’s help desk
and pretends to be the director of the company’s
manufacturing department. The attacker states that they
have forgotten their password and they need to have the
password reset quickly for an important meeting. What
kind of attack would BEST describe this phone call?
❍ A. Social engineering Quick
Answer: 33
❍ B. Tailgating
❍ C. Watering hole The Details: 57
❍ D. On-path

A20. A security administrator has been using EAP-FAST
wireless authentication since the migration from WEP
to WPA2. The company’s network team now needs to
support additional authentication protocols inside of an
encrypted tunnel. Which of the following would meet
the network team’s requirements?
❍ A. EAP-TLS Quick
Answer: 33
❍ B. PEAP
❍ C. EAP-TTLS The Details: 58

❍ D. EAP-MSCHAPv2

Practice Exam A - Questions 9
A21. Which of the following would be commonly provided
by a CASB? (Select TWO)
❍ A. List of all internal Windows devices that have Quick
not installed the latest security patches Answer: 33
❍ B. List of applications in use The Details: 59
❍ C. Centralized log storage facility
❍ D. List of network outages for the previous month
❍ E. Verification of encrypted data transfers
❍ F. VPN connectivity for remote users

A22. The embedded OS in a company’s time clock appliance is
configured to reset the file system and reboot when a file
system error occurs. On one of the time clocks, this file
system error occurs during the startup process and causes
the system to constantly reboot. Which of the following
BEST describes this issue?
❍ A. DLL injection Quick
Answer: 33
❍ B. Resource exhaustion
❍ C. Race condition The Details: 60
❍ D. Weak configuration

A23. A recent audit has found that existing password policies
do not include any restrictions on password attempts,
and users are not required to periodically change their
passwords. Which of the following would correct these
policy issues? (Select TWO)
❍ A. Password complexity Quick
❍ B. Password expiration Answer: 33
❍ C. Password history The Details: 61
❍ D. Password lockout
❍ E. Password recovery

10 Practice Exam A - Questions
A24. What kind of security control is associated
with a login banner?
❍ A. Preventive Quick
Answer: 33
❍ B. Deterrent
❍ C. Corrective The Details: 62

❍ D. Detective
❍ E. Compensating
❍ F. Physical

A25. A security team has been provided with a non-
credentialed vulnerability scan report created by a third-
party. Which of the following would they expect to see
on this report?
❍ A. A summary of all files with invalid Quick
group assignments Answer: 33

❍ B. A list of all unpatched operating system files The Details: 63
❍ C. The version of web server software in use
❍ D. A list of local user accounts

A26. A business manager is documenting a set of steps for
processing orders if the primary Internet connection fails.
Which of these would BEST describe these steps?
❍ A. Communication plan Quick
❍ B. Continuity of operations Answer: 33

❍ C. Stakeholder management The Details: 64
❍ D. Tabletop exercise

A27. A security administrator is concerned about data
exfiltration resulting from the use of malicious phone
charging stations. Which of the following would be the
BEST way to protect against this threat?
❍ A. USB data blocker Quick
Answer: 33
❍ B. Personal firewall
The Details: 65
❍ C. MFA
❍ D. FDE

Practice Exam A - Questions 11
A28. A company would like to protect the data stored on
laptops used in the field. Which of the following would
be the BEST choice for this requirement?
❍ A. MAC Quick
Answer: 33
❍ B. SED
❍ C. CASB The Details: 66

❍ D. SOAR

A29. A file server has a full backup performed each Monday
at 1 AM. Incremental backups are performed at 1 AM
on Tuesday, Wednesday, Thursday, and Friday. The system
administrator needs to perform a full recovery of the file
server on Thursday afternoon. How many backup sets
would be required to complete the recovery?
❍ A. 2 Quick
Answer: 33
❍ B. 3
❍ C. 4 The Details: 67

❍ D. 1

A30. A company is creating a security policy that will protect
all corporate mobile devices:
All mobile devices must be automatically locked
after a predefined time period.
Some mobile devices will be used by the
remote sales teams, so the location of each device
needs to be traceable.
All of the user’s information should be completely
separated from company data.
Which of the following would be the BEST way to
establish these security policy rules?
❍ A. Containerization Quick
❍ B. Biometrics Answer: 33

❍ C. COPE The Details: 68
❍ D. VDI
❍ E. Geofencing
❍ F. MDM

12 Practice Exam A - Questions
A31. A security engineer runs a monthly vulnerability scan.
The scan doesn’t list any vulnerabilities for Windows
servers, but a significant vulnerability was announced last
week and none of the servers are patched yet. Which of
the following best describes this result?
❍ A. Exploit Quick
Answer: 33
❍ B. Credentialed
❍ C. Zero-day attack The Details: 70
❍ D. False negative

A32. A security administrator is adding additional
authentication controls to the existing infrastructure.
Which of the following should be added by the security Quick
Answer: 33
administrator? (Select TWO)
❍ A. TOTP The Details: 71

❍ B. Least privilege
❍ C. Role-based awareness training
❍ D. Separation of duties
❍ E. Job rotation
❍ F. Smart Card

A33. A network administrator would like each user to
authenticate with their personal username and
password when connecting to the company's wireless
network. Which of the following should the network
administrator configure on the wireless access points?
❍ A. WPA2-PSK Quick
Answer: 33
❍ B. 802.1X
❍ C. WPS The Details: 72
❍ D. WPA2-AES

Practice Exam A - Questions 13
A34. A security administrator needs to identify all references
to a Javascript file in the HTML of a web page. Which
of the following tools should be used to view the source
of the web page and search through the file for a specific
filename? (Select TWO)
❍ A. tail Quick
Answer: 33
❍ B. openssl
The Details: 73
❍ C. scanless
❍ D. grep
❍ E. Nmap
❍ F. curl
❍ G. head

A35. A user has assigned individual rights and permissions
to a file on their network drive. The user adds three
additional individuals to have read-only access to the
file. Which of the following would describe this access
control model?
❍ A. DAC Quick
Answer: 33
❍ B. MAC
The Details: 74
❍ C. ABAC
❍ D. RBAC

A36. A remote user has received a text message requesting
login details to the corporate VPN server. Which of the
following would BEST describe this message?
❍ A. Brute force Quick
❍ B. Prepending Answer: 33

❍ C. Typosquatting The Details: 75
❍ D. Smishing

14 Practice Exam A - Questions
A37. A department store policy requires that a floor manager
approves each transaction when a gift certificate is used
for payment. The security team has found that some
of these transactions have been processed without the
approval of a manager. Which of the following would
provide a separation of duties to enforce this store policy?
❍ A. Use a WAF to monitor all gift certificate
Quick
transactions Answer: 33
❍ B. Disable all gift certificate transactions for cashiers
❍ C. Implement a discretionary access control policy The Details: 76
❍ D. Require an approval PIN for the cashier and a
separate approval PIN for the manager

A38. Which of the following is true of a rainbow table?
(Select TWO)
❍ A. The rainbow table is built in real-time Quick
during the attack Answer: 33
❍ B. Rainbow tables are the most effective The Details: 77
online attack type
❍ C. Rainbow tables require significant CPU cycles
at attack time
❍ D. Different tables are required for different
hashing methods
❍ E. A rainbow table won’t be useful if the
passwords are salted

A39. A server administrator at a bank has noticed a decrease
in the number of visitors to the bank's website.
Additional research shows that users are being directed
to a different IP address than the bank's web server.
Which of the following would MOST likely describe
this attack?
❍ A. Disassociation Quick
Answer: 33
❍ B. DDoS
❍ C. Buffer overflow The Details: 78

❍ D. DNS poisoning

Practice Exam A - Questions 15
A40. Which of these cloud deployment models would share
resources between a private virtualized data center and
externally available cloud services?
❍ A. SaaS Quick
Answer: 33
❍ B. Community
❍ C. Hybrid The Details: 79
❍ D. Containerization

A41. A company hires a large number of seasonal employees,
and their system access should normally be disabled
when the employee leaves the company. The security
administrator would like to verify that their systems
cannot be accessed by any of the former employees.
Which of the following would be the BEST way to
provide this verification?
Quick
❍ A. Confirm that no unauthorized accounts have Answer: 33
administrator access
The Details: 80
❍ B. Validate the account lockout policy
❍ C. Validate the processes and procedures for all
outgoing employees
❍ D. Create a report that shows all authentications for a
24-hour period

A42. A network administrator has installed a new access point,
but only a portion of the wireless devices are able to
connect to the network. Other devices can see the access
point, but they are not able to connect even when using
the correct wireless settings. Which of the following
security features was MOST likely enabled? Quick
Answer: 33
❍ A. MAC filtering
❍ B. SSID broadcast suppression The Details: 81
❍ C. 802.1X authentication
❍ D. Anti-spoofing

16 Practice Exam A - Questions
A43. A security administrator has gathered this information:
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp6 416 0 2601:4c3:4080:82.63976 yv-in-x5e.1e100..https CLOSE_WAIT
tcp6 0 0 2601:4c3:4080:82.63908 atl14s80-in-x0a..https ESTABLISHED
tcp6 0 0 fe80::4de1:1d4:8.36253 fe80::38b0:a2b1:.1025 ESTABLISHED
tcp6 0 0 fe80::4de1:1d4:8.1024 fe80::38b0:a2b1:.1024 ESTABLISHED

Which of the following is being used to create
this information?
Quick
❍ A. tracert Answer: 33
❍ B. netstat
The Details: 82
❍ C. dig
❍ D. netcat

A44. An attacker has discovered a way to disable a server by
sending specially crafted packets from many remote
devices to the operating system. When the packet is
received, the system crashes and must be rebooted to
restore normal operations. Which of the following would
BEST describe this attack?
Quick
❍ A. Privilege escalation Answer: 33
❍ B. Spoofing
The Details: 83
❍ C. Replay attack
❍ D. DDoS

A45. A data breach has occurred in a large insurance company.
A security administrator is building new servers and
security systems to get all of the financial systems back
online. Which part of the incident response process
would BEST describe these actions?
Quick
❍ A. Lessons learned Answer: 33
❍ B. Isolation and containment
The Details: 84
❍ C. Reconstitution
❍ D. Precursors

Practice Exam A - Questions 17
A46. A manufacturing company has moved an inventory
application from their internal systems to a PaaS service.
Which of the following would be the BEST way to
manage security policies on this new service?
❍ A. DLP Quick
Answer: 33
❍ B. SIEM
The Details: 85
❍ C. IPS
❍ D. CASB

A47. An organization has identified a significant vulnerability
in a firewall that was recently installed for Internet
connectivity. The firewall company has stated there are
no plans to create a patch for this vulnerability. Which of
the following would BEST describe this issue?
❍ A. Lack of vendor support Quick
Answer: 33
❍ B. Improper input handling
❍ C. Improper key management The Details: 86
❍ D. End-of-life

A48. A company has decided to perform a disaster recovery
exercise during an annual meeting with the IT directors
and senior directors. A simulated disaster will be
presented, and the participants will discuss the logistics
and processes required to resolve the disaster. Which of
the following would BEST describe this exercise?
❍ A. After-action report Quick
Answer: 33
❍ B. Business impact analysis
The Details: 87
❍ C. Alternate business practice
❍ D. Tabletop exercise

18 Practice Exam A - Questions
A49. A security administrator needs to identify all computers
on the company network infected with a specific malware
variant. Which of the following would be the BEST way
to identify these systems?
❍ A. Honeynet Quick
Answer: 33
❍ B. Data masking
❍ C. DNS sinkhole The Details: 88

❍ D. DLP

A50. A system administrator has been called to a system
that is suspected to have a malware infection. The
administrator has removed the device from the network
and has disconnected all USB flash drives. Which
of these incident response steps is the administrator
following?
❍ A. Lessons learned Quick
Answer: 33
❍ B. Containment
❍ C. Detection The Details: 89

❍ D. Reconstitution

A51. How can a company ensure that all data on a mobile
device is unrecoverable if the device is lost or stolen?
❍ A. Containerization Quick
Answer: 33
❍ B. Geofencing
❍ C. Screen locks The Details: 90

❍ D. Remote wipe

A52. A security administrator is collecting information
associated with a ransomware infection on the company's
web servers. Which of the following log files would
provide information regarding the memory contents of
these servers?
Quick
❍ A. Web Answer: 33
❍ B. Packet
The Details: 91
❍ C. Dump
❍ D. DNS

Practice Exam A - Questions 19
A53. Which part of the PC startup process verifies the digital
signature of the OS kernel?
❍ A. Measured Boot
❍ B. Trusted Boot Quick
Answer: 33
❍ C. Secure Boot
❍ D. POST The Details: 92

A54. Which of these best describes two-factor authentication?
❍ A. A printer uses a password and a PIN
❍ B. The door to a building requires a fingerprint scan Quick
Answer: 33
❍ C. An application requires a TOTP code
❍ D. A Windows Domain requires a username, The Details: 93
password, and smart card

A55. A company is deploying a new mobile application to
all of its employees in the field. Some of the problems
associated with this rollout include:
The company does not have a way to manage the mobile
devices in the field
Company data on mobile devices in the field introduces
additional risk
Team members have many different kinds of mobile
devices
Which of the following deployment models would
address these concerns?
❍ A. Corporate-owned
Quick
❍ B. COPE
Answer: 33
❍ C. VDI
The Details: 94
❍ D. BYOD

20 Practice Exam A - Questions
A56. An organization is installing a UPS for their new data
center. Which of the following would BEST describe
this type of control?
❍ A. Compensating Quick
❍ B. Preventive Answer: 33

❍ C. Managerial The Details: 95
❍ D. Detective

A57. A manufacturing company would like to track the
progress of parts as they are used on an assembly line.
Which of the following technologies would be the
BEST choice for this task?
❍ A. Quantum computing Quick
Answer: 33
❍ B. Blockchain
The Details: 96
❍ C. Hashing
❍ D. Asymmetric encryption

A58. A security administrator has been asked to respond to
a potential security breach of the company’s databases,
and they need to gather the most volatile data before
powering down the database servers. In which order
should they collect this information?
❍ A. CPU registers, temporary files, memory, Quick
remote monitoring data Answer: 33

❍ B. Memory, CPU registers, remote monitoring data, The Details: 97
temporary files
❍ C. Memory, CPU registers, temporary files,
remote monitoring data
❍ D. CPU registers, memory, temporary files,
remote monitoring data

Practice Exam A - Questions 21
A59. A Linux administrator is downloading an updated
version of her Linux distribution. The download site
shows a link to the ISO and a SHA256 hash value.
Which of these would describe the use of this
hash value?
❍ A. Verifies that the file was not corrupted during Quick
the file transfer Answer: 33
❍ B. Provides a key for decrypting the ISO The Details: 98
after download
❍ C. Authenticates the site as an official ISO
distribution site
❍ D. Confirms that the file does not contain
any malware

A60. A company's security policy requires that login access
should only be available if a person is physically within
the same building as the server. Which of the following
would be the BEST way to provide this requirement?
❍ A. TOTP Quick
Answer: 33
❍ B. Biometric scanner
❍ C. PIN The Details: 99

❍ D. SMS

A61. Your development team has installed a new application
and database to a cloud service. After running a
vulnerability scanner on the application instance, you
find that the database is available for anyone to query
without providing any authentication. Which of these
vulnerabilities is MOST associated with this issue?
❍ A. Improper error handling Quick
Answer: 33
❍ B. Open permissions
❍ C. Race condition The Details: 100

❍ D. Memory leak

22 Practice Exam A - Questions
A62. Employees of an organization have received an email
offering a cash bonus for completing an internal training
course. The link in the email requires users to login
with their Windows Domain credentials, but the link
appears to be located on an external server. Which of the
following would BEST describe this email?
❍ A. Whaling Quick
Answer: 33
❍ B. Vishing
❍ C. Smishing The Details: 101

❍ D. Phishing

A63. Which of the following risk management strategies
would include the purchase and installation of
an NGFW?
❍ A. Transference Quick
Answer: 33
❍ B. Mitigation
The Details: 102
❍ C. Acceptance
❍ D. Risk-avoidance

A64. Which of the following would be the BEST way to
confirm the secure baseline of a deployed application
instance?
❍ A. Compare the production application to the Quick
Answer: 33
sandbox
❍ B. Perform an integrity measurement The Details: 103
❍ C. Compare the production application to
the previous version
❍ D. Perform QA testing on the application instance

A65. A member of the accounting team was out of the office
for two weeks, and an important financial transfer was
delayed until they returned. Which of the following
would have prevented this delay?
❍ A. Split knowledge Quick
Answer: 33
❍ B. Least privilege
❍ C. Job rotation The Details: 104

❍ D. Dual control

Practice Exam A - Questions 23
A66. A security analyst has identified a number of sessions
from a single IP address with a TTL equal to zero. One
of the sessions has a destination of the Internet firewall,
and a session immediately after has a destination of your
DMZ server. Which of the following BEST describes
this log information?
❍ A. Someone is performing a vulnerability scan Quick
against the firewall and DMZ server Answer: 33
❍ B. Users are performing DNS lookups The Details: 105
❍ C. A remote user is grabbing banners of the firewall
and DMZ server
❍ D. Someone is performing a traceroute to the
DMZ server

A67. An attacker has sent more information than expected
in a single API call, and this has allowed the execution
of arbitrary code. Which of the following would BEST
describe this attack?
❍ A. Buffer overflow
Quick
❍ B. Replay attack Answer: 33
❍ C. Session hijacking
The Details: 106
❍ D. DDoS

A68. A company encourages users to encrypt all of
their confidential materials on a central server. The
organization would like to enable key escrow as a backup.
Which of these keys should the organization place
into escrow?
❍ A. Private
Quick
❍ B. CA
Answer: 33
❍ C. Session
The Details: 107
❍ D. Public

24 Practice Exam A - Questions
A69. A security administrator is designing an authentication
process for a new remote site deployment. They would
like the users to provide their credentials when they
authenticate in the morning, and they do not want any
additional authentication requests to appear during the
rest of the day. Which of the following should be used to
meet this requirement?
❍ A. TACACS+ Quick
Answer: 33
❍ B. LDAPS
❍ C. Kerberos The Details: 108

❍ D. 802.1X

A70. A manufacturing company would like to use an
existing router to separate a corporate network and a
manufacturing floor that use the same physical switch.
The company does not want to install any additional
hardware. Which of the following would be the BEST
choice for this segmentation?
❍ A. Connect the corporate network and the
Quick
manufacturing floor with a VPN Answer: 33
❍ B. Build an air gapped manufacturing floor network
The Details: 109
❍ C. Use personal firewalls on each device
❍ D. Create separate VLANs for the corporate network
and the manufacturing floor

A71. When a home user connects to the corporate VPN, they
are no longer able to print to their local network printer.
Once the user disconnects from the VPN, the printer
works normally. Which of the following would be the
MOST likely reason for this issue?
❍ A. The VPN uses IPSec instead of SSL Quick
Answer: 33
❍ B. Printer traffic is filtered by the VPN client
❍ C. The VPN is stateful The Details: 110

❍ D. The VPN tunnel is configured for full tunnel

Practice Exam A - Questions 25
A72. A data center manager has built a Faraday cage in the
data center, and a set of application servers have been
placed into racks inside the Faraday cage. Which of
the following would be the MOST likely reason for
the data center manager to install this configuration of
equipment?
❍ A. Protect the servers against any unwanted Quick
electromagnetic fields Answer: 33

❍ B. Prevent physical access to the servers without The Details: 111
the proper credentials
❍ C. Provide additional cooling to all devices in the
cage
❍ D. Adds additional fire protection for the
application servers

A73. A recent report shows the return of a vulnerability
that was previously patched four months ago. After
researching this issue, the security team has found that
a recent patch has reintroduced this vulnerability on
the servers. Which of the following should the security
administrator implement to prevent this issue from
occurring in the future?
Quick
❍ A. Templates Answer: 33
❍ B. Elasticity
The Details: 112
❍ C. Master image
❍ D. Continuous monitoring

A74. A security manager would like to ensure that unique
hashes are used with an application login process. Which
of the following would be the BEST way to add random
data when generating a set of stored password hashes?
❍ A. Salting Quick
Answer: 33
❍ B. Obfuscation
❍ C. Key stretching The Details: 113

❍ D. Digital signature

26 Practice Exam A - Questions
A75. Which cryptographic method is used to add trust to a
digital certificate?
❍ A. X.509 Quick
Answer: 33
❍ B. Hash
The Details: 114
❍ C. Symmetric encryption
❍ D. Digital signature

A76. An MSP is designing a new server room for a large
company. Which of the following should be included in
the design to provide redundancy? (Select TWO)
❍ A. SIEM Quick
❍ B. Temperature monitors Answer: 33

❍ C. RAID arrays The Details: 115
❍ D. Dual power supplies
❍ E. Hot and cold aisles
❍ F. Biometric locks

A77. An organization maintains a large database of customer
information for sales tracking and customer support.
Which person in the organization would be responsible
for managing the access rights to this data?
❍ A. Data processor Quick
Answer: 33
❍ B. Data owner
❍ C. Privacy officer The Details: 116

❍ D. Data custodian

A78. An organization’s content management system (CMS)
currently labels files and documents as “Unclassified”
and “Restricted.” On a recent update to the CMS, a new
classification type of “PII” was added. Which of the
following would be the MOST likely reason for
this addition?
❍ A. Healthcare system integration Quick
Answer: 33
❍ B. Simplified categorization
❍ C. Expanded privacy compliance The Details: 117

❍ D. Decreased search time
Practice Exam A - Questions 27
A79. A corporate security team would like to consolidate and
protect the private keys across all of their web servers.
Which of these would be the BEST way to securely store
these keys?
❍ A. Use an HSM Quick
Answer: 33
❍ B. Implement full disk encryption on the web servers
❍ C. Use a TPM The Details: 118

❍ D. Upgrade the web servers to use a UEFI BIOS

A80. Jennifer is reviewing this security log from her IPS:
ALERT 2018-06-01 13:07:29 [163bcf65118-179b547b]
Cross-Site Scripting in JSON Data
222.43.112.74:3332 -> 64.235.145.35:80
URL/index.html - Method POST - Query String "-"
User Agent: curl/7.21.3 (i386-redhat-linux-gnu) libcurl/7.21.3
NSS/3.13.1.0 zlib/1.2.5 libidn/1.19 libssh2/1.2.7
Detail: token="" key="key7" value="alert(2)"
Which of the following can be determined from this log
information? (Select TWO)
❍ A. The alert was generated from a malformed Quick
User Agent header Answer: 33
❍ B. The alert was generated from an embedded script The Details: 119
❍ C. The attacker’s IP address is 222.43.112.74
❍ D. The attacker’s IP address is 64.235.145.35
❍ E. The alert was generated due to an invalid
client port number

A81. Which of the following describes a monetary loss if one
event occurs?
❍ A. ALE Quick
Answer: 33
❍ B. SLE
The Details: 120
❍ C. RTO
❍ D. ARO

28 Practice Exam A - Questions
A82. A user with restricted access has typed this text in a
search field of an internal web-based application:

USER77' OR '1'='1

After submitting this search request, all of the database
records are displayed on the screen. Which of the
following would BEST describe this search?
Quick
❍ A. CSRF
Answer: 33
❍ B. Buffer overflow
The Details: 121
❍ C. SQL injection
❍ D. SSL stripping

A83. A user has opened a helpdesk ticket complaining of poor
system performance, excessive pop up messages, and
the cursor moving without anyone touching the mouse.
This issue began after they opened a spreadsheet from a
vendor containing part numbers and pricing information.
Which of the following is MOST likely the cause of this
user's issues?
Quick
❍ A. On-path
Answer: 33
❍ B. Worm
The Details: 122
❍ C. RAT
❍ D. Logic bomb

A84. A web-based manufacturing company processes
monthly charges to credit card information saved in the
customer's profile. Which of the following standards
would be required to maintain this payment information?
❍ A. GDPR Quick
Answer: 33
❍ B. ISO 27001
The Details: 123
❍ C. PCI DSS
❍ D. CSA CCM

Practice Exam A - Questions 29
A85. A security manager has created a report showing
intermittent network communication from external IP
addresses to certain workstations on the internal network.
These traffic patterns occur at random times during the
day. Which of the following would be the MOST likely
reason for these traffic patterns?
❍ A. ARP poisoning Quick
Answer: 33
❍ B. Backdoor
The Details: 124
❍ C. Polymorphic virus
❍ D. Trojan horse

A86. The security policies in a manufacturing company
prohibit the transmission of customer information.
However, a security administrator has received an alert
that credit card numbers were transmitted as an email
attachment. Which of the following was the MOST
likely source of this alert message?
❍ A. IPS Quick
Answer: 33
❍ B. DLP
The Details: 125
❍ C. SMTP
❍ D. IPsec

A87. A security administrator has configured a virtual machine
in a screened subnet with a guest login account and no
password. Which of the following would be the MOST
likely reason for this configuration?
❍ A. The server is a honeypot for attracting Quick
Answer: 33
potential attackers
❍ B. The server is a cloud storage service for The Details: 126
remote users
❍ C. The server will be used as a VPN concentrator
❍ D. The server is a development sandbox for third-
party programming projects

30 Practice Exam A - Questions
A88. A company's outgoing email server currently uses SMTP
with no encryption. The security administrator would like
to implement encryption between email clients without
changing the existing server-to-server communication.
Which of the following would be the BEST way to
implement this requirement?
Quick
❍ A. Implement Secure IMAP Answer: 33
❍ B. Require the use of S/MIME
The Details: 127
❍ C. Install an SSL certificate on the email server
❍ D. Use a VPN tunnel between email clients

A89. A company would like to securely deploy applications
without the overhead of installing a virtual machine for
each system. Which of the following would be the BEST
way to deploy these applications?
❍ A. Containerization Quick
Answer: 33
❍ B. IaaS
The Details: 128
❍ C. Proxies
❍ D. CASB

A90. A company has just purchased a new application server,
and the security director wants to determine if the
system is secure. The system is currently installed in a test
environment and will not be available to users until the
rollout to production next week. Which of the following
would be the BEST way to determine if any part of the
system can be exploited?
❍ A. Tabletop exercise Quick
Answer: 33
❍ B. Vulnerability scanner
The Details: 129
❍ C. Password cracker
❍ D. Penetration test

Practice Exam A - Questions 31
Practice Exam A
Multiple Choice Quick Answers
A6. B A36. D A66. D
A7. A and C A37. D A67. A
A8. A A38. D and E A68. A
A9. A and D A39. D A69. C
A10. C A40. C A70. D
A11. C A41. C A71. D
A12. A A42. A A72. A
A13. D A43. B A73. D
A14. A, E, and G A44. D A74. A
A15. B A45. C A75. D
A16. C A46. D A76. C and D
A17. A A47. A A77. D
A18. A A48. D A78. C
A19. A A49. C A79. A
A20. C A50. B A80. B and C
A21. B and E A51. D A81. B
A22. C A52. C A82. C
A23. B and D A53. B A83. C
A24. B A54. D A84. C
A25. C A55. C A85. B
A26. B A56. A A86. B
A27. A A57. B A87. A
A28. B A58. D A88. B
A29. C A59. A A89. A
A30. F A60. B A90. D
A31. D A61. B
A32. A and F A62. D
A33. B A63. B
A34. D and F A64. B
A35. A A65. C

Practice Exam A - Answers 33
Practice Exam A
Detailed Answers
A1. Match the description with the most accurate attack type.
Not all attack types will be used.

Attacker obtains bank account number
and birth date by calling the victim

Vishing
Social engineering over the telephone continues to be an effective attack vector,
and obtaining personal information such as a bank account or birth date would
be considered phishing over voice, or vishing.
More information:
SY0-601, Objective 1.1 - Phishing
https://professormesser.link/601010101

Attacker modifies a legitimate DNS server to resolve
the IP address of a malicious site
Spoofing
Spoofing happens any time a device pretends to be another device. If a DNS
server has been modified to hand out the IP address of a different server, then
it's spoofing the IP address of the attacker.
More information:
SY0-601, Objective 1.4 - DNS Attacks
https://professormesser.link/601010409

Attacker intercepts all communication between
a client and a web server
On-path
On-path attacks are quite effective because the attacker can often sit invisibly
between two devices and gather useful information or modify the data streams
in real-time.
More information:
SY0-601, Objective 1.4 - On-path Attacks
https://professormesser.link/601010407
Practice Exam A - Answers 35
 Multiple attackers
overwhelm a web server
DDoS
A DoS (Denial of Service) occurs when a service is unavailable due to the
effects of a third-party. A DDoS (Distributed Denial of Service) occurs when
multiple third-parties work together to create a service outage.
More information:
SY0-601, Objective 1.4 - Denial of Service
https://professormesser.link/601010410

A virus alert appears in your browser from Microsoft
with a phone number to call for support
Hoax
A threat that seems real but doesn't actually exist is a hoax. In this example, a
fake web site message is trying to convince you that this fake threat is actually a
real security issue.
More information:
SY0-601, Objective 1.1 - Hoaxes
https://professormesser.link/601010105

36 Practice Exam A - Answers
A2. The security team at a local public library system is creating a set of
minimum security standards for the various computer systems
used at the library. Select the BEST security control for each available
placeholder. All of the available security controls will be used once.

Location Description Security Controls

Locking Cabinets

Library Computer Room
Environmental Sensors
Web Server and High security
Database Server
Video Surveillance

The security in the computer room requires both physical security and ongoing
surveillance. The locking cabinets will secure the physical equipment, and the
video surveillance will provide a method to monitor the systems without being
physically present. Including an environmental sensor will provide information
about the temperature and humidity levels in the computer room.

Full-Disk Encryption
Library Offsite use
Employee
Contains PII
Laptops Biometric Reader

Since the laptops are used away from the main location, it's important to
protect the data and provide additional authentication options. The storage
drives on the laptop should be configured with FDE (full-disk encryption) and
a biometric reader on the laptop can ensure that the proper users have access.

Practice Exam A - Answers 37
 Library
Manages the check-in Smart Card
Lending
and check-out process
Systems

The lending library systems are only used inside of the library, and it would
be common for employees to always have their identification cards available.
When combined with a smart card, these identification cards can be used as a
method of authentication for the lending systems.

Open Area
Digital Newspaper No supervision Cable Lock
Reading Lab
Laptop computers

The reading lab computers are laptops that are used in a public area with no
supervision. To prevent these portable systems from becoming too portable,
they can be fitted with cable locks while in the reading lab.

More information:
SY0-601, Objective 2.7 - Physical Security Controls
https://professormesser.link/601020701

38 Practice Exam A - Answers
A3. Fill in the blank with the BEST secure network protocol
for the description:

HTTPS Accept customer purchases from your primary website

NTPsec Synchronize the time across all of your devices

SSH Access your switch using a CLI terminal screen

SRTP Talk with customers on scheduled conference calls

SNMPv3 Gather metrics from routers at remote sites

On today's networks, it's important to maintain confidentiality of data across
many different applications. The Security+ exam objectives include a list of
secure protocols, and it's useful to know both the insecure and secure versions
of each protocol type.

More information:
SY0-601, Objective 3.1 - Secure Protocols
https://professormesser.link/601030101

Practice Exam A - Answers 39
A4. Match the appropriate authentication reference to each description.
Each authentication factor or attribute will be used once.

Something you can do Somewhere you are

Something you have Something you know Something you are

Description Authentication Factor

During the login process, your phone receives a
text message with a one-time passcode Something you have

You enter your PIN to make
a deposit into an ATM Something you know

You must sign a check-in sheet
before entering a controlled area Something you can do

You can use your fingerprint to unlock
the door to the data center Something you are

Your login will not work unless you are
connected to the VPN Somewhere you are

Authentication factors are important to consider when developing applications
or designing network infrastructures. It's useful to know each authentication
factor and some examples of how that factor can be applied during the
authentication process.

More information:
SY0-601, Objective 2.4 - Multi-factor Authentication
https://professormesser.link/601020403

40 Practice Exam A - Answers
A5. Configure the following stateful firewall rules:
Allow the Web Server to access the Database Server using LDAP
Allow the Storage Server to transfer files to the Video Server over HTTPS
Allow the Management Server to use a secure terminal on the File Server

DMZ

File Server Video Server Web Server
10.1.1.3 10.1.1.7 10.1.1.2

DMZ
Switch

Internet Firewall

Internal
Switch

Internal Network

Storage Server Management Server Database Server
10.2.1.33 10.2.1.47 10.2.1.20

Protocol
Destination Allow/
Rule # Source IP (TCP/ Port #
IP Block
UDP)
1 10.1.1.2 10.2.1.20 TCP 389 Allow
2 10.2.1.33 10.1.1.7 TCP 443 Allow
3 10.2.1.47 10.1.1.3 TCP 22 Allow
Practice Exam A - Answers 41
Creating firewall policies is a foundational skill for any IT security professional.
Fortunately, the process is relatively straightforward if each part of the firewall
rule is broken down into individual pieces.

Allow the Web Server to access the Database Server using LDAP
The first step is to determine the source and destination of the firewall rule.
After referencing the diagram, we can see the source Web Server IP address
is 10.1.1.2 and the destination Database Server is 10.2.1.20. This question
requires a knowledge of TCP and UDP ports, and knowing the LDAP is
TCP/389 provides the next two fields in the firewall rule. Finally, the rule is
designed to permit traffic between these two devices, so the disposition is set to
Allow.
Since this firewall is stateful, the firewall rule allows the first packet in the
traffic flow and any return traffic in the flow will be automatically associated
with this rule. A stateful firewall does not require a separate firewall rule for
response traffic associated with the original traffic flow.

Allow the Storage Server to transfer files to the Video Server
over HTTPS
The Storage Server is 10.2.1.33, and the Video Server is 10.1.1.7. Notice that
the traffic flow moves through the firewall in a different direction than the first
rule, but these firewall rules are focused on the source and destination of the
traffic flow. This rule specifies HTTPS traffic, so TCP/443 will be listed in the
firewall rule. And finally, the firewall rule should allow these traffic flows.

Allow the Management Server to use a secure terminal on the
File Server
The management server IP address is 10.2.1.47, and the File Server is 10.1.1.3.
A secure terminal would use the SSH protocol over TCP/22, and the firewall
should be configured to allow this traffic.

More information:
SY0-601, Objective 3.3 - Firewalls
https://professormesser.link/601030306

42 Practice Exam A - Answers
A6. You’ve hired a third-party to gather information about your company’s
servers and data. The third-party will not have direct access to your
internal network but can gather information from any other source.
Which of the following would BEST describe this approach?
❍ A. Backdoor testing
❍ B. Passive footprinting
❍ C. OS fingerprinting
❍ D. Partially known environment

The Answer: B. Passive footprinting
Passive footprinting focuses on learning as much information from
open sources such as social media, corporate websites, and business
organizations.

The incorrect answers:
A. Backdoor testing
Some active reconnaissance tests will directly query systems to see if a
backdoor has been installed.

C. OS fingerprinting
To fingerprint an operating system, you must actively query and receive
responses across the network.

D. Partially known environment
A partially known environment penetration test is a focused approach
that usually provides detailed information about specific systems or
applications.

More information:
SY0-601, Objective 1.8 - Reconnaissance
https://professormesser.link/601010802

Practice Exam A - Answers 43
A7. Which of these protocols use TLS to provide secure communication?
(Select TWO)
❍ A. HTTPS
❍ B. SSH
❍ C. FTPS
❍ D. SNMPv2
❍ E. DNSSEC
❍ F. SRTP

The Answer: A. HTTPS and C. FTPS
TLS (Transport Layer Security) is a cryptographic protocol used to
encrypt network communication. HTTPS is the Hypertext Transfer
Protocol over TLS, and FTPS is the File Transfer Protocol over TLS.

An earlier version of TLS is SSL (Secure Sockets Layer). Although
we don’t commonly see SSL in use any longer, you may see TLS
communication referenced as SSL.

The incorrect answers:
B. SSH
SSH (Secure Shell) can use symmetric or asymmetric encryption, but
those ciphers are not associated with TLS.

D. SNMPv2
SNMPv2 (Simple Network Management Protocol version 2) does not
implement TLS, or any encryption, within the network communication.

E. DNSSEC
DNSSEC (DNS security extensions) do not provide any confidentiality
of data.

F. SRTP
SRTP (Secure Real-time Transport Protocol) is a VoIP (Voice over IP)
protocol used for encrypting conversations. SRTP protocol commonly uses
AES (Advanced Encryption Standard) for confidentiality.

More information:
SY0-601, Objective 3.1 - Secure Protocols
https://professormesser.link/601030101
44 Practice Exam A - Answers
A8. Which of these threat actors would be MOST likely to attack systems for
direct financial gain?
❍ A. Organized crime
❍ B. Hacktivist
❍ C. Nation state
❍ D. Competitor

The Answer: A. Organized crime
An organized crime actor is motivated by money, and their hacking
objectives are usually based around objectives that can be easily exchanged
for financial capital.

The incorrect answers:
B. Hacktivist
A hacktivist is focused on a political agenda and not commonly on a
financial gain.

C. Nation state
Nation states are already well funded, and their primary objective is not
usually based on revenue or income.

D. Competitor
A competitor doesn’t have any direct financial gain by disrupting a
website or stealing customer lists, and often their objective is to disable
a competitor’s business or to harm their reputation. If there is a financial
gain, it would often be an indirect result of an attack.

More information:
SY0-601, Objective 1.5 - Threat Actors
https://professormesser.link/601010501

Practice Exam A - Answers 45
A9. A security incident has occurred on a file server. Which of the following
data sources should be gathered to address file storage volatility?
(Select TWO)
❍ A. Partition data
❍ B. Kernel statistics
❍ C. ROM data
❍ D. Temporary file systems
❍ E. Process table

The Answer: A. Partition data and D. Temporary file systems
Both temporary file system data and partition data are part of the file
storage subsystem.

The incorrect answers:
B. Kernel statistics
Kernel statistics are stored in memory.

C. ROM data
ROM data is a type of memory storage.

E. Process table
The process table keeps track of system processes, and it stores this
information in RAM.

More information:
SY0-601, Objective 4.5 - Forensics Data Acquisition
https://professormesser.link/601040502

46 Practice Exam A - Answers
A10. An IPS at your company has found a sharp increase in traffic from
all-in-one printers. After researching, your security team has found a
vulnerability associated with these devices that allows the device to be
remotely controlled by a third-party. Which category would BEST
describe these devices?
❍ A. IoT
❍ B. RTOS
❍ C. MFD
❍ D. SoC

The Answer: C. MFD
An all-in-one printer that can print, scan, and fax is often categorized as
an MFD (Multifunction Device).

The incorrect answers:
A. IoT
Wearable technology and home automation devices are commonly called
IoT (Internet of Things) devices.

B. RTOS
RTOS (Real-time Operating Systems) are commonly used in
manufacturing and automobiles.

D. SoC
Multiple components that run on a single chip are categorized as an SoC
(System on a Chip).

More information:
SY0-601, Objective 2.6 - Embedded Systems
https://professormesser.link/601020601

Practice Exam A - Answers 47
A11. Which of the following standards provides information on privacy and
managing PII?
❍ A. ISO 31000
❍ B. ISO 27002
❍ C. ISO 27701
❍ D. ISO 27001

The Answer: C. ISO 27701
The ISO (International Organization for Standardization) 27701
standard extends the ISO 27001 and 27002 standards to include detailed
management of PII (Personally Identifiable Information) and data privacy.

The incorrect answers:
A. ISO 31000
The ISO 31000 standard sets international standards for risk management
practices.

B. ISO 27002
Information security controls are the focus of the ISO 27002 standard.

D. ISO 27001
The ISO 27001 standard is the foundational standard for Information
Security Management Systems (ISMS).

More information:
SY0-601, Objective 5.2 - Security Frameworks
https://professormesser.link/601050202

48 Practice Exam A - Answers
A12. Elizabeth, a security administrator, is concerned about the potential for
data exfiltration using external storage drives. Which of the following
would be the BEST way to prevent this method of data exfiltration?
❍ A. Create an operating system security policy to prevent
the use of removable media
❍ B. Monitor removable media usage in host-based firewall logs
❍ C. Only allow applications that do not use removable media
❍ D. Define a removable media block rule in the UTM

The Answer: A. Create an operating system security policy to prevent
the use of removable media

Removable media uses hot-pluggable interfaces such as USB to connect
storage drives. A security policy in the operating system can prevent any
files from being written to a removable drive.

The incorrect answers:
B. Monitor removable media usage in host-based firewall logs
A host-based firewall monitors traffic flows and does not commonly log
hardware or USB drive access.

C. Only allow applications that do not use removable media
File storage access options are not associated with applications, so it’s not
possible to allow based on external storage drive usage.

D. Define a removable media block rule in the UTM
A UTM (Unified Threat Manager) watches traffic flows across the
network and does not commonly manage the storage options on individual
computers.

More information:
SY0-601, Objective 1.5 - Attack Vectors
https://professormesser.link/601010502

Practice Exam A - Answers 49
A13. A CISO (Chief Information Security Officer) would like to decrease
the response time when addressing security incidents. Unfortunately, the
company does not have the budget to hire additional security engineers.
Which of the following would assist the CISO with this requirement?
❍ A. ISO 27701
❍ B. PKI
❍ C. IaaS
❍ D. SOAR

The Answer: D. SOAR
SOAR (Security Orchestration, Automation, and Response) is designed
to make security teams more effective by automating processes and
integrating third-party security tools.

The incorrect answers:
A. ISO 27701
The ISO (International Organization for Standardization) 27701 standard
focuses on privacy and securing PII.

B. PKI
A PKI (Public Key Infrastructure) describes the processes and procedures
associated with maintaining digital certificates.

C. IaaS
IaaS (Infrastructure as a Service) describes a cloud service that provides
the hardware required for deploying application instances and other cloud-
based applications.

More information:
SY0-601, Objective 4.4 - Security Configurations
https://professormesser.link/601040402

50 Practice Exam A - Answers
A14. An insurance company has created a set of policies to handle data
breaches. The security team has been given this set of requirements based
on these policies:
Access records from all devices must be saved and archived
Any data access outside of normal working hours
must be immediately reported
Data access must only occur inside of the country
Access logs and audit reports must be created from a single database
Which of the following should be implemented by the security team to
meet these requirements? (Select THREE)
❍ A. Restrict login access by IP address and GPS location
❍ B. Require government-issued identification
during the onboarding process
❍ C. Add additional password complexity for accounts that access data
❍ D. Conduct monthly permission auditing
❍ E. Consolidate all logs on a SIEM
❍ F. Archive the encryption keys of all disabled accounts
❍ G. Enable time-of-day restrictions on the authentication server

The Answer: A. Restrict login access by IP address and GPS location,
E. Consolidate all logs on a SIEM, and
G. Enable time-of-day restrictions on
the authentication server

Adding location-based policies will prevent direct data access from outside
of the country. Saving log information from all devices and creating audit
reports from a single database can be implemented through the use of a
SIEM (Security Information and Event Manager). Adding a check for the
time-of-day will report any access that occurs during non-working hours.

Practice Exam A - Answers 51
 The incorrect answers:
B. Require government-issued identification during the
onboarding process

Requiring proper identification is always a good idea, but it’s not one of
the listed requirements.

C. Add additional password complexity for accounts that access data
Additional password complexity is another good best practice, but it’s not
part of the provided requirements.

D. Conduct monthly permission auditing
No requirements for ongoing auditing were included in the requirements,
but ongoing auditing is always an important consideration.

F. Archive the encryption keys of all disabled accounts
If an account is disabled, there may still be encrypted data that needs to be
recovered later. Archiving the encryption keys will allow access to that data
after the account is no longer in use.

More information:
SY0-601, Objective 3.7 - Account Policies
https://professormesser.link/601030703

52 Practice Exam A - Answers
A15. Rodney, a security engineer, is viewing this record from the firewall logs:
UTC 04/05/2018 03:09:15809 AV Gateway Alert
136.127.92.171 80 -> 10.16.10.14 60818
Gateway Anti-Virus Alert:
XPACK.A_7854 (Trojan) blocked.
Which of the following can be observed from this log information?
❍ A. The victim's IP address is 136.127.92.171
❍ B. A download was blocked from a web server
❍ C. A botnet DDoS attack was blocked
❍ D. The Trojan was blocked, but the file was not

The Answer: B. A download was blocked from a web server
A traffic flow from a web server port number (80) to a device port (60818)
indicates that this traffic flow originated on port 80 of the web server. A
file download is one of the most common ways to deliver a Trojan, and
this log entry shows that the file containing the XPACK.A_7854 Trojan
was blocked.

The incorrect answers:
A. The victim’s IP address is 136.127.92.171
The format for this log entry uses an arrow to differentiate between the
attacker and the victim. The attacker IP address is 136.127.92.171, and the
victim’s IP address is 10.16.10.14.

C. A botnet DDoS attack was blocked
A botnet attack would not commonly include a Trojan horse as part of a
distributed denial of service (DDoS) attack.

D. The Trojan was blocked, but the file was not
A Trojan horse attack involves malware that is disguised as legitimate
software. The Trojan malware and the file are the same entity, so there isn’t
a way to decouple the malware from the file.

More information:
SY0-601, Objective 4.3 - Log Files
https://professormesser.link/601040303

Practice Exam A - Answers 53
A16. A user connects to a third-party website and receives this message:

Your connection is not private.
NET::ERR_CERT_INVALID

Which of the following attacks would be the MOST likely reason
for this message?
❍ A. Brute force
❍ B. DoS
❍ C. On-path
❍ D. Disassociation

The Answer: C. On-path
An on-path attack is often associated with a third-party who is actively
intercepting network traffic. This entity in the middle would not be able
to provide a valid SSL certificate for a third-party website, and this error
would appear in the browser as a warning.

The incorrect answers:
A. Brute force
A brute force attack is commonly associated with password hacks. Brute
force attacks would not cause the certificate on a website to be invalid.

B. DoS
A DoS (Denial of Service) attack would prevent communication to a
server and most likely provide a timeout error. This error is not related to a
service availability issue.

D. Disassociation
Disassociation attacks are commonly associated with wireless networks,
and they usually cause disconnects and lack of connectivity. The error
message in this example does not appear to be associated with a network
outage or disconnection.

More information:
SY0-601, Objective 1.4 - On-Path Attacks
https://professormesser.link/601010407

54 Practice Exam A - Answers
A17. Which of the following would be the BEST way to provide a website
login using existing credentials from a third-party site?
❍ A. Federation
❍ B. 802.1X
❍ C. PEAP
❍ D. EAP-FAST

The Answer: A. Federation
Federation would allow members of one organization to authenticate
using the credentials of another organization.

The incorrect answers:
B. 802.1X
802.1X is a useful authentication protocol, but it needs additional
functionality to authenticate across multiple user databases.

C. PEAP
PEAP (Protected Extensible Authentication Protocol) provides a method
of authentication over a protected TLS (Transport Layer Security) tunnel,
but it doesn’t provide the federation needed for these requirements.

D. EAP-FAST
EAP-FAST (Extensible Authentication Protocol - Flexible
Authentication via Secure Tunneling) is an updated version of LEAP
(Lightweight EAP) that was commonly used after WEP (Wired
Equivalent Privacy) was replaced with WPA (Wi-Fi Protected Access).

More information:
SY0-601, Objective 2.4 - Authentication Methods
https://professormesser.link/601020401

Practice Exam A - Answers 55
A18. A system administrator, Daniel, is working on a contract that will specify
a minimum required uptime for a set of Internet-facing firewalls. Daniel
needs to know how often the firewall hardware is expected to fail between
repairs. Which of the following would BEST describe this information?
❍ A. MTBF
❍ B. RTO
❍ C. MTTR
❍ D. MTTF

The Answer: A. MTBF
The MTBF (Mean Time Between Failures) is a prediction of how often a
repairable system will fail.

The incorrect answers:
B. RTO
RTO (Recovery Time Objectives) define a set of objectives needed to
restore a particular service level.

C. MTTR
MTTR (Mean Time to Restore) is the amount of time it takes to repair a
component.

D. MTTF
MTTF (Mean Time to Failure) is the expected lifetime of a non-
repairable product or system.

More information:
SY0-601, Objective 5.4 - Business Impact Analysis
https://professormesser.link/601050403

56 Practice Exam A - Answers
A19. An attacker calls into a company’s help desk and pretends to be the
director of the company’s manufacturing department. The attacker
states that they have forgotten their password and they need to have the
password reset quickly for an important meeting. What kind of attack
would BEST describe this phone call?
❍ A. Social engineering
❍ B. Tailgating
❍ C. Watering hole
❍ D. On-path

The Answer: A. Social engineering
A social engineering attack takes advantage of authority and urgency
principles in an effort to convince someone else to circumvent normal
security controls.

The incorrect answers:
B. Tailgating
A tailgating attack follows someone else with proper credentials through a
door. This allows the attack to gain access to an area that’s normally locked.

C. Watering hole
A watering hole attack uses a third-party site to perform attacks outside of
a user's local (and usually more secure) network.

D. On-path
An on-path attack commonly occurs without any knowledge to the parties
involved, and there’s usually no additional notification that an attack is
underway. In this question, the attacker contacted the help desk engineer
directly.

More information:
SY0-601, Objective 1.1 - Principles of Social Engineering
https://professormesser.link/601010110

Practice Exam A - Answers 57
A20. A security administrator has been using EAP-FAST wireless
authentication since the migration from WEP to WPA2. The company’s
network team now needs to support additional authentication protocols
inside of an encrypted tunnel. Which of the following would meet the
network team’s requirements?
❍ A. EAP-TLS
❍ B. PEAP
❍ C. EAP-TTLS
❍ D. EAP-MSCHAPv2

The Answer: C. EAP-TTLS
EAP-TTLS (Extensible Authentication Protocol - Tunneled Transport
Layer Security) allows the use of multiple authentication protocols
transported inside of an encrypted TLS (Transport Layer Security) tunnel.
This allows the use of any authentication while maintaining confidentiality
with TLS.

The incorrect answers:
A. EAP-TLS
EAP-TLS does not provide a mechanism for using multiple
authentication types within a TLS tunnel.

B. PEAP
PEAP (Protected Extensible Authentication Protocol) encapsulates EAP
within a TLS tunnel, but does not provide a method of encapsulating