Professor Messer's CompTIA SY0-601 Security+ Practice Exams PDF
Written by James "Professor" Messer, 2021. Practice exams for the CompTIA Security+ (SY0-601) certification.

Summary
Professor Messer's CompTIA SY0-601 Security+ Practice Exams is a comprehensive study guide for the CompTIA Security+ certification. The book features three practice exams, each containing performance-based and multiple-choice questions, designed to mimic the actual exam format and complexity.
Professor Messer's CompTIA SY0-601 Security+ Practice Exams
by James "Professor" Messer
http://www.ProfessorMesser.com

Professor Messer's CompTIA SY0-601 Security+ Practice Exams
Written by James "Professor" Messer
Copyright © 2021 by Messer Studios, LLC
https://www.ProfessorMesser.com

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher.

First Edition: June 2021
This is version 1.09

Trademark Acknowledgments
All product names and trademarks are the property of their respective owners, and are in no way associated or affiliated with Messer Studios LLC. "Professor Messer" is a registered trademark of Messer Studios LLC. "CompTIA" and "Security+" are registered trademarks of CompTIA, Inc.

Warning and Disclaimer
This book is designed to provide information about the CompTIA SY0-601 Security+ certification exam. However, there may be typographical and/or content errors. Therefore, this book should serve only as a general guide and not as the ultimate source of subject information. The author shall have no liability or responsibility to any person or entity regarding any loss or damage incurred, or alleged to have incurred, directly or indirectly, by the information contained in this book.
Contents

Introduction
  The CompTIA SY0-601 Security+ Certification ... i
  How to Use This Book ... ii
Practice Exam A
  Performance-Based Questions ... 1
  Multiple Choice Questions ... 5
  Multiple Choice Quick Answers ... 33
  Detailed Answers ... 35
Practice Exam B
  Performance-Based Questions ... 131
  Multiple Choice Questions ... 135
  Multiple Choice Quick Answers ... 163
  Detailed Answers ... 165
Practice Exam C
  Performance-Based Questions ... 259
  Multiple Choice Questions ... 263
  Multiple Choice Quick Answers ... 291
  Detailed Answers ... 293

About the Author

James Messer is an information technology veteran whose career has included supercomputer operations, system administration, network management, and IT security. James is also the founder and CEO of Messer Studios, a leading publisher of training materials for IT certification exams. With over 110 million videos viewed and over 500,000 subscribers, Professor Messer's training has helped thousands of students realize their goals of a profession in information technology.

Introduction

The process of answering a test question is our ultimate test of knowledge. After hours of video watching, book reading, and note taking, do you really know the material? If you're trying to prove yourself, nothing beats getting the right answer.

This book contains three sample exams containing performance-based and multiple-choice questions for the Security+ exam. I've personally curated every question to make sure this Q&A matches the expectations of the SY0-601 Security+ exam.

I hope this book will help you be the smartest one in the room. Best of luck with your studies!

- Professor Messer

The CompTIA SY0-601 Security+ Certification

CompTIA's Security+ certification is the entry point for IT security professionals. If you're planning on securing the data and networks on the world's largest networks, then you're in the right place. Earning the Security+ certification requires the completion of one exam covering a broad range of security topics.
After completing the certification, a CompTIA Security+ certified professional will have an understanding of attack types, network security technologies, secure network architecture concepts, cryptography, and much more.

Here's the breakdown of each domain and the percentage of each topic on the SY0-601 exam:

Domain 1.0 - Threats, Attacks, and Vulnerabilities - 24%
Domain 2.0 - Architecture and Design - 21%
Domain 3.0 - Implementation - 25%
Domain 4.0 - Operations and Incident Response - 16%
Domain 5.0 - Governance, Risk, and Compliance - 14%

How to Use This Book

This book contains three separate 90-question practice exams: Exam A, Exam B, and Exam C. The exams are designed to emulate the format and complexity of the actual Security+ exam.

Take one exam at a time. The difficulty levels are similar between exams, so it doesn't matter which exam you take first. The actual Security+ exam is 90 minutes in length, so try setting a timer when you start your practice exam. Time management is an important part of the exam.

The first section of each practice exam is the list of questions. There's a link after every question that will jump immediately to the quick answer page or the detailed answer page. If you're using the digital version, your PDF reader keys can quickly jump back to the question page. Adobe Reader in Windows uses Alt-Left arrow and macOS Preview uses Command-[ to move back to the previous view. Be sure to check your PDF reader for specific navigation options.

The quick answer page is a consolidated list of the answers without any detail or explanation. If you want to quickly check your answer sheet, this is the page for you.

A detailed answer is available for each exam question. This section repeats the question, the possible answers, and shows the answer with a detailed explanation. This section is formatted to show only one answer per page to avoid giving away the answer to any other questions. If you're reading the digital version, use your PDF reader's back button to quickly jump back to the questions.

As you go through the exam, write down the answers on a separate sheet of paper or in a separate text editor window. Some PDF readers also support on-screen annotation. You can check the answers after the 90 minutes have elapsed.

You can grade your results against the quick answer page. For incorrect responses, be sure to check the detailed answer pages for information on why certain answers were considered correct or incorrect.

After each detailed answer, a video link is available for more information on the topic. You can click the link in your PDF or use your camera to view the QR (Quick Response) code on the page. Your camera app will provide a notification message that will launch the video page in your browser. The URL is also provided for manual entry.

You have the option of using each practice test as a 90-minute timed exam, or as a casual Q&A. Try stepping through each question, picking an answer, and then jumping to the detailed explanation to learn more about each possible answer.

Here's a scoring chart:

Less than 63 questions correct / 70% and lower - Use the exam objectives at the end of each detailed answer to determine where you might need some additional help.

63 to 72 questions correct / 70% to 80% - You're so close! Keep working on the areas you're missing and fill in those gaps.

73 to 81 questions correct / 80% to 90% - This is a strong showing, but some additional studying will help you earn points on the real exam. Although the actual Security+ exam does not calculate the final score as a percentage, getting an 85% on the practice exam can be considered a passing grade.

More than 81 questions correct / over 90% - You're ready for the real thing! Book your exam and earn your Security+ certification!

The detailed answer pages break down every correct answer and every incorrect answer.
Although it's useful to know when you got a question right, it's more important if you understand exactly why a question was marked wrong. If you understand all of the technologies on these sample exams, then you'll be ready for the real thing. iii Practice Exam A Performance-Based Questions A1. Match the description with the most accurate attack type. Not all attack types will be used. Attack Types: Hoax Social Engineering Spam Spoofing Vishing Supply Chain On-path DDoS Attacker obtains bank account number and birth date by calling the victim Select an Attack Type Attacker modifies a legitimate DNS server to resolve the IP address of a malicious site Select an Attack Type Attacker intercepts all communication between a client and a web server Select an Attack Type Multiple attackers overwhelm a web server Select an Attack Type A virus alert appears in your browser from Microsoft with a phone number to call for support Select an Attack Type Answer Page: 35 Practice Exam A - Questions 1 A2. The security team at a local public library system is creating a set of minimum security standards for the various computer systems. Select the BEST security control for each available placeholder. All of the available security controls will be used once. Security Biometric Reader Environmental Sensors Controls: Cable Lock Full-Disk Encryption Video Surveillance Locking Cabinets Smart Card Location Description Security Controls Library Computer Room Web Server and High security Database Server Library Offsite use Employee Contains PII Laptops Library Manages the check-in Lending and check-out process Systems Open Area Digital Newspaper No supervision Reading Lab Laptop computers Answer Page: 37 2 Practice Exam A - Questions A3. 
Fill in the blank with the BEST secure network protocol for the description: Accept customer purchases from your primary website Synchronize the time across all of your devices Access your switch using a CLI terminal screen Talk with customers on scheduled conference calls Gather metrics from routers at remote sites Answer Page: 39 A4. Match the appropriate authentication reference to each description. Each authentication factor or attribute will be used once. Something you can do Somewhere you are Something you have Something you know Something you are Description Authentication Factor During the login process, your phone receives a text message with a one-time passcode You enter your PIN to make a deposit into an ATM You must sign a check-in sheet before entering a controlled area You can use your fingerprint to unlock the door to the data center Your login will not work unless you are connected to the VPN Answer Page: 40 Practice Exam A - Questions 3 A5. Configure the following stateful firewall rules: Allow the Web Server to access the Database Server using LDAP Allow the Storage Server to transfer files to the Video Server over HTTPS Allow the Management Server to use a secure terminal on the File Server DMZ File Server Video Server Web Server 10.1.1.3 10.1.1.7 10.1.1.2 DMZ Switch Internet Firewall Internal Switch Internal Network Storage Server Management Server Database Server 10.2.1.33 10.2.1.47 10.2.1.20 Protocol Destination Allow/ Rule # Source IP (TCP/ Port # IP Block UDP) 1 2 3 Answer Page: 41 4 Practice Exam A - Questions Practice Exam A Multiple Choice Questions A6. You’ve hired a third-party to gather information about your company’s servers and data. The third-party will not have direct access to your internal network but can gather information from any other source. Which of the following would BEST describe this approach? Quick ❍ A. Backdoor testing Answer: 33 ❍ B. Passive footprinting The Details: 43 ❍ C. OS fingerprinting ❍ D. 
Partially known environment A7. Which of these protocols use TLS to provide secure communication? (Select TWO) Quick Answer: 33 ❍ A. HTTPS ❍ B. SSH The Details: 44 ❍ C. FTPS ❍ D. SNMPv2 ❍ E. DNSSEC ❍ F. SRTP A8. Which of these threat actors would be MOST likely to attack systems for direct financial gain? Quick Answer: 33 ❍ A. Organized crime ❍ B. Hacktivist The Details: 45 ❍ C. Nation state ❍ D. Competitor A9. A security incident has occurred on a file server. Which of the following data sources should be gathered to address file storage volatility? (Select TWO) Quick ❍ A. Partition data Answer: 33 ❍ B. Kernel statistics The Details: 46 ❍ C. ROM data ❍ D. Temporary file systems ❍ E. Process table Practice Exam A - Questions 5 A10. An IPS at your company has found a sharp increase in traffic from all-in-one printers. After researching, your security team has found a vulnerability associated with these devices that allows the device to be remotely controlled by a third-party. Which category would BEST describe these devices? ❍ A. IoT Quick Answer: 33 ❍ B. RTOS ❍ C. MFD The Details: 47 ❍ D. SoC A11. Which of the following standards provides information on privacy and managing PII? ❍ A. ISO 31000 Quick Answer: 33 ❍ B. ISO 27002 ❍ C. ISO 27701 The Details: 48 ❍ D. ISO 27001 A12. Elizabeth, a security administrator, is concerned about the potential for data exfiltration using external storage drives. Which of the following would be the BEST way to prevent this method of data exfiltration? ❍ A. Create an operating system security policy to Quick Answer: 33 prevent the use of removable media ❍ B. Monitor removable media usage in host-based The Details: 49 firewall logs ❍ C. Only allow applications that do not use removable media ❍ D. Define a removable media block rule in the UTM 6 Practice Exam A - Questions A13. A CISO (Chief Information Security Officer) would like to decrease the response time when addressing security incidents. 
Unfortunately, the company does not have the budget to hire additional security engineers. Which of the following would assist the CISO with this requirement? ❍ A. ISO 27701 Quick Answer: 33 ❍ B. PKI ❍ C. IaaS The Details: 50 ❍ D. SOAR A14. An insurance company has created a set of policies to handle data breaches. The security team has been given this set of requirements based on these policies: Access records from all devices must be saved and archived Any data access outside of normal working hours must be immediately reported Data access must only occur inside of the country Access logs and audit reports must be created from a single database Which of the following should be implemented by the security team to meet these requirements? (Select THREE) ❍ A. Restrict login access by IP address and Quick GPS location Answer: 33 ❍ B. Require government-issued identification The Details: 51 during the onboarding process ❍ C. Add additional password complexity for accounts that access data ❍ D. Conduct monthly permission auditing ❍ E. Consolidate all logs on a SIEM ❍ F. Archive the encryption keys of all disabled accounts ❍ G. Enable time-of-day restrictions on the authentication server Practice Exam A - Questions 7 A15. Rodney, a security engineer, is viewing this record from the firewall logs: UTC 04/05/2018 03:09:15809 AV Gateway Alert 136.127.92.171 80 -> 10.16.10.14 60818 Gateway Anti-Virus Alert: XPACK.A_7854 (Trojan) blocked. Which of the following can be observed from this log information? ❍ A. The victim's IP address is 136.127.92.171 Quick Answer: 33 ❍ B. A download was blocked from a web server ❍ C. A botnet DDoS attack was blocked The Details: 53 ❍ D. The Trojan was blocked, but the file was not A16. A user connects to a third-party website and receives this message: Your connection is not private. NET::ERR_CERT_INVALID Which of the following attacks would be the MOST likely reason for this message? ❍ A. Brute force Quick Answer: 33 ❍ B. DoS ❍ C. 
On-path The Details: 54 ❍ D. Disassociation A17. Which of the following would be the BEST way to provide a website login using existing credentials from a third-party site? ❍ A. Federation Quick Answer: 33 ❍ B. 802.1X ❍ C. PEAP The Details: 55 ❍ D. EAP-FAST 8 Practice Exam A - Questions A18. A system administrator, Daniel, is working on a contract that will specify a minimum required uptime for a set of Internet-facing firewalls. Daniel needs to know how often the firewall hardware is expected to fail between repairs. Which of the following would BEST describe this information? ❍ A. MTBF Quick Answer: 33 ❍ B. RTO ❍ C. MTTR The Details: 56 ❍ D. MTTF A19. An attacker calls into a company’s help desk and pretends to be the director of the company’s manufacturing department. The attacker states that they have forgotten their password and they need to have the password reset quickly for an important meeting. What kind of attack would BEST describe this phone call? ❍ A. Social engineering Quick Answer: 33 ❍ B. Tailgating ❍ C. Watering hole The Details: 57 ❍ D. On-path A20. A security administrator has been using EAP-FAST wireless authentication since the migration from WEP to WPA2. The company’s network team now needs to support additional authentication protocols inside of an encrypted tunnel. Which of the following would meet the network team’s requirements? ❍ A. EAP-TLS Quick Answer: 33 ❍ B. PEAP ❍ C. EAP-TTLS The Details: 58 ❍ D. EAP-MSCHAPv2 Practice Exam A - Questions 9 A21. Which of the following would be commonly provided by a CASB? (Select TWO) ❍ A. List of all internal Windows devices that have Quick not installed the latest security patches Answer: 33 ❍ B. List of applications in use The Details: 59 ❍ C. Centralized log storage facility ❍ D. List of network outages for the previous month ❍ E. Verification of encrypted data transfers ❍ F. VPN connectivity for remote users A22. 
The embedded OS in a company’s time clock appliance is configured to reset the file system and reboot when a file system error occurs. On one of the time clocks, this file system error occurs during the startup process and causes the system to constantly reboot. Which of the following BEST describes this issue? ❍ A. DLL injection Quick Answer: 33 ❍ B. Resource exhaustion ❍ C. Race condition The Details: 60 ❍ D. Weak configuration A23. A recent audit has found that existing password policies do not include any restrictions on password attempts, and users are not required to periodically change their passwords. Which of the following would correct these policy issues? (Select TWO) ❍ A. Password complexity Quick ❍ B. Password expiration Answer: 33 ❍ C. Password history The Details: 61 ❍ D. Password lockout ❍ E. Password recovery 10 Practice Exam A - Questions A24. What kind of security control is associated with a login banner? ❍ A. Preventive Quick Answer: 33 ❍ B. Deterrent ❍ C. Corrective The Details: 62 ❍ D. Detective ❍ E. Compensating ❍ F. Physical A25. A security team has been provided with a non- credentialed vulnerability scan report created by a third- party. Which of the following would they expect to see on this report? ❍ A. A summary of all files with invalid Quick group assignments Answer: 33 ❍ B. A list of all unpatched operating system files The Details: 63 ❍ C. The version of web server software in use ❍ D. A list of local user accounts A26. A business manager is documenting a set of steps for processing orders if the primary Internet connection fails. Which of these would BEST describe these steps? ❍ A. Communication plan Quick ❍ B. Continuity of operations Answer: 33 ❍ C. Stakeholder management The Details: 64 ❍ D. Tabletop exercise A27. A security administrator is concerned about data exfiltration resulting from the use of malicious phone charging stations. Which of the following would be the BEST way to protect against this threat? ❍ A. 
USB data blocker Quick Answer: 33 ❍ B. Personal firewall The Details: 65 ❍ C. MFA ❍ D. FDE Practice Exam A - Questions 11 A28. A company would like to protect the data stored on laptops used in the field. Which of the following would be the BEST choice for this requirement? ❍ A. MAC Quick Answer: 33 ❍ B. SED ❍ C. CASB The Details: 66 ❍ D. SOAR A29. A file server has a full backup performed each Monday at 1 AM. Incremental backups are performed at 1 AM on Tuesday, Wednesday, Thursday, and Friday. The system administrator needs to perform a full recovery of the file server on Thursday afternoon. How many backup sets would be required to complete the recovery? ❍ A. 2 Quick Answer: 33 ❍ B. 3 ❍ C. 4 The Details: 67 ❍ D. 1 A30. A company is creating a security policy that will protect all corporate mobile devices: All mobile devices must be automatically locked after a predefined time period. Some mobile devices will be used by the remote sales teams, so the location of each device needs to be traceable. All of the user’s information should be completely separated from company data. Which of the following would be the BEST way to establish these security policy rules? ❍ A. Containerization Quick ❍ B. Biometrics Answer: 33 ❍ C. COPE The Details: 68 ❍ D. VDI ❍ E. Geofencing ❍ F. MDM 12 Practice Exam A - Questions A31. A security engineer runs a monthly vulnerability scan. The scan doesn’t list any vulnerabilities for Windows servers, but a significant vulnerability was announced last week and none of the servers are patched yet. Which of the following best describes this result? ❍ A. Exploit Quick Answer: 33 ❍ B. Credentialed ❍ C. Zero-day attack The Details: 70 ❍ D. False negative A32. A security administrator is adding additional authentication controls to the existing infrastructure. Which of the following should be added by the security Quick Answer: 33 administrator? (Select TWO) ❍ A. TOTP The Details: 71 ❍ B. Least privilege ❍ C. Role-based awareness training ❍ D. 
Separation of duties ❍ E. Job rotation ❍ F. Smart Card A33. A network administrator would like each user to authenticate with their personal username and password when connecting to the company's wireless network. Which of the following should the network administrator configure on the wireless access points? ❍ A. WPA2-PSK Quick Answer: 33 ❍ B. 802.1X ❍ C. WPS The Details: 72 ❍ D. WPA2-AES Practice Exam A - Questions 13 A34. A security administrator needs to identify all references to a Javascript file in the HTML of a web page. Which of the following tools should be used to view the source of the web page and search through the file for a specific filename? (Select TWO) ❍ A. tail Quick Answer: 33 ❍ B. openssl The Details: 73 ❍ C. scanless ❍ D. grep ❍ E. Nmap ❍ F. curl ❍ G. head A35. A user has assigned individual rights and permissions to a file on their network drive. The user adds three additional individuals to have read-only access to the file. Which of the following would describe this access control model? ❍ A. DAC Quick Answer: 33 ❍ B. MAC The Details: 74 ❍ C. ABAC ❍ D. RBAC A36. A remote user has received a text message requesting login details to the corporate VPN server. Which of the following would BEST describe this message? ❍ A. Brute force Quick ❍ B. Prepending Answer: 33 ❍ C. Typosquatting The Details: 75 ❍ D. Smishing 14 Practice Exam A - Questions A37. A department store policy requires that a floor manager approves each transaction when a gift certificate is used for payment. The security team has found that some of these transactions have been processed without the approval of a manager. Which of the following would provide a separation of duties to enforce this store policy? ❍ A. Use a WAF to monitor all gift certificate Quick transactions Answer: 33 ❍ B. Disable all gift certificate transactions for cashiers ❍ C. Implement a discretionary access control policy The Details: 76 ❍ D. 
Require an approval PIN for the cashier and a separate approval PIN for the manager A38. Which of the following is true of a rainbow table? (Select TWO) ❍ A. The rainbow table is built in real-time Quick during the attack Answer: 33 ❍ B. Rainbow tables are the most effective The Details: 77 online attack type ❍ C. Rainbow tables require significant CPU cycles at attack time ❍ D. Different tables are required for different hashing methods ❍ E. A rainbow table won’t be useful if the passwords are salted A39. A server administrator at a bank has noticed a decrease in the number of visitors to the bank's website. Additional research shows that users are being directed to a different IP address than the bank's web server. Which of the following would MOST likely describe this attack? ❍ A. Disassociation Quick Answer: 33 ❍ B. DDoS ❍ C. Buffer overflow The Details: 78 ❍ D. DNS poisoning Practice Exam A - Questions 15 A40. Which of these cloud deployment models would share resources between a private virtualized data center and externally available cloud services? ❍ A. SaaS Quick Answer: 33 ❍ B. Community ❍ C. Hybrid The Details: 79 ❍ D. Containerization A41. A company hires a large number of seasonal employees, and their system access should normally be disabled when the employee leaves the company. The security administrator would like to verify that their systems cannot be accessed by any of the former employees. Which of the following would be the BEST way to provide this verification? Quick ❍ A. Confirm that no unauthorized accounts have Answer: 33 administrator access The Details: 80 ❍ B. Validate the account lockout policy ❍ C. Validate the processes and procedures for all outgoing employees ❍ D. Create a report that shows all authentications for a 24-hour period A42. A network administrator has installed a new access point, but only a portion of the wireless devices are able to connect to the network. 
Other devices can see the access point, but they are not able to connect even when using the correct wireless settings. Which of the following security features was MOST likely enabled? Quick Answer: 33 ❍ A. MAC filtering ❍ B. SSID broadcast suppression The Details: 81 ❍ C. 802.1X authentication ❍ D. Anti-spoofing 16 Practice Exam A - Questions A43. A security administrator has gathered this information: Proto Recv-Q Send-Q Local Address Foreign Address (state) tcp6 416 0 2601:4c3:4080:82.63976 yv-in-x5e.1e100..https CLOSE_WAIT tcp6 0 0 2601:4c3:4080:82.63908 atl14s80-in-x0a..https ESTABLISHED tcp6 0 0 fe80::4de1:1d4:8.36253 fe80::38b0:a2b1:.1025 ESTABLISHED tcp6 0 0 fe80::4de1:1d4:8.1024 fe80::38b0:a2b1:.1024 ESTABLISHED Which of the following is being used to create this information? Quick ❍ A. tracert Answer: 33 ❍ B. netstat The Details: 82 ❍ C. dig ❍ D. netcat A44. An attacker has discovered a way to disable a server by sending specially crafted packets from many remote devices to the operating system. When the packet is received, the system crashes and must be rebooted to restore normal operations. Which of the following would BEST describe this attack? Quick ❍ A. Privilege escalation Answer: 33 ❍ B. Spoofing The Details: 83 ❍ C. Replay attack ❍ D. DDoS A45. A data breach has occurred in a large insurance company. A security administrator is building new servers and security systems to get all of the financial systems back online. Which part of the incident response process would BEST describe these actions? Quick ❍ A. Lessons learned Answer: 33 ❍ B. Isolation and containment The Details: 84 ❍ C. Reconstitution ❍ D. Precursors Practice Exam A - Questions 17 A46. A manufacturing company has moved an inventory application from their internal systems to a PaaS service. Which of the following would be the BEST way to manage security policies on this new service? ❍ A. DLP Quick Answer: 33 ❍ B. SIEM The Details: 85 ❍ C. IPS ❍ D. CASB A47. 
An organization has identified a significant vulnerability in a firewall that was recently installed for Internet connectivity. The firewall company has stated there are no plans to create a patch for this vulnerability. Which of the following would BEST describe this issue? ❍ A. Lack of vendor support Quick Answer: 33 ❍ B. Improper input handling ❍ C. Improper key management The Details: 86 ❍ D. End-of-life A48. A company has decided to perform a disaster recovery exercise during an annual meeting with the IT directors and senior directors. A simulated disaster will be presented, and the participants will discuss the logistics and processes required to resolve the disaster. Which of the following would BEST describe this exercise? ❍ A. After-action report Quick Answer: 33 ❍ B. Business impact analysis The Details: 87 ❍ C. Alternate business practice ❍ D. Tabletop exercise 18 Practice Exam A - Questions A49. A security administrator needs to identify all computers on the company network infected with a specific malware variant. Which of the following would be the BEST way to identify these systems? ❍ A. Honeynet Quick Answer: 33 ❍ B. Data masking ❍ C. DNS sinkhole The Details: 88 ❍ D. DLP A50. A system administrator has been called to a system that is suspected to have a malware infection. The administrator has removed the device from the network and has disconnected all USB flash drives. Which of these incident response steps is the administrator following? ❍ A. Lessons learned Quick Answer: 33 ❍ B. Containment ❍ C. Detection The Details: 89 ❍ D. Reconstitution A51. How can a company ensure that all data on a mobile device is unrecoverable if the device is lost or stolen? ❍ A. Containerization Quick Answer: 33 ❍ B. Geofencing ❍ C. Screen locks The Details: 90 ❍ D. Remote wipe A52. A security administrator is collecting information associated with a ransomware infection on the company's web servers. 
Which of the following log files would provide information regarding the memory contents of these servers? Quick ❍ A. Web Answer: 33 ❍ B. Packet The Details: 91 ❍ C. Dump ❍ D. DNS Practice Exam A - Questions 19 A53. Which part of the PC startup process verifies the digital signature of the OS kernel? ❍ A. Measured Boot ❍ B. Trusted Boot Quick Answer: 33 ❍ C. Secure Boot ❍ D. POST The Details: 92 A54. Which of these best describes two-factor authentication? ❍ A. A printer uses a password and a PIN ❍ B. The door to a building requires a fingerprint scan Quick Answer: 33 ❍ C. An application requires a TOTP code ❍ D. A Windows Domain requires a username, The Details: 93 password, and smart card A55. A company is deploying a new mobile application to all of its employees in the field. Some of the problems associated with this rollout include: The company does not have a way to manage the mobile devices in the field Company data on mobile devices in the field introduces additional risk Team members have many different kinds of mobile devices Which of the following deployment models would address these concerns? ❍ A. Corporate-owned Quick ❍ B. COPE Answer: 33 ❍ C. VDI The Details: 94 ❍ D. BYOD 20 Practice Exam A - Questions A56. An organization is installing a UPS for their new data center. Which of the following would BEST describe this type of control? ❍ A. Compensating Quick ❍ B. Preventive Answer: 33 ❍ C. Managerial The Details: 95 ❍ D. Detective A57. A manufacturing company would like to track the progress of parts as they are used on an assembly line. Which of the following technologies would be the BEST choice for this task? ❍ A. Quantum computing Quick Answer: 33 ❍ B. Blockchain The Details: 96 ❍ C. Hashing ❍ D. Asymmetric encryption A58. A security administrator has been asked to respond to a potential security breach of the company’s databases, and they need to gather the most volatile data before powering down the database servers. 
In which order should they collect this information?
❍ A. CPU registers, temporary files, memory, remote monitoring data
❍ B. Memory, CPU registers, remote monitoring data, temporary files
❍ C. Memory, CPU registers, temporary files, remote monitoring data
❍ D. CPU registers, memory, temporary files, remote monitoring data
Quick Answer: 33 / The Details: 97

A59. A Linux administrator is downloading an updated version of her Linux distribution. The download site shows a link to the ISO and a SHA256 hash value. Which of these would describe the use of this hash value?
❍ A. Verifies that the file was not corrupted during the file transfer
❍ B. Provides a key for decrypting the ISO after download
❍ C. Authenticates the site as an official ISO distribution site
❍ D. Confirms that the file does not contain any malware
Quick Answer: 33 / The Details: 98

A60. A company's security policy requires that login access should only be available if a person is physically within the same building as the server. Which of the following would be the BEST way to provide this requirement?
❍ A. TOTP
❍ B. Biometric scanner
❍ C. PIN
❍ D. SMS
Quick Answer: 33 / The Details: 99

A61. Your development team has installed a new application and database to a cloud service. After running a vulnerability scanner on the application instance, you find that the database is available for anyone to query without providing any authentication. Which of these vulnerabilities is MOST associated with this issue?
❍ A. Improper error handling
❍ B. Open permissions
❍ C. Race condition
❍ D. Memory leak
Quick Answer: 33 / The Details: 100

A62. Employees of an organization have received an email offering a cash bonus for completing an internal training course. The link in the email requires users to log in with their Windows Domain credentials, but the link appears to be located on an external server. Which of the following would BEST describe this email?
❍ A. Whaling
❍ B. Vishing
❍ C. Smishing
❍ D. Phishing
Quick Answer: 33 / The Details: 101

A63. Which of the following risk management strategies would include the purchase and installation of an NGFW?
❍ A. Transference
❍ B. Mitigation
❍ C. Acceptance
❍ D. Risk-avoidance
Quick Answer: 33 / The Details: 102

A64. Which of the following would be the BEST way to confirm the secure baseline of a deployed application instance?
❍ A. Compare the production application to the sandbox
❍ B. Perform an integrity measurement
❍ C. Compare the production application to the previous version
❍ D. Perform QA testing on the application instance
Quick Answer: 33 / The Details: 103

A65. A member of the accounting team was out of the office for two weeks, and an important financial transfer was delayed until they returned. Which of the following would have prevented this delay?
❍ A. Split knowledge
❍ B. Least privilege
❍ C. Job rotation
❍ D. Dual control
Quick Answer: 33 / The Details: 104

A66. A security analyst has identified a number of sessions from a single IP address with a TTL equal to zero. One of the sessions has a destination of the Internet firewall, and a session immediately after has a destination of your DMZ server. Which of the following BEST describes this log information?
❍ A. Someone is performing a vulnerability scan against the firewall and DMZ server
❍ B. Users are performing DNS lookups
❍ C. A remote user is grabbing banners of the firewall and DMZ server
❍ D. Someone is performing a traceroute to the DMZ server
Quick Answer: 33 / The Details: 105

A67. An attacker has sent more information than expected in a single API call, and this has allowed the execution of arbitrary code. Which of the following would BEST describe this attack?
❍ A. Buffer overflow
❍ B. Replay attack
❍ C. Session hijacking
❍ D. DDoS
Quick Answer: 33 / The Details: 106

A68. A company encourages users to encrypt all of their confidential materials on a central server.
The organization would like to enable key escrow as a backup. Which of these keys should the organization place into escrow?
❍ A. Private
❍ B. CA
❍ C. Session
❍ D. Public
Quick Answer: 33 / The Details: 107

A69. A security administrator is designing an authentication process for a new remote site deployment. They would like the users to provide their credentials when they authenticate in the morning, and they do not want any additional authentication requests to appear during the rest of the day. Which of the following should be used to meet this requirement?
❍ A. TACACS+
❍ B. LDAPS
❍ C. Kerberos
❍ D. 802.1X
Quick Answer: 33 / The Details: 108

A70. A manufacturing company would like to use an existing router to separate a corporate network and a manufacturing floor that use the same physical switch. The company does not want to install any additional hardware. Which of the following would be the BEST choice for this segmentation?
❍ A. Connect the corporate network and the manufacturing floor with a VPN
❍ B. Build an air gapped manufacturing floor network
❍ C. Use personal firewalls on each device
❍ D. Create separate VLANs for the corporate network and the manufacturing floor
Quick Answer: 33 / The Details: 109

A71. When a home user connects to the corporate VPN, they are no longer able to print to their local network printer. Once the user disconnects from the VPN, the printer works normally. Which of the following would be the MOST likely reason for this issue?
❍ A. The VPN uses IPSec instead of SSL
❍ B. Printer traffic is filtered by the VPN client
❍ C. The VPN is stateful
❍ D. The VPN tunnel is configured for full tunnel
Quick Answer: 33 / The Details: 110

A72. A data center manager has built a Faraday cage in the data center, and a set of application servers have been placed into racks inside the Faraday cage.
Which of the following would be the MOST likely reason for the data center manager to install this configuration of equipment?
❍ A. Protect the servers against any unwanted electromagnetic fields
❍ B. Prevent physical access to the servers without the proper credentials
❍ C. Provide additional cooling to all devices in the cage
❍ D. Add additional fire protection for the application servers
Quick Answer: 33 / The Details: 111

A73. A recent report shows the return of a vulnerability that was previously patched four months ago. After researching this issue, the security team has found that a recent patch has reintroduced this vulnerability on the servers. Which of the following should the security administrator implement to prevent this issue from occurring in the future?
❍ A. Templates
❍ B. Elasticity
❍ C. Master image
❍ D. Continuous monitoring
Quick Answer: 33 / The Details: 112

A74. A security manager would like to ensure that unique hashes are used with an application login process. Which of the following would be the BEST way to add random data when generating a set of stored password hashes?
❍ A. Salting
❍ B. Obfuscation
❍ C. Key stretching
❍ D. Digital signature
Quick Answer: 33 / The Details: 113

A75. Which cryptographic method is used to add trust to a digital certificate?
❍ A. X.509
❍ B. Hash
❍ C. Symmetric encryption
❍ D. Digital signature
Quick Answer: 33 / The Details: 114

A76. An MSP is designing a new server room for a large company. Which of the following should be included in the design to provide redundancy? (Select TWO)
❍ A. SIEM
❍ B. Temperature monitors
❍ C. RAID arrays
❍ D. Dual power supplies
❍ E. Hot and cold aisles
❍ F. Biometric locks
Quick Answer: 33 / The Details: 115

A77. An organization maintains a large database of customer information for sales tracking and customer support. Which person in the organization would be responsible for managing the access rights to this data?
❍ A. Data processor
❍ B. Data owner
❍ C. Privacy officer
❍ D. Data custodian
Quick Answer: 33 / The Details: 116

A78. An organization’s content management system (CMS) currently labels files and documents as “Unclassified” and “Restricted.” On a recent update to the CMS, a new classification type of “PII” was added. Which of the following would be the MOST likely reason for this addition?
❍ A. Healthcare system integration
❍ B. Simplified categorization
❍ C. Expanded privacy compliance
❍ D. Decreased search time
Quick Answer: 33 / The Details: 117

A79. A corporate security team would like to consolidate and protect the private keys across all of their web servers. Which of these would be the BEST way to securely store these keys?
❍ A. Use an HSM
❍ B. Implement full disk encryption on the web servers
❍ C. Use a TPM
❍ D. Upgrade the web servers to use a UEFI BIOS
Quick Answer: 33 / The Details: 118

A80. Jennifer is reviewing this security log from her IPS:

ALERT 2018-06-01 13:07:29 [163bcf65118-179b547b] Cross-Site Scripting in JSON Data
222.43.112.74:3332 -> 64.235.145.35:80
URL/index.html - Method POST - Query String "-"
User Agent: curl/7.21.3 (i386-redhat-linux-gnu) libcurl/7.21.3 NSS/3.13.1.0 zlib/1.2.5 libidn/1.19 libssh2/1.2.7
Detail: token="" key="key7" value="alert(2)"

Which of the following can be determined from this log information? (Select TWO)
❍ A. The alert was generated from a malformed User Agent header
❍ B. The alert was generated from an embedded script
❍ C. The attacker’s IP address is 222.43.112.74
❍ D. The attacker’s IP address is 64.235.145.35
❍ E. The alert was generated due to an invalid client port number
Quick Answer: 33 / The Details: 119

A81. Which of the following describes a monetary loss if one event occurs?
❍ A. ALE
❍ B. SLE
❍ C. RTO
❍ D. ARO
Quick Answer: 33 / The Details: 120

A82.
A user with restricted access has typed this text in a search field of an internal web-based application:

USER77' OR '1'='1

After submitting this search request, all of the database records are displayed on the screen. Which of the following would BEST describe this search?
❍ A. CSRF
❍ B. Buffer overflow
❍ C. SQL injection
❍ D. SSL stripping
Quick Answer: 33 / The Details: 121

A83. A user has opened a helpdesk ticket complaining of poor system performance, excessive pop-up messages, and the cursor moving without anyone touching the mouse. This issue began after they opened a spreadsheet from a vendor containing part numbers and pricing information. Which of the following is MOST likely the cause of this user's issues?
❍ A. On-path
❍ B. Worm
❍ C. RAT
❍ D. Logic bomb
Quick Answer: 33 / The Details: 122

A84. A web-based manufacturing company processes monthly charges to credit card information saved in the customer's profile. Which of the following standards would be required to maintain this payment information?
❍ A. GDPR
❍ B. ISO 27001
❍ C. PCI DSS
❍ D. CSA CCM
Quick Answer: 33 / The Details: 123

A85. A security manager has created a report showing intermittent network communication from external IP addresses to certain workstations on the internal network. These traffic patterns occur at random times during the day. Which of the following would be the MOST likely reason for these traffic patterns?
❍ A. ARP poisoning
❍ B. Backdoor
❍ C. Polymorphic virus
❍ D. Trojan horse
Quick Answer: 33 / The Details: 124

A86. The security policies in a manufacturing company prohibit the transmission of customer information. However, a security administrator has received an alert that credit card numbers were transmitted as an email attachment. Which of the following was the MOST likely source of this alert message?
❍ A. IPS
❍ B. DLP
❍ C. SMTP
❍ D. IPsec
Quick Answer: 33 / The Details: 125

A87.
A security administrator has configured a virtual machine in a screened subnet with a guest login account and no password. Which of the following would be the MOST likely reason for this configuration?
❍ A. The server is a honeypot for attracting potential attackers
❍ B. The server is a cloud storage service for remote users
❍ C. The server will be used as a VPN concentrator
❍ D. The server is a development sandbox for third-party programming projects
Quick Answer: 33 / The Details: 126

A88. A company's outgoing email server currently uses SMTP with no encryption. The security administrator would like to implement encryption between email clients without changing the existing server-to-server communication. Which of the following would be the BEST way to implement this requirement?
❍ A. Implement Secure IMAP
❍ B. Require the use of S/MIME
❍ C. Install an SSL certificate on the email server
❍ D. Use a VPN tunnel between email clients
Quick Answer: 33 / The Details: 127

A89. A company would like to securely deploy applications without the overhead of installing a virtual machine for each system. Which of the following would be the BEST way to deploy these applications?
❍ A. Containerization
❍ B. IaaS
❍ C. Proxies
❍ D. CASB
Quick Answer: 33 / The Details: 128

A90. A company has just purchased a new application server, and the security director wants to determine if the system is secure. The system is currently installed in a test environment and will not be available to users until the rollout to production next week. Which of the following would be the BEST way to determine if any part of the system can be exploited?
❍ A. Tabletop exercise
❍ B. Vulnerability scanner
❍ C. Password cracker
❍ D. Penetration test
Quick Answer: 33 / The Details: 129

Practice Exam A Multiple Choice Quick Answers

A6. B
A7. A and C
A8. A
A9. A and D
A10. C
A11. C
A12. A
A13. D
A14. A, E, and G
A15. B
A16. C
A17. A
A18. A
A19. A
A20. C
A21. B and E
A22. C
A23. B and D
A24. B
A25. C
A26. B
A27. A
A28. B
A29. C
A30. F
A31. D
A32. A and F
A33. B
A34. D and F
A35. A
A36. D
A37. D
A38. D and E
A39. D
A40. C
A41. C
A42. A
A43. B
A44. D
A45. C
A46. D
A47. A
A48. D
A49. C
A50. B
A51. D
A52. C
A53. B
A54. D
A55. C
A56. A
A57. B
A58. D
A59. A
A60. B
A61. B
A62. D
A63. B
A64. B
A65. C
A66. D
A67. A
A68. A
A69. C
A70. D
A71. D
A72. A
A73. D
A74. A
A75. D
A76. C and D
A77. D
A78. C
A79. A
A80. B and C
A81. B
A82. C
A83. C
A84. C
A85. B
A86. B
A87. A
A88. B
A89. A
A90. D

Practice Exam A - Answers 33

Practice Exam A Detailed Answers

A1. Match the description with the most accurate attack type. Not all attack types will be used.

Attacker obtains bank account number and birth date by calling the victim: Vishing
Social engineering over the telephone continues to be an effective attack vector, and obtaining personal information such as a bank account number or birth date over a phone call is phishing over voice, or vishing.
More information: SY0-601, Objective 1.1 - Phishing
https://professormesser.link/601010101

Attacker modifies a legitimate DNS server to resolve the IP address of a malicious site: Spoofing
Spoofing happens any time a device pretends to be another device. If a DNS server has been modified to hand out the attacker's IP address for a legitimate name, clients are sent to a server that is spoofing the legitimate site.
More information: SY0-601, Objective 1.4 - DNS Attacks
https://professormesser.link/601010409

Attacker intercepts all communication between a client and a web server: On-path
On-path attacks are quite effective because the attacker can often sit invisibly between two devices and gather useful information or modify the data streams in real time.
More information: SY0-601, Objective 1.4 - On-path Attacks
https://professormesser.link/601010407

Multiple attackers overwhelm a web server: DDoS
A DoS (Denial of Service) occurs when a service is unavailable due to the actions of a third party.
A DDoS (Distributed Denial of Service) occurs when multiple third parties work together to create a service outage.
More information: SY0-601, Objective 1.4 - Denial of Service
https://professormesser.link/601010410

A virus alert appears in your browser from Microsoft with a phone number to call for support: Hoax
A threat that seems real but doesn't actually exist is a hoax. In this example, a fake web site message is trying to convince you that this fake threat is actually a real security issue.
More information: SY0-601, Objective 1.1 - Hoaxes
https://professormesser.link/601010105

A2. The security team at a local public library system is creating a set of minimum security standards for the various computer systems used at the library. Select the BEST security control for each available placeholder. All of the available security controls will be used once.

Location | Description | Security Controls
Library Computer Room | Web Server and Database Server; High security | Locking Cabinets; Environmental Sensors; Video Surveillance
Library Employee Laptops | Offsite use; Contains PII | Full-Disk Encryption; Biometric Reader
Library Lending Systems | Manages the check-in and check-out process | Smart Card
Digital Newspaper Reading Lab | Open area; No supervision; Laptop computers | Cable Lock

Library Computer Room: The security in the computer room requires both physical security and ongoing surveillance. The locking cabinets will secure the physical equipment, and the video surveillance will provide a method to monitor the systems without being physically present. Including an environmental sensor will provide information about the temperature and humidity levels in the computer room.

Library Employee Laptops: Since the laptops are used away from the main location, it's important to protect the data and provide additional authentication options. The storage drives on the laptop should be configured with FDE (full-disk encryption), and a biometric reader on the laptop can ensure that the proper users have access.

Library Lending Systems: The lending library systems are only used inside of the library, and it would be common for employees to always have their identification cards available. When combined with a smart card, these identification cards can be used as a method of authentication for the lending systems.

Digital Newspaper Reading Lab: The reading lab computers are laptops that are used in a public area with no supervision. To prevent these portable systems from becoming too portable, they can be fitted with cable locks while in the reading lab.

More information: SY0-601, Objective 2.7 - Physical Security Controls
https://professormesser.link/601020701

A3. Fill in the blank with the BEST secure network protocol for the description:

HTTPS - Accept customer purchases from your primary website
NTPsec - Synchronize the time across all of your devices
SSH - Access your switch using a CLI terminal screen
SRTP - Talk with customers on scheduled conference calls
SNMPv3 - Gather metrics from routers at remote sites

On today's networks, it's important to maintain confidentiality of data across many different applications. The Security+ exam objectives include a list of secure protocols, and it's useful to know both the insecure and secure versions of each protocol type.
More information: SY0-601, Objective 3.1 - Secure Protocols
https://professormesser.link/601030101

A4. Match the appropriate authentication reference to each description. Each authentication factor or attribute will be used once.
Available factors and attributes: Something you can do; Somewhere you are; Something you have; Something you know; Something you are

Description -> Authentication Factor
During the login process, your phone receives a text message with a one-time passcode -> Something you have
You enter your PIN to make a deposit into an ATM -> Something you know
You must sign a check-in sheet before entering a controlled area -> Something you can do
You can use your fingerprint to unlock the door to the data center -> Something you are
Your login will not work unless you are connected to the VPN -> Somewhere you are

Authentication factors are important to consider when developing applications or designing network infrastructures. It's useful to know each authentication factor and some examples of how that factor can be applied during the authentication process.
More information: SY0-601, Objective 2.4 - Multi-factor Authentication
https://professormesser.link/601020403

A5. Configure the following stateful firewall rules:
• Allow the Web Server to access the Database Server using LDAP
• Allow the Storage Server to transfer files to the Video Server over HTTPS
• Allow the Management Server to use a secure terminal on the File Server

[Network diagram] Internet -- Firewall -- DMZ Switch -- DMZ: File Server 10.1.1.3, Video Server 10.1.1.7, Web Server 10.1.1.2. Firewall -- Internal Switch -- Internal Network: Storage Server 10.2.1.33, Management Server 10.2.1.47, Database Server 10.2.1.20.

Rule # | Source IP | Destination IP | Protocol (TCP/UDP) | Port # | Allow/Block
1 | 10.1.1.2 | 10.2.1.20 | TCP | 389 | Allow
2 | 10.2.1.33 | 10.1.1.7 | TCP | 443 | Allow
3 | 10.2.1.47 | 10.1.1.3 | TCP | 22 | Allow

Creating firewall policies is a foundational skill for any IT security professional. Fortunately, the process is relatively straightforward if each part of the firewall rule is broken down into individual pieces.

Allow the Web Server to access the Database Server using LDAP
The first step is to determine the source and destination of the firewall rule.
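The rule table above is easier to reason about when you watch a firewall apply it. What follows is an added example written for these notes, not code from the book or from any firewall product: a small Python model of a stateful packet filter that loads the three rules as data, matches only the first packet of each flow against them, and then admits later packets of an established flow in either direction from its state table. The hosts, protocols and ports are the ones in the question; the packet sequence in simulate() is constructed for the demonstration, and the ephemeral client ports it uses (51000, 50001, 50500, 50501, 52000, 40000) are assumed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    src: str
    dst: str
    proto: str
    dport: int
    action: str  # "allow" or "block"


# The three rules from the A5 answer table, transcribed as data.
RULES = [
    Rule(1, "10.1.1.2", "10.2.1.20", "TCP", 389, "allow"),  # Web Server -> Database Server (LDAP)
    Rule(2, "10.2.1.33", "10.1.1.7", "TCP", 443, "allow"),  # Storage Server -> Video Server (HTTPS)
    Rule(3, "10.2.1.47", "10.1.1.3", "TCP", 22, "allow"),   # Management Server -> File Server (SSH)
]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the first packet of a new TCP connection


class StatefulFirewall:
    """The first packet of a flow is checked against the rule table; every later
    packet of that flow, in either direction, is matched against the state table."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()  # 5-tuples of flows that a rule has allowed

    def _match_rule(self, pkt):
        for rule in self.rules:
            if (rule.src, rule.dst, rule.proto, rule.dport) == (pkt.src, pkt.dst, pkt.proto, pkt.dport):
                return rule
        return None  # nothing matched: implicit deny

    def process(self, pkt):
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Return traffic of a permitted flow needs no rule of its own.
        if forward in self.state or reverse in self.state:
            return "allow (established)"
        if not pkt.syn:
            # A non-SYN segment with no matching state is a stray or spoofed packet.
            return "block (no state)"
        rule = self._match_rule(pkt)
        if rule is None or rule.action != "allow":
            return "block (implicit deny)"
        self.state.add(forward)
        return f"allow (rule {rule.number})"


def simulate():
    """Run a constructed packet sequence through the rule set and return the decisions."""
    fw = StatefulFirewall(RULES)
    sequence = [  # constructed sample traffic; client ports are assumed values
        ("Web -> DB LDAP, new connection", Packet("TCP", "10.1.1.2", 51000, "10.2.1.20", 389, syn=True)),
        ("DB -> Web LDAP reply", Packet("TCP", "10.2.1.20", 389, "10.1.1.2", 51000)),
        ("Storage -> Video HTTPS, new connection", Packet("TCP", "10.2.1.33", 50001, "10.1.1.7", 443, syn=True)),
        ("Video -> Storage HTTPS reply", Packet("TCP", "10.1.1.7", 443, "10.2.1.33", 50001)),
        ("Video -> Storage, unsolicited new connection", Packet("TCP", "10.1.1.7", 40000, "10.2.1.33", 443, syn=True)),
        ("Web -> DB LDAP, stray ACK with no state", Packet("TCP", "10.1.1.2", 52000, "10.2.1.20", 389)),
        ("Mgmt -> File Server SSH, new connection", Packet("TCP", "10.2.1.47", 50500, "10.1.1.3", 22, syn=True)),
        ("Mgmt -> Web Server SSH, not in the rule set", Packet("TCP", "10.2.1.47", 50501, "10.1.1.2", 22, syn=True)),
    ]
    return [(label, fw.process(pkt)) for label, pkt in sequence]


if __name__ == "__main__":
    for label, decision in simulate():
        print(f"{label:48} -> {decision}")
```

Running the file prints one decision per packet. The fourth, fifth and sixth lines carry the point of the exercise: the Video Server's reply is admitted because the Storage Server's request created state, a fresh connection from the Video Server in the opposite direction is dropped because no rule permits it, and a segment that matches rule 1 but is not the start of a connection is dropped because there is no state for it.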
After referencing the diagram, we can see the source Web Server IP address is 10.1.1.2 and the destination Database Server is 10.2.1.20. This question requires a knowledge of TCP and UDP ports, and knowing that LDAP is TCP/389 provides the next two fields in the firewall rule. Finally, the rule is designed to permit traffic between these two devices, so the disposition is set to Allow. Since this firewall is stateful, the firewall rule allows the first packet in the traffic flow, and any return traffic in the flow will be automatically associated with this rule. A stateful firewall does not require a separate firewall rule for response traffic associated with the original traffic flow.

Allow the Storage Server to transfer files to the Video Server over HTTPS
The Storage Server is 10.2.1.33, and the Video Server is 10.1.1.7. Notice that the traffic flow moves through the firewall in a different direction than the first rule, but these firewall rules are focused on the source and destination of the traffic flow. This rule specifies HTTPS traffic, so TCP/443 will be listed in the firewall rule. And finally, the firewall rule should allow these traffic flows.

Allow the Management Server to use a secure terminal on the File Server
The Management Server IP address is 10.2.1.47, and the File Server is 10.1.1.3. A secure terminal would use the SSH protocol over TCP/22, and the firewall should be configured to allow this traffic.
More information: SY0-601, Objective 3.3 - Firewalls
https://professormesser.link/601030306

A6. You’ve hired a third-party to gather information about your company’s servers and data. The third-party will not have direct access to your internal network but can gather information from any other source. Which of the following would BEST describe this approach?
❍ A. Backdoor testing
❍ B. Passive footprinting
❍ C. OS fingerprinting
❍ D. Partially known environment

The Answer: B.
Passive footprinting
Passive footprinting focuses on learning as much as possible from open sources such as social media, corporate websites, and business organizations, without sending any traffic to the target.

The incorrect answers:
A. Backdoor testing
Some active reconnaissance tests will directly query systems to see if a backdoor has been installed.
C. OS fingerprinting
To fingerprint an operating system, you must actively query and receive responses across the network.
D. Partially known environment
A partially known environment penetration test is a focused approach that usually provides detailed information about specific systems or applications.
More information: SY0-601, Objective 1.8 - Reconnaissance
https://professormesser.link/601010802

A7. Which of these protocols use TLS to provide secure communication? (Select TWO)
❍ A. HTTPS
❍ B. SSH
❍ C. FTPS
❍ D. SNMPv2
❍ E. DNSSEC
❍ F. SRTP

The Answer: A. HTTPS and C. FTPS
TLS (Transport Layer Security) is a cryptographic protocol used to encrypt network communication. HTTPS is the Hypertext Transfer Protocol over TLS, and FTPS is the File Transfer Protocol over TLS. An earlier version of TLS is SSL (Secure Sockets Layer). Although we don’t commonly see SSL in use any longer, you may see TLS communication referenced as SSL.

The incorrect answers:
B. SSH
SSH (Secure Shell) negotiates its own symmetric and asymmetric ciphers within its own transport protocol; it does not use TLS.
D. SNMPv2
SNMPv2 (Simple Network Management Protocol version 2) does not implement TLS, or any encryption, within the network communication.
E. DNSSEC
DNSSEC (DNS security extensions) signs DNS records to provide integrity and origin authentication, but does not provide any confidentiality of data.
F. SRTP
SRTP (Secure Real-time Transport Protocol) is a VoIP (Voice over IP) protocol used for encrypting conversations. SRTP commonly uses AES (Advanced Encryption Standard) for confidentiality.
More information: SY0-601, Objective 3.1 - Secure Protocols
https://professormesser.link/601030101

A8.
Which of these threat actors would be MOST likely to attack systems for direct financial gain?
❍ A. Organized crime
❍ B. Hacktivist
❍ C. Nation state
❍ D. Competitor

The Answer: A. Organized crime
An organized crime actor is motivated by money, and their hacking objectives are usually based around targets that can be easily exchanged for financial capital.

The incorrect answers:
B. Hacktivist
A hacktivist is focused on a political agenda and not commonly on financial gain.
C. Nation state
Nation states are already well funded, and their primary objective is not usually based on revenue or income.
D. Competitor
A competitor doesn’t have any direct financial gain by disrupting a website or stealing customer lists, and often their objective is to disable a competitor’s business or to harm their reputation. If there is a financial gain, it would often be an indirect result of an attack.
More information: SY0-601, Objective 1.5 - Threat Actors
https://professormesser.link/601010501

A9. A security incident has occurred on a file server. Which of the following data sources should be gathered to address file storage volatility? (Select TWO)
❍ A. Partition data
❍ B. Kernel statistics
❍ C. ROM data
❍ D. Temporary file systems
❍ E. Process table

The Answer: A. Partition data and D. Temporary file systems
Both temporary file system data and partition data are part of the file storage subsystem.

The incorrect answers:
B. Kernel statistics
Kernel statistics are stored in memory.
C. ROM data
ROM data is a type of memory storage.
E. Process table
The process table keeps track of system processes, and it stores this information in RAM.
More information: SY0-601, Objective 4.5 - Forensics Data Acquisition
https://professormesser.link/601040502

A10. An IPS at your company has found a sharp increase in traffic from all-in-one printers.
After researching, your security team has found a vulnerability associated with these devices that allows the device to be remotely controlled by a third party. Which category would BEST describe these devices?
❍ A. IoT
❍ B. RTOS
❍ C. MFD
❍ D. SoC

The Answer: C. MFD
An all-in-one printer that can print, scan, and fax is often categorized as an MFD (Multifunction Device).

The incorrect answers:
A. IoT
Wearable technology and home automation devices are commonly called IoT (Internet of Things) devices.
B. RTOS
RTOS (Real-time Operating Systems) are commonly used in manufacturing and automobiles.
D. SoC
Multiple components that run on a single chip are categorized as an SoC (System on a Chip).
More information: SY0-601, Objective 2.6 - Embedded Systems
https://professormesser.link/601020601

A11. Which of the following standards provides information on privacy and managing PII?
❍ A. ISO 31000
❍ B. ISO 27002
❍ C. ISO 27701
❍ D. ISO 27001

The Answer: C. ISO 27701
The ISO (International Organization for Standardization) 27701 standard extends the ISO 27001 and 27002 standards to include detailed management of PII (Personally Identifiable Information) and data privacy.

The incorrect answers:
A. ISO 31000
The ISO 31000 standard sets international standards for risk management practices.
B. ISO 27002
Information security controls are the focus of the ISO 27002 standard.
D. ISO 27001
The ISO 27001 standard is the foundational standard for Information Security Management Systems (ISMS).
More information: SY0-601, Objective 5.2 - Security Frameworks
https://professormesser.link/601050202

A12. Elizabeth, a security administrator, is concerned about the potential for data exfiltration using external storage drives. Which of the following would be the BEST way to prevent this method of data exfiltration?
❍ A. Create an operating system security policy to prevent the use of removable media
❍ B. Monitor removable media usage in host-based firewall logs
❍ C. Only allow applications that do not use removable media
❍ D. Define a removable media block rule in the UTM

The Answer: A. Create an operating system security policy to prevent the use of removable media
Removable media uses hot-pluggable interfaces such as USB to connect storage drives. A security policy in the operating system can prevent any files from being written to a removable drive.

The incorrect answers:
B. Monitor removable media usage in host-based firewall logs
A host-based firewall monitors traffic flows and does not commonly log hardware or USB drive access.
C. Only allow applications that do not use removable media
File storage access options are not associated with applications, so it’s not possible to allow applications based on external storage drive usage.
D. Define a removable media block rule in the UTM
A UTM (Unified Threat Manager) watches traffic flows across the network and does not commonly manage the storage options on individual computers.
More information: SY0-601, Objective 1.5 - Attack Vectors
https://professormesser.link/601010502

A13. A CISO (Chief Information Security Officer) would like to decrease the response time when addressing security incidents. Unfortunately, the company does not have the budget to hire additional security engineers. Which of the following would assist the CISO with this requirement?
❍ A. ISO 27701
❍ B. PKI
❍ C. IaaS
❍ D. SOAR

The Answer: D. SOAR
SOAR (Security Orchestration, Automation, and Response) is designed to make security teams more effective by automating processes and integrating third-party security tools.

The incorrect answers:
A. ISO 27701
The ISO (International Organization for Standardization) 27701 standard focuses on privacy and securing PII.
B. PKI
A PKI (Public Key Infrastructure) describes the processes and procedures associated with maintaining digital certificates.
C.
IaaS
IaaS (Infrastructure as a Service) describes a cloud service that provides the hardware required for deploying application instances and other cloud-based applications.
More information: SY0-601, Objective 4.4 - Security Configurations
https://professormesser.link/601040402

A14. An insurance company has created a set of policies to handle data breaches. The security team has been given this set of requirements based on these policies:
• Access records from all devices must be saved and archived
• Any data access outside of normal working hours must be immediately reported
• Data access must only occur inside of the country
• Access logs and audit reports must be created from a single database
Which of the following should be implemented by the security team to meet these requirements? (Select THREE)
❍ A. Restrict login access by IP address and GPS location
❍ B. Require government-issued identification during the onboarding process
❍ C. Add additional password complexity for accounts that access data
❍ D. Conduct monthly permission auditing
❍ E. Consolidate all logs on a SIEM
❍ F. Archive the encryption keys of all disabled accounts
❍ G. Enable time-of-day restrictions on the authentication server

The Answer: A. Restrict login access by IP address and GPS location, E. Consolidate all logs on a SIEM, and G. Enable time-of-day restrictions on the authentication server
Adding location-based policies will prevent direct data access from outside of the country. Saving log information from all devices and creating audit reports from a single database can be implemented through the use of a SIEM (Security Information and Event Manager). Adding a check for the time of day will report any access that occurs during non-working hours.

The incorrect answers:
B.
Require government-issued identification during the onboarding process
Requiring proper identification is always a good idea, but it’s not one of the listed requirements.
C. Add additional password complexity for accounts that access data
Additional password complexity is another good best practice, but it’s not part of the provided requirements.
D. Conduct monthly permission auditing
No requirements for ongoing auditing were included in the requirements, but ongoing auditing is always an important consideration.
F. Archive the encryption keys of all disabled accounts
If an account is disabled, there may still be encrypted data that needs to be recovered later. Archiving the encryption keys will allow access to that data after the account is no longer in use.
More information: SY0-601, Objective 3.7 - Account Policies
https://professormesser.link/601030703

A15. Rodney, a security engineer, is viewing this record from the firewall logs:

UTC 04/05/2018 03:09:15809 AV Gateway Alert 136.127.92.171 80 -> 10.16.10.14 60818 Gateway Anti-Virus Alert: XPACK.A_7854 (Trojan) blocked.

Which of the following can be observed from this log information?
❍ A. The victim's IP address is 136.127.92.171
❍ B. A download was blocked from a web server
❍ C. A botnet DDoS attack was blocked
❍ D. The Trojan was blocked, but the file was not

The Answer: B. A download was blocked from a web server
This log entry shows a packet sent from port 80 of a web server (136.127.92.171) to an ephemeral client port (60818) on an internal host, which is the direction content takes when a client downloads from a web server. A file download is one of the most common ways to deliver a Trojan, and this log entry shows that the file containing the XPACK.A_7854 Trojan was blocked.

The incorrect answers:
A. The victim’s IP address is 136.127.92.171
The arrow in this log format shows the direction of the traffic, with the source on the left and the destination on the right. The attacker’s web server is 136.127.92.171, and the victim’s IP address is 10.16.10.14.
C.
A botnet DDoS attack was blocked
A botnet attack would not commonly include a Trojan horse as part of a distributed denial of service (DDoS) attack.

D. The Trojan was blocked, but the file was not
A Trojan horse attack involves malware that is disguised as legitimate software. The Trojan malware and the file are the same entity, so there isn’t a way to decouple the malware from the file.

More information:
SY0-601, Objective 4.3 - Log Files
https://professormesser.link/601040303

A16. A user connects to a third-party website and receives this message:

Your connection is not private.
NET::ERR_CERT_INVALID

Which of the following attacks would be the MOST likely reason for this message?

❍ A. Brute force
❍ B. DoS
❍ C. On-path
❍ D. Disassociation

The Answer: C. On-path

An on-path attack is often associated with a third party that is actively intercepting network traffic. This entity in the middle would not be able to provide a valid SSL certificate for a third-party website, and this error would appear in the browser as a warning.

The incorrect answers:
A. Brute force
A brute force attack is commonly associated with password hacks. Brute force attacks would not cause the certificate on a website to be invalid.

B. DoS
A DoS (Denial of Service) attack would prevent communication to a server and most likely provide a timeout error. This error is not related to a service availability issue.

D. Disassociation
Disassociation attacks are commonly associated with wireless networks, and they usually cause disconnects and lack of connectivity. The error message in this example does not appear to be associated with a network outage or disconnection.

More information:
SY0-601, Objective 1.4 - On-Path Attacks
https://professormesser.link/601010407

A17. Which of the following would be the BEST way to provide a website login using existing credentials from a third-party site?

❍ A. Federation
❍ B. 802.1X
❍ C. PEAP
❍ D.
EAP-FAST

The Answer: A. Federation

Federation would allow members of one organization to authenticate using the credentials of another organization.

The incorrect answers:
B. 802.1X
802.1X is a useful authentication protocol, but it needs additional functionality to authenticate across multiple user databases.

C. PEAP
PEAP (Protected Extensible Authentication Protocol) provides a method of authentication over a protected TLS (Transport Layer Security) tunnel, but it doesn’t provide the federation needed for these requirements.

D. EAP-FAST
EAP-FAST (Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling) is an updated version of LEAP (Lightweight EAP) that was commonly used after WEP (Wired Equivalent Privacy) was replaced with WPA (Wi-Fi Protected Access).

More information:
SY0-601, Objective 2.4 - Authentication Methods
https://professormesser.link/601020401

A18. A system administrator, Daniel, is working on a contract that will specify a minimum required uptime for a set of Internet-facing firewalls. Daniel needs to know how often the firewall hardware is expected to fail between repairs. Which of the following would BEST describe this information?

❍ A. MTBF
❍ B. RTO
❍ C. MTTR
❍ D. MTTF

The Answer: A. MTBF

The MTBF (Mean Time Between Failures) is a prediction of how often a repairable system will fail.

The incorrect answers:
B. RTO
RTO (Recovery Time Objectives) define a set of objectives needed to restore a particular service level.

C. MTTR
MTTR (Mean Time to Restore) is the amount of time it takes to repair a component.

D. MTTF
MTTF (Mean Time to Failure) is the expected lifetime of a non-repairable product or system.

More information:
SY0-601, Objective 5.4 - Business Impact Analysis
https://professormesser.link/601050403

A19. An attacker calls into a company’s help desk and pretends to be the director of the company’s manufacturing department.
The attacker states that they have forgotten their password and they need to have the password reset quickly for an important meeting. What kind of attack would BEST describe this phone call?

❍ A. Social engineering
❍ B. Tailgating
❍ C. Watering hole
❍ D. On-path

The Answer: A. Social engineering

A social engineering attack takes advantage of authority and urgency principles in an effort to convince someone else to circumvent normal security controls.

The incorrect answers:
B. Tailgating
A tailgating attack follows someone else with proper credentials through a door. This allows the attacker to gain access to an area that’s normally locked.

C. Watering hole
A watering hole attack uses a third-party site to perform attacks outside of a user's local (and usually more secure) network.

D. On-path
An on-path attack commonly occurs without the knowledge of the parties involved, and there’s usually no additional notification that an attack is underway. In this question, the attacker contacted the help desk engineer directly.

More information:
SY0-601, Objective 1.1 - Principles of Social Engineering
https://professormesser.link/601010110

A20. A security administrator has been using EAP-FAST wireless authentication since the migration from WEP to WPA2. The company’s network team now needs to support additional authentication protocols inside of an encrypted tunnel. Which of the following would meet the network team’s requirements?

❍ A. EAP-TLS
❍ B. PEAP
❍ C. EAP-TTLS
❍ D. EAP-MSCHAPv2

The Answer: C. EAP-TTLS

EAP-TTLS (Extensible Authentication Protocol - Tunneled Transport Layer Security) allows the use of multiple authentication protocols transported inside of an encrypted TLS (Transport Layer Security) tunnel. This allows the use of any authentication while maintaining confidentiality with TLS.

The incorrect answers:
A. EAP-TLS
EAP-TLS does not provide a mechanism for using multiple authentication types within a TLS tunnel.

B.
PEAP
PEAP (Protected Extensible Authentication Protocol) encapsulates EAP within a TLS tunnel, but does not provide a method of encapsulating