The document describes a book titled "CompTIA Security+ SY0-601 Practice Tests 2020" published by Examsdigest LLC. It contains 5 chapters of practice questions and answers to help readers prepare for the CompTIA Security+ certification exam. The introduction provides exam details and recommendations for using the book effectively as a study guide.

Uploaded by

fatme
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
49 views

(FreeCourseWeb - Com) B08HHSY83JEBOK

The document describes a book titled "CompTIA Security+ SY0-601 Practice Tests 2020" published by Examsdigest LLC. It contains 5 chapters of practice questions and answers to help readers prepare for the CompTIA Security+ certification exam. The introduction provides exam details and recommendations for using the book effectively as a study guide.

Uploaded by

fatme
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 273

by Examsdigest®

CompTIA Security+ SY0-601 Practice Tests 2020®
Published by: Examsdigest LLC., Holzmarktstraße 73, Berlin, Germany,
www.examsdigest.com Copyright © 2020 by Examsdigest LLC.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, Examsdigest, LLC., Holzmarktstraße 73, Berlin, Germany or online at https://www.examsdigest.com/contact.

Trademarks: Examsdigest, examsdigest.com and related trade dress are trademarks or registered trademarks of Examsdigest LLC. and may not be used without written permission. Amazon is a registered trademark of Amazon, Inc. All other trademarks are the property of their respective owners. Examsdigest, LLC. is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE.

Examsdigest publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may find this material at https://examsdigest.com

CONTENTS AT A GLANCE

Contents at a glance .................................................................4
Introduction .................................................................................5
Chapter 1 Architecture and Design .......................................10
Questions 1-35 ............................................................................10
Answers 1-35 ...............................................................................24
Chapter 2 Attacks, Threats, and Vulnerabilities ...............85
Questions 36-71 .........................................................................85
Answers 36-71 ............................................................................99
Chapter 3 Implementation ......................................................157
Questions 72-106.......................................................................157
Answers 72-106..........................................................................171
Chapter 4 Operations and Incident Response .................235
Questions 107-116 ......................................................................235
Answers 107-116 .........................................................................239
Chapter 5 Governance, Risk and Compliance .................253
Questions 117-125 ......................................................................253
Answers 117-125 .........................................................................257
THE END ......................................................................................272

INTRODUCTION
The CompTIA Security+ SY0-601 examination is a global certification that validates the baseline skills you need to perform core security functions and pursue an IT security career.

About This Book

CompTIA Security+ SY0-601 Practice Tests 2020 by Examsdigest is designed to be a practical practice exam guide that will help you prepare for the CompTIA Security+ SY0-601 exam. It includes 125 questions, organized by exam domain, so that you can prepare for the final exam.

This book has been designed to help you prepare for the style of questions you will receive on the CompTIA Security+ SY0-601 exam. It also helps you understand the topics you can expect to be tested on in each domain.

In order to properly prepare for the CompTIA Security+ SY0-601, I recommend that you:

✓ Review a reference book: CompTIA Security+ SY0-601 by Examsdigest is designed to give you sample questions to help you prepare for the style of questions you will receive on the real certification exam. However, it is not a reference book that teaches the concepts in detail. That said, I recommend that you review a reference book before attacking these questions so that the theory is fresh in your mind.

✓ Get some practical, hands-on experience: After you review the theory, I highly recommend getting hands-on with tools such as Packet Tracer or GNS3. Also use the command-line tools of your OS to get a better understanding of ping, tracert, netstat and other commands. The more hands-on experience you have, the easier the exam will be.

✓ Do practice test questions: After you review a reference book and perform some hands-on work, attack the questions in this book to get "exam ready"! Also claim your free 1-month access to our platform to dive into more questions, flashcards and much more.

Beyond The Book

This book gives you plenty of CompTIA Security+ SY0-601 questions to work on, but maybe you want to track your progress as you tackle the questions, or maybe you're having trouble with certain types of questions and wish they were all presented in one place where you could methodically make your way through them. You're in luck. Your book purchase comes with a free one-month subscription to all practice questions online and more. You get on-the-go access any way you want it — from your computer, smartphone, or tablet. Track your progress and view personalized reports that show where you need to study the most. Study what, where, when, and how you want!

What you’ll find online

The online practice that comes free with this book offers you
the same questions and answers that are available here and
more.

The beauty of the online questions is that you can customize your online practice to focus on the topic areas that give you the most trouble.

So if you need help with a particular domain, say Attacks, Threats, and Vulnerabilities, then select questions related to that topic online and start practicing.

Whether you practice a few hundred problems in one sitting or a couple dozen, and whether you focus on a few types of problems or practice every type, the online program keeps track of the questions you get right and wrong so that you can monitor your progress and spend time studying exactly what you need.

You can access these online tools by sending an email to [email protected] to claim access on our platform. Once we confirm the purchase you can enjoy your free access.

CompTIA Security+ SY0-601 Exam Details

✓ Format - Multiple choice, multiple answer and performance-based
✓ Type - Associate
✓ Delivery Method - Testing center or online proctored exam
✓ Time - 90 minutes to complete the exam
✓ Cost - $349
✓ Language - Available in English, Japanese

Exam Content

Content Outline
The CompTIA Security+ certification exam will verify the successful candidate has the knowledge and skills required to:
• Assess the security posture of an enterprise environment and recommend and implement appropriate security solutions
• Monitor and secure hybrid environments, including cloud, mobile, and IoT
• Operate with an awareness of applicable laws and policies, including principles of governance, risk, and compliance
• Identify, analyze, and respond to security events and incidents

The table below lists the domains measured by this examination and the extent to which they are represented:

1.0: Attacks, Threats, and Vulnerabilities (24%)
2.0: Architecture and Design (21%)
3.0: Implementation (25%)
4.0: Operations and Incident Response (16%)
5.0: Governance, Risk, and Compliance (14%)

CHAPTER 1
ARCHITECTURE AND DESIGN

Questions 1-35

Question 1. You have been hired by a company to identify and document all aspects of an asset's configurations in order to create a secure template against which all subsequent configurations will be measured. What type of configuration management will you implement?
(A) Standard naming conventions
(B) Internet protocol (IP) schema
(C) Configuration template
(D) Baseline configurations

Question 2. Which of the following processes is designed to trigger automatic code integration into the main code base instead of developing in isolation and then integrating at the end of the development cycle?
(A) Continuous integration
(B) Continuous delivery
(C) Continuous monitoring
(D) Continuous deployment

Question 3. Authentication, ______________, and Accounting is the term for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services.
(A) Controlling
(B) Authorization
(C) Auditing
(D) Enforcing

Question 4. A company hired you as a security expert. You have been tasked to implement a solution to deceive and attract hackers who attempt to gain unauthorized access to their network, in order to gain information about how they operate. Which of the following techniques will you implement to meet this requirement as cost-effectively as possible?
(A) Honeyfile
(B) Honeypots
(C) DNS Sinkholing
(D) Honeynet

Question 5. What type of architecture do developers use to build and run applications and services without having to manage infrastructure?
(A) Software-Defined Networking
(B) Serverless
(C) Software-Defined visibility
(D) Transit gateway

Question 6. Your company, due to a strict budget, is migrating to the cloud. The primary reason is to avoid spending money on purchasing hardware and time on maintaining it. The company needs to pay only for the cloud computing resources it uses. Which of the following cloud computing architectures will your company use to deploy the cloud services?
(A) Public Cloud
(B) Private Cloud
(C) Hybrid Cloud
(D) Community Cloud

Question 7. The developers of your company are thinking of switching the development process to the cloud, so they don't need to start from scratch when creating applications, with the purpose of saving a lot of time and money on writing code. Which of the following cloud service models will the developers use to create unique, customizable software on the cloud?
(A) PaaS
(B) IaaS
(C) XaaS
(D) SaaS

Question 8. Which of the following companies is not a cloud service provider?
(A) Amazon Web Services
(B) Microsoft Azure
(C) Examsdigest
(D) Google Cloud Platform

Question 9. You are developing a new system that requires users to be authenticated using a temporary passcode which is generated by an algorithm that uses the current time of day. Which of the following authentication methods will you use to authenticate the users?
(A) HOTP
(B) SMS
(C) Push notifications
(D) TOTP

Question 10. Version _______________ keeps track of every modification to the code in a special kind of database. If a mistake is made, you can turn back the clock and compare earlier versions of the code to help fix the mistake.
(A) Scalability
(B) Elasticity
(C) Control
(D) Compiler
Question 11. You are working for a client as a web developer and your client asked you to check the new update of the app without making the update live for the users. In which environment will you push the update so your client can look it over in a stable format before it gets pushed to the users?
(A) Development
(B) Quality Assurance
(C) Production
(D) Staging

Question 12. The solution to the problem of how to get software to run reliably when moved from one computing environment to another is known as:
(A) Containers
(B) Microservice
(C) API
(D) Thin Client

Question 13. A decentralized computing infrastructure in which data, compute, storage, and applications are located between the data source and the cloud is called _________________ computing. In this environment, intelligence is at the local area network (LAN) and data is transmitted from endpoints only.
(A) Fog
(B) Edge
(C) Distributed
(D) Cloud

Question 14. Which of the following types of disaster recovery sites doesn't have any pre-installed equipment, and takes a lot of time to set up properly before business operations can fully resume?
(A) Cold Site
(B) Hot Site
(C) Normal Site
(D) Warm Site

Question 15. The security process that relies on unique traits of an individual, such as retinas, irises, voices, facial characteristics, and fingerprints, to verify that he is who he says he is, is called:
(A) Trait authentication
(B) Characteristics authentication
(C) Personalized authentication
(D) Biometric authentication

Question 16. Which of the following options is a network architecture approach that enables the network to be intelligently and centrally controlled, or programmed using software applications, and helps operators manage the entire network consistently, regardless of the underlying network technology?
(A) Serverless
(B) Transit gateway
(C) SDN
(D) SDV

Question 17. Your organization is working with a contractor to build a database. You need to find a way to hide the actual data from being exposed to the contractor. Which of the following techniques will you use in order to allow the contractor to test the database environment without having access to actual sensitive customer information?
(A) Data Masking
(B) Tokenization
(C) Encryption
(D) Data at rest

Question 18. The software that monitors user activity and automatically prevents malware between cloud service users and cloud applications is known as:
(A) Cloud access security broker
(B) Hashing
(C) Hardware security modules
(D) SSL/TLS inspection
Question 19. A managed service provider (MSP) is a company
that remotely manages a customer’s IT infrastructure and/or
end-user systems, typically on a proactive basis and under a
subscription model.
(A) TRUE
(B) FALSE

Question 20. Which of the following types of disaster recovery sites allows a company to continue normal business operations within a very short period of time after a disaster?
(A) Warm Site
(B) Hot Site
(C) Cold Site
(D) Normal Site

Question 21. Recently the physical network adapter card in your company's server broke. As a result, your co-workers couldn't access important resources for hours. You have been instructed to implement a solution to prevent this from happening again in the event of a network adapter failure. Which of the following solutions will you implement to meet the requirement?
(A) NIC teaming
(B) UPS
(C) PDU
(D) Power generator

Question 22. Which of the following cryptographic techniques will you use to validate the authenticity and integrity of a message or digital document?
(A) Key stretching
(B) Digital signatures
(C) Salting
(D) Hashing

Question 23. Which of the following products use the Software as a Service cloud model? (Choose all that apply.)
(A) Google Apps
(B) Dropbox
(C) Google Compute Engine
(D) Mailchimp
(E) AWS EC2
(F) Slack

Question 24. You are working for a startup and recently the application you are developing experienced a large amount of traffic. As a result, the performance of the application decreased. You have been instructed to implement a solution to efficiently distribute incoming network traffic across a group of backend servers to increase the performance of the app. Which of the following solutions will you implement to meet the requirement?
(A) Load balancers
(B) Network interface card teaming
(C) Multipath
(D) Redundant array of inexpensive disks

Question 25. You have been instructed to connect a storage device that allows storage and retrieval of data from a central location for authorized network users and varied clients. Which of the following storage types will you use to meet the requirement?
(A) Storage area network
(B) Tape storage
(C) Network-attached storage
(D) Disk storage

Question 26. Continuous ______________ is a software development method that releases or deploys software automatically into the production environment. In this model, no one manually checks the code and pushes it into your app.
(A) Integration
(B) Deployment
(C) Monitoring
(D) Delivery
Question 27. Which of the following options allows your application to interact with an external service using a simple set of commands rather than having to create complex processes yourself?
(A) Thin Client
(B) API
(C) Microservice
(D) Containers

Question 28. Cloud backup is a strategy for sending a copy of files or a database to a secondary server, usually hosted by a third-party service provider, for preservation in case of equipment failure or catastrophe. (True/False)
(A) TRUE
(B) FALSE

Question 29. Asymmetric encryption uses a single key that needs to be shared among the people who need to receive the message, while symmetric encryption uses a pair of a public key and a private key to encrypt and decrypt messages when communicating. (True/False)
(A) TRUE
(B) FALSE

Question 30. Which of the following technique will you use to
hide secret data within a non-secret file or message with the
purpose of avoiding data detection?
(A) Elliptical curve cryptography
(B) Homomorphic encryption
(C) Lightweight cryptography
(D) Steganography

Question 31. You have been tasked to find a way to transform a plain-text sensitive file into a non-readable form and send it over the web. Which of the following techniques will you use so that the file can be sent over the web and only authorized parties can understand the information?
(A) Encryption
(B) Data masking
(C) Tokenization
(D) Data at rest

Question 32. Which of the following backup types only backs up the data that has changed since the previous backup?
(A) Full backup
(B) Incremental backup
(C) Differential backup
(D) Snapshot backup

Question 33. Which of the following part(s) of Authentication, Authorization, and Accounting (AAA) is responsible for measuring the resources a user consumes during access to a system?
(A) Accounting
(B) Authorization
(C) Authentication
(D) Authentication & Authorization

Question 34. Which of the following actions should be taken to increase the security of SCADA networks? (Choose all that apply.)
(A) Identify all connections to SCADA networks
(B) Disconnect unnecessary connections to the SCADA network
(C) Enable unnecessary services
(D) Implement internal and external intrusion detection systems
(E) Conduct physical security surveys and assess all remote sites connected to the SCADA network

Question 35. Your company migrates its infrastructure to the public cloud because of the advantages the cloud offers. Which of the following options are considered advantages of using public cloud services? (Choose all that apply.)
(A) Lower costs
(B) No maintenance
(C) Full control
(D) Near-unlimited scalability
(E) High reliability
(F) Secure data

Answers 1-35

Question 1. You have been hired by a company to identify and document all aspects of an asset's configurations in order to create a secure template against which all subsequent configurations will be measured. What type of configuration management will you implement?
(A) Standard naming conventions
(B) Internet protocol (IP) schema
(C) Configuration template
(D) Baseline configurations

Explanation 1. Baseline configurations is the correct answer. Baseline configuration is the process of identifying and documenting all aspects of an asset's configurations to create a secure template against which all subsequent configurations are measured. Change control then builds on the baseline: it monitors for changes and compares each change against the established baseline.

Standard naming conventions is incorrect. A naming convention is a convention for naming things.

Examples of naming conventions may include:

1. Children's names may be alphabetical by birth order.
2. School courses: an abbreviation for the subject area and then a number ordered by increasing level of difficulty.

Internet protocol (IP) schema is incorrect. An IP addressing scheme is a requirement for communications in a computer network. With an addressing scheme, packets are forwarded from one location to another.

Configuration template is incorrect. "Configuration template" is a fictitious configuration management implementation.
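A baseline is only useful if something regularly measures hosts against it. The following Python, an added example rather than the book's own material, shows that measurement: it parses a constructed sshd_config-style sample, diffs it against a constructed baseline, classifies drift as changed, missing or unexpected settings, and fingerprints the baseline so the template itself can be placed under change control. The host name, setting names and values are assumptions for illustration only.

```python
# Added example (not from the book): comparing a host's current configuration
# against a documented baseline and reporting drift. The baseline and the
# "current" settings are constructed sample data (sshd_config-style key/value lines).
import hashlib
import json

# Constructed baseline: the documented, approved values for a Linux host.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
}

# Constructed sample of what an auditor pulled from the host today.
CURRENT_SSHD_CONFIG = """\
# sshd_config on host web-01 (constructed sample)
PermitRootLogin yes
PasswordAuthentication no
Protocol 2
MaxAuthTries 3
AllowTcpForwarding yes
"""


def parse_kv_config(text: str) -> dict:
    """Parse 'Key value' lines, skipping blanks and comments (sshd_config style)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def baseline_fingerprint(baseline: dict) -> str:
    """Stable SHA-256 over the baseline so the template itself can be change-controlled."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def diff_against_baseline(baseline: dict, current: dict) -> dict:
    """Classify drift: values that changed, settings the baseline requires but the host
    lacks, and settings present on the host that the baseline never approved."""
    changed = {k: (baseline[k], current[k])
               for k in baseline if k in current and current[k] != baseline[k]}
    missing = sorted(k for k in baseline if k not in current)
    unexpected = sorted(k for k in current if k not in baseline)
    return {
        "changed": changed,
        "missing": missing,
        "unexpected": unexpected,
        "compliant": not (changed or missing or unexpected),
    }


if __name__ == "__main__":
    report = diff_against_baseline(BASELINE, parse_kv_config(CURRENT_SSHD_CONFIG))
    print("baseline fingerprint:", baseline_fingerprint(BASELINE))
    print(json.dumps(report, indent=2))
```

On the sample above the report flags PermitRootLogin as changed from no to yes, X11Forwarding as missing, and AllowTcpForwarding as an unexpected addition; an empty report with `compliant: true` is the condition a change-control process should demand before a host is signed off.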

Question 2. Which of the following processes is designed to trigger automatic code integration into the main code base instead of developing in isolation and then integrating at the end of the development cycle?
(A) Continuous integration
(B) Continuous delivery
(C) Continuous monitoring
(D) Continuous deployment

Explanation 2. Continuous integration is the correct answer. Continuous Integration (CI) is a development practice where developers integrate code into a shared repository frequently, preferably several times a day.

Each integration can then be verified by an automated build and automated tests. While automated testing is not strictly part of CI it is typically implied.

Continuous integration is designed to trigger automatic code integration into the main code base instead of developing in isolation and then integrating at the end of the development cycle.

Continuous deployment is incorrect. Continuous deployment is a software development method that releases or deploys software automatically into the production environment. In this model, no one manually checks the code and pushes it into your app.

Obviously, you have to know whether or not the code being deployed is free from bugs and errors before it's in the hands of end users — your customers. But this, too, can be done by software. Code is automatically tested for issues, and if none are found, then the code is deployed.

Continuous monitoring is incorrect. Continuous monitoring provides security and operations analysts with real-time feedback on the overall health of IT infrastructure, including networks and applications deployed in the cloud.

The goal of continuous monitoring is to increase the visibility and transparency of network activity, especially suspicious network activity that could indicate a security breach, and to mitigate the risk of cyber attacks with a timely alert system that triggers a rapid incident response.

Continuous delivery is incorrect. Continuous delivery is an ongoing DevOps practice of building, testing, and delivering improvements to software code and user environments with the help of automated tools. The key outcome of the continuous delivery (CD) paradigm is code that is always in a deployable state.

Question 3. Authentication, ______________, and Accounting is the term for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services.
(A) Controlling
(B) Authorization
(C) Auditing
(D) Enforcing

Explanation 3. Authorization is the correct answer. Authentication, Authorization and Accounting is the term for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services.

As the first process, authentication provides a way of identifying a user, typically by having the user enter a valid user name and valid password before access is granted.

Following authentication, a user must gain authorization for doing certain tasks. After logging into a system, for instance, the user may try to issue commands. The authorization process determines whether the user has the authority to issue such commands.

The final plank in the AAA framework is accounting, which measures the resources a user consumes during access. This can include the amount of system time or the amount of data a user has sent and/or received during a session.
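To make the three steps concrete, here is an added Python example (not from the book) that runs a request through authentication, authorization and accounting in turn. The users, roles, commands and the in-memory accounting log are constructed sample data. Passwords are stored as salted PBKDF2 hashes and compared in constant time, authorization is default-deny by role, and every decision, including failed logins and denied commands, is written to the accounting log with the amount of data the request produced.

```python
# Added example (not from the book): the three AAA steps as one request pipeline.
# Users, roles and the accounting log are constructed sample data; the password
# store holds salted PBKDF2 hashes, never plaintext.
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 200_000


def make_password_record(password: str) -> dict:
    """Authentication store entry: random salt + PBKDF2-HMAC-SHA256 hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


# Constructed users (authentication store) and role policy (authorization table).
USERS = {
    "alice": {**make_password_record("correct horse battery staple"), "role": "operator"},
    "bob":   {**make_password_record("hunter2"), "role": "viewer"},
}
ROLE_PERMISSIONS = {
    "viewer":   {"show"},
    "operator": {"show", "restart"},
}
ACCOUNTING_LOG = []   # list of dicts: what was done, by whom, and what it consumed


def authenticate(username: str, password: str) -> bool:
    """Step 1: prove identity. Constant-time compare; an unknown user still costs
    one PBKDF2 computation so response time does not reveal valid usernames."""
    record = USERS.get(username, {"salt": b"\x00" * 16, "hash": b"\x00" * 32})
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return username in USERS and hmac.compare_digest(digest, record["hash"])


def authorize(username: str, command: str) -> bool:
    """Step 2: is this identity allowed to run this command? Default deny."""
    role = USERS.get(username, {}).get("role")
    return command in ROLE_PERMISSIONS.get(role, set())


def account(username: str, command: str, outcome: str, bytes_out: int) -> None:
    """Step 3: record the decision and resource usage for audit and billing."""
    ACCOUNTING_LOG.append({"ts": time.time(), "user": username, "command": command,
                           "outcome": outcome, "bytes_out": bytes_out})


def handle_request(username: str, password: str, command: str) -> str:
    """Run a request through all three A's; every outcome is accounted for."""
    if not authenticate(username, password):
        account(username, command, "auth_failed", 0)
        return "auth_failed"
    if not authorize(username, command):
        account(username, command, "denied", 0)
        return "denied"
    payload = f"{command} executed for {username}"   # stand-in for the real work
    account(username, command, "ok", len(payload))
    return "ok"


if __name__ == "__main__":
    for user, pw, cmd in [("alice", "correct horse battery staple", "restart"),
                          ("bob", "hunter2", "restart"),
                          ("bob", "wrong", "show")]:
        print(user, cmd, "->", handle_request(user, pw, cmd))
    for entry in ACCOUNTING_LOG:
        print(entry)
```

The accounting step is deliberately called on every path, not just on success: a log that records only completed commands cannot answer "who kept guessing bob's password last night", which is exactly the question auditing usage is meant to answer.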

Question 4. A company hired you as a security expert. You have been tasked to implement a solution to deceive and attract hackers who attempt to gain unauthorized access to their network, in order to gain information about how they operate.

Which of the following techniques will you implement to meet this requirement as cost-effectively as possible?
(A) Honeyfile
(B) Honeypots
(C) DNS Sinkholing
(D) Honeynet

Explanation 4. Honeypots is the correct answer. A honeypot is essentially bait (passwords, vulnerabilities, fake sensitive data) that's intentionally made very tempting and accessible. The goal is to deceive and attract a hacker who attempts to gain unauthorized access to your network. The honeypot is in turn being monitored by IT security. Anyone caught dipping their paws into the honeypot is often assumed to be an intruder.

It can be used to detect attacks or deflect them from a legitimate target. It can also be used to gain information about how cybercriminals operate.

Honeyfile is incorrect. A honeyfile is a fake file located on a network file share. Honeyfiles are designed to detect attackers who are accessing and potentially removing data from your network. Attackers will often find a file share on a network, zip the contents of the share into a folder, and dump the data for offline analysis.

DNS Sinkholing is incorrect. A DNS sinkhole (or black hole DNS) is a resolver configured to answer queries for specified domain names with a false address instead of the real one. This is achieved by configuring the DNS forwarder to return a false IP address for a specific domain.

DNS sinkholing can be used to prevent access to malicious domains at the enterprise level. The malicious domains are blocked by adding a false entry in the DNS, which provides a second level of protection.

Honeynet could be considered correct, but the question asks for the most cost-effective solution, so it is incorrect. A honeynet is a decoy network that contains one or more honeypots. It looks like a real network and contains multiple systems but is hosted on one or only a few servers, each representing one environment.
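The sinkhole decision described above, as an added Python example that is not part of the book: queries for a listed domain or any of its subdomains are answered with an address under your control and raised as alerts, and everything else passes through to the normal answer. The block list, sinkhole address, upstream answers and client queries are constructed sample data; the sinkhole address is assumed to be an internal host that logs and drops whatever connects to it.

```python
# Added example (not from the book): the decision logic of a DNS sinkhole.
# Queries for domains on the block list (or any of their subdomains) are answered
# with an address under your control and logged, so the client never reaches the
# malicious host and the attempt itself becomes a detection. The block list,
# sinkhole address, upstream answers and query log are constructed sample data.

SINKHOLE_IP = "10.13.37.1"                                   # assumed internal logging host
BLOCKLIST = {"evil-updates.example", "c2.badactor.example"}  # constructed domains
PASSTHROUGH_ANSWERS = {                                      # stand-in for upstream resolution
    "www.example.com": "93.184.216.34",
    "mail.example.org": "198.51.100.25",
}


def is_sinkholed(qname: str) -> bool:
    """True if qname equals a blocked domain or is a subdomain of one.
    Matching is on whole DNS labels, so 'notevil-updates.example' is not blocked
    by the entry 'evil-updates.example'."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def resolve(qname: str, client_ip: str, alerts: list) -> str:
    """Return the answer a client would receive; sinkholed queries append an alert line."""
    if is_sinkholed(qname):
        alerts.append(f"SINKHOLE client={client_ip} qname={qname} answer={SINKHOLE_IP}")
        return SINKHOLE_IP
    return PASSTHROUGH_ANSWERS.get(qname.lower().rstrip("."), "NXDOMAIN")


# Constructed query log: (client address, queried name)
SAMPLE_QUERIES = [
    ("192.168.1.20", "www.example.com"),
    ("192.168.1.20", "beacon.c2.badactor.example"),
    ("192.168.1.31", "evil-updates.example."),
    ("192.168.1.31", "notevil-updates.example"),
]


def run_sample() -> list:
    """Resolve every sample query and return the alerts the sinkhole raised."""
    alerts = []
    for client, name in SAMPLE_QUERIES:
        print(f"{client} {name} -> {resolve(name, client, alerts)}")
    return alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Two details matter in practice and are both visible here: matching must be on whole labels (suffix string matching would block look-alike names and miss nothing useful), and the alert records the client that asked, because a sinkholed lookup from a workstation is the indicator that it is infected, independent of whether the connection was ever made.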

Question 5. What type of architecture do developers use to build and run applications and services without having to manage infrastructure?
(A) Software-Defined Networking
(B) Serverless
(C) Software-Defined visibility
(D) Transit gateway

Explanation 5. Serverless is the correct answer. Serverless architecture is a way to build and run applications and services without having to manage infrastructure. Your application still runs on servers, but all the server management is done by the cloud provider (AWS, for example). You no longer have to provision, scale, and maintain servers to run your applications, databases, and storage systems.

Software-Defined Networking (SDN) is incorrect. SDN is a network architecture approach that enables the network to be intelligently and centrally controlled, or 'programmed,' using software applications. This helps operators manage the entire network consistently and holistically, regardless of the underlying network technology.

Software-Defined Visibility (SDV) is incorrect. Software-Defined Visibility is a framework that allows users to control and program Gigamon's Visibility Fabric via REST-based Application Program Interfaces (APIs).

By writing programs that utilize Gigamon's APIs, critical functions previously requiring manual intervention can be automated to improve responsiveness, enhance analysis and increase the protection of key resources and information assets. With Software-Defined Visibility, your staff can develop programs to automate Policy Management, simplify Provisioning and Ticketing, and improve Security.

Transit gateway is incorrect. A transit gateway is a network transit hub that you can use to interconnect your virtual private clouds (VPC) and on-premises networks.

Question 6. Your company, due to a strict budget, is migrating to the cloud. The primary reason is to avoid spending money on purchasing hardware and time on maintaining it. The company needs to pay only for the cloud computing resources it uses. Which of the following cloud computing architectures will your company use to deploy the cloud services?
(A) Public Cloud
(B) Private Cloud
(C) Hybrid Cloud
(D) Community Cloud

Explanation 6. Public Cloud is the correct answer. Public


clouds are the most common way of deploying cloud comput-
ing. The cloud resources like servers and storage are owned
and operated by a third-party cloud service provider and deliv-
ered over the Internet. With a public cloud, all hardware, soft-
ware, and other supporting infrastructure is owned and man-
aged by the cloud provider.
32
Advantages of public clouds:
1. Lower costs—no need to purchase hardware or software,
and you pay only for the service you use.
2. No maintenance—your service provider provides the main-
tenance.
3. Near-unlimited scalability—on-demand resources are avail-
able to meet your business needs.
4. High reliability—a vast network of servers ensures against
failure

Private cloud is incorrect. A private cloud consists of comput-


ing resources used exclusively by one business or organization.
The private cloud can be physically located at your organiza-
tion’s on-site datacenter, or it can be hosted by a third-party
service provider. But in a private cloud, the services and in-
frastructure are always maintained on a private network and the
hardware and software are dedicated solely to your organiza-
tion.

In this way, a private cloud can make it easier for an organiza-


tion to customize its resources to meet specific IT require-
ments. Private clouds are often used by government agencies,
financial institutions, any other mid- to large-size organizations
with business-critical operations seeking enhanced control
33
over their environment.

Advantages of a private cloud:


1. More flexibility—your organization can customize its cloud
environment to meet specific business needs.
2. Improved security—resources are not shared with others, so
higher levels of control and security are possible.
3. High scalability—private clouds still afford the scalability and
efficiency of a public cloud.

Hybrid cloud is incorrect. Hybrid clouds combine on-premis-


es infrastructure, or private clouds, with public clouds so orga-
nizations can reap the advantages of both. In a hybrid cloud,
data and applications can move between private and public
clouds for greater flexibility and more deployment options.

For instance, you can use the public cloud for high-volume,
lower-security needs such as web-based email, and the private
cloud (or other on-premises infrastructure) for sensitive, busi-
ness-critical operations like financial reporting.

In a hybrid cloud, “cloud bursting” is also an option. This is
when an application or resource runs in the private cloud until
there is a spike in demand (such as a seasonal event like online
shopping or tax filing), at which point the organization can
“burst through” to the public cloud to tap into additional
computing resources.

Advantages of hybrid clouds:
1. Control—your organization can maintain a private infrastructure
for sensitive assets.
2. Flexibility—you can take advantage of additional resources in the
public cloud when you need them.
3. Cost-effectiveness—with the ability to scale to the public cloud,
you pay for extra computing power only when needed.
4. Ease—transitioning to the cloud doesn’t have to be overwhelming
because you can migrate gradually—phasing in workloads over time.

Community cloud is incorrect. A community cloud shares the cloud
infrastructure across several organizations to support a specific
community with common concerns, such as a shared regulatory
regime or mission.

A community cloud combines benefits of the public cloud (minimal
shared infrastructure costs, pay-per-use billing) with those of the
private cloud (an added level of privacy and policy compliance).
Question 7. The developers at your company are thinking of moving
the development process to the cloud so they don’t need to start
from scratch when creating applications, with the aim of saving a
lot of time and money on writing code. Which of the following cloud
service models will the developers use to create unique,
customizable software in the cloud?
(A) PaaS
(B) IaaS
(C) XaaS
(D) SaaS

Explanation 7. PaaS is the correct answer. Platform as a
Service (PaaS) delivers a managed runtime (operating system,
middleware, language runtimes, databases) on which developers
build and deploy their own applications.

PaaS delivers a framework for developers that they can build
upon and use to create customized applications. All servers,
storage, and networking are managed by the enterprise or a
third-party provider, while the developers keep control of the
applications and their data.

PaaS is primarily used by developers who are building software
or applications and provides the platform for developers to
create unique, customizable software. This means developers
don’t need to start from scratch when creating applications,
saving them a lot of time (and money) on writing extensive
code.

SaaS is incorrect. Software as a Service (SaaS) utilizes the in-


ternet to deliver applications, which are managed by a third-
party vendor, to its users. With SaaS, you don’t need to install
and run software applications on your computer (or any com-
puter). Everything is available over the internet when you log in
to your account online. You can usually access the software
from any device, anytime (as long as there is an internet con-
nection).

IaaS is incorrect. Infrastructure as a Service (IaaS) gives users
cloud-based alternatives to on-premises infrastructure, so
businesses can avoid investing in expensive on-site resources.

IaaS delivers cloud computing infrastructure, including servers,
network, operating systems, and storage, through virtualization
technology.

These resources are typically provisioned through a dashboard or
an API, giving IaaS customers control over everything from the
operating system upward while the provider manages the physical
hardware, hypervisor, and facilities. IaaS supplies raw
infrastructure rather than a development platform, which is why
it is not the best fit here.
XaaS is incorrect. Anything as a service (XaaS) describes a
general category of services related to cloud computing and
remote access. It recognizes the vast number of products,
tools, and technologies that are now delivered to users as a
service over the internet.

Essentially, any IT function can be transformed into a service for


enterprise consumption. The service is paid for in a flexible
consumption model rather than as an upfront purchase or li-
cense.

Question 8. Which of the following companies is not a cloud


service provider?
(A) Amazon Web Services
(B) Microsoft Azure
(C) Examsdigest
(D) Google Cloud Platform

Explanation 8. Examsdigest is the correct answer. Exams-


digest is not a cloud service provider but an educational service
provider.

The remaining options are incorrect because they are cloud
service providers.
Question 9. You are developing a new system that requires
users to be authenticated using a temporary passcode that is
generated by an algorithm that uses the current time of day.
Which of the following authentication methods will you use to
authenticate the users?
(A) HOTP
(B) SMS
(C) Push notifications
(D) TOTP

Explanation 9. TOTP is the correct answer. A time-based
one-time password (TOTP, RFC 6238) is a temporary passcode
generated by an algorithm whose inputs are a secret shared
between the token and the server and the current time, divided
into fixed steps (typically 30 seconds). The current time is an
input to the algorithm, not an authentication factor in itself:
the factor being proven is possession of the device that holds
the secret. Time-based one-time passwords are commonly used as
the second factor in two-factor authentication and have seen
growing adoption by cloud application providers.

In two-factor authentication scenarios, a user must enter a
traditional, static password as well as the current time-based
one-time password to gain access to digital information or a
computing system. Because the code is derived from the time
step, it expires when the step rolls over, typically after 30,
60, 120, or 240 seconds, and servers usually accept codes from
one step either side of the current one to tolerate clock drift.
HOTP is incorrect. Event-based OTP (also called HOTP mean-
ing HMAC-based One-Time Password) is the original One-Time
Password algorithm and relies on two pieces of information.
The first is the secret key, called the “seed”, which is known
only by the token and the server that validates submitted OTP
codes.

The second piece of information is the moving factor which, in


event-based OTP, is a counter. The counter is stored in the to-
ken and on the server. The counter in the token increments
when the button on the token is pressed, while the counter on
the server is incremented only when an OTP is successfully val-
idated.

SMS is incorrect. SMS authentication is a kind of identity
proof often used for two-factor authentication (2FA) or
multi-factor authentication (MFA). In SMS authentication, the
user provides a code that has been sent to their phone via SMS
as proof of their identity.

In theory, SMS authentication provides a second identity factor.
While usernames and passwords represent something that only
the right user knows, an SMS code delivered to a particular
mobile device is evidence of the possession of something (a
particular mobile phone) that only the right user should have.
In practice the code is tied to the phone number rather than
the phone, so SIM-swap attacks and SS7 interception can redirect
it, which is why NIST SP 800-63B treats SMS as a restricted
authenticator. It is also not generated from the current time,
which is what the question asks for.
Push notifications is incorrect. Push-based authentication
sends an approval prompt to an authenticator app on the user’s
registered device. It is a legitimate possession factor, but the
user approves or denies the prompt rather than reading a
time-derived code, so it does not match the mechanism the
question describes. Its known weakness is “MFA fatigue”: an
attacker who already holds the password can send repeated
prompts until the user taps approve, which number matching in
the prompt mitigates.
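To make the difference between the two OTP schemes concrete, here is an added example (not part of the original book) that implements HOTP (RFC 4226) and TOTP (RFC 6238) in Python with the standard library only, together with the server-side checks the explanation describes: a clock-skew window for TOTP and a counter that advances only after a successful HOTP validation. The secret is the RFC test secret so the output can be checked against the published test vectors; the look-ahead window and step size are assumptions.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret, the ASCII bytes of "12345678901234567890".
# A real deployment generates a random per-user secret at enrollment; this
# constant exists only so the RFC test vectors can be reproduced.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 event-based OTP.

    The moving factor is an 8-byte big-endian counter; the code is the
    dynamically truncated HMAC-SHA1 reduced modulo 10**digits, zero-padded.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, timestamp=None, step=30, digits=6):
    """RFC 6238 time-based OTP: HOTP whose counter is floor(unix_time / step).

    Time is an input to the algorithm, not an authentication factor; the
    factor being proven is possession of the shared secret.
    """
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret, code, timestamp=None, step=30, digits=6, window=1):
    """Server-side check tolerating `window` steps of clock skew either way.

    hmac.compare_digest keeps each comparison constant-time so a timing
    difference does not leak how many leading digits matched.
    """
    if timestamp is None:
        timestamp = int(time.time())
    counter = timestamp // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


class HotpValidator:
    """Server side of event-based OTP.

    The server counter advances only after a successful validation; a small
    look-ahead window (an assumed value) resynchronises a token whose button
    was pressed without the code being submitted, and any counter at or below
    the last accepted one is refused, which blocks replay of an old code.
    """

    def __init__(self, secret, look_ahead=5, digits=6):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead
        self.digits = digits

    def validate(self, code):
        for candidate in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.counter = candidate + 1
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))            # RFC 4226 vector: 755224
    print("TOTP at t=59  :", totp(RFC_TEST_SECRET, 59, digits=8))  # RFC 6238 vector: 94287082
    print("TOTP now      :", totp(RFC_TEST_SECRET))
```

The same `hotp` function serves both schemes; the only difference is where the moving factor comes from, which is exactly the distinction the question turns on.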

Question 10. Version _______________ keeps track of every modi-


fication to the code in a special kind of database. If a mistake is
made, you can turn back the clock and compare earlier ver-
sions of the code to help fix the mistake.
(A) Scalability
(B) Elasticity
(C) Control
(D) Compiler

Explanation 10. Control is the correct answer. Version con-


trol systems are a category of software tools that help a soft-
ware team manage changes to source code over time. Version
control software keeps track of every modification to the code
in a special kind of database. If a mistake is made, developers
can turn back the clock and compare earlier versions of the
code to help fix the mistake while minimizing disruption to all
team members.

Elasticity is incorrect. Elasticity is the ability of an IT in-
frastructure to quickly expand or cut back capacity and ser-
vices without hindering or jeopardizing the infrastructure's sta-
bility, performance, or security.

Scalability is incorrect. Scalability is the ability of a computer


application or product to continue to function well when it is
changed in size or volume in order to meet a user's need.

Compiler is incorrect. A compiler is a software program that


transforms high-level source code that is written by a develop-
er in a high-level programming language into a low-level object
code (binary code) in machine language, which can be under-
stood by the processor. The process of converting high-level
programming into machine language is known as compilation.

Question 11. You are working for a client as a web developer


and your client asked you to check the new update of the app
without making the updates live for the users. In which envi-
ronment will you push the update so your client can look it over
in a stable format before it gets pushed to the users?
(A) Development
(B) Quality Assurance
(C) Production
(D) Staging
Explanation 11. Staging is the correct answer. The staging
server is where you deploy your work for folks to look at – be-
fore it goes to production. Think of it as the place you show
your client your work. You don’t want to show them your dev
machine as they may not have time to look at your work right
when you know things are stable. By pushing your updates to
staging, the client can look it over in a stable format before it
gets pushed to production.

Development is incorrect. This is the environment that’s on


your computer. Here is where you’ll do all of your code updates.
It’s where all of your commits and branches live along with
those of your co-workers. The development environment is
usually configured differently from the environment that users
work in.

Nothing you do in the development environment affects what


users currently see when they pull up the website. This is just
for you and the other web devs to see how new features will
work and to try out improvements.

Quality assurance is incorrect. A quality assurance (QA)
environment is where you test your upgrade procedure against
data, hardware, and software that closely simulate the
production environment and where you allow intended users to
test the resulting application.

Production is incorrect. The production environment is where


users access the final code after all of the updates and testing.
Of all the environments, this one is the most important. This is
where companies make their money so you can’t have any
crippling mistakes here. That’s why you have to go through the
other two environments with all of the testings first.

Question 12. The solution to the problem of how to get the


software to run reliably when moved from one computing envi-
ronment to another is known as:
(A) Containers
(B) Microservice
(C) API
(D) Thin Client

Explanation 12. Containers is the correct answer. Contain-


ers are a solution to the problem of how to get the software to
run reliably when moved from one computing environment to
another. A container is a standard unit of software that pack-
ages up code and all its dependencies so the application runs
quickly and reliably from one computing environment to anoth-
er.
Thin Client is incorrect. Thin clients function like regular PCs,
but lack hard drives and typically do not have extra I/O ports or
other unnecessary features. They run only a minimal firmware or
embedded operating system; the applications execute, and the
data lives, on a server that the thin client connects to.

Thin clients can be a cost-effective solution for businesses or


organizations that need several computers that all do the same
thing.

API is incorrect. An API, or Application Programming Interface,


allows your application to interact with an external service using
a simple set of commands. Rather than having to create com-
plex processes yourself, you can use APIs to access the under-
lying services of another application which can save you time
and resources.

Many applications that you use every day rely on APIs in some
capacity to function, since there are APIs for almost every cate-
gory imaginable.

Microservice is incorrect. A microservice architectural pattern
is a modular application development technique that organizes
loosely coupled services. Microservice architecture is like an
assembly line, where every service has a specialized role.
Together, the services create a complete application.

These services can be independently deployed and tend to


serve a specific purpose. For example, an eCommerce website
might have a service for customer information, a service for
payments, and a service for shipping logistics.

Question 13. A decentralized computing infrastructure in


which data, compute, storage, and applications are located be-
tween the data source and the cloud is called _________________
computing. In this environment, intelligence is at the local area
network (LAN) and data is transmitted from endpoints only.
(A) Fog
(B) Edge
(C) Cluster
(D) Cloud

Explanation 13. Fog is the correct answer. Fog computing is a
decentralized computing infrastructure in which data, compute,
storage, and applications are located between the data source
and the cloud. Like edge computing, fog computing brings the
advantages and power of the cloud closer to where data is
created and acted upon.

The key difference between edge and fog computing is where


intelligence and compute power are placed. In a strictly foggy
environment, intelligence is at the local area network (LAN) and
data is transmitted from endpoints to a fog gateway, where it is
then transmitted to sources for processing and return transmis-
sion.

In edge computing, intelligence and power can be located in ei-


ther the endpoint or a gateway.

Edge computing is incorrect. Edge computing is a distributed


information technology (IT) architecture in which client data is
processed at the periphery of the network, as close to the orig-
inating source as possible. One simple way to understand the
basic concept of edge computing is by comparing it to cloud
computing. In cloud computing, data from a variety of disparate
sources is sent to a large centralized data center that is often
geographically far away from the source of the data.

Cloud computing is incorrect. Cloud computing is the deliv-
ery of different services through the Internet. These resources
include tools and applications like data storage, servers, data-
bases, networking, and software.

Cluster computing is incorrect. In cluster computing, many
computers connected over a network work together as a single
system. Each computer connected to the network is called a node.
Clusters solve complicated problems by providing faster
computational speed and, with redundant nodes, higher
availability. A cluster concentrates compute in one place rather
than placing it between the data source and the cloud.

Question 14. Which of the following types of disaster recovery


sites doesn’t have any pre-installed equipment and it takes a lot
of time to properly set it up so as to fully resume business op-
erations?
(A) Cold Site
(B) Hot Site
(C) Normal Site
(D) Warm Site

Explanation 14. Cold Site is the correct answer. A cold site
is a backup facility with little or no hardware equipment
installed. A cold site is essentially an office space with basic
utilities such as power, cooling system, air conditioning, and
communication equipment.

A cold site is the most cost-effective option among the three


disaster recovery sites. However, due to the fact that a cold site
doesn’t have any pre-installed equipment, it takes a lot of time
to properly set it up so as to fully resume business operations.

Hot Site is incorrect. A Hot Site can be defined as a backup


site, which is up and running continuously. A Hot Site allows a
company to continue normal business operations, within a very
short period of time after a disaster. Hot Site must be online
and must be available immediately.

The hot site must be equipped with all the necessary hardware,
software, network, and Internet connectivity. Data is regularly
backed up or replicated to the hot site so that it can be made
fully operational in a minimal amount of time in the event of a
disaster at the original site.

Warm Site is incorrect. A warm site is considered the middle
ground between the cold site and the hot site. A warm site is a
backup facility that has the network connectivity and the
necessary hardware equipment already pre-installed. However, a
warm site cannot perform on the same level as the production
center because they are not equipped in the same way. Therefore,
a warm site has less operational capacity than the primary site.

Normal Site is incorrect. The normal site is a fictitious type of


disaster recovery site.

Question 15. The security process that relies on unique traits
of an individual, such as retinas, irises, voices, facial
characteristics, and fingerprints, to verify that a person is who
they claim to be is called:
(A) Trait authentication
(B) Characteristics authentication
(C) Personalized authentication
(D) Biometric authentication

Explanation 15. Biometric authentication is the correct
answer. Biometric authentication is the security process that
relies on unique traits of an individual, such as retinas, irises,
voices, facial characteristics, and fingerprints, to verify that
a person is who they claim to be.

Types of biometric authentication technologies:


1. Retina scans produce an image of the blood vessel pattern in
the light-sensitive surface lining the individual’s inner eye.
2. Iris recognition is used to identify individuals based on
unique patterns within the ring-shaped region surrounding the
pupil of the eye.
3. Finger scanning, the digital version of the ink-and-paper
fingerprinting process, works with details in the pattern of
raised areas and branches in a human finger image.
4. Finger vein ID is based on the unique vascular pattern in an
individual’s finger.
5. Facial recognition systems work with numeric codes called
faceprints, which identify 80 nodal points on a human face.

Question 16. Which of the following options is a network archi-


tecture approach that enables the network to be intelligently
and centrally controlled, or programmed using software ap-
plications and helps operators manage the entire network con-
sistently, regardless of the underlying network technology?
(A) Serverless
(B) Transit gateway
(C) SDN
(D) SDV

Explanation 16. SDN is the correct answer. Software-Defined
Networking (SDN) is a network architecture approach that
enables the network to be intelligently and centrally
controlled, or ‘programmed,’ using software applications. This
helps operators manage the entire network consistently and
holistically, regardless of the underlying network technology.

Serverless is incorrect. Serverless architecture is a way to
build and run applications and services without having to
manage infrastructure. Your application still runs on servers,
but all the server management is done by the cloud provider
(AWS Lambda is one example). You no longer have to provision,
scale, and maintain servers to run your applications, databases,
and storage systems.

Software-defined visibility (SDV) is incorrect. Software-De-


fined Visibility is a framework that allows users to control and
program Gigamon’s Visibility Fabric via REST-based Application
Program Interfaces (APIs).

By writing programs that utilize Gigamon’s APIs, critical func-


tions previously requiring manual intervention can be automat-
ed to improve responsiveness, enhance analysis and increase
the protection of key resources and information assets.

With Software-Defined Visibility, your staff can develop pro-


grams to automate Policy Management, simplify Provisioning
and Ticketing, and improve Security.

Transit gateway is incorrect. A transit gateway is a network
transit hub that you can use to interconnect your virtual private
clouds (VPC) and on-premises networks.

Question 17. Your organization is working with a contractor to
build a database. You need to hide the actual data from the
contractor. Which of the following techniques will you use to
allow the contractor to test the database environment without
having access to the actual sensitive customer information?
(A) Data Masking
(B) Tokenization
(C) Encryption
(D) Data at rest

Explanation 17. Data Masking is the correct answer. Data


masking is a method of creating a structurally similar but inau-
thentic version of an organization’s data that can be used for
purposes such as software testing and user training. The pur-
pose is to protect the actual data while having a functional sub-
stitute for occasions when the real data is not required.

Overall, the primary function of masking data is to protect sen-


sitive, private information in situations where it might be visible
to someone without clearance to the information.

Tokenization is incorrect. Tokenization is the process of turning
a meaningful piece of data, such as an account number, into a
random string of characters called a token that has no
meaningful value if breached. Tokens serve as a reference to the
original data, but cannot be used to guess those values. That’s
because, unlike encryption, tokenization does not use a
mathematical process to transform sensitive information into the
token.

There is no key or algorithm, that can be used to derive the


original data for a token. Instead, tokenization uses a database,
called a token vault, which stores the relationship between the
sensitive value and the token. The real data in the vault is then
secured, often via encryption.

Encryption is incorrect. Encryption is the process of using an
algorithm and a key to transform plaintext into an unreadable
form called ciphertext; the key is required to decrypt the
ciphertext and return it to its original plaintext form. Today,
TLS (the successor to SSL) is commonly used to protect
information as it’s transmitted on the Internet. Encryption hides
data from anyone without the key, but the contractor would need
the key to work with the database, so it does not remove the
exposure the question describes.

Data at rest is incorrect. Data at rest is data that is not
actively moving from device to device or network to network,
such as data stored on a hard drive, laptop, flash drive, or
archived/stored in some other way. Data protection at rest aims
to secure inactive data stored on any device or network. While
data at rest is sometimes considered to be less vulnerable than
data in transit, attackers often find data at rest a more
valuable target than data in motion.

Question 18. The software that sits between cloud service users
and cloud applications, monitoring user activity and
automatically preventing malware, is known as:
(A) Cloud access security broker
(B) Hashing
(C) Hardware security modules
(D) SSL/TLS inspection

Explanation 18. Cloud access security broker is the correct


answer. A cloud access security broker (CASB) is an on-
premises or cloud-based software that sits between cloud ser-
vice users and cloud applications, and monitors all activity and
enforces security policies. A CASB can offer a variety of ser-
vices such as monitoring user activity, warning administrators
about potentially hazardous actions, enforcing security policy
compliance, and automatically preventing malware.

Hashing is incorrect. Hashing transforms input of any length into
a fixed-length value (the digest) using a one-way function: the
digest cannot be reversed and no key is involved, so hashing is
not encryption. Hashes are used to index and retrieve items in a
database, because finding an item by its short digest is faster
than by the original value, and to verify that a file or message
has not been altered.

Hashing is also a building block of digital signatures: the
sender hashes the message and signs the digest with a private
key; the receiver recomputes the digest from the received message
and checks it against the signature using the sender’s public
key. (If the message was altered in transit, the digests differ
and the signature fails.) A hash function does not sit between
users and cloud applications or enforce policy, which is why it
does not answer the question.

A hardware security module (HSM) is incorrect. A hardware
security module is a dedicated crypto processor that is
specifically designed for the protection of the crypto key
lifecycle. Hardware security modules act as trust anchors that
protect the cryptographic infrastructure of some of the most
security-conscious organizations in the world by securely
managing, processing, and storing cryptographic keys inside a
hardened, tamper-resistant device.

The hardware security module is used to protect transactions,
identities, and applications, as HSMs excel at securing
cryptographic keys and provisioning encryption, decryption,
authentication, and digital signing services for a wide range of
applications.

SSL/TLS Inspection is incorrect. SSL/TLS inspection (also
called TLS interception) is a deliberate, sanctioned
man-in-the-middle of encrypted traffic, done by an interception
device that sits between the client and the server with all
traffic passing through it, so that malicious content can be
filtered out.

When a client connects over HTTPS, the interceptor terminates
the client’s TLS session using a certificate it issues on the
fly from an enterprise CA that the clients have been configured
to trust, opens its own TLS session to the real web server, and
decrypts, scans, and re-encrypts the data in between. The data
therefore still reaches both ends encrypted. Practitioners
should note the costs: applications that pin certificates break,
the interceptor holds every session’s plaintext and becomes a
high-value target, it must validate the server’s certificate
correctly or it silently weakens every client behind it, and
categories such as banking or health traffic are usually
exempted for privacy reasons.

Question 19. A managed service provider (MSP) is a company


that remotely manages a customer’s IT infrastructure and/or
end-user systems, typically on a proactive basis and under a
subscription model. (True/False)
(A) TRUE
(B) FALSE

Explanation 19. TRUE is the correct answer.
A managed service provider (MSP) is a company that remotely
manages a customer’s IT infrastructure and/or end-user sys-
tems, typically on a proactive basis and under a subscription
model.

In other words, a managed service provider (MSP) is an out-


sourced third-party company that manages and assumes the
responsibility of a defined set of day-to-day management ser-
vices to its customers. It is a strategic method of improving op-
erations that is commonplace among large corporations as well
as small and medium-sized businesses, non-profit organiza-
tions, and governments.

Question 20. Which of the following types of disaster recovery


sites allows a company to continue normal business opera-
tions, within a very short period of time after a disaster?
(A) Warm Site
(B) Hot Site
(C) Cold Site
(D) Normal Site

Explanation 20. Hot Site is the correct answer. A Hot Site
can be defined as a backup site, which is up and running
continuously. A Hot Site allows a company to continue normal
business operations, within a very short period of time after a
disaster. Hot Site must be online and must be available
immediately.

The hot site must be equipped with all the necessary hardware,
software, network, and Internet connectivity. Data is regularly
backed up or replicated to the hot site so that it can be made
fully operational in a minimal amount of time in the event of a
disaster at the original site.

Warm Site is incorrect. A warm site is considered the middle


ground between the cold site and the hot site. A warm site is a
backup facility that has the network connectivity and the nec-
essary hardware equipment already pre-installed. However, a
warm site cannot perform on the same level as the production
center because they are not equipped in the same way. There-
fore, a warm site has less operational capacity than the primary
site.

Cold Site is incorrect. A cold site is a backup facility with
little or no hardware equipment installed. A cold site is
essentially an office space with basic utilities such as power,
cooling system, air conditioning, and communication equipment.

A cold site is the most cost-effective option among the three
disaster recovery sites. However, due to the fact that a cold
site doesn’t have any pre-installed equipment, it takes a lot of
time to properly set it up so as to fully resume business
operations.

Normal Site is incorrect. The normal site is a fictitious type of


disaster recovery site.

Question 21. Recently the physical network adapter card from


your company’s server broke. As a result, your co-workers
couldn’t access important resources for hours. You have been
instructed to implement a solution to eliminate this from hap-
pening again in the event of a network adapter failure. Which of
the following solutions will you implement to meet the require-
ment?
(A) NIC teaming
(B) UPS
(C) PDU
(D) Power generator

Explanation 21. NIC teaming is the correct answer. Network
interface card teaming, also known as Load Balancing/Failover
(LBFO) in the Microsoft world, binds multiple physical network
adapter cards in the same physical host/server into a “team”
that the operating system sees as a single logical NIC. The team
provides aggregated throughput and fault tolerance: if one
physical adapter (or its cable or switch port) fails, traffic
continues over the remaining members. For the failure to be
survivable the team members should be cabled to separate switch
ports, ideally on separate switches, so that no single component
takes down every member at once.

UPS is incorrect. An uninterruptible power supply (UPS) is a


device that allows a computer to keep running for at least a
short time when the primary power source is lost. UPS devices
also provide protection from power surges.

PDU is incorrect. A PDU, or Power Distribution Unit, is a device


used in data centers to control and distribute electric power.
The most basic form of a PDU is a large power strip without
surge protection. This is designed to provide standard electrical
outlets for use within a variety of settings that don’t require
monitoring or remote access capabilities.

Power generator is incorrect. A power generator is, as its


name implies, a device capable of generating energy. This is
responsible for converting any type of energy (e.g. chemical,
mechanical, etc.) into electrical energy.

Question 22. Which of the following cryptographic techniques
will you use to validate the authenticity and integrity of a
message or digital document?
(A) Key stretching
(B) Digital signatures
(C) Salting
(D) Hashing

Explanation 22. Digital signatures is the correct answer. A


digital signature is a mathematical technique used to validate
the authenticity and integrity of a message, software or digital
document. As the digital equivalent of a handwritten signature
or stamped seal, a digital signature offers far more inherent se-
curity, and it is intended to solve the problem of tampering and
impersonation in digital communications

Key stretching is incorrect. Key stretching algorithms (such as
PBKDF2, bcrypt, scrypt, and Argon2) take a relatively weak value,
such as a password, and process it repeatedly so that deriving
the key is deliberately slow, which makes it more resilient to
threats like dictionary and brute-force attacks. Key stretching
protects stored secrets; it does not prove who produced a message.

Hashing is incorrect. Hashing is the practice of using an algorithm to map data of any size to a fixed length. The result is called a hash value (or sometimes hash code or hash sum, or even a hash digest if you’re feeling fancy). Hashing is meant to verify that a file or piece of data hasn’t been altered.

Salting is incorrect. A salt is a random string of data used to modify a password hash. Salt can be added to the hash to prevent a collision by uniquely identifying a user’s password, even if another user in the system has selected the same password. Salt can also be added to make it more difficult for an attacker to break into a system by using password hash-matching strategies, because adding salt to a password hash prevents an attacker from testing known dictionary words across the entire system.

Question 23. Which of the following products use the Software as a Service cloud model? (Choose all that apply.)
(A) Google Apps
(B) Dropbox
(C) Google Compute Engine
(D) Mailchimp
(E) AWS EC2
(F) Slack

Explanation 23. A, B, D, F are the correct answers. SaaS platforms make software available to users over the internet, usually for a monthly subscription fee.

With SaaS, you don’t need to install and run software applications on your computer (or any computer). Everything is available over the internet when you log in to your account online.

SaaS platforms are:
1. Available over the internet.
2. Hosted on a remote server by a third-party provider.
3. Scalable, with different tiers for small, medium, and enterprise-level businesses.
4. Inclusive, offering security, compliance, and maintenance as part of the cost.

Products using the SaaS cloud model are:
1. Google Apps
2. Dropbox
3. MailChimp
4. Slack

The remaining options (Google Compute Engine and AWS EC2) use the Infrastructure as a Service (IaaS) cloud model.

Question 24. You are working for a startup, and recently the application you are developing experienced a large amount of traffic. As a result, the performance of the application decreased. You have been instructed to implement a solution that efficiently distributes incoming network traffic across a group of backend servers to increase the performance of the app. Which of the following solutions will you implement to meet the requirement?
(A) Load balancers
(B) Network interface card teaming
(C) Multipath
(D) Redundant array of inexpensive disks

Explanation 24. Load balancers is the correct answer. Load balancing is defined as the methodical and efficient distribution of network or application traffic across multiple servers in a server farm. Each load balancer sits between client devices and backend servers, receiving and then distributing incoming requests to any available server capable of fulfilling them.

A load balancer acts as the “traffic cop” sitting in front of your servers and routing client requests across all servers capable of fulfilling those requests in a manner that maximizes speed and capacity utilization and ensures that no one server is overworked, which could degrade performance.

Network interface card teaming is incorrect. NIC teaming, also known as Load Balancing/Failover (LBFO) in the Microsoft world, is a mechanism that enables multiple physical network adapter cards in the same physical host/server to be bound together and placed into a “team” in the form of a single logical NIC.

The connected network adapters are shown as one or more virtual adapters. These virtual network adapters provide fast performance and fault tolerance in the event of a network adapter failure.

Multipath is incorrect. Multipathing, also called SAN multipathing or I/O multipathing, is the establishment of multiple physical routes between a server and the storage device that supports it.

In storage networking, the physical path between a server and the storage device that supports it can sometimes fail. When there’s only one physical path between the two devices, there is a single point of failure (SPoF), which can be a problem if a cable breaks or someone accidentally unplugs the wrong cable. Because SAN multipathing establishes multiple routes between the hardware, however, if someone accidentally unplugged the wrong cable and one path failed, I/O would simply be routed through another path.

Redundant array of independent disks is incorrect. A redundant array of independent disks (RAID) is a method of storing duplicate data on two or more hard drives. It is used for data backup, fault tolerance, to improve throughput, increase storage functions, and to enhance performance.
Question 25. You have been instructed to connect a storage device that allows storage and retrieval of data from a central location for authorized network users and varied clients. Which of the following storage types will you use to meet the requirement?
(A) Storage area network
(B) Tape storage
(C) Network-attached storage
(D) Disk storage

Explanation 25. Network-attached storage is the correct answer. A network-attached storage (NAS) device is a storage device connected to a network that allows storage and retrieval of data from a central location for authorized network users and varied clients.

NAS devices are flexible and scale-out, meaning that as you need additional storage, you can add to what you have. NAS is like having a private cloud in the office. It’s faster, less expensive, and provides all the benefits of a public cloud on-site, giving you complete control.

Storage area network is incorrect. A storage area network (SAN) is a dedicated high-speed network or subnetwork that interconnects and presents shared pools of storage devices to multiple servers.

A SAN moves storage resources off the common user network and reorganizes them into an independent, high-performance network. This enables each server to access shared storage as if it were a drive directly attached to the server. When a host wants to access a storage device on the SAN, it sends out a block-based access request for the storage device.

Tape storage is incorrect. Tape storage is a system in which magnetic tape is used as a recording medium to store data. With data volumes growing rapidly worldwide, tape storage is the most suitable system for data storage requiring large capacity. Tape storage is used not only for backup in case of system failure, but also for archiving data for long-term storage.

Disk storage is incorrect. Disk storage is a general category of storage mechanisms where data are recorded by various electronic, magnetic, optical, or mechanical changes to a surface layer of one or more rotating disks. A disk drive is a device implementing such a storage mechanism.

Notable types are the hard disk drive (HDD) containing a non-removable disk, the floppy disk drive (FDD) and its removable floppy disk, and various optical disc drives (ODD) and associated optical disc media.

Question 26. Continuous ______________ is a software development method that releases or deploys software automatically into the production environment. In this model, no one manually checks the code and pushes it into your app.
(A) Integration
(B) Deployment
(C) Monitoring
(D) Delivery

Explanation 26. Deployment is the correct answer. Continuous deployment is a software development method that releases or deploys software automatically into the production environment. In this model, no one manually checks the code and pushes it into your app.

Continuous integration is incorrect. Continuous Integration (CI) is a development practice where developers integrate code into a shared repository frequently, preferably several times a day.

Each integration can then be verified by an automated build and automated tests. While automated testing is not strictly part of CI, it is typically implied.

Continuous integration is designed to trigger automatic integration of code into the main code base, instead of developing changes in isolation and then integrating them at the end of the development cycle.

Continuous monitoring is incorrect. Continuous monitoring provides security and operations analysts with real-time feedback on the overall health of IT infrastructure, including networks and applications deployed in the cloud.

The goal of continuous monitoring is to increase the visibility and transparency of network activity, especially suspicious network activity that could indicate a security breach, and to mitigate the risk of cyber attacks with a timely alert system that triggers a rapid incident response.

Continuous delivery is incorrect. Continuous delivery is an ongoing DevOps practice of building, testing, and delivering improvements to software code and user environments with the help of automated tools.

The key outcome of the continuous delivery (CD) paradigm is code that is always in a deployable state.
Question 27. Which of the following options allows your application to interact with an external service using a simple set of commands rather than having to create complex processes yourself?
(A) Thin Client
(B) API
(C) Micro-service
(D) Containers

Explanation 27. API is the correct answer. An API, or Application Programming Interface, allows your application to interact with an external service using a simple set of commands. Rather than having to create complex processes yourself, you can use APIs to access the underlying services of another application, which can save you time and resources.

Many applications that you use every day rely on APIs in some capacity to function, since there are APIs for almost every category imaginable.

Thin Client is incorrect. Thin clients function as regular PCs, but lack hard drives and typically do not have extra I/O ports or other unnecessary features. Since they do not have hard drives, thin clients do not have any software installed on them. Instead, they run programs and access data from a server.

Thin clients can be a cost-effective solution for businesses or organizations that need several computers that all do the same thing.

Microservice is incorrect. A microservice architectural pattern is a modular application development technique that organizes loosely coupled services. Microservice architecture is like an assembly line, where every service has a specialized role. Together, the services create a complete application.

These services can be independently deployed and tend to serve a specific purpose. For example, an eCommerce website might have a service for customer information, a service for payments, and a service for shipping logistics.

Containers is incorrect. Containers are a solution to the problem of how to get software to run reliably when moved from one computing environment to another.

A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another.

Question 28. Cloud backup is a strategy for sending a copy of files or a database to a secondary server, usually hosted by a third-party service provider, for preservation in case of equipment failure or catastrophe. (True/False)
(A) TRUE
(B) FALSE

Explanation 28. TRUE is the correct answer.

Cloud backup, also known as online backup or remote backup, is a strategy for sending a copy of a physical or virtual file or database to a secondary, off-site location for preservation in case of equipment failure or catastrophe.

The secondary server and storage systems are usually hosted by a third-party service provider, who charges the backup customer a fee based on storage space or capacity used, data transmission bandwidth, number of users, number of servers or number of times data is accessed.

Question 29. Asymmetrical encryption uses a single key that needs to be shared among the people who need to receive the message, while symmetric encryption uses a pair of a public key and a private key to encrypt and decrypt messages when communicating. (True/False)
(A) TRUE
(B) FALSE

Explanation 29. FALSE is the correct answer.

Symmetric encryption uses a single key that needs to be shared among the people who need to receive the message. It’s a simple technique, and because of this, the encryption process can be carried out quickly.

It’s mostly used when large chunks of data need to be transferred. The secret key is shared. Consequently, the risk of compromise is higher.

Asymmetrical encryption uses a pair of a public key and a private key to encrypt and decrypt messages when communicating. It’s a much more complicated process than symmetric key encryption, and the process is slower.

It’s used in smaller transactions, primarily to authenticate and establish a secure communication channel prior to the actual data transfer.

The private key is not shared, and the overall process is more
secure as compared to symmetric encryption.
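Both models side by side, as an added Go example that is not from the book: AES-256-GCM under one shared key for the bulk data, RSA-OAEP under a key pair for a small secret, and the usual hybrid in which the public key protects a fresh symmetric key before the actual data transfer. The 2048-bit key size and the 4 KiB sample payload are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SymmetricEncrypt: one shared key both encrypts and decrypts; the random nonce is prepended.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt fails on a wrong key or any tampering, thanks to GCM's tag.
func SymmetricDecrypt(key, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ciphertext) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:ns], ciphertext[ns:], nil)
}

// NewRecipientKey makes the key pair: public half handed out, private half never shared.
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// AsymmetricEncrypt (RSA-OAEP) accepts only short messages, hence it protects a session key, not the data.
func AsymmetricEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Envelope is the hybrid: a fresh symmetric key wrapped with the recipient's public key,
// plus the bulk data encrypted under that key.
type Envelope struct {
	WrappedKey []byte
	Ciphertext []byte
}

func Seal(pub *rsa.PublicKey, data []byte) (Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return Envelope{}, err
	}
	ct, err := SymmetricEncrypt(key, data)
	if err != nil {
		return Envelope{}, err
	}
	wk, err := AsymmetricEncrypt(pub, key)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wk, Ciphertext: ct}, nil
}

// Open needs the private key once, to unwrap the session key, then decrypts the bulk data.
func Open(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return SymmetricDecrypt(key, env.Ciphertext)
}

func main() {
	priv, _ := NewRecipientKey()
	payload := make([]byte, 4096) // constructed 4 KiB document
	if _, err := AsymmetricEncrypt(&priv.PublicKey, payload); err != nil {
		fmt.Println("RSA-OAEP refuses bulk data:", err)
	}
	env, _ := Seal(&priv.PublicKey, payload)
	out, err := Open(priv, env)
	fmt.Println("hybrid round trip ok:", err == nil && len(out) == len(payload))
}
```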

Question 30. Which of the following techniques will you use to hide secret data within a non-secret file or message with the purpose of avoiding data detection?
(A) Elliptical curve cryptography
(B) Homomorphic encryption
(C) Lightweight cryptography
(D) Steganography

Explanation 30. Steganography is the correct answer.

Steganography is the technique of hiding secret data within an ordinary, non-secret file or message in order to avoid detection; the secret data is then extracted at its destination. The use of steganography can be combined with encryption as an extra step for hiding or protecting data.

Steganography can be used to conceal almost any type of digital content, including text, image, video or audio content; the data to be hidden can be hidden inside almost any other type of digital content.
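Least-significant-bit steganography over a constructed grayscale pixel buffer, as an added Go example that is not from the book. The length-prefixed framing is an assumption, and MaxDelta shows why the carrier looks unchanged to the eye.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Embed hides payload in the least significant bit of successive cover bytes
// (one byte per 8-bit grayscale pixel in this constructed model). A 4-byte
// big-endian length prefix tells Extract where the payload ends.
func Embed(cover, payload []byte) ([]byte, error) {
	msg := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(msg, uint32(len(payload)))
	copy(msg[4:], payload)
	if len(msg)*8 > len(cover) {
		return nil, errors.New("cover too small for payload")
	}
	stego := append([]byte(nil), cover...)
	for i, b := range msg {
		for bit := 0; bit < 8; bit++ {
			v := (b >> uint(7-bit)) & 1
			idx := i*8 + bit
			stego[idx] = (stego[idx] &^ 1) | v
		}
	}
	return stego, nil
}

// lsbBytes reassembles n bytes from the LSBs of stego, starting at byte offset off.
func lsbBytes(stego []byte, off, n int) ([]byte, error) {
	if (off+n)*8 > len(stego) {
		return nil, errors.New("stego data too short")
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		var b byte
		for bit := 0; bit < 8; bit++ {
			b = b<<1 | stego[(off+i)*8+bit]&1
		}
		out[i] = b
	}
	return out, nil
}

// Extract reads the length prefix and then the payload.
func Extract(stego []byte) ([]byte, error) {
	hdr, err := lsbBytes(stego, 0, 4)
	if err != nil {
		return nil, err
	}
	return lsbBytes(stego, 4, int(binary.BigEndian.Uint32(hdr)))
}

// MaxDelta is the largest change to any single cover byte; for LSB embedding
// it is at most 1, a difference no viewer notices.
func MaxDelta(cover, stego []byte) int {
	worst := 0
	for i := range cover {
		if i >= len(stego) {
			break
		}
		d := int(cover[i]) - int(stego[i])
		if d < 0 {
			d = -d
		}
		if d > worst {
			worst = d
		}
	}
	return worst
}

func main() {
	cover := make([]byte, 512) // constructed 512-pixel grayscale gradient
	for i := range cover {
		cover[i] = byte(i)
	}
	stego, err := Embed(cover, []byte("meet at noon"))
	if err != nil {
		panic(err)
	}
	got, _ := Extract(stego)
	fmt.Printf("extracted %q, max per-pixel change %d\n", got, MaxDelta(cover, stego))
}
```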

Lightweight cryptography is incorrect. Lightweight cryptography is a cryptographic algorithm or protocol tailored for implementation in constrained environments including RFID tags, sensors, contactless smart cards and health-care devices.

It is very difficult for a resource-limited environment to implement the standard cryptographic algorithms due to the implementation size, speed or throughput, and energy consumption. Lightweight cryptography trades off implementation cost, speed, security, performance, and energy consumption on resource-limited devices. The motivation of lightweight cryptography is to use less memory, less computing resource, and less power to provide security solutions that can work on resource-limited devices.

Homomorphic encryption is incorrect. The purpose of homomorphic encryption is to allow computation on encrypted data. Thus data can remain confidential while it is processed, enabling useful tasks to be accomplished with data residing in untrusted environments. In a world of distributed computation and heterogeneous networking, this is a hugely valuable capability.

A homomorphic cryptosystem is like other forms of public encryption in that it uses a public key to encrypt data and allows only the individual with the matching private key to access its unencrypted data. However, what sets it apart from other forms of encryption is that it uses an algebraic system to allow you or others to perform a variety of computations (or operations) on the encrypted data.
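The algebra behind that capability, as an added Go example that is not from the book: unpadded textbook RSA is multiplicatively homomorphic, so a party holding only ciphertexts and the public key can form a product that decrypts correctly. The 2048-bit key and the operands 6 and 7 are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"fmt"
	"math/big"
)

// NewKey generates the RSA pair; only the holder of the private key can decrypt.
func NewKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Textbook (unpadded) RSA: c = m^e mod n. Used here only to expose the
// algebra; real deployments add OAEP padding, which removes this property.
func Encrypt(pub *rsa.PublicKey, m *big.Int) *big.Int {
	return new(big.Int).Exp(m, big.NewInt(int64(pub.E)), pub.N)
}

func Decrypt(priv *rsa.PrivateKey, c *big.Int) *big.Int {
	return new(big.Int).Exp(c, priv.D, priv.N)
}

// MultiplyEncrypted is the computation on encrypted data: with only two
// ciphertexts and the public key, c1*c2 mod n decrypts to m1*m2, because
// (m1^e)(m2^e) = (m1*m2)^e mod n.
func MultiplyEncrypted(pub *rsa.PublicKey, c1, c2 *big.Int) *big.Int {
	return new(big.Int).Mod(new(big.Int).Mul(c1, c2), pub.N)
}

// HomomorphicProduct runs the whole round trip for two small integers
// (their product must stay below n for the result to be exact).
func HomomorphicProduct(priv *rsa.PrivateKey, a, b int64) int64 {
	pub := &priv.PublicKey
	ca := Encrypt(pub, big.NewInt(a))
	cb := Encrypt(pub, big.NewInt(b))
	return Decrypt(priv, MultiplyEncrypted(pub, ca, cb)).Int64()
}

func main() {
	priv, err := NewKey()
	if err != nil {
		panic(err)
	}
	fmt.Println("6 * 7 computed on ciphertexts =", HomomorphicProduct(priv, 6, 7))
}
```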
Elliptical curve cryptography is incorrect. Elliptical curve cryptography (ECC) is a public key encryption technique based on elliptic curve theory that can be used to create faster, smaller, and more efficient cryptographic keys. ECC generates keys through the properties of the elliptic curve equation instead of the traditional method of generation as the product of very large prime numbers. The technology can be used in conjunction with most public-key encryption methods, such as RSA and Diffie-Hellman.

Question 31. You have been tasked to find a way to transform a plain text sensitive file into a non-readable form and send it through the web. Which of the following techniques will you use to send the file through the web so that only authorized parties can understand the information?
(A) Encryption
(B) Data masking
(C) Tokenization
(D) Data at rest

Explanation 31. Encryption is the correct answer.

Encryption is the process of using an algorithm to transform plain text information into a non-readable form called ciphertext. An algorithm and an encryption key are required to decrypt the information and return it to its original plain text format. Today, SSL encryption is commonly used to protect information as it’s transmitted on the Internet.

In other words, encryption is a way of scrambling data so that only authorized parties can understand the information. In technical terms, it is the process of converting plaintext to ciphertext.

In simpler terms, encryption takes readable data and alters it so that it appears random. Encryption requires the use of an encryption key: a set of mathematical values that both the sender and the recipient of an encrypted message know.

Data masking is incorrect. Data masking is a method of creating a structurally similar but inauthentic version of an organization’s data that can be used for purposes such as software testing and user training. The purpose is to protect the actual data while having a functional substitute for occasions when the real data is not required.

Overall, the primary function of masking data is to protect sensitive, private information in situations where it might be visible to someone without clearance for the information.

Tokenization is incorrect. Tokenization is the process of turning a meaningful piece of data, such as an account number, into a random string of characters called a token that has no meaningful value if breached. Tokens serve as a reference to the original data, but cannot be used to guess those values. That’s because, unlike encryption, tokenization does not use a mathematical process to transform sensitive information into the token.

There is no key or algorithm that can be used to derive the original data from a token. Instead, tokenization uses a database, called a token vault, which stores the relationship between the sensitive value and the token. The real data in the vault is then secured, often via encryption.

Data at rest is incorrect. Data at rest is data that is not actively moving from device to device or network to network, such as data stored on a hard drive, laptop, flash drive, or archived/stored in some other way.

Data protection at rest aims to secure inactive data stored on any device or network. While data at rest is sometimes considered to be less vulnerable than data in transit, attackers often find data at rest a more valuable target than data in motion.
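Tokenization and data masking contrasted, as an added Go example that is not from the book: a token vault that mints random tokens and is the only way back to the value, beside a masking function that keeps the structure but not the data. The vault design, token prefix and sample card number are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
)

// TokenVault holds the only link between a token and the sensitive value it
// replaces. The token is random, so no key or algorithm derives the value from
// it; in production the vault contents are themselves encrypted at rest.
type TokenVault struct {
	mu      sync.Mutex
	byToken map[string]string
	byValue map[string]string
}

func NewTokenVault() *TokenVault {
	return &TokenVault{byToken: map[string]string{}, byValue: map[string]string{}}
}

// Tokenize returns the existing token for a value, or mints a new random one.
func (v *TokenVault) Tokenize(value string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	if t, ok := v.byValue[value]; ok {
		return t, nil
	}
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	t := "tok_" + hex.EncodeToString(buf) // assumed token format
	v.byToken[t] = value
	v.byValue[value] = t
	return t, nil
}

// Detokenize is the only way back, and only for whoever can reach the vault.
func (v *TokenVault) Detokenize(token string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	value, ok := v.byToken[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return value, nil
}

// MaskPAN produces the structurally similar but inauthentic form used on
// screens and in test data: same length, last four digits kept, rest replaced.
func MaskPAN(pan string) string {
	digits := strings.ReplaceAll(pan, " ", "")
	if len(digits) <= 4 {
		return strings.Repeat("*", len(digits))
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

func main() {
	vault := NewTokenVault()
	pan := "4111 1111 1111 1111" // constructed test card number
	tok, _ := vault.Tokenize(pan)
	back, _ := vault.Detokenize(tok)
	fmt.Println("token:", tok)
	fmt.Println("masked:", MaskPAN(pan), " detokenized matches:", back == pan)
}
```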

Question 32. Which of the following backup types backs up only the data that has changed since the previous backup?
(A) Full backup
(B) Incremental backup
(C) Differential backup
(D) Snapshot backup

Explanation 32. Incremental backup is the correct answer.

Incremental backups were introduced as a way to decrease the amount of time and storage space that it takes to do a full backup. Incremental backups only back up the data that has changed since the previous backup.

Full backup is incorrect. A full backup is exactly what the name implies: a full copy of your entire data set.

Differential backup is incorrect. A differential backup is similar to an incremental backup in that it starts with a full backup and subsequent backups only contain data that has changed.

The difference between incremental and differential backup is that, while an incremental backup only includes the data that has changed since the previous backup, a differential backup contains all of the data that has changed since the last full backup.

Snapshot backup is incorrect. A snapshot backup is a type of backup copy used to create the entire architectural instance/copy of an application, disk or system. It is used in backup processes to restore the system or disk of a particular device at a specific time. A snapshot backup can also be referred to as an image backup.
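The difference between the backup types worked through on a constructed four-day change history, as an added Go example that is not from the book: what each backup stores, and which backups a restore has to read. Deleted files are left out of the model.

```go
package main

import "fmt"

// State is the data set at one point in time: file name -> content.
type State map[string]string

type Kind int

const (
	Full Kind = iota // must open every chain
	Incremental
	Differential
)

// Backup records which files one backup run had to copy.
type Backup struct {
	Kind  Kind
	Files State
}

// changedSince returns files new or modified relative to base (deletions are left out).
func changedSince(now, base State) State {
	out := State{}
	for name, content := range now {
		if c, ok := base[name]; !ok || c != content {
			out[name] = content
		}
	}
	return out
}

// Run performs one backup of the given kind per state, in order.
func Run(states []State, kinds []Kind) []Backup {
	backups := make([]Backup, 0, len(states))
	var lastFull, lastAny State
	for i, st := range states {
		var files State
		switch kinds[i] {
		case Full:
			files = changedSince(st, State{}) // everything
			lastFull = st
		case Incremental:
			files = changedSince(st, lastAny) // since the previous backup of any kind
		case Differential:
			files = changedSince(st, lastFull) // since the last full backup
		}
		backups = append(backups, Backup{Kind: kinds[i], Files: files})
		lastAny = st
	}
	return backups
}

// NeededForRestore lists the backups a restore must read: the last full plus every
// later incremental, or the last full plus only the newest differential.
func NeededForRestore(backups []Backup) []int {
	last := len(backups) - 1
	full := last
	for full > 0 && backups[full].Kind != Full {
		full--
	}
	if backups[last].Kind == Differential {
		return []int{full, last}
	}
	idx := []int{}
	for i := full; i <= last; i++ {
		idx = append(idx, i)
	}
	return idx
}

// Restore replays the chosen backups in order; newer content wins.
func Restore(backups []Backup, idx []int) State {
	out := State{}
	for _, i := range idx {
		for name, content := range backups[i].Files {
			out[name] = content
		}
	}
	return out
}

// days is a constructed history: three files on day 0, then one file changes per day.
var days = []State{
	{"a": "a1", "b": "b1", "c": "c1"},
	{"a": "a2", "b": "b1", "c": "c1"},
	{"a": "a2", "b": "b2", "c": "c1"},
	{"a": "a2", "b": "b2", "c": "c3"},
}

func main() {
	inc := Run(days, []Kind{Full, Incremental, Incremental, Incremental})
	diff := Run(days, []Kind{Full, Differential, Differential, Differential})
	fmt.Println("incremental chain:", inc, "restore reads", NeededForRestore(inc))
	fmt.Println("differential chain:", diff, "restore reads", NeededForRestore(diff))
	fmt.Println("restored:", Restore(diff, NeededForRestore(diff)))
}
```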

Question 33. Which of the following part(s) of Authentication, Authorization, and Accounting (AAA) is responsible for measuring the resources a user consumes during access to a system?
(A) Accounting
(B) Authorization
(C) Authentication
(D) Authentication & Authorization

Explanation 33. Accounting is the correct answer.

Authentication, Authorization and Accounting is the term for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services.

As the first process, authentication provides a way of identifying a user, typically by having the user enter a valid user name and valid password before access is granted.

Following authentication, a user must gain authorization for doing certain tasks. After logging into a system, for instance, the user may try to issue commands. The authorization process determines whether the user has the authority to issue such commands.

The final plank in the AAA framework is accounting, which measures the resources a user consumes during access. This can include the amount of system time or the amount of data a user has sent and/or received during a session.

Question 34. Which of the following actions should be taken to increase the security of SCADA networks? (Choose all that apply.)
(A) Identify all connections to SCADA networks
(B) Disconnect unnecessary connections to the SCADA network
(C) Enable unnecessary services
(D) Implement internal and external intrusion detection systems
(E) Conduct physical security surveys and assess all remote sites connected to the SCADA network

Explanation 34. A, B, D, and E are the correct answers. The actions that should be taken to increase the security of SCADA networks are:
1. Identify all connections to SCADA networks
2. Disconnect unnecessary connections to the SCADA network
3. Implement internal and external intrusion detection systems
4. Conduct physical security surveys and assess all remote sites connected to the SCADA network
5. Disable unnecessary services

Question 35. Your company migrates its infrastructure to the public cloud because of the advantages the cloud offers. Which of the following options are considered advantages of using public cloud services? (Choose all that apply.)
(A) Lower costs
(B) No maintenance
(C) Full-control
(D) Near-unlimited scalability
(E) High reliability
(F) Secure data

Explanation 35. A, B, D, and E are the correct answers.

Public clouds are the most common way of deploying cloud computing. The cloud resources, like servers and storage, are owned and operated by a third-party cloud service provider and delivered over the Internet. With a public cloud, all hardware, software, and other supporting infrastructure are owned and managed by the cloud provider.

Advantages of public clouds:
1. Lower costs: no need to purchase hardware or software, and you pay only for the service you use.
2. No maintenance: your service provider provides the maintenance.
3. Near-unlimited scalability: on-demand resources are available to meet your business needs.
4. High reliability: a vast network of servers ensures against failure.

Disadvantages of public clouds:
1. Loss of control: when you outsource your technology to the public cloud, it’s out of your hands.
2. Insecure data: when you entrust your data and applications to the public cloud, you have no real assurances that they will be safe.

CHAPTER 2
ATTACKS, THREATS, AND VULNERABILITIES

Questions 36-71

Question 36. Given the following injection attacks, which one allows an attacker to interfere with the queries that an application makes to its database?
(A) SQL injection
(B) DLL Injection
(C) LDAP Injection
(D) XML Injection

Question 37. A member of the company asks for a financial transfer by sending an encrypted message to the financial administrator. An attacker eavesdrops on this message, captures it, and is now in a position to resend it. Because it's an authentic message that has simply been resent, the message is already correctly encrypted and looks legitimate to the financial administrator. The financial administrator is therefore likely to respond to this new request, and that response could include sending a large sum of money to the attacker's bank account. Which of the following types of attack does the scenario describe?
(A) Improper Input Handling
(B) Pass the hash attack
(C) Replay attack
(D) SSL Stripping

Question 38. The type of malicious code or software that looks legitimate but can take control of your computer is known as ______________ . It is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network.
(A) Worm
(B) Spyware
(C) Ransomware
(D) Trojan

Question 39. __________________ attacks are a subset of denial of service (DoS) attacks in which malicious nodes block legitimate communication by causing intentional interference in networks.
(A) Disassociation
(B) Bluesnarfing
(C) Bluejacking
(D) Jamming

Question 40. There are two main techniques for driver manipulation: shimming and refactoring. Shimming is the process of changing a computer program’s internal structure without modifying its external functional behavior or existing functionality.
(A) TRUE
(B) FALSE

Question 41. In which of the following attacks does the attacker submit many passwords or passphrases with the hope of eventually guessing correctly?
(A) Brute force attack
(B) Rainbow table attack
(C) Dictionary attack
(D) Plaintext Attack

Question 42. Which of the following attacks is a type of hacking wherein the perpetrator tries to crack the passwords stored in a database system?
(A) Brute force attack
(B) Rainbow table attack
(C) Dictionary attack
(D) Plaintext Attack

Question 43. Which of the following attacks occurs when someone infiltrates a system through an outside partner or provider with access to the systems and data?
(A) Supply-chain attack
(B) Skimming
(C) Remote Access Trojan
(D) Command and control

Question 44. Which of the following types of social engineering is a method in which the attacker seeks to compromise a specific group of end-users by infecting websites that members of that group are known to visit?
(A) Credential Harvesting
(B) Shoulder surfing
(C) Watering hole attack
(D) Dumpster diving

Question 45. In which of the following wireless network attacks does the attacker set up a fraudulent Wi-Fi access point that appears to be legitimate but is used to eavesdrop on wireless communications?
(A) Rogue Access Point
(B) Evil Twin
(C) Initialization Vector
(D) Near-field Communication
Question 46. Which of the following types of social engineering techniques is the use of messaging systems to send an unsolicited message to large numbers of recipients for the purpose of commercial advertising, or for the purpose of non-commercial proselytizing?
(A) Tailgating
(B) Whaling
(C) Pharming
(D) Spamming

Question 47. Which of the following attacks is known as URL hijacking?
(A) Impersonation attack
(B) Hoax
(C) Identity fraud
(D) Typosquatting attack

Question 48. Adversarial machine learning is a machine learning technique that attempts to fool models by supplying deceptive input.
(A) TRUE
(B) FALSE

Question 49. What type of attack is it when an attacker takes over a regular user account on a network and attempts to gain administrative permissions?
(A) Cross-site scripting
(B) Directory traversal
(C) Privilege escalation
(D) Buffer overflow

Question 50. A method by which authorized and unauthorized users are able to get around normal security measures and gain high-level user access (root access) on a computer system, network, or software application is known as:
(A) Backdoor
(B) Botnet
(C) Spraying
(D) Pretexting

Question 51. In which of the following social engineering techniques is the user tricked into downloading a Trojan horse, virus or other malware onto his cellular phone or other mobile device?
(A) Smishing
(B) Phishing
(C) Spear phishing
(D) Vishing
Question 52. The attacker connects to a switch port and starts sending a very large number of Ethernet frames, each with a different fake source MAC address. The switch’s MAC address table becomes full and is no longer able to store more MAC addresses, which means it enters a fail-open mode and starts behaving like a network hub. Frames are flooded to all ports, similar to a broadcast type of communication. All frames between the victim and other machines are therefore delivered to the attacker’s machine, and the attacker is able to capture sensitive data from the network. Given the above scenario, identify the Layer 2 type of attack.
(A) ARP poisoning
(B) MAC flooding
(C) MAC cloning
(D) Man-in-the-browser
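A detection check for the scenario above, as an added Go example that is not from the book: it counts distinct source MACs per switch port from a constructed forwarding log and flags any port whose count exceeds the limit a port-security setting would enforce. The log format and port names are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Frame is one observation from a switch's forwarding log (constructed
// format): the ingress port and the frame's source MAC address.
type Frame struct {
	Port   string
	SrcMAC string
}

// ParseFrames reads lines of the form "port=<id> src=<mac>", skipping any
// line that lacks either field.
func ParseFrames(log string) []Frame {
	var frames []Frame
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		var f Frame
		for _, field := range strings.Fields(sc.Text()) {
			switch {
			case strings.HasPrefix(field, "port="):
				f.Port = strings.TrimPrefix(field, "port=")
			case strings.HasPrefix(field, "src="):
				f.SrcMAC = strings.ToLower(strings.TrimPrefix(field, "src="))
			}
		}
		if f.Port != "" && f.SrcMAC != "" {
			frames = append(frames, f)
		}
	}
	return frames
}

// DistinctSourcesPerPort counts how many different source MACs each port has
// presented. An access port normally carries one or a few; a port under MAC
// flooding presents thousands within seconds.
func DistinctSourcesPerPort(frames []Frame) map[string]int {
	seen := map[string]map[string]bool{}
	for _, f := range frames {
		if seen[f.Port] == nil {
			seen[f.Port] = map[string]bool{}
		}
		seen[f.Port][f.SrcMAC] = true
	}
	counts := map[string]int{}
	for port, macs := range seen {
		counts[port] = len(macs)
	}
	return counts
}

// FloodingPorts returns, sorted, the ports whose distinct-source count exceeds
// limit. The same limit is what a switch port-security "maximum MAC addresses"
// setting enforces, restricting or shutting the port instead of failing open.
func FloodingPorts(frames []Frame, limit int) []string {
	var ports []string
	for port, n := range DistinctSourcesPerPort(frames) {
		if n > limit {
			ports = append(ports, port)
		}
	}
	sort.Strings(ports)
	return ports
}

// SampleLog builds a constructed log: two normal ports and one port that
// suddenly claims 300 different source addresses.
func SampleLog() string {
	var sb strings.Builder
	sb.WriteString("port=Gi1/0/1 src=3c:52:82:11:aa:01\n")
	sb.WriteString("port=Gi1/0/1 src=3c:52:82:11:aa:02\n")
	sb.WriteString("port=Gi1/0/2 src=b8:27:eb:44:55:66\n")
	for i := 0; i < 300; i++ {
		fmt.Fprintf(&sb, "port=Gi1/0/7 src=02:00:00:00:%02x:%02x\n", i/256, i%256)
	}
	return sb.String()
}

func main() {
	frames := ParseFrames(SampleLog())
	fmt.Println("distinct sources per port:", DistinctSourcesPerPort(frames))
	fmt.Println("ports exceeding limit 8:", FloodingPorts(frames, 8))
}
```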

Question 53. Which of the following cryptographic attacks forces victims to use older, more vulnerable versions of software in order to exploit known vulnerabilities against them?
(A) Birthday
(B) Collision
(C) Downgrade
(D) Reconnaissance

Question 54. Which of the following attacks isn’t intended to steal data but to remain in place for as long as possible, quietly mining in the background?
(A) Logic bomb
(B) Keylogger
(C) Rootkit
(D) Crypto-malware

Question 55. In which of the following API attacks does the attacker intercept communications between an API endpoint and a client in order to steal and/or alter the confidential data that is passed between them?
(A) Man in the Middle
(B) Authentication Hijacking
(C) Unencrypted Communications
(D) Injection Attacks

Question 56. Which of the following options are considered request forgery attacks? (Choose all that apply.)
(A) Server-side
(B) Cross-site
(C) Forge-site
(D) Request-side
(E) Forge-side

Question 57. A hacker introduced corrupt Domain Name System (DNS) data into a DNS resolver’s cache with the aim of redirecting users either to the wrong websites or to his own computer. What type of DNS attack did the hacker implement in this scenario?
(A) DNS Poisoning
(B) URL redirection
(C) Domain Hijacking
(D) DNS Corruption

Question 58. The document that lists out the specifics of your
penetration testing project to ensure that both the client and
the engineers working on a project know exactly what is being
tested when it’s being tested, and how it’s being tested is
known as:
(A) Lateral Movements
(B) Rules of Engagement
(C) Pivoting
(D) Bug Bounty

Question 59. Which of the following attacks is a Network Layer DDoS attack?
(A) BGP Hijacking
(B) DNS amplification
(C) HTTP Flood
(D) Slow Read

Question 60. You have set up an intrusion detection system (IDS) and suddenly the IDS identifies an activity as an attack, but the activity is acceptable behavior. The state, in this case, is known as:
(A) False-positive
(B) False-negative
(C) Non-credentialed scans
(D) Credentialed scans

Question 61. A zero-day attack is an attack that exploits a potentially serious software security weakness that the vendor or developer may be unaware of. (True/False)
(A) TRUE
(B) FALSE

Question 62. __________ is the first step, where a hacker gathers as much information as possible to find ways to intrude into a target system, or at least to decide what type of attacks will be more suitable for the target.
(A) War Driving
(B) OSINT
(C) Footprinting
(D) Cleanup
Question 63. Which of the following options is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures?
(A) Log aggregation
(B) Common Vulnerabilities and Exposures
(C) Sentiment analysis
(D) Security Orchestration, Automation, and Response

Question 64. The type of hacker that violates computer security systems without permission, stealing the data inside for their own personal gain or vandalizing the system, is commonly known as:
(A) Black-Hat hackers
(B) White-Hat hackers
(C) Red-Hat hackers
(D) Gray-Hat hackers

Question 65. A hacker attacks a network with the aim of maintaining ongoing access to the targeted network rather than getting in and out as quickly as possible, with the ultimate goal of stealing information over a long period of time. Which type of attack did the hacker use in this case?
(A) Insider threat
(B) State actors
(C) Hacktivism
(D) Advanced persistent threat (APT)

Question 66. Which of the following are cloud-based security vulnerabilities? (Choose all that apply)
(A) Misconfigured Cloud Storage
(B) Poor Access Control
(C) Shared Tenancy
(D) Secure APIs

Question 67. You have been hired as a penetration tester for a company to locate and exploit vulnerabilities in its target's outward-facing services. You are not provided with any architecture diagrams or source code. This means that you are relying on dynamic analysis of currently running programs and systems within the target network. Which of the following pentesting assignments are you currently on?
(A) Gray-Box Testing
(B) White-Box Testing
(C) Black-Box Testing
(D) Open-Box Testing

Question 68. Which of the following terms refers to Informa-
tion Technology (IT) applications and infrastructure that are
managed and utilized without the knowledge of the enterprise’s
IT department?
(A) Script Kiddies
(B) Indicators of compromise
(C) Shadow IT
(D) Open-source intelligence

Question 69. Which of the following cybersecurity exercise teams does not focus exclusively on attacking or defending, but does both?
(A) Red team
(B) Blue team
(C) White team
(D) Purple team

Question 70. The technique of redirecting victims from a current page to a new URL, which is usually a phishing page that impersonates a legitimate site and steals credentials from the victims, is known as:
(A) URL redirection
(B) DNS spoofing
(C) Domain hijacking
(D) Domain redirection
Question 71. The type of hackers that are experts in compro-
mising computer security systems and use their abilities for
good, ethical, and legal purposes rather than bad, unethical,
and criminal purposes is commonly known as:
(A) White-Hat hackers
(B) Black-Hat hackers
(C) Red-Hat hackers
(D) Gray-Hat hackers

Answers 36-71

Question 36. Given the following injection attacks, which one allows an attacker to interfere with the queries that an application makes to its database?
(A) SQL injection
(B) DLL Injection
(C) LDAP Injection
(D) XML Injection

Explanation 36. SQL injection is the correct answer.

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve.

This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior.

DLL injection is incorrect. DLL injection is a technique attackers use to run malicious code in the context of a legitimate process, often as part of privilege escalation or defense evasion. It involves compromising legitimate processes and services of the Windows operating system. By using the context of a process recognized to be legitimate, an attacker gains several advantages, especially the ability to access the process's memory and permissions.

LDAP injection is incorrect. LDAP injection is an attack used to exploit web-based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements (for example, by tampering with the request through a local proxy). This could result in the execution of arbitrary commands such as granting permissions to unauthorized queries, and content modification inside the LDAP tree.

XML injection is incorrect as XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intended logic of an application, and XML injection can cause the insertion of malicious content into resulting messages/documents.

With a successful XML injection attack, the attacker can steal the entire database, or can even log in as the administrator of the website. Other security issues such as XSS and DoS attacks can be leveraged with malicious XML injections.
Question 37. A member of the company asks for a financial
transfer by sending an encrypted message to the financial ad-
ministrator. An attacker eavesdrops on this message, captures
it, and is now in a position to resend it. Because it's an authen-
tic message that has simply been resent, the message is al-
ready correctly encrypted and looks legitimate to the financial
administrator. Then the financial administrator is likely to re-
spond to this new request, that response could include sending
a large sum of money to the attacker's bank account. Which of
the following types of attack does the scenario describe?
(A) Improper Input Handling
(B) Pass the hash attack
(C) Replay attack
(D) SSL Stripping

Explanation 37. Replay attack is the correct answer.

A replay attack occurs when a cybercriminal eavesdrops on secure network communication, intercepts it, and then fraudulently delays or resends it to misdirect the receiver into doing what the hacker wants.

The added danger of replay attacks is that a hacker doesn't even need advanced skills to decrypt a message after capturing it from the network. The attack could be successful simply by resending the whole thing.
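Worked example (added here for illustration; it is not part of the original practice test). The transfer request below is authenticated with an HMAC tag, so it is genuine and cannot be altered, yet a receiver that only checks the tag will execute a captured copy a second time. The hardened receiver also requires a timestamp inside the freshness window and a nonce it has never seen, both covered by the tag. The shared key, the message fields and the class names are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed shared key for the demonstration (an assumption; real systems
# provision keys out of band and never hard-code them).
SHARED_KEY = b"demo-shared-key-do-not-reuse"


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(body: dict) -> dict:
    """Sender side: authenticate the request body with an HMAC-SHA256 tag."""
    tag = hmac.new(SHARED_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def tag_is_valid(envelope: dict) -> bool:
    expected = hmac.new(SHARED_KEY, _canonical(envelope["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


class NaiveReceiver:
    """Checks only that the tag is genuine: a captured message replays fine."""

    def __init__(self):
        self.executed = []

    def accept(self, envelope: dict) -> bool:
        if not tag_is_valid(envelope):
            return False
        self.executed.append(envelope["body"])
        return True


class ReplayResistantReceiver:
    """Also requires a fresh timestamp and a never-before-seen nonce; both sit
    inside the signed body, so the attacker cannot refresh them."""

    def __init__(self, max_skew_seconds: int = 300):
        self.executed = []
        self.seen_nonces = set()
        self.max_skew = max_skew_seconds

    def accept(self, envelope: dict, now: int) -> bool:
        if not tag_is_valid(envelope):
            return False
        body = envelope["body"]
        if abs(now - body["ts"]) > self.max_skew:   # stale (or from the future)
            return False
        if body["nonce"] in self.seen_nonces:         # exact replay
            return False
        self.seen_nonces.add(body["nonce"])
        self.executed.append(body)
        return True


def demo() -> dict:
    now = 1_700_000_000  # fixed clock so the run is deterministic
    request = sign({"action": "transfer", "amount": 50_000, "to": "ACME-4711",
                    "ts": now, "nonce": "8f3a1c77"})

    naive = NaiveReceiver()
    naive_results = [naive.accept(request), naive.accept(request)]   # original, replay

    hardened = ReplayResistantReceiver()
    hardened_results = [hardened.accept(request, now), hardened.accept(request, now)]

    # A genuine message replayed an hour later fails the freshness check
    late = hardened.accept(sign({**request["body"], "nonce": "late-1"}), now + 3600)

    # Changing a covered field (the amount) invalidates the tag
    forged = {"body": {**request["body"], "amount": 9_000_000}, "tag": request["tag"]}
    tampered = hardened.accept(forged, now)

    return {
        "naive": naive_results,
        "naive_transfers": len(naive.executed),
        "hardened": hardened_results,
        "hardened_transfers": len(hardened.executed),
        "late_replay": late,
        "tampered": tampered,
    }


if __name__ == "__main__":
    print(demo())
```

The naive receiver pays out twice from one captured message; the hardened one pays once and rejects the replay, the stale copy and the tampered copy. The seen-nonce set only needs to cover the freshness window, which is what keeps it from growing without bound.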

Improper Input Handling is incorrect. Input handling is the term used to describe functions such as validation, sanitization, filtering, or encoding and/or decoding of input data, and improper input handling is a leading cause of critical vulnerabilities in today's systems and applications.

The root cause of improper input handling is the application trusting, rather than validating, data inputs. One of the key aspects of input handling is validating that the input satisfies certain criteria. All inputs should be considered untrusted as they can come from a variety of mechanisms and be transferred in various formats.

A Pass-the-Hash (PtH) attack is incorrect as it is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems.

The threat actor doesn't need to crack the hash to obtain a plaintext password. PtH attacks exploit the authentication protocol, as the password's hash remains static for every session until the password is rotated. Attackers commonly obtain hashes by scraping a system's active memory and other techniques.

SSL Stripping, or an SSL downgrade attack, is incorrect as it is an attack used to circumvent the security enforced by SSL certificates on HTTPS-enabled websites. In other words, SSL stripping is a technique that downgrades your connection from secure HTTPS to insecure HTTP and exposes you to eavesdropping and data manipulation.

Question 38. The type of malicious code or software that looks legitimate but can take control of your computer is known as ______________ . It is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network.
(A) Worm
(B) Spyware
(C) Ransomware
(D) Trojan

Explanation 38. Trojan is the correct answer.

A Trojan horse, or Trojan, is a type of malicious code or software that looks legitimate but can take control of your computer. A Trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network.

A Trojan acts as a bona fide application or file to trick you. It
seeks to deceive you into loading and executing the malware
on your device. Once installed, a Trojan can perform the action
it was designed for.

Worm is incorrect. A computer worm is a type of malware that spreads copies of itself from computer to computer. A worm can replicate itself without any human interaction, and it does not need to attach itself to a software program in order to cause damage.

Ransomware is incorrect. Ransom malware, or ransomware, is a type of malware that prevents users from accessing their system or personal files and demands a ransom payment in order to regain access.

There are several different ways that ransomware can infect your computer. One of the most common methods today is through malicious spam, which is an unsolicited email that is used to deliver malware. The email might include booby-trapped attachments, such as PDFs or Word documents. It might also contain links to malicious websites.

Spyware is incorrect. Spyware is unwanted software that infiltrates your computing device, stealing your internet usage data and sensitive information. Spyware is classified as a type of malware — malicious software designed to gain access to or damage your computer, often without your knowledge. Spyware gathers your personal information and relays it to advertisers, data firms, or external users.

Spyware is used for many purposes. Usually, it aims to track and sell your internet usage data, capture your credit card or bank account information, or steal your personal identity.

Question 39. __________________ attacks are a subset of denial of service (DoS) attacks in which malicious nodes block legitimate communication by causing intentional interference in networks.
(A) Disassociation
(B) Bluesnarfing
(C) Bluejacking
(D) Jamming

Explanation 39. Jamming is the correct answer.

Jamming attacks are a subset of denial of service (DoS) attacks in which malicious nodes block legitimate communication by causing intentional interference in networks.

Disassociation is incorrect. Disassociation attacks exploit the unauthenticated nature of 802.11 management frames. When a station wants to connect to an AP, it first exchanges authentication frames and then association frames. It can participate in the network after it is authenticated and associated.

However, any station can spoof a disassociate message, pretending to be another station. The AP disassociates the targeted station, which cannot send traffic until it is associated again. By repeatedly sending these frames, an attacker can keep one or more stations off a network indefinitely. This attack is documented in a paper by John Bellardo and Stefan Savage. Protected Management Frames (802.11w) authenticate disassociation and deauthentication frames and are the standard mitigation.

Bluesnarfing is incorrect. Bluesnarfing is the theft of information from a wireless device through a Bluetooth connection. Bluetooth is a high-speed but very short-range wireless technology for exchanging data between desktop and mobile computers, personal digital assistants (PDAs), and other devices.

By exploiting a vulnerability in the way Bluetooth is implemented on a mobile phone, an attacker can access information — such as the user's calendar, contact list, and e-mail and text messages — without leaving any evidence of the attack.

Bluejacking is incorrect. Bluejacking is the sending of either a picture or a message from one user to an unsuspecting user through Bluetooth wireless technology. Bluejacking does not involve the removal or alteration of any data from the device, and it does not give the attacker control of the device (taking control over Bluetooth is bluebugging).

Question 40. There are two main techniques for driver manipulation: shimming and refactoring. Shimming is the process of changing a computer program's internal structure without modifying its external functional behavior or existing functionality. (True/False)
(A) TRUE
(B) FALSE

Explanation 40. FALSE is the correct answer.

There are two main techniques for driver manipulation: shimming and refactoring.

Refactoring is the process of changing a computer program's internal structure without modifying its external functional behavior or existing functionality.

A shim is a small library that transparently intercepts API calls and changes the arguments passed. Shims can also be used to run programs on software platforms other than the ones they were developed for.
Question 41. In which of the following attacks does the attacker submit many passwords or passphrases in the hope of eventually guessing the correct password?
(A) Brute force attack
(B) Rainbow table attack
(C) Dictionary attack
(D) Plaintext Attack

Explanation 41. Brute force attack is the correct answer.

A brute force attack uses trial and error to guess login info or encryption keys, or to find a hidden web page. The attacker submits many passwords or passphrases in the hope of eventually guessing correctly, systematically checking all possible passwords and passphrases until the correct one is found.

The rainbow table attack is incorrect. A rainbow table attack uses a precomputed table of hash chains to reverse password hashes stolen from a database, trading disk space for the time a brute-force search would otherwise take. It only works when the same password always produces the same hash; salting each password with a unique random value before hashing (and using a deliberately slow password hash) defeats rainbow tables.
A dictionary attack is incorrect. A dictionary attack is a
method of breaking into a password-protected computer or
server by systematically entering every word in a dictionary as a
password. A dictionary attack can also be used in an attempt to
find the key necessary to decrypt an encrypted message or
document.

A plaintext attack is incorrect. The known-plaintext attack (KPA) is an attack model for cryptanalysis where the attacker has access to both the plaintext and its encrypted version (ciphertext). These can be used to reveal further secret information such as secret keys and codebooks.

Question 42. Which of the following attacks is a type of hacking wherein the perpetrator uses a precomputed table of hashes to crack the passwords stored in a database system?
(A) Brute force attack
(B) Rainbow table attack
(C) Dictionary attack
(D) Plaintext Attack

Explanation 42. Rainbow table attack is the correct answer.

A rainbow table attack is a type of hacking wherein the perpetrator uses a precomputed table of hash chains (a rainbow table) to crack the password hashes stored in a database system, trading disk space for the time a brute-force search would otherwise take. It only works when the same password always produces the same hash; salting each password with a unique random value before hashing (and using a deliberately slow password hash) defeats rainbow tables.

Brute force attack is incorrect. A brute force attack uses trial and error to guess login info or encryption keys, or to find a hidden web page. The attacker submits many passwords or passphrases in the hope of eventually guessing correctly, systematically checking all possible passwords and passphrases until the correct one is found.

A dictionary attack is incorrect. A dictionary attack is a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password. A dictionary attack can also be used in an attempt to find the key necessary to decrypt an encrypted message or document.

A plaintext attack is incorrect. The known-plaintext attack (KPA) is an attack model for cryptanalysis where the attacker has access to both the plaintext and its encrypted version (ciphertext). These can be used to reveal further secret information such as secret keys and codebooks.
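Worked example (added here for illustration; it is not part of the original practice test, and it serves the rainbow table, brute force and dictionary explanations in both Question 41 and Question 42). A precomputed digest-to-plaintext table cracks an unsalted hash with one lookup, but is useless against a salted hash because the table would have to contain every salt; the attacker's remaining option is a per-account dictionary attack that recomputes each guess with that account's salt. The wordlist, the passwords and the fixed salt are constructed for the example.

```python
import hashlib
import os
from typing import Optional

# Constructed wordlist standing in for the plaintexts an attacker precomputes.
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "battery-staple", "123456"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(words) -> dict:
    """Precomputed digest -> plaintext map. A real rainbow table stores hash
    chains to shrink the storage, but it answers the same question: which
    plaintext produced this unsalted digest?"""
    return {sha256_hex(w.encode()): w for w in words}


def store_unsalted(password: str) -> str:
    """The weak scheme: identical passwords give identical digests everywhere."""
    return sha256_hex(password.encode())


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Unique random salt per password, stored next to the digest as salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    return salt.hex() + "$" + sha256_hex(salt + password.encode())


def crack_with_table(table: dict, stored: str):
    """Table lookup: instant for an unsalted digest, a miss once a salt has
    changed every digest the table would have needed to contain."""
    digest = stored.rsplit("$", 1)[-1]
    return table.get(digest)


def crack_salted_with_dictionary(stored: str, words):
    """The fallback against salts: recompute each candidate with this account's
    salt. Salting does not stop this; only a strong password or a slow hash
    makes it expensive."""
    salt_hex, digest = stored.split("$", 1)
    salt = bytes.fromhex(salt_hex)
    for w in words:
        if sha256_hex(salt + w.encode()) == digest:
            return w
    return None


def demo() -> dict:
    table = build_lookup_table(WORDLIST)
    fixed_salt = bytes(range(16))   # fixed only so the run is reproducible
    weak_salted = store_salted("hunter2", fixed_salt)
    strong_salted = store_salted("vortex-pelican-granite-42", fixed_salt)
    return {
        "unsalted_table_lookup": crack_with_table(table, store_unsalted("hunter2")),
        "salted_table_lookup": crack_with_table(table, weak_salted),
        "salted_dictionary_weak": crack_salted_with_dictionary(weak_salted, WORDLIST),
        "salted_dictionary_strong": crack_salted_with_dictionary(strong_salted, WORDLIST),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:26s} -> {v}")
```

SHA-256 is used here only to keep the arithmetic visible; a password store should use a deliberately slow, salted function such as PBKDF2, bcrypt, scrypt or Argon2 so that the per-guess cost of the dictionary loop above is measured in milliseconds rather than microseconds.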
Question 43. Which of the following attacks occurs when
someone infiltrates a system through an outside partner or
provider with access to the systems and data?
(A) Supply-chain attack
(B) Skimming
(C) Remote Access Trojan
(D) Command and control

Explanation 43. Supply-chain attack is the correct answer.

A supply chain attack, also called a value-chain or third-party attack, occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data.

This has dramatically changed the attack surface of the typical enterprise in the past few years, with more suppliers and service providers touching sensitive data than ever before.

Skimming is incorrect as it is a method used by identity thieves to capture payment and personal information from a credit cardholder. Several approaches can be used by fraudsters to procure card information, with the most advanced approach involving a small device called a skimmer that reads the information stored in a card's magnetic stripe or microchip.
A remote access Trojan (RAT) is incorrect as it is a malware
program that includes a back door for administrative control
over the target computer. RATs are usually downloaded invisibly
with a user-requested program — such as a game — or sent as
an email attachment. Once the host system is compromised,
the intruder may use it to distribute RATs to other vulnerable
computers and establish a botnet.

Command and control is incorrect as malware command and control (also called C&C or C2) refers to how attackers communicate with and exhibit control of the infected system. Upon infecting the system, most malware communicates with the attacker-controlled server (C2 server) either to take commands, download additional components, or to exfiltrate information.

Question 44. Which of the following types of social engineering is a method in which the attacker seeks to compromise a specific group of end-users by infecting websites that members of that group are known to visit?
(A) Credential Harvesting
(B) Shoulder surfing
(C) Watering hole attack
(D) Dumpster diving

Explanation 44. Watering hole attack is the correct answer.
Watering hole attack is a method in which the attacker seeks
to compromise a specific group of end-users by infecting web-
sites that members of that group are known to visit.

The goal is to infect a victim's computer and gain access to the network within the victims' place of employment. Many conclude that these attacks are an alternative to spear phishing, but they are quite different. Watering hole attacks are still targeted attacks, but they cast a wider net and trap more victims than the attacker's original objective.

Dumpster diving is incorrect as dumpster diving refers to the exploration of a system's trash bin for the purpose of finding details in order for a hacker to have a successful online assault.

Dumpster diving isn't limited to searching through the trash for obvious treasures like access codes or passwords written down on sticky notes. Seemingly innocent information like a phone list, calendar, or organizational chart can be used to assist an attacker using social engineering techniques to gain access to the network.

Shoulder surfing is incorrect as shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to someone and watch as they fill out a form or enter a PIN at an ATM.

Credential harvesting is incorrect as credential harvesting is the use of MITM attacks, DNS poisoning, phishing, and other vectors to amass large numbers of credentials (username/password combinations) for reuse. Attackers use a variety of these tools to aggregate vast quantities of credentials and make them available for sale on the dark web and through other clandestine channels.

Question 45. In which of the following wireless network attacks does the attacker set up a fraudulent Wi-Fi access point that appears to be legitimate but is used to eavesdrop on wireless communications?
(A) Rogue Access Point
(B) Evil Twin
(C) Initialization Vector
(D) Near-field Communication

Explanation 45. Evil Twin is the correct answer.

An evil twin is a fraudulent Wi-Fi access point that appears to be legitimate but is set up to eavesdrop on wireless communications. The attacker snoops on Internet traffic using a bogus wireless access point. Unwitting web users may be invited to log into the attacker's server, prompting them to enter sensitive information such as usernames and passwords. Often, users are unaware they have been duped until well after the incident has occurred.

When users log into unsecured (non-HTTPS) bank or e-mail accounts, the attacker intercepts the transaction, since it is sent through their equipment. The attacker is also able to connect to other networks associated with the users' credentials.

A rogue access point (rogue AP) is incorrect. A rogue AP is any wireless access point that has been installed on a network's wired infrastructure without the consent of the network's administrator or owner, thereby providing unauthorized wireless access to the network's wired infrastructure.

Initialization Vector is incorrect. An initialization vector (IV) attack is an attack on wireless networks protected by WEP, which uses a short, frequently reused IV with the RC4 stream cipher. Once an attacker learns the plaintext of one packet, the attacker can compute the RC4 keystream generated by the IV used. This keystream can then be used to decrypt all other packets that use the same IV.
Near-field Communication is incorrect. Near-Field-Commu-
nication (NFC) is a set of communication protocols for commu-
nication between two electronic devices in close proximity.

In an eavesdropping scenario, the attacker uses an antenna to record communication between NFC devices. Despite the fact that NFC communication occurs between devices in close proximity, this type of attack is feasible. The interception of an NFC exchange doesn't always translate into the theft of information. In some cases, the attack is meant to corrupt the information being exchanged, making it useless.

Question 46. Which of the following types of social engineering techniques is the use of messaging systems to send an unsolicited message to large numbers of recipients for the purpose of commercial advertising, or for the purpose of non-commercial proselytizing?
(A) Tailgating
(B) Whaling
(C) Pharming
(D) Spamming

Explanation 46. Spamming is the correct answer.

Spam, or spamming, is the use of messaging systems to send an unsolicited message to large numbers of recipients for the purpose of commercial advertising or for the purpose of non-commercial proselytizing.

Tailgating is incorrect as the tailgating attack, also known as "piggybacking," involves an attacker seeking entry to a restricted area that lacks the proper authentication.

The attacker can simply walk in behind a person who is authorized to access the area. In a typical attack scenario, a person impersonates a delivery driver or a caretaker who is loaded with parcels and waits for an employee to open the door. The attacker asks that the employee hold the door, bypassing the security measures in place.

Pharming is incorrect as pharming is a cyberattack intended to redirect a website's traffic to another, fake site. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in the DNS server.

Whaling is incorrect as a whaling attack is a method used by cybercriminals to masquerade as a senior player at an organization and directly target senior or other important individuals at an organization, with the aim of stealing money or sensitive information or gaining access to their computer systems for criminal purposes. Also known as CEO fraud, whaling is similar to phishing in that it uses methods such as email and website spoofing to trick a target into performing specific actions, such as revealing sensitive data or transferring money.

Question 47. Which of the following attacks is known as URL hijacking?
(A) Impersonation attack
(B) Hoax
(C) Identity fraud
(D) Typosquatting attack

Explanation 47. Typosquatting attack is the correct answer.

Typosquatting, also known as URL hijacking, is a form of cybersquatting (sitting on sites under someone else's brand or copyright) that targets Internet users who incorrectly type a website address into their web browser (e.g., "Gooogle.com" instead of "Google.com"). When users make such a typographical error, they may be led to an alternative website owned by a hacker that is usually designed for malicious purposes.

Hackers often create fake websites that imitate the look and
feel of your intended destination so you may not realize you’re
at a different site. Sometimes these sites exist to sell products
and services that are in direct competition with those sold at
the website you had intended to visit, but most often they are
intended to steal your personal identifiable information, includ-
ing credit cards or passwords.

Impersonation attack is incorrect as it uses social engineering and personalization to trick an employee into unwittingly transferring money to a fraudulent account or sharing sensitive data with cybercriminals.

A computer virus hoax is incorrect as a hoax is a message warning the recipients of a non-existent computer virus threat. The message is usually a chain e-mail that tells the recipients to forward it to everyone they know.

Hoaxes can involve a wide range of subjects – warnings about computer viruses or supposed health risks, horror stories, conspiracy theories, calls for donations for the seriously ill and many more. All of these stories are designed to be spectacular but are not based on facts – they are simply being used as bait.

Identity fraud is incorrect as it occurs when someone uses your personal identifying information and pretends to be you in order to commit fraud or to gain other financial benefits.

Your personal identifying information could include your full name, home address, email address, online login and passwords, Social Security number, driver's license number, passport number, or bank number. Once thieves access this information, they may use it to commit identity theft or sell it on the dark web.

Question 48. Adversarial machine learning is a machine learning technique that attempts to fool models by supplying deceptive input. (True/False)
(A) TRUE
(B) FALSE

Explanation 48. TRUE is the correct answer.

Adversarial machine learning is a machine learning technique that attempts to fool models by supplying deceptive input. Adversarial examples are inputs to machine learning models that an attacker has intentionally designed to cause the model to make a mistake.

Question 49. What type of attack is it when an attacker takes over a regular user account on a network and attempts to gain administrative permissions?
(A) Cross-site scripting
(B) Directory traversal
(C) Privilege escalation
(D) Buffer overflow
Explanation 49. Privilege escalation is the correct answer.
Privilege escalation is a type of attack where an attacker at-
tempts to gain more permissions or access with an existing ac-
count they have compromised. For example, an attacker takes
over a regular user account on a network and attempts to gain
administrative permissions.

Cross-site scripting (XSS) is incorrect as XSS is a client-side code injection attack. The attacker aims to execute malicious scripts in the web browser of the victim by including malicious code in a legitimate web page or web application.

The actual attack occurs when the victim visits the web page
or web application that executes the malicious code. The web
page or web application becomes a vehicle to deliver the mali-
cious script to the user’s browser.

Directory traversal is incorrect as directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files.

In some cases, an attacker might be able to write to arbitrary
files on the server, allowing them to modify application data or
behavior, and ultimately take full control of the server.
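Worked example (added here for illustration; it is not part of the original practice test). The two functions below map a client-supplied file name onto a document root: the naive version joins and normalizes, which is precisely what lets `../` climb out of the root, while the hardened version decodes once, rejects NUL bytes and then proves the normalized result is still inside the root. The document root, the request paths and the function names are assumptions made for the example; nothing here touches the disk.

```python
import os
from urllib.parse import unquote

# Assumed document root for the demonstration.
DOCUMENT_ROOT = "/var/www/app/static"


class TraversalError(ValueError):
    pass


def naive_path(requested: str, root: str = DOCUMENT_ROOT) -> str:
    """Vulnerable: trusts the client-supplied path. normpath() collapses the
    '..' segments, which is exactly what lets the result leave the root."""
    return os.path.normpath(os.path.join(root, requested))


def safe_path(requested: str, root: str = DOCUMENT_ROOT) -> str:
    """Hardened: decode exactly once, reject NUL bytes, resolve against the
    root, then check containment on the normalized result."""
    decoded = unquote(requested)   # the server decodes %2e%2e%2f once; a second
                                   # decode pass here would reopen double-encoding
    if "\x00" in decoded:
        raise TraversalError("NUL byte in requested path")
    root_abs = os.path.abspath(root)
    # os.path.join silently discards `root` when `decoded` is absolute, so the
    # containment check below is the actual control, not the join.
    candidate = os.path.normpath(os.path.join(root_abs, decoded))
    # commonpath compares whole path components, so '/var/www/app/static2'
    # does not pass as a child of '/var/www/app/static' the way a string
    # prefix check would allow.
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        raise TraversalError(f"path escapes document root: {requested!r}")
    return candidate


def is_allowed(requested: str) -> bool:
    try:
        safe_path(requested)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    for p in ["css/site.css", "../../../../etc/passwd",
              "%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"]:
        print(f"{p!r:45} naive={naive_path(p)!r:28} allowed={is_allowed(p)}")
```

The containment check is on the lexical path only; if the document root itself contains symlinks that point outside it, resolve the final path with `os.path.realpath` (or open with `O_NOFOLLOW`) and repeat the check on the resolved result.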

A buffer overflow is incorrect. A buffer overflow occurs when the volume of data exceeds the storage capacity of the memory buffer. As a result, the program attempting to write the data to the buffer overwrites adjacent memory locations. Attackers exploit buffer overflow issues by overwriting the memory of an application. This changes the execution path of the program, triggering a response that damages files or exposes private information.

For example, an attacker may introduce extra code, sending new instructions to the application to gain access to IT systems.

Question 50. A method by which authorized and unauthorized users are able to get around normal security measures and gain high-level user access (root access) on a computer system, network, or software application is known as:
(A) Backdoor
(B) Botnet
(C) Spraying
(D) Pretexting
Explanation 50. Backdoor is the correct answer.
In the world of cybersecurity, a backdoor refers to any method
by which authorized and unauthorized users are able to get
around normal security measures and gain high-level user ac-
cess (root access) on a computer system, network, or software
application. Once they’re in, cybercriminals can use a backdoor
to steal personal and financial data, install additional malware,
and hijack devices.

A botnet is incorrect as a botnet is a collection of internet-connected devices infected by malware that allows hackers to control them. Cybercriminals use botnets to instigate botnet attacks, which include malicious activities such as credential leaks, unauthorized access, data theft, and DDoS attacks.

Password spraying is incorrect as password spraying is a variant of what is known as a brute force attack. In a traditional brute force attack, the perpetrator attempts to gain unauthorized access to a single account by guessing the password repeatedly in a very short period of time.

Most organizations have employed countermeasures, commonly a lock-out after three to five attempts. In a password spraying attack, the attacker circumvents common countermeasures (e.g., account lockout) by "spraying" the same password across many accounts before trying another password.
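Worked example (added here for illustration; it is not part of the original practice test). Because a spray stays under the per-account lockout, a detector has to look at the source rather than the account: one IP failing against many distinct users inside a short window, with only one or two attempts each, is the signature. The log lines below are constructed for the example, and the log format, thresholds and function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed authentication log (not from the book). Format is an assumption:
# <ISO timestamp> auth <FAILED|OK> user=<name> src=<ip>
AUTH_LOG = """\
2024-03-01T09:00:01Z auth FAILED user=alice src=203.0.113.7
2024-03-01T09:00:04Z auth FAILED user=bob src=203.0.113.7
2024-03-01T09:00:07Z auth FAILED user=carol src=203.0.113.7
2024-03-01T09:00:10Z auth FAILED user=dave src=203.0.113.7
2024-03-01T09:00:13Z auth FAILED user=erin src=203.0.113.7
2024-03-01T09:00:16Z auth OK user=frank src=203.0.113.7
2024-03-01T09:00:20Z auth FAILED user=bob src=198.51.100.9
2024-03-01T09:00:21Z auth FAILED user=bob src=198.51.100.9
2024-03-01T09:00:22Z auth FAILED user=bob src=198.51.100.9
2024-03-01T09:00:23Z auth FAILED user=bob src=198.51.100.9
2024-03-01T09:00:24Z auth FAILED user=bob src=198.51.100.9
2024-03-01T09:00:25Z auth FAILED user=bob src=198.51.100.9
2024-03-01T09:05:00Z auth FAILED user=alice src=192.0.2.33
2024-03-01T09:05:30Z auth OK user=alice src=192.0.2.33
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text: str) -> list:
    """Return (timestamp, result, user, src) tuples in time order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # unknown format: skip rather than crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["result"], m["user"], m["src"]))
    return sorted(events)


def detect_spraying(events, window=timedelta(minutes=10),
                    min_accounts=5, max_per_account=2) -> dict:
    """Flag sources that fail against many distinct accounts inside `window`
    while keeping each account under the lockout threshold. One account
    hammered many times is brute force, not spraying, and is left to a
    different rule."""
    failures_by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAILED":
            failures_by_src[src].append((ts, user))

    alerts = {}
    for src, fails in failures_by_src.items():
        recent = deque()
        for ts, user in fails:                  # already time-ordered
            recent.append((ts, user))
            while ts - recent[0][0] > window:   # slide the window forward
                recent.popleft()
            per_user = defaultdict(int)
            for _, u in recent:
                per_user[u] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts[src] = {"accounts": sorted(per_user), "first": recent[0][0], "last": ts}
                break

    # A successful login from a spraying source after the spray began is the
    # account most likely to have been compromised.
    for src, info in alerts.items():
        info["successes"] = sorted(
            user for ts, result, user, s in events
            if s == src and result == "OK" and ts >= info["first"]
        )
    return alerts


if __name__ == "__main__":
    for src, info in detect_spraying(parse_log(AUTH_LOG)).items():
        print(src, info)
```

On the constructed log, 203.0.113.7 is flagged with five accounts and a subsequent success for `frank`; 198.51.100.9 is not, because it is a single-account brute force that the lockout rule already covers.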

Pretexting is incorrect as it is a form of social engineering where attackers focus on creating a good pretext, or a fabricated scenario, that they use to try and steal their victims' personal information. In these types of attacks, the scammer usually says they need certain bits of information from their target to confirm their identity. In actuality, they steal that data and use it to commit identity theft or stage secondary attacks.

Question 51. In which of the following social engineering techniques is the user tricked into downloading a Trojan horse, virus, or other malware onto his cellular phone or other mobile device?
(A) Smishing
(B) Phishing
(C) Spear phishing
(D) Vishing

Explanation 51. Smishing is the correct answer.

In a smishing attack, the user is tricked (by SMS text message) into downloading a Trojan horse, virus, or other malware onto his cellular phone or other mobile device.

Phishing is incorrect. An attacker, masquerading as a trusted
entity, dupes a victim into opening an email, instant message,
or text message.

Vishing is incorrect. Individuals are tricked into revealing critical financial or personal information to unauthorized entities over the phone, including voicemail and VoIP (voice over IP) calls.

Spear phishing is incorrect. Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization, or business.

Question 52. The attacker connects to a switch port and starts sending a very large number of Ethernet frames, each with a different fake source MAC address.

The switch’s MAC address table becomes full and it is no longer able to store more MAC addresses, which means it enters into a fail-open mode and starts behaving like a network hub. Frames are flooded to all ports, similar to a broadcast type of communication.

The attacker’s machine will be delivered all the frames between the victim and other machines, so the attacker will be able to capture sensitive data from the network. Given the above scenario, identify the Layer 2 type of attack.
(A) ARP poisoning
(B) MAC flooding
(C) MAC cloning
(D) Man-in-the-browser

Explanation 52. MAC flooding is the correct answer.

The above scenario describes the MAC flooding layer 2 attack.

MAC flooding is an attack method intended to compromise the security of network switches. In a typical MAC flooding attack, the attacker sends a huge number of Ethernet frames to the switch, and these frames carry many different sender addresses.

The intention of the attacker is to consume the memory of the switch that is used to store the MAC address table. The MAC addresses of legitimate users will be pushed out of the MAC table. Now the switch cannot deliver the incoming data to the destination system, so a considerable number of incoming frames will be flooded to all ports.

ARP poisoning is incorrect. ARP spoofing, also known as ARP poisoning, is a Man in the Middle (MitM) attack that allows attackers to intercept communication between network devices. The attack works as follows:
1. The attacker must have access to the network. They scan the network to determine the IP addresses of at least two devices—let’s say these are a workstation and a router. The attacker uses a spoofing tool, such as Arpspoof or Driftnet, to send out forged ARP responses.
2. The forged responses advertise that the correct MAC address for both IP addresses, belonging to the router and workstation, is the attacker’s MAC address. This fools both router and workstation into connecting to the attacker’s machine, instead of to each other.
3. The two devices update their ARP cache entries and from that point onwards, communicate with the attacker instead of directly with each other.
4. The attacker is now secretly in the middle of all communications.

MAC cloning is incorrect. MAC address cloning is the process of setting the MAC address of the device WAN port to be the same MAC address as your PC or some other MAC address.

For example, some ISPs register your computer card MAC address when the service is first installed. When you place a router behind the cable modem or DSL modem, the MAC address from the device WAN port is not recognized by the ISP.

Man-in-the-browser is incorrect. A man-in-the-browser attack uses a Trojan horse (typically spread through email) to install malware as an extension or Browser Helper Object (BHO). The malware initiates a man-in-the-browser attack by intercepting all communication between a user’s browser and a destination Web server, changing the messages or transactions as they occur in real-time.

Attackers can use a man-in-the-browser attack to hijack an online financial transaction and wire money to a fraudulent account instead of a legitimate account, all without the user’s knowledge.
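The MAC flooding scenario and the ARP poisoning steps above both leave observable traces a defender can alert on: a single port sourcing far more MAC addresses than an access port should, and one IP address being answered by two different hardware addresses. The block below is an added example, not from the book, that checks both conditions over constructed observations (the port names, MAC and IP addresses are placeholders); on real equipment the same signals are what switch port security limits and dynamic ARP inspection act on.

```python
from collections import defaultdict

# Constructed observations of the kind a switch's MAC table export or a port
# mirror would give a defender: (ingress_port, source_mac). Not from the book.
# Gi0/1 and Gi0/2 carry one host each; Gi0/3 suddenly sources 600 different
# addresses, the signature of a MAC table being flooded.
SAMPLE_FRAMES = [("Gi0/1", "00:11:22:33:44:01"), ("Gi0/2", "00:11:22:33:44:10")]
SAMPLE_FRAMES += [
    ("Gi0/3", "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)) for i in range(600)
]

# Constructed ARP replies seen on the same segment: (advertised_ip, claiming_mac).
# The first two are the legitimate router and workstation; the last two are a
# second station claiming both of those IPs for its own address.
SAMPLE_ARP_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01"),
    ("10.0.0.10", "00:11:22:33:44:10"),
    ("10.0.0.1", "DE:AD:BE:EF:00:01"),
    ("10.0.0.10", "DE:AD:BE:EF:00:01"),
]

# Constructed "known good" binding a defender maintains for critical hosts.
TRUSTED_ARP = {"10.0.0.1": "00:11:22:33:44:01"}


def mac_flooding_suspects(frames, max_macs_per_port=8):
    """Ports sourcing more distinct MAC addresses than an access port should.

    Returns {port: distinct MAC count}. An access port normally carries one or
    a handful of addresses; hundreds in a short interval is the flooding pattern.
    """
    seen = defaultdict(set)
    for port, mac in frames:
        seen[port].add(mac.lower())
    return {p: len(m) for p, m in seen.items() if len(m) > max_macs_per_port}


def arp_conflicts(replies, trusted=None):
    """IPs advertised by more than one MAC (including a trusted binding, if given).

    Returns {ip: sorted list of claiming MACs}. A single IP answered by two
    different hardware addresses is the observable side effect of the forged
    replies the text describes.
    """
    claims = defaultdict(set)
    for ip, mac in replies:
        claims[ip].add(mac.lower())
    for ip, mac in (trusted or {}).items():
        claims[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def macs_claiming_many_ips(replies, max_ips=1):
    """MACs that answer for more IPs than a normal host: {mac: sorted IPs}."""
    per_mac = defaultdict(set)
    for ip, mac in replies:
        per_mac[mac.lower()].add(ip)
    return {m: sorted(ips) for m, ips in per_mac.items() if len(ips) > max_ips}


if __name__ == "__main__":
    print("flooded ports:", mac_flooding_suspects(SAMPLE_FRAMES))
    print("ARP conflicts:", arp_conflicts(SAMPLE_ARP_REPLIES, TRUSTED_ARP))
    print("multi-IP MACs:", macs_claiming_many_ips(SAMPLE_ARP_REPLIES))
```

Passing a trusted table into `arp_conflicts` matters for the router case: even if only the forged reply were captured, the mismatch against the known gateway binding is still reported.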

Question 53. Which of the following cryptographic attacks forces victims to use older, more vulnerable versions of software in order to exploit known vulnerabilities against them?
(A) Birthday
(B) Collision
(C) Downgrade
(D) Reconnaissance

Explanation 53. Downgrade is the correct answer.

Downgrade attacks are network attacks that force victims to use older, more vulnerable versions of software in order to exploit known vulnerabilities against them. An example of a downgrade attack might be redirecting a visitor from an HTTPS version of a resource to an HTTP copy.

A birthday attack is incorrect as a birthday attack is a type of cryptographic attack that exploits the mathematics behind the birthday problem in probability theory. This attack can be used to abuse communication between two or more parties. The attack depends on the higher likelihood of collisions found between random attack attempts and a fixed degree of permutations (pigeonholes).

A collision attack is incorrect as a collision attack finds two identical values among elements that are chosen according to some distribution on a finite set S. In cryptography, one typically assumes that the objects are chosen according to a uniform distribution. In most cases, a repeating value or collision results in an attack on the cryptographic scheme.

Reconnaissance is incorrect as reconnaissance is not a cryptographic attack. Reconnaissance is an important step in exploring an area to steal confidential information. It also plays a key role in penetration testing. A proper recon would provide detailed information and open doors to attackers for scanning and attacking all the way. By using a recon, an attacker can directly interact with potential open ports, services running, or attempt to gain information without actively engaging with the network.

Question 54. Which of the following attacks isn’t intended to steal data but to remain in place for as long as possible, quietly mining in the background?
(A) Logic bomb
(B) Keylogger
(C) Rootkit
(D) Crypto-malware

Explanation 54. Crypto-malware is the correct answer.

Crypto-malware is one of the latest malware threats, and it’s particularly insidious because, unlike ransomware, it can go about doing its work completely undetected. The goal of crypto-malware isn’t to steal data – it is to remain in place for as long as possible, quietly mining in the background.

A Logic Bomb is incorrect as a logic bomb is a malicious program that is triggered when a logical condition is met, such as after a number of transactions have been processed, or on a specific date (also called a time bomb).

The Keylogger is incorrect as a keylogger is a malicious program for recording computer user keystrokes to steal passwords and other sensitive information.

The Rootkit is incorrect as a rootkit is malicious software that allows an unauthorized user to have privileged access to a computer. A rootkit may contain a number of malicious tools such as keyloggers, banking credential stealers, password stealers, antivirus disablers, and bots for DDoS attacks. This software remains hidden in the computer and allows the attacker remote access to the computer.

Question 55. In which of the following API attacks does the attacker intercept communications between an API endpoint and a client in order to steal and/or alter the confidential data that is passed between them?
(A) Man in the Middle
(B) Authentication Hijacking
(C) Unencrypted Communications
(D) Injection Attacks

Explanation 55. Man in the Middle is the correct answer.

In an API Man in the Middle attack, the attacker intercepts communications between an API endpoint and a client. The attacker steals and/or alters the confidential data that is passed between them.

Authentication Hijacking is incorrect as in this attack attackers attempt to bypass or break the authentication methods that a web application is using.

Unencrypted Communications is incorrect as in this attack attackers take advantage of organizations that don’t use Transport Layer Security (TLS) to secure APIs. This gives hackers free rein over the API and the data that passes through it.

Injection Attacks is incorrect as injection attacks occur when malicious code is embedded into unsecured software. SQLi (SQL injection) and XSS (cross-site scripting) are the most prominent examples, but there are others. Injection attacks are a long-standing threat against web applications; today, they are also a growing threat for APIs.

Question 56. Which of the following options are considered request forgery attacks? (Choose all that apply)
(A) Server-side
(B) Cross-site
(C) Forge-site
(D) Request-side
(E) Forge-side

Explanation 56. A and B are the correct answers.

Server-side is a correct answer. Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.

In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization's infrastructure, or to external third-party systems.

A successful SSRF attack can often result in unauthorized actions or access to data within the organization, either in the vulnerable application itself or on other back-end systems that the application can communicate with.

Cross-site is a correct answer. The purpose of Cross-site request forgery (also known as CSRF) attacks is to force a user to take undesired actions on their online account. Accomplishing this involves taking advantage of state-changing requests, where a web server will take some action based upon an authenticated user browsing to a particular page.

Examples may include changing an account password or making a transaction via an online banking portal.

Forge-site, Request-side, and Forge-side are fictitious names, so they are incorrect.
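The two request-forgery classes above call for different server-side checks: SSRF is mitigated by validating the destination of an outbound request before the server makes it, CSRF by tying each state-changing request to a secret that an attacker's page cannot read. The following is an added example, not code from the book, showing both checks in Python; the host allowlist, the name-to-address table used in place of DNS, and the `bank.example` origin are constructed placeholders.

```python
import hmac
import ipaddress
import secrets
from urllib.parse import urlsplit

# Constructed name-to-address table standing in for DNS so the example runs
# offline; the hostnames and addresses are placeholders, not real services.
CONSTRUCTED_DNS = {
    "api.partner.example": ["11.22.33.44"],            # placeholder public address
    "localhost": ["127.0.0.1"],
    "metadata.internal.example": ["169.254.169.254"],  # link-local
    "intranet.example": ["10.0.0.5"],                  # RFC 1918
    "evil.example": ["11.22.33.55"],
}

# The only hosts this hypothetical server is allowed to fetch from.
ALLOWED_FETCH_HOSTS = {"api.partner.example"}


def is_public_address(addr):
    """True only for a routable unicast address: blocks loopback, RFC 1918, link-local, etc."""
    ip = ipaddress.ip_address(addr)
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def ssrf_safe_url(url, resolver=CONSTRUCTED_DNS.get, allowed_hosts=ALLOWED_FETCH_HOSTS):
    """Decide whether a user-supplied URL may be fetched by the server.

    Checks, in order: http(s) scheme only, no userinfo (user@host tricks),
    hostname on the allowlist, and every address the name resolves to is public.
    Resolving before the check closes the gap where an allowlisted name points
    at an internal address.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host or host not in allowed_hosts:
        return False
    addrs = resolver(host) or []
    return bool(addrs) and all(is_public_address(a) for a in addrs)


def issue_csrf_token(session):
    """Synchronizer-token pattern: mint a random token, store it server-side, embed it in the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_request_ok(session, form_token, origin_header, site_origin="https://bank.example"):
    """Validate a state-changing request: token must match in constant time; Origin, if sent, must be ours."""
    expected = session.get("csrf_token")
    if not expected or not form_token:
        return False
    if not hmac.compare_digest(expected, form_token):
        return False
    # Browsers attach Origin to cross-site POSTs; a present-but-foreign value is a forgery.
    if origin_header is not None and origin_header != site_origin:
        return False
    return True


if __name__ == "__main__":
    for u in ("https://api.partner.example/v1/report", "http://localhost/admin",
              "http://metadata.internal.example/latest/", "https://api.partner.example@evil.example/"):
        print(u, "->", "allowed" if ssrf_safe_url(u) else "blocked")
    sess = {}
    tok = issue_csrf_token(sess)
    print("csrf ok:", csrf_request_ok(sess, tok, "https://bank.example"))
```

In production the `resolver` argument would be the real DNS lookup, and the fetch should then connect to the address that was validated rather than resolving the name a second time.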

Question 57. A hacker introduced corrupt Domain Name System (DNS) data into a DNS resolver’s cache with the aim of redirecting users either to the wrong websites or to his own computer. What type of DNS attack did the hacker implement in this scenario?
(A) DNS Poisoning
(B) URL redirection
(C) Domain Hijacking
(D) DNS Corruption

Explanation 57. DNS Poisoning is the correct answer.

DNS poisoning, also referred to as DNS spoofing, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address.

This results in traffic being diverted to the attacker's computer (or any other computer) or to the wrong websites.

URL redirection is incorrect. A URL redirection attack redirects victims from the current page to a new URL which is usually a phishing page that impersonates a legitimate site and steals credentials from the victims. Such techniques are a common practice and a widely used method for attackers to trick victims.

Domain hijacking is incorrect. Domain hijacking is the act of changing the registration of a domain name without the permission of the original owner, or by abuse of privileges on domain hosting and domain registrar systems.

DNS corruption is incorrect. DNS corruption is a fictitious attack.

Question 58. The document that lists out the specifics of your penetration testing project to ensure that both the client and the engineers working on a project know exactly what is being tested, when it’s being tested, and how it’s being tested is known as:
(A) Lateral Movements
(B) Rules of Engagement
(C) Pivoting
(D) Bug Bounty

Explanation 58. Rules of Engagement is the correct answer.

The Rules of Engagement, or ROE, are meant to list out the specifics of your penetration testing project to ensure that both the client and the engineers working on a project know exactly what is being tested, when it’s being tested, and how it’s being tested.

Lateral Movements is incorrect. Lateral movements are used by cybercriminals to move throughout a network systematically to search for sensitive data or assets to perform data exfiltration. PowerShell is the number one mechanism by which to implement lateral movement techniques. PowerShell uses object-oriented scripting that makes stealing credentials, system configuration modification, and automation of movement from system to system as easy as it is legal to own.

Pivoting is incorrect. Pivoting is a powerful technique in the arsenal of a web application penetration tester (pen tester). Once a host has been compromised, the pen tester looks for information to plunder.

Common artifacts of interest include such things as user accounts, password hashes, and knowledge of other systems or networks that might be accessible from the host. The pen tester might be able to use the compromised host as a bridge to pivot to another network or system that is not directly accessible from the attacking system.

Bug Bounty is incorrect. A Bug Bounty is a reward offered for security vulnerabilities discovered within a set scope. Bug Bounty programs utilize a pay-for-results model, leveraging the crowdsourced model. One of the biggest benefits of a Bug Bounty Program is that companies pay for valid results, versus paying for time and effort spent.

Bug Bounty programs can be public or private, meaning they can be open to anyone in the researcher community, or they can be invite-only, offering organizations the opportunity to utilize the power of the crowd – volume of testers, diversity of skill and perspective and competitive environment – in a more controlled and stringent environment.

Question 59. Which of the following attacks is a Network Layer DDoS attack?
(A) BGP Hijacking
(B) DNS amplification
(C) HTTP Flood
(D) Slow Read

Explanation 59. DNS amplification is the correct answer.

DNS amplification is a Network layer DDoS attack. This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open DNS resolvers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

BGP Hijacking, HTTP Flood and Slow Read are incorrect as they are Application Layer DDoS attacks.

Question 60. You have set up an Intrusion Detection System (IDS) and suddenly the IDS identifies an activity as an attack but the activity is acceptable behavior. The state, in this case, is known as:
(A) False-positive
(B) False-negative
(C) Non-credentialed scans
(D) Credentialed scans

Explanation 60. False-positive is the correct answer.

A false positive state is when the IDS identifies an activity as an attack but the activity is acceptable behavior. A false positive is a false alarm.

False negative is incorrect. A false negative state is the most serious and dangerous state. This is when the IDS identifies an activity as acceptable when the activity is actually an attack. That is, a false negative is when the IDS fails to catch an attack.

Non-credentialed scans is incorrect. Non-credentialed scans, as the name suggests, do not require credentials and do not get trusted access to the systems they are scanning. While they provide an outsider’s eye view of an environment, they tend to miss most vulnerabilities within a target environment.

Non-credentialed scans give a very incomplete picture of vulnerability exposure.

Credentialed scans is incorrect. Credentialed scans require logging in with a given set of credentials. These authenticated scans are conducted with a trusted user’s eye view of the environment. Credentialed scans uncover many vulnerabilities that traditional (non-credentialed) scans might overlook.

Because credentialed scans require privileged credentials to gain access for scanning, organizations should look to integrate an automated privileged password management tool with the vulnerability scanning tool, to ensure this process is streamlined and secure.
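The four outcomes the explanation names (true and false positive, true and false negative) are easiest to see when the IDS produces a score and the operator chooses the alert threshold, because moving the threshold trades false positives against the false negatives the text calls the most dangerous state. The block below is an added example, not from the book; the anomaly scores and analyst verdicts are constructed.

```python
# Constructed anomaly scores from a hypothetical IDS, each paired with the
# analyst's verdict on whether the activity really was an attack. Not from the
# book. Scores lie in [0, 1]; the IDS raises an alert when score >= threshold.
SAMPLE_SCORED_EVENTS = [
    (0.10, False), (0.20, False), (0.30, False), (0.40, False),
    (0.55, False), (0.70, False),                      # benign, but high-scoring
    (0.50, True), (0.65, True), (0.80, True), (0.90, True),
]

KEY = {"true positive": "tp", "false positive": "fp",
       "false negative": "fn", "true negative": "tn"}


def classify(alerted, malicious):
    """Name the outcome cell the way the text does."""
    if alerted and malicious:
        return "true positive"
    if alerted and not malicious:
        return "false positive"   # false alarm on acceptable behaviour
    if not alerted and malicious:
        return "false negative"   # attack missed: the dangerous case
    return "true negative"


def confusion_counts(events, threshold):
    """Count tp/fp/fn/tn for a given alert threshold."""
    counts = dict.fromkeys(("tp", "fp", "fn", "tn"), 0)
    for score, malicious in events:
        counts[KEY[classify(score >= threshold, malicious)]] += 1
    return counts


def rates(counts):
    """False positive rate (benign flagged) and false negative rate (attacks missed)."""
    def ratio(n, d):
        return n / d if d else 0.0
    return {
        "fpr": ratio(counts["fp"], counts["fp"] + counts["tn"]),
        "fnr": ratio(counts["fn"], counts["fn"] + counts["tp"]),
    }


def choose_threshold(events, max_fpr):
    """Lowest threshold whose false positive rate fits the budget.

    Lower thresholds alert more, so this picks the setting that misses the
    fewest attacks (fewest false negatives) while keeping false alarms at or
    under max_fpr. Returns None if no threshold satisfies the budget.
    """
    for t in sorted({score for score, _ in events}):
        if rates(confusion_counts(events, t))["fpr"] <= max_fpr:
            return t
    return None


if __name__ == "__main__":
    for budget in (0.5, 0.2, 0.0):
        t = choose_threshold(SAMPLE_SCORED_EVENTS, budget)
        c = confusion_counts(SAMPLE_SCORED_EVENTS, t)
        print(f"max FPR {budget}: threshold {t} -> {c} {rates(c)}")
```

Run on the constructed data, tightening the false-positive budget from 0.5 to 0.0 pushes the threshold from 0.4 to 0.8 and the number of missed attacks from zero to two, which is the trade-off an analyst tuning an IDS is actually making.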

Question 61. A zero-day attack is an attack that exploits a potentially serious software security weakness that the vendor or developer may be unaware of. (True/False)
(A) TRUE
(B) FALSE

Explanation 61. TRUE is the correct answer.

A zero-day attack is an attack that exploits a potentially serious software security weakness that the vendor or developer may be unaware of. The software developer must rush to resolve the weakness as soon as it is discovered in order to limit the threat to software users.

Question 62. __________ is the first step where a hacker gathers as much information as possible to find ways to intrude into a target system or at least decide what type of attacks will be more suitable for the target.
(A) War Driving
(B) OSINT
(C) Footprinting
(D) Cleanup

Explanation 62. Footprinting is the correct answer.

Footprinting is a part of the reconnaissance process which is used for gathering possible information about a target computer system or network. Footprinting could be both passive and active.

Footprinting is basically the first step where a hacker gathers as much information as possible to find ways to intrude into a target system or at least decide what type of attacks will be more suitable for the target.

During this phase, a hacker can collect the following information:
1. Domain name
2. IP Addresses
3. Namespaces
4. Employee information
5. Phone numbers
6. E-mails
7. Job Information

War Driving is incorrect. War driving, also called access point mapping, is the act of locating and possibly exploiting connections to wireless local area networks while driving around a city or elsewhere. To do war driving, you need a vehicle, a computer (which can be a laptop), a wireless Ethernet card set to work in promiscuous mode, and some kind of an antenna that can be mounted on top of or positioned inside the car.

Open Source Intelligence (OSINT) is incorrect. OSINT is the collection and analysis of information that is gathered from public, or open, sources. OSINT is primarily used in national security, law enforcement, and business intelligence functions and is of value to analysts who use non-sensitive intelligence.

OSINT is defined by both the U.S. Director of National Intelligence and the U.S. Department of Defense (DoD) as “produced from publicly available information that is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement”.

Cleanup is incorrect. The final stage in every penetration test is cleaning up all that has been done during the testing process. For this reason, during a penetration test, you must keep track of all the payloads you may have dropped to disk and which modules you may need to clean up after you have run them.

Question 63. Which of the following options is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures?
(A) Log aggregation
(B) Common Vulnerabilities and Exposures
(C) Sentiment analysis
(D) Security Orchestration, Automation, and Response

Explanation 63. Common Vulnerabilities and Exposures is the correct answer.

Common Vulnerabilities and Exposures (CVE) is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services) with these definitions. CVE entries consist of an identification number, a description, and at least one public reference.

Log aggregation is incorrect. Log aggregation is a software function that consolidates log data from throughout the IT infrastructure into a single centralized platform where it can be reviewed and analyzed. Log aggregation is just one aspect of an overall log management process that produces real-time insights into application security and performance.

Sentiment analysis is incorrect. Sentiment analysis helps data analysts within large enterprises gauge public opinion, conduct nuanced market research, monitor brand and product reputation, and understand customer experiences.

Security Orchestration, Automation and Response (SOAR) is incorrect. SOAR is a solution stack of compatible software programs that allow an organization to collect data about security threats from multiple sources and respond to low-level security events without human assistance. The goal of using a SOAR stack is to improve the efficiency of physical and digital security operations.

Question 64. The type of hacker that violates computer security systems without permission, stealing the data inside for their own personal gain or vandalizing the system, is commonly known as:
(A) Black-Hat hackers
(B) White-Hat hackers
(C) Red-Hat hackers
(D) Gray-Hat hackers

Explanation 64. Black-Hat hackers is the correct answer.

Black-Hat hackers violate computer security for personal gain without permission (such as stealing credit card numbers or harvesting personal data for sale to identity thieves) or for pure maliciousness (such as creating a botnet and using that botnet to perform DDoS attacks against websites they don’t like).

White-Hat hackers is incorrect. White-hat hackers are the opposite of black-hat hackers. They’re the “ethical hackers,” experts in compromising computer security systems who use their abilities for good, ethical, and legal purposes rather than bad, unethical, and criminal purposes.

Gray-Hat hackers is incorrect. A gray-hat hacker falls somewhere between a black hat and a white hat. A gray hat doesn’t work for their own personal gain or to cause carnage, but they may technically commit crimes and do arguably unethical things.

Red-Hat hackers is incorrect. Red-hat hackers are the most sophisticated hackers of them all. Red hats are motivated by a desire to end black hat hackers but do not want to play by society’s rules.

Question 65. A hacker attacks a network with the aim of maintaining ongoing access to the targeted network rather than getting in and out as quickly as possible, with the ultimate goal of stealing information over a long period of time. Which type of attack did the hacker use in this case?
(A) Insider threat
(B) State actors
(C) Hacktivism
(D) Advanced persistent threat (APT)

Explanation 65. Advanced persistent threat (APT) is the correct answer.

The goal of most Advanced persistent threat attacks is to achieve and maintain ongoing access to the targeted network rather than to get in and out as quickly as possible. Because a great deal of effort and resources usually go into carrying out APT attacks, hackers typically target high-value targets, such as nation-states and large corporations, with the ultimate goal of stealing information over a long period of time.

Insider threat is incorrect. An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors, or business associates, who have inside information concerning the organization’s security practices, data, and computer systems.

State actors is incorrect. Nation-state actors aggressively target and gain persistent access to public and private sector networks to compromise, steal, change, or destroy information.

Hacktivism is incorrect. Hacktivism uses politically motivated cyber-attacks and cyber sabotage to promote a specific cause. As opposed to the hacking industry intent on data theft, hacktivism is not motivated by money, and high visibility is key. Hacktivists are motivated by revenge, politics, ideology, protest and a desire to humiliate victims. Profit is not a factor.

Question 66. Which of the following statements are true regarding Cloud-based security vulnerabilities? (Choose all that apply)
(A) Misconfigured Cloud Storage
(B) Poor Access Control
(C) Shared Tenancy
(D) Secure APIs

Explanation 66. A, B and C are the correct answers.

Misconfigured Cloud Storage is correct.
Cloud storage is a rich source of stolen data for cybercriminals. Despite the high stakes, organizations continue to make the mistake of misconfiguring cloud storage, which has cost many companies greatly.

Poor Access Control is correct.
Another prevalent cyberattack in the cloud has to do with vulnerabilities around access control. Often this is due to weak authentication or authorization methods or is linked to vulnerabilities that bypass these methods.

Shared Tenancy is correct.
Another, rarer security vulnerability in the cloud, one that takes a high level of skill to exploit, is called shared tenancy. As you are probably aware, cloud platforms involve a number of software and hardware components.

Adversaries who are able to determine the software or hardware used in a cloud architecture could take advantage of known vulnerabilities and elevate privileges in the cloud.

Secure APIs is not considered a cloud-based security vulnerability, so it's incorrect.

Question 67. You have been hired as a penetration tester for a company to locate and exploit vulnerabilities in its target’s outward-facing services. You are not provided with any architecture diagrams or source code. This means that you are relying on dynamic analysis of currently running programs and systems within the target network. Which of the following pentesting assignments are you currently on?
(A) Gray-Box Testing
(B) White-Box Testing
(C) Black-Box Testing
(D) Open-Box Testing

Explanation 67. Black-Box Testing is the correct answer.

In a black-box testing assignment, the penetration tester is placed in the role of the average hacker, with no internal knowledge of the target system. Testers are not provided with any architecture diagrams or source code that is not publicly available. A black-box penetration test determines the vulnerabilities in a system that are exploitable from outside the network.

The limited knowledge provided to the penetration tester makes black-box penetration tests the quickest to run, since the duration of the assignment largely depends on the tester’s ability to locate and exploit vulnerabilities in the target’s outward-facing services.

Gray-Box Testing is incorrect. A gray-box tester has the access and knowledge levels of a user, potentially with elevated privileges on a system. Gray-box pen-testers typically have some knowledge of a network’s internals, potentially including design and architecture documentation and an account internal to the network.

The purpose of gray-box pen testing is to provide a more focused and efficient assessment of a network’s security than a black-box assessment. Using the design documentation for a network, pentesters can focus their assessment efforts on the systems with the greatest risk and value from the start, rather than spending time determining this information on their own.

White-Box Testing and Open-Box Testing are incorrect. White-box and open-box testing fall on the opposite end of the spectrum from black-box testing. Penetration testers are given full access to source code, architecture documentation and so forth. The main challenge with white-box testing is sifting through the massive amount of data available to identify potential points of weakness, making it the most time-consuming type of penetration testing.

Question 68. Which of the following terms refers to Information Technology (IT) applications and infrastructure that are managed and utilized without the knowledge of the enterprise’s IT department?
(A) Script Kiddies
(B) Indicators of compromise
(C) Shadow IT
(D) Open-source intelligence

Explanation 68. Shadow IT is the correct answer.

Shadow IT is a term that refers to Information Technology (IT) applications and infrastructure that are managed and utilized without the knowledge of the enterprise’s IT department. Shadow IT can include hardware, software, web services or cloud applications that employees turn to without IT authorization to accomplish their tasks and projects.

Script Kiddies is incorrect. Script kiddies are actors who lack the skills to write their own malicious code, so they rely on scripts they can get from other sources.

Indicators of compromise is incorrect. Indicators of compromise (IOCs) are pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network. Indicators of compromise aid information security and IT professionals in detecting data breaches, malware infections, or other threat activity.

Open-source intelligence is incorrect. Open-source intelligence means collecting information from public sources, analyzing it, and using it for intelligence purposes. The information sources can be anything from television and print newspapers to blogs and websites, social media, research papers, business and sales documents, and anything you can find online or offline.

Question 69. Which of the following cybersecurity testing exercise teams does not focus exclusively on attacking or defending, but does both?
(A) Red team
(B) Blue team
(C) White team
(D) Purple team

Explanation 69. Purple team is the correct answer.

Purple Teams are a single group of people who do both Red and Blue testing and securing of a company. They may be a consulting group brought in for an audit, or employees of the company directly, but they do not focus exclusively on attacking or defending – they do both.

Purple Teams are effective for spot-checking systems in larger organizations as well, but it is generally best to have opposing and independent teams whenever possible.

Red team is incorrect. Red Teams are the attackers. While not strictly required, Red Teams are usually outside contractors – since the best testing is done by a team with a lot of knowledge of how to break in, but no knowledge of what security is already in place.

Knowing what security is being used can lead to some attacks being automatically avoided because there is security in place – which can lead to vulnerabilities being missed if that security isn’t properly configured.

Blue team is incorrect. Blue Teams are the defenders. Blue Teams have two major areas of operations. They continually attempt to harden security around and within the company’s data systems and networks – even when no testing is going on. They can also act as an active part of the defensive systems when the Red Team is attacking.

White team is incorrect. The White Team oversees the cyber defense competition and adjudicates the event. They are also responsible for recording scores for the Blue Teams given by the Red Team on usability and security, respectively.

The White Team also reads the security reports and scores them for accuracy and countermeasures.

Question 70. The technique of redirecting victims from a current page to a new URL which is usually a phishing page that impersonates a legitimate site and steals credentials from the victims is known as:
(A) URL redirection
(B) DNS spoofing
(C) Domain hijacking
(D) Domain redirection

Explanation 70. URL redirection is the correct answer.

A URL redirection attack redirects victims from the current page to a new URL which is usually a phishing page that impersonates a legitimate site and steals credentials from the victims. Such techniques are a common practice and a widely used method for attackers to trick victims.

DNS spoofing, also referred to as DNS cache poisoning, is incorrect. DNS spoofing is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver’s cache, causing the name server to return an incorrect result record, e.g. an IP address.

This results in traffic being diverted to the attacker’s computer (or any other computer) or to the wrong websites.

Domain hijacking is incorrect. Domain hijacking is the act of changing the registration of a domain name without the permission of the original owner, or by abuse of privileges on domain hosting and domain registrar systems.

Domain redirection is incorrect. Domain redirection is a fictitious attack.

Question 71. The type of hackers that are experts in compromising computer security systems and use their abilities for good, ethical, and legal purposes rather than bad, unethical, and criminal purposes is commonly known as:
(A) White-Hat hackers
(B) Black-Hat hackers
(C) Red-Hat hackers
(D) Gray-Hat hackers

Explanation 71. White-Hat hackers is the correct answer.

White-hat hackers are the opposite of black-hat hackers. They are the “ethical hackers”: experts in compromising computer security systems who use their abilities for good, ethical, and legal purposes rather than bad, unethical, and criminal purposes, and who do so with the permission of the system owner.

Black-Hat hackers is incorrect. Black-hat hackers violate computer security for personal gain without permission (such as stealing credit card numbers or harvesting personal data for sale to identity thieves) or for pure maliciousness (such as creating a botnet and using that botnet to perform DDoS attacks against websites they don’t like).

Red-Hat hackers is incorrect. “Red hat” is an informal label for vigilante hackers: they are motivated by a desire to stop black-hat hackers but do not want to play by society’s rules.

Gray-Hat hackers is incorrect. A gray-hat hacker falls somewhere between a black hat and a white hat. A gray hat doesn’t work for their own personal gain or to cause carnage, but they may technically commit crimes and do arguably unethical things.

CHAPTER 3
IMPLEMENTATION

Questions 72-106

Question 72. Which of the following features will you use to remotely clear your phone’s data in the event of losing your phone?
(A) Geofencing
(B) Remote wipe
(C) Geolocation
(D) Push notifications

Question 73. You have been tasked to access a remote computer for handling some administrative tasks over an unsecured network in a secure way. Which of the following protocols will you use to access the remote computer to handle the administrative tasks?
(A) SRTP
(B) LDAPS
(C) SSH
(D) HTTPS

Question 74. As a security expert of your company you are responsible for preventing unauthorized (rogue) Dynamic Host Configuration Protocol (DHCP) servers from offering IP addresses to clients. Which of the following security technologies will you implement to meet the requirement?
(A) DHCP snooping
(B) BPDU guard
(C) MAC filtering
(D) Jump server

Question 75. You have been hired as a security expert to implement a security solution to protect an organization from external threats. The solution should provide packet filtering, VPN support, network monitoring, and deeper inspection capabilities that give the organization a superior ability to identify attacks, malware, and other threats. Which of the following security solutions will you implement to meet the requirement?
(A) Next-generation firewall (NGFW)
(B) Endpoint detection and response (EDR)
(C) Anti-malware
(D) Antivirus

Question 76. One of the features of SNMPv3 is called message integrity.
(A) TRUE
(B) FALSE

Question 77. You have been tasked to implement a solution to increase the security of your company’s local area network (LAN). All of the company’s external-facing servers (web server, mail server, FTP server) should be placed in a separate area so that they are accessible from the internet while the rest of the internal LAN remains unreachable. Which of the following techniques will you implement to meet the requirement?
(A) DMZ
(B) VLAN
(C) VPN
(D) DNS

Question 78. Application whitelisting prevents undesirable programs from executing, while application blacklisting is more restrictive and allows only programs that have been explicitly permitted to run.
(A) TRUE
(B) FALSE

Question 79. In which of the following load balancer modes do two or more load balancers share the network traffic load and work as a team to distribute it to the network servers?
(A) Active/active
(B) Active/passive
(C) Passive/active
(D) Passive/passive

Question 80. You have been tasked to implement a solution to send product offers to consumers’ smartphones when they trigger a search in a particular geographic location, or enter a mall, neighborhood, or store. What solution will you implement in order to achieve that?
(A) Geolocation
(B) Push notifications
(C) Geofencing
(D) Remote wipe

Question 81. The type of network hardware appliance that protects networks against security threats (malware, attacks) that simultaneously target separate parts of the network by integrating multiple security services and features is known as:
(A) Network address translation (NAT)
(B) Web application firewall (WAF)
(C) Content/URL filter
(D) Unified threat management (UTM)

Question 82. For security and monitoring purposes your company instructed you to implement a solution so that all packets entering or exiting a port are copied and then sent to a local interface for monitoring. Which of the following solutions will you implement in order to meet the requirement?
(A) Access control list (ACL)
(B) Port mirroring
(C) Quality of service (QoS)
(D) File Integrity Monitoring

Question 83. Your manager is trying to understand the difference between SFTP and FTPS, so he asked you to explain the difference between them. Which of the following statements are correct? (Choose all that apply.)
(A) SFTP, also known as SSH FTP, encrypts both commands and data while in transmission
(B) FTPS is also known as FTP Secure or FTP-SSL
(C) The SFTP protocol is packet-based as opposed to text-based, making file and data transfers faster
(D) FTPS authenticates your connection using a user ID and password or SSH keys
(E) SFTP authenticates your connection using a user ID and password, a certificate, or both

Question 84. The network administrator from your company notices that the network performance has been degraded due to a broadcast storm. Which of the following techniques will you recommend to the network administrator in order to reduce broadcast storms? (Choose all that apply.)
(A) Check for loops in switches
(B) Split up your broadcast domain
(C) Rate-limit broadcast packets
(D) Check how often ARP tables are emptied
(E) Split up your collision domain
(F) Check the routing tables

Question 85. Which of the following technologies will you use in order to send instant notifications to your subscribed users each time you publish a new blog post on your website?
(A) Push notifications
(B) Geofencing
(C) Geolocation
(D) Remote wipe

Question 86. It has been noticed that the Wi-Fi of your company is slow and sometimes not operational. After investigation, you found that this is caused by channel interference. Which of the following solutions will you implement to avoid problems such as channel interference when you build your WLAN?
(A) Heat maps
(B) WiFi Protected Setup
(C) Captive portal
(D) You can't avoid channel interference

Question 87. Which of the following options are cryptographic protocols? (Choose all that apply.)
(A) WPA2
(B) WPA3
(C) CCMP
(D) SAE
(E) EAP
(F) PEAP

Question 88. The main goal of performing a wireless site ________________ is to reveal areas of channel interference and dead zones, helping you avoid problems as you build the network and prevent obstacles for network users.
(A) Inspection
(B) Survey
(C) Check
(D) Scan

Question 89. You have been tasked to implement a solution to encrypt data as it is written to the disk and decrypt data as it is read off the disk. Which of the following solutions will you implement to meet the requirement?
(A) Root of trust
(B) Trusted Platform Module
(C) Self-encrypting drive (SED) / full-disk encryption (FDE)
(D) Sandboxing

Question 90. Which of the following VPN solutions is used to connect two local area networks (LANs), and is utilized by businesses large and small that want to provide their employees with secure access to network resources?
(A) Remote access
(B) Site-to-site
(C) Split tunnel
(D) Proxy server

Question 91. Which of the following options are authentication protocols? (Choose all that apply.)
(A) EAP
(B) PEAP
(C) WPA2
(D) WPA3
(E) RADIUS

Question 92. Which of the following types of certificates will you use to digitally sign your apps as a way for end-users to verify that the code they receive has not been altered or compromised by a third party?
(A) Wildcard
(B) Subject alternative name
(C) Code signing certificates
(D) Self-signed

Question 93. What technique is used for IP address conservation by allowing hosts with private IP addresses to connect to the Internet?
(A) NAT
(B) UTM
(C) WAF
(D) ACL

Question 94. Which of the following authentication protocols allows you to use an existing account to sign in to multiple websites, without needing to create new passwords?
(A) OpenID
(B) Kerberos
(C) TACACS+
(D) OAuth

Question 95. Assuming you have the domain yourcompany.com with the following sub-domains:
www.yourcompany.com
mail.yourcompany.com
intranet.yourcompany.com
secure.yourcompany.com
me.yourcompany.com

Which of the following types of certificates will you choose to secure all the first-level sub-domains on a single domain name?
(A) Subject alternative name
(B) Code signing certificates
(C) Wildcard
(D) Self-signed

Question 96. A _____________ certificate is a digital certificate that’s not signed by a publicly trusted certificate authority (CA). These certificates are created, issued, and signed by the company or developer who is responsible for the website or software being signed.
(A) Self-signed
(B) Wildcard
(C) Subject alternative name
(D) Code signing certificates

Question 97. In the form of Rule-Based Access Control, data are accessible or not accessible based on the user’s IP address.
(A) TRUE
(B) FALSE

Question 98. WiFi ____________ Setup is a wireless network security standard that tries to make connections between a router and wireless devices faster, easier, and more secure.
(A) Faster
(B) Easier
(C) Protected
(D) Secured

Question 99. Which of the following Public key infrastructure (PKI) terms is known as an organization that acts to validate the identities of entities (such as websites, email addresses, companies, or individual persons) and bind them to cryptographic keys through the issuance of electronic documents known as digital certificates?
(A) Certificate authority (CA)
(B) Registration authority (RA)
(C) Online Certificate Status Protocol (OCSP)
(D) Certificate signing request (CSR)

Question 100. You have been tasked to implement a security solution so that all the network events from your company are recorded in a central database for further analysis. Which of the following security solutions will you implement to meet the requirement?
(A) Next-generation firewall (NGFW)
(B) Endpoint detection and response (EDR)
(C) Anti-malware
(D) Antivirus

Question 101. Access _________________ List is a network traffic filter that controls incoming or outgoing traffic. It works on a set of rules that define how to forward or block a packet at the router’s interface.
(A) Security
(B) Filter
(C) Control
(D) Service

Question 102. Which of the following VPN solutions is used to connect a personal user device to a remote server on a private network?
(A) Remote Access
(B) Site-to-site
(C) Split tunnel
(D) Proxy server

Question 103. In the form of Role-Based Access Control, data are accessible or not accessible based on the user’s IP address.
(A) TRUE
(B) FALSE

Question 104. In cloud computing, the ability to scale resources up and down based on the user’s needs is known as:
(A) Virtual private cloud
(B) Network segmentation
(C) Dynamic resource allocation
(D) Public subnet

Question 105. ________________________ Assertions Markup Language is an important component of many SSO systems that allow users to access multiple applications, services, or websites from a single login process. It is used to share security credentials across one or more networked systems.
(A) Security
(B) Single
(C) Sign
(D) Service

Question 106. You have been tasked to configure the Wi-Fi of your company’s LAN to allow certain computers to have access to the Internet while the rest of the computers are blocked. Which of the following security technologies will you implement to meet the requirement?
(A) DHCP snooping
(B) BPDU guard
(C) MAC filtering
(D) Jump server

Answers 72-106

Question 72. Which of the following features will you use to remotely clear your phone’s data in the event of losing your phone?
(A) Geofencing
(B) Remote wipe
(C) Geolocation
(D) Push notifications

Explanation 72. Remote wipe is the correct answer.

Remote wipe is a security feature of mobile device management (MDM) that allows you to remotely clear data from a lost or stolen mobile device.

Geofencing is incorrect. Geofencing is a location-based service that businesses use to engage their audience by sending relevant messages to smartphone users who enter a pre-defined location or geographic area. Companies send product offers or specific promotions to consumers’ smartphones when they trigger a search in a particular geographic location, or enter a mall, neighborhood, or store.

Geolocation is incorrect. Geolocation refers to the use of location technologies such as GPS or IP addresses to identify and track the whereabouts of connected electronic devices. Because these devices are often carried on an individual’s person, geolocation is often used to track the movements and location of people, and for surveillance.

Push notifications is incorrect. Push notifications are clickable pop-up messages that appear on your users’ browsers irrespective of which device they use or which browser they are on. Subscribers can be anywhere on the browser and still receive these messages as long as they are online or have their browsers running on their devices.

Browser push notifications are different from in-app notifications because in-app notifications appear only when triggered by an existing application on your mobile device, while browser push notifications can be triggered through browsers on any device as long as the user subscribes to receive your notifications. It is an instant mode of automated, direct communication between a website and its end users.

Question 73. You have been tasked to access a remote computer for handling some administrative tasks over an unsecured network in a secure way. Which of the following protocols will you use to access the remote computer to handle the administrative tasks?
(A) SRTP
(B) LDAPS
(C) SSH
(D) HTTPS

Explanation 73. SSH is the correct answer.

SSH, also known as Secure Shell or Secure Socket Shell, is a network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network.

Secure Shell provides strong password authentication and public key authentication, as well as encrypted data communications between two computers connecting over an open network, such as the internet.

In addition to providing strong encryption, SSH is widely used by network administrators for managing systems and applications remotely, enabling them to log in to another computer over a network, execute commands and move files from one computer to another.

SRTP is incorrect. SRTP, also known as Secure Real-Time Transport Protocol, is an extension profile of RTP (Real-Time Transport Protocol) which adds further security features, such as message authentication, confidentiality and replay protection, mostly intended for VoIP communications.

LDAPS is incorrect. The Lightweight Directory Access Protocol (LDAP) is a vendor-neutral application protocol used to maintain distributed directory information in an organized, easy-to-query manner; LDAPS is LDAP carried over a TLS connection. It lets you keep a directory of items and information about them, but it is not a remote administration protocol.

HTTPS is incorrect. Hypertext transfer protocol secure (HTTPS) is the secure version of HTTP, which is the primary protocol used to send data between a web browser and a website. HTTPS is encrypted in order to increase the security of data transfer. This is particularly important when users transmit sensitive data, such as by logging into a bank account, email service, or health insurance provider.

Question 74. As a security expert of your company you are responsible for preventing unauthorized (rogue) Dynamic Host Configuration Protocol (DHCP) servers from offering IP addresses to clients. Which of the following security technologies will you implement to meet the requirement?
(A) DHCP snooping
(B) BPDU guard
(C) MAC filtering
(D) Jump server

Explanation 74. DHCP snooping is the correct answer.

DHCP snooping is a layer 2 security technology built into the operating system of a capable network switch that drops DHCP traffic determined to be unacceptable. The switch marks the uplink toward the legitimate DHCP server as trusted and every other port as untrusted; DHCP server messages (OFFER, ACK, NAK) that arrive on an untrusted port are dropped, and the leases the switch observes are recorded in a binding table of MAC address, IP address, VLAN and port. The fundamental use case for DHCP snooping is to prevent unauthorized (rogue) DHCP servers from offering IP addresses to DHCP clients.

Rogue DHCP servers are often used in man-in-the-middle or denial-of-service attacks for malicious purposes. However, the most common DoS scenario is that of an end-user plugging in a consumer-grade router at their desk, ignorant that the device they plugged in is a DHCP server by default.
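To make the trust model concrete, here is an added Python example (not from the book) that simulates the decisions a DHCP snooping switch makes, modelled on the checks common switch implementations perform: server messages are believed only from trusted ports, a client message on an untrusted port must carry a source MAC that matches the DHCP chaddr field, a RELEASE or DECLINE must come from the port the lease is bound to, and a binding table is built from the leases the switch observes. Port names, MAC addresses and the message sequence are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# DHCP message types (option 53). Only a server legitimately sends the second set.
CLIENT_MSGS = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpFrame:
    port: str                      # switch port the frame arrived on
    vlan: int
    src_mac: str                   # Ethernet source address
    chaddr: str                    # client hardware address inside the DHCP payload
    msg_type: str
    yiaddr: Optional[str] = None   # address handed out (server messages only)


@dataclass
class DhcpSnooping:
    trusted_ports: Set[str]
    snooped_vlans: Set[int]
    # (client MAC, VLAN) -> (leased IP, client port): the snooping binding table
    bindings: Dict[Tuple[str, int], Tuple[str, str]] = field(default_factory=dict)
    pending: Dict[Tuple[str, int], str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def _drop(self, f: DhcpFrame, why: str) -> bool:
        self.log.append(f"DROP {f.msg_type} on {f.port} vlan {f.vlan}: {why}")
        return False

    def process(self, f: DhcpFrame) -> bool:
        """Return True if the switch forwards the frame, False if it drops it."""
        key = (f.chaddr.lower(), f.vlan)
        if f.vlan not in self.snooped_vlans:
            return True                      # feature not enabled on this VLAN
        if f.port in self.trusted_ports:
            # Replies from the real server are believed; an ACK completes a lease
            # and becomes a binding tied to the port the client asked from.
            if f.msg_type == "ACK" and f.yiaddr and key in self.pending:
                self.bindings[key] = (f.yiaddr, self.pending.pop(key))
            return True
        # Untrusted (access) port from here on.
        if f.msg_type in SERVER_MSGS:
            return self._drop(f, "server message from untrusted port (rogue DHCP server)")
        if f.src_mac.lower() != f.chaddr.lower():
            return self._drop(f, "source MAC does not match chaddr (spoofed client)")
        if f.msg_type in ("RELEASE", "DECLINE"):
            bound = self.bindings.get(key)
            if bound and bound[1] != f.port:
                return self._drop(f, "release/decline for a lease bound to another port")
        if f.msg_type in ("DISCOVER", "REQUEST"):
            self.pending[key] = f.port
        return True


def run_demo() -> Tuple[List[bool], DhcpSnooping]:
    """Constructed exchange: uplink Gi1/0/24 is trusted, everything else is an access port."""
    sw = DhcpSnooping(trusted_ports={"Gi1/0/24"}, snooped_vlans={10})
    server = "00:11:22:33:44:55"
    pc, rogue, spoofer = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:07", "aa:bb:cc:00:00:09"
    frames = [
        DhcpFrame("Gi1/0/5", 10, pc, pc, "DISCOVER"),
        DhcpFrame("Gi1/0/24", 10, server, pc, "OFFER", "10.0.10.50"),
        DhcpFrame("Gi1/0/7", 10, rogue, pc, "OFFER", "192.168.0.23"),   # home router at a desk
        DhcpFrame("Gi1/0/5", 10, pc, pc, "REQUEST"),
        DhcpFrame("Gi1/0/24", 10, server, pc, "ACK", "10.0.10.50"),
        DhcpFrame("Gi1/0/9", 10, spoofer, pc, "DISCOVER"),              # chaddr forged
        DhcpFrame("Gi1/0/9", 10, pc, pc, "RELEASE"),                    # tries to free the PC's lease
    ]
    return [sw.process(f) for f in frames], sw
```

Running `run_demo()` forwards the genuine DISCOVER/OFFER/REQUEST/ACK exchange, drops the OFFER from the desk router, the DISCOVER whose Ethernet source disagrees with chaddr, and the RELEASE sent from a port other than the one the lease is bound to, and leaves one entry in the binding table. That table is what Dynamic ARP Inspection and IP Source Guard consult on the same switch.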

BPDU guard is incorrect. PortFast BPDU guard prevents loops by moving a non-trunking port into an errdisable state when a BPDU is received on that port. When you enable BPDU guard on the switch, spanning tree shuts down PortFast-configured interfaces that receive BPDUs instead of putting them into the spanning-tree blocking state.

MAC filtering is incorrect. MAC filtering is an access-control method based on the 48-bit MAC address that every network interface carries: the access point or switch compares that address with a list of allowed (or denied) devices to decide whether the device may join the network. It helps in preventing unwanted access by whitelisting or blacklisting computers based on their MAC address. Because a MAC address can be changed in software, MAC filtering is a weak control on its own.

Jump server is incorrect. A jump server is a system on a network used to access and manage devices in a separate security zone. A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. The most common example is managing a host in a DMZ from trusted networks or computers.

The jump server acts as a single audit point for traffic and also a single place where user accounts can be managed. A prospective administrator must log into the jump server in order to gain access to the DMZ assets, and all access can be logged for later audit.

Question 75. You have been hired as a security expert to implement a security solution to protect an organization from external threats. The solution should provide packet filtering, VPN support, network monitoring, and deeper inspection capabilities that give the organization a superior ability to identify attacks, malware, and other threats. Which of the following security solutions will you implement to meet the requirement?
(A) Next-generation firewall (NGFW)
(B) Endpoint detection and response (EDR)
(C) Anti-malware
(D) Antivirus

Explanation 75. Next-generation firewall (NGFW) is the correct answer. A next-generation firewall (NGFW) filters network traffic to protect an organization from external threats. Maintaining features of stateful firewalls such as packet filtering, VPN support, network monitoring, and IP mapping features, NGFWs also possess deeper inspection capabilities that give them a superior ability to identify attacks, malware, and other threats.

Next-generation firewalls provide organizations with application control, intrusion prevention, and advanced visibility across the network. As the threat landscape continues to develop rapidly, traditional firewalls fall further behind and put your organization at risk. NGFWs not only block malware, but also include paths for future updates, giving them the flexibility to evolve with the landscape and keep the network secure as new threats arise.

Endpoint detection and response (EDR) is incorrect. Endpoint detection and response is an emerging technology that addresses the need for continuous monitoring and response to advanced threats. Endpoint detection and response tools work by monitoring endpoint and network events and recording the information in a central database where further analysis, detection, investigation, reporting, and alerting take place. A software agent installed on the host system provides the foundation for event monitoring and reporting.

Anti-malware is incorrect. Anti-malware tools may employ scanning, strategies, freeware, or licensed tools to detect rootkits, worms, Trojans, and other types of potentially damaging software. Each type of malware resource carries its own interface and system requirements, which impact user solutions for a given device or system.

Antivirus is incorrect. Antivirus software helps protect your computer against malware and cybercriminals. Antivirus software looks at data (web pages, files, software, applications) traveling over the network to your devices. It searches for known threats and monitors the behavior of all programs, flagging suspicious behavior. It seeks to block or remove malware as quickly as possible.

Question 76. One of the features of SNMPv3 is called message integrity.
(A) TRUE
(B) FALSE

Explanation 76. TRUE is the correct answer.

Simple Network Management Protocol (SNMP) is a way for different devices on a network to share information with one another. It allows devices to communicate even if the devices are different hardware and run different software.

Without a protocol like SNMP, there would be no way for network management tools to identify devices, monitor network performance, keep track of changes to the network, or determine the status of network devices in real time.

SNMP provides a message format for communication between what are termed managers and agents. An SNMP manager is a network management application running on a PC or server, with that host typically being called a Network Management Station (NMS).

As for the SNMP protocol messages, all versions of SNMP support a basic clear-text password mechanism (the community string), although none of those versions refer to the mechanism as using a password. SNMP Version 3 (SNMPv3) adds more modern security as well.

The following are SNMPv3 features:

1. Message integrity: This mechanism confirms whether or not each message has been changed during transit. It is implemented with the same keyed hash (HMAC) that provides authentication, so it is present at the authNoPriv and authPriv security levels; a message sent at noAuthNoPriv has no integrity protection.

2. Authentication: This optional feature adds authentication with both a username and password, with the password never sent as clear text. Instead, it uses a hashing method like many other modern authentication processes.

3. Encryption (privacy): This optional feature encrypts the contents of SNMPv3 messages so that attackers who intercept the messages cannot read their contents.
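As an added example (not the book’s material), the Python below works through how the SNMPv3 user-based security model turns a password into a per-device key (the RFC 3414 password-to-key and key localization steps) and uses that key in an HMAC whose first 12 bytes travel in the message as msgAuthenticationParameters. Recomputing and comparing those bytes is what gives both message integrity and authentication. The password and engine ID are the published test vector from RFC 3414 Appendix A; the message bytes around the authentication parameters are a constructed stand-in for a BER-encoded SNMPv3 packet, not a real capture.

```python
import hashlib
import hmac

AUTH_PARAM_LEN = 12          # HMAC-MD5-96 and HMAC-SHA-96 truncate the MAC to 12 octets
ZERO_PARAMS = bytes(AUTH_PARAM_LEN)


def password_to_ku(password: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: hash the password repeated cyclically out to 1 MiB -> Ku."""
    expanded = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.new(hash_name, expanded).digest()


def localize(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). The key differs per agent, so a key
    recovered from one device does not work against another."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def password_to_kul(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    return localize(password_to_ku(password, hash_name), engine_id, hash_name)


def sign_message(before: bytes, after: bytes, kul: bytes, hash_name: str = "md5") -> bytes:
    """Sender: MAC over wholeMsg with msgAuthenticationParameters set to 12 zero
    octets (RFC 3414 6.3.1), then return wholeMsg with the 12-byte MAC filled in."""
    mac = hmac.new(kul, before + ZERO_PARAMS + after, hash_name).digest()[:AUTH_PARAM_LEN]
    return before + mac + after


def verify_message(whole: bytes, offset: int, kul: bytes, hash_name: str = "md5") -> bool:
    """Receiver: zero the parameters field, recompute the MAC and compare in
    constant time. Any change to the message or a wrong key fails the check."""
    received = whole[offset:offset + AUTH_PARAM_LEN]
    zeroed = whole[:offset] + ZERO_PARAMS + whole[offset + AUTH_PARAM_LEN:]
    expected = hmac.new(kul, zeroed, hash_name).digest()[:AUTH_PARAM_LEN]
    return hmac.compare_digest(received, expected)


# Test vector from RFC 3414 Appendix A.3: password "maplesyrup", engineID 00..00 02.
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes(11) + b"\x02"


def demo(hash_name: str = "md5") -> dict:
    """Sign a constructed message, then show what verification catches."""
    kul = password_to_kul(PASSWORD, ENGINE_ID, hash_name)
    # Constructed stand-in for the bytes before and after msgAuthenticationParameters.
    head = b"v3|msgID=1|maxSize=65507|flags=auth|usm:engine=...0002|user=ops|"
    tail = b"|privParams=|scopedPDU=get sysName.0"
    whole = sign_message(head, tail, kul, hash_name)
    tampered = whole[:-1] + bytes([whole[-1] ^ 0x01])      # flip one bit in the PDU
    other_engine = password_to_kul(PASSWORD, bytes(11) + b"\x03", hash_name)
    return {
        "genuine": verify_message(whole, len(head), kul, hash_name),
        "tampered": verify_message(tampered, len(head), kul, hash_name),
        "wrong_engine_key": verify_message(whole, len(head), other_engine, hash_name),
    }
```

MD5 and SHA-1 are the algorithms RFC 3414 defines; RFC 7860 adds the SHA-2 based HMACs, and the same localization and truncation scheme applies to them. The example also makes the caveat above visible: the integrity check exists only because an authentication key was configured.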

Question 77. You have been tasked to implement a solution to increase the security of your company’s local area network (LAN). All of the company’s external-facing servers (web server, mail server, FTP server) should be placed in a separate area so that they are accessible from the internet while the rest of the internal LAN remains unreachable. Which of the following techniques will you implement to meet the requirement?
(A) DMZ
(B) VLAN
(C) VPN
(D) DNS

Explanation 77. DMZ is the correct answer.

In computer networks, a DMZ (demilitarized zone), also sometimes known as a perimeter network or a screened subnetwork, is a physical or logical subnet that separates an internal local area network (LAN) from other untrusted networks, usually the public internet.

External-facing servers, resources, and services are located in the DMZ. Therefore, they are accessible from the internet, but the rest of the internal LAN remains unreachable. This provides an additional layer of security to the LAN as it restricts a hacker’s ability to directly access internal servers and data through the internet. Traffic from the DMZ into the internal LAN should itself be filtered, so that a compromised public server cannot be used as a pivot.

VLAN is incorrect. A VLAN (virtual LAN) is a subnetwork that can group together collections of devices on separate physical local area networks (LANs). A LAN is a group of computers and devices that share a communications line or wireless link to a server within the same geographical area. A VLAN acts like a physical LAN, but it allows hosts to be grouped together in the same broadcast domain even if they are not connected to the same switch.

Here are the main reasons why VLANs are used:

1. VLANs increase the number of broadcast domains while decreasing their size.

2. VLANs reduce security risks by reducing the number of hosts that receive copies of frames that the switches flood.

3. You can keep hosts that hold sensitive data on a separate VLAN to improve security.

4. You can create more flexible network designs that group users by department instead of by physical location.

5. Network changes are achieved with ease by just configuring a port into the appropriate VLAN.

VPN is incorrect. A Virtual Private Network (VPN) is a service that allows you to connect to the Internet via an encrypted tunnel to ensure your online privacy and protect your sensitive data. A VPN is commonly used to secure the connection to a public Wi-Fi hotspot, hide your IP address, and make your browsing private.

DNS is incorrect. DNS stands for Domain Name System. It’s a system that lets you connect to websites by matching human-readable domain names (like examsdigest.com) with the unique ID of the server where a website is stored.

Think of the DNS system as the internet’s phonebook. It lists domain names with their corresponding identifiers, called IP addresses, instead of listing people’s names with their phone numbers. When a user enters a domain name like examsdigest.com on their device, it looks up the IP address and connects them to the physical location where that website is stored.

Question 78. Application whitelisting prevents undesirable programs from executing, while application blacklisting is more restrictive and allows only programs that have been explicitly permitted to run.
(A) TRUE
(B) FALSE

Explanation 78. FALSE is the correct answer.

Application blacklisting prevents undesirable programs from executing, while application whitelisting is more restrictive and allows only programs that have been explicitly permitted to run.

Application blacklisting, sometimes just referred to as blacklisting, is a network administration practice used to prevent the execution of undesirable programs. Such programs include not only those known to contain security threats or vulnerabilities but also those that are deemed inappropriate within a given organization. Blacklisting is the method used by most antivirus programs, intrusion prevention/detection systems and spam filters.

Application whitelisting is the practice of specifying an index of approved software applications or executable files that are permitted to be present and active on a computer system. The goal of whitelisting is to protect computers and networks from potentially harmful applications. Because anything not on the list is denied by default, a whitelist also blocks malware that no blacklist has seen yet; the price is that every legitimate application and update has to be added to the list before it will run.
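An added example (not from the book) that makes the default-allow versus default-deny difference executable: one hash-based policy engine evaluated in both modes against a known-good tool, a tampered copy of it, a known malware sample and a freshly built executable nobody has seen before. The "executables" are constructed byte strings standing in for real files, and their hashes are computed in the example rather than taken from any vendor list.

```python
import hashlib
from typing import Dict, Set


def sha256_hex(data: bytes) -> str:
    """Real policies hash the executable image on disk; here the image is a byte string."""
    return hashlib.sha256(data).hexdigest()


def may_execute(image: bytes, mode: str, known_good: Set[str], known_bad: Set[str]) -> bool:
    """Decide whether an executable image may run.

    allowlist (whitelist) mode: default deny, only hashes in known_good run.
    denylist (blacklist) mode:  default allow, only hashes in known_bad are stopped.
    """
    digest = sha256_hex(image)
    if mode == "allowlist":
        return digest in known_good
    if mode == "denylist":
        return digest not in known_bad
    raise ValueError(f"unknown mode {mode!r}")


# Constructed stand-ins for executables.
CORP_TOOL = b"MZ... corporate-signed tool v1.4"
CORP_TOOL_TAMPERED = b"MZ... corporate-signed tool v1.4 + injected payload"
KNOWN_MALWARE = b"MZ... sample the AV vendor catalogued last year"
NEW_MALWARE = b"MZ... recompiled this morning, no signature anywhere yet"

KNOWN_GOOD = {sha256_hex(CORP_TOOL)}        # what the organisation approved
KNOWN_BAD = {sha256_hex(KNOWN_MALWARE)}     # what the vendor feed has flagged


def compare_modes() -> Dict[str, Dict[str, bool]]:
    """Evaluate every sample under both policies; True means 'allowed to run'."""
    samples = {
        "corp_tool": CORP_TOOL,
        "corp_tool_tampered": CORP_TOOL_TAMPERED,
        "known_malware": KNOWN_MALWARE,
        "new_malware": NEW_MALWARE,
    }
    return {
        mode: {name: may_execute(img, mode, KNOWN_GOOD, KNOWN_BAD) for name, img in samples.items()}
        for mode in ("allowlist", "denylist")
    }
```

Under the denylist the tampered tool and the brand-new malware both run, because nothing on the list matches them; under the allowlist they are stopped for exactly the same reason, and the only thing that runs is the exact image the organisation approved. That is also why an allowlist needs an update process: a patched version of the corporate tool hashes differently and is blocked until it is added.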

Question 79. In which of the following load balancer modes do two or more load balancers share the network traffic load and work as a team to distribute it to the network servers?
(A) Active/active
(B) Active/passive
(C) Passive/active
(D) Passive/passive

Explanation 79. Active/active is the correct answer.

In active/active mode two or more load balancers share the network traffic load and work as a team to distribute it to the network servers. The load balancers can also remember information requests from users and keep this information in the cache.

Active/passive is incorrect. An active/passive configuration offers many advantages, so you should consider buying a pair of load balancers and configuring them in H/A (High Availability) mode. This done, the primary load balancer distributes the network traffic to the most suitable server while the second load balancer operates in listening mode to constantly monitor the performance of the primary load balancer, ready at any time to step in and take over the load balancing duties should the primary load balancer be in difficulty and failing.

Passive/active and Passive/passive are incorrect as they aren’t load balancing modes.

Question 80. You have been tasked to implement a solution to send product offers to consumers’ smartphones when they trigger a search in a particular geographic location, or enter a mall, neighborhood, or store. What solution will you implement in order to achieve that?
(A) Geolocation
(B) Push notifications
(C) Geofencing
(D) Remote wipe

Explanation 80. Geofencing is the correct answer.

Geofencing is a location-based service that businesses use to engage their audience by sending relevant messages to smartphone users who enter a pre-defined location or geographic area. Companies send product offers or specific promotions to consumers’ smartphones when they trigger a search in a particular geographic location, or enter a mall or neighborhood.

Geolocation is incorrect. Geolocation refers to the use of location technologies such as GPS or IP addresses to identify and track the whereabouts of connected electronic devices. Because these devices are often carried on an individual’s person, geolocation is often used to track the movements and location of people, and for surveillance.

Push notifications is incorrect. Push notifications are clickable pop-up messages that appear on your users’ browsers irrespective of which device they use or which browser they are on. Subscribers can be anywhere on the browser and still receive these messages as long as they are online or have their browsers running on their devices.

Browser push notifications are different from in-app notifications because in-app notifications appear only when triggered by an existing application on your mobile device, while browser push notifications can be triggered through browsers on any device as long as the user subscribes to receive your notifications. It is an instant mode of automated, direct communication between a website and its end users.

Remote wipe is incorrect. Remote wipe is a security feature of mobile device management that allows you to remotely clear data from a lost or stolen mobile device.

Question 81. The type of network hardware appliance that protects networks against security threats (malware, attacks) that simultaneously target separate parts of the network by integrating multiple security services and features is known as:
(A) Network address translation (NAT)
(B) Web application firewall (WAF)
(C) Content/URL filter
(D) Unified threat management (UTM)

Explanation 81. Unified threat management (UTM) is the correct answer.

A Unified threat management (UTM) system is a type of network hardware appliance, virtual appliance or cloud service that protects businesses from security threats in a simplified way by combining and integrating multiple security services and features. UTM devices are often packaged as network security appliances that can help protect networks against combined security threats, including malware and attacks that simultaneously target separate parts of the network.

Network Address Translation (NAT) is incorrect. Network Address Translation (NAT) is designed for IP address conservation. It enables private IP networks that use unregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into legal addresses before packets are forwarded to another network.

As part of this capability, NAT can be configured to advertise only one address for the entire network to the outside world. This provides some additional security by effectively hiding the entire internal network behind that address, although NAT is not a substitute for a firewall. NAT offers the dual functions of security and address conservation and is typically implemented in remote-access environments.

Web application firewall (WAF) is incorrect. A WAF or Web Application Firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site request forgery, cross-site scripting (XSS), file inclusion, and SQL injection, among others. A WAF is a protocol layer 7 defense (in the OSI model) and is not designed to defend against all types of attacks. This method of attack mitigation is usually part of a suite of tools that together create a holistic defense against a range of attack vectors.

Content/URL filter is incorrect. URL filtering is a type of technology that helps businesses control their users’ and guests’ ability to access certain content on the web.

Question 82. For security and monitoring purposes your company instructed you to implement a solution so that all packets entering or exiting a port should be copied and then sent to a local interface for monitoring. Which of the following solutions will you implement in order to meet the requirement?
(A) Access control list (ACL)
(B) Port mirroring
(C) Quality of service (QoS)
(D) File Integrity Monitoring

Explanation 82. Port mirroring is the correct answer.
Port mirroring copies packets entering or exiting a port or entering a VLAN and sends the copies to a local interface for local monitoring or to a VLAN for remote monitoring. Use port mirroring to send traffic to applications that analyze traffic for purposes such as monitoring compliance, enforcing policies, detecting intrusions, monitoring and predicting traffic patterns, correlating events, and so on.

Port mirroring is needed for traffic analysis on a switch because a switch normally sends packets only to the port to which the destination device is connected. You configure port mirroring on the switch to send copies of unicast traffic to a local interface or a VLAN and run an analyzer application on a device connected to the interface or VLAN.

Access control list (ACL) is incorrect. Access Control Lists (ACLs) are network traffic filters that can control incoming or outgoing traffic. ACLs work on a set of rules that define how to forward or block a packet at the router’s interface.

An ACL is the same as a Stateless Firewall, which only restricts, blocks, or allows the packets that are flowing from source to destination. When you define an ACL on a routing device for a specific interface, all the traffic flowing through will be compared with the ACL statements, which will either block it or allow it.

Quality of service (QoS) is incorrect. Quality of service (QoS) refers to any technology that manages data traffic to reduce packet loss, latency and jitter on the network.

Quality of service also involves controlling and managing network resources by setting priorities for specific types of data (video, audio, files) on the network. QoS is exclusively applied to network traffic generated for video on demand, IPTV, VoIP, streaming media, videoconferencing, and online gaming.

File integrity monitoring (FIM) is incorrect. File integrity monitoring (FIM) refers to an IT security process and technology that tests and checks operating system (OS), database, and application software files to determine whether or not they have been tampered with or corrupted.

Question 83. Your manager is trying to understand the difference between SFTP and FTPS, so he asked you to explain the difference between them. Which of the following statements are correct? (Choose all that apply.)
(A) SFTP, also known as SSH FTP, encrypts both commands and data while in transmission
(B) FTPS, also known as FTP Secure or FTP-SSL
(C) SFTP protocol is packet-based as opposed to text-based making file and data transfers faster
(D) FTPS authenticates your connection using a user ID and password or SSH Keys
(E) SFTP authenticates your connection using a user ID and password, a certificate, or both

Explanation 83. A, B and C are the correct answers.
The correct statements are:
1. SFTP, also known as SSH FTP, encrypts both commands and data while in transmission.
2. FTPS, also known as FTP Secure or FTP-SSL.
3. SFTP protocol is packet-based as opposed to text-based making file and data transfers faster.

The incorrect statements are:
1. FTPS authenticates your connection using a user ID and password or SSH Keys.
2. SFTP authenticates your connection using a user ID and password, a certificate, or both.

SFTP, also known as SSH FTP, encrypts both commands and data while in transmission. This means all your data and credentials are encrypted as they pass through the internet.

SFTP authenticates your connection using a user ID and password or SSH Keys.

FTPS, also known as FTP Secure or FTP-SSL, is a more secure form of FTP. FTPS is basic FTP with security added to the data transfer. Special security protocols TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are cryptographic and provide encryption of data to protect your information as it moves from point A to point B, including username/password.

FTPS authenticates your connection using a user ID and password, a certificate, or both.

Question 84. The network administrator from your company notices that the network performance has been degraded due to a broadcast storm. Which of the following techniques will you recommend to the network administrator in order to reduce broadcast storms? (Choose all that apply)
(A) Check for loops in switches
(B) Split up your broadcast domain
(C) Allow you to rate-limit broadcast packets
(D) Check how often ARP tables are emptied
(E) Split up your collision domain
(F) Check the routing tables

Explanation 84. A, B, C and D are the correct answers.
A broadcast storm is an abnormally high number of broadcast packets within a short period of time. A broadcast storm can overwhelm switches and endpoints as they struggle to keep up with processing the flood of packets. When this happens, network performance degrades.

How to reduce broadcast storms:
1. Storm control and equivalent protocols allow you to rate-limit broadcast packets. If your switch has such a mechanism, turn it on.

2. Ensure IP-directed broadcasts are disabled on your Layer 3 devices. There’s little to no reason why you’d want broadcast packets coming in from the internet going to a private address space. If a storm is originating from the WAN, disabling IP-directed broadcasts will shut it down.

3. Split up your broadcast domain. Creating a new VLAN and migrating hosts into it will load balance the broadcast traffic to a more acceptable level. Broadcast traffic is necessary and useful, but too much of it eventually leads to a poor network experience.

4. Check how often ARP tables are emptied. The more frequently they’re emptied, the more often ARP broadcast requests occur.

5. Sometimes, when switches have a hardware failure, their switchports begin to spew out broadcast traffic onto the network. If you have a spare switch of the same or similar model, clone the config of the active switch onto the spare and swap the hardware and cables during a maintenance window. Does the storm subside? If it does, it was a hardware issue. If not, then you’ve gotta keep digging.

6. Check for loops in switches. Say there was an unmanaged Layer 2 switch connected upstream to an unmanaged switch, and someone’s connected a cable between two ports on the same unmanaged switch (let’s say ports 1 and 2). The unmanaged switch will respond to all broadcasts multiple times and flood the broadcast domain with packets, causing a denial of service attack on the network.

Question 85. Which of the following technologies will you use in order to send instant notifications to your subscribed users each time you publish a new blog post on your website?
(A) Push notifications
(B) Geofencing
(C) Geolocation
(D) Remote wipe

Explanation 85. Push notifications is the correct answer.
Push notifications are clickable pop-up messages that appear on your users’ browsers irrespective of which device they use or which browser they are on. Subscribers can be anywhere on the browser and still receive these messages as long as they are online or have their browsers running on their devices.

Browser push notifications are different from in-app notifications because in-app notifications appear only when triggered by an existing application on your mobile device, while browser push notifications can be triggered through browsers on any device as long as the user subscribes to receive your notifications. It is an instant mode of automated, direct communication between a website and its end users.

Geofencing is incorrect. Geofencing is a location-based service that businesses use to engage their audience by sending relevant messages to smartphone users who enter a pre-defined location or geographic area.

Companies send product offers or specific promotions to consumers’ smartphones when they trigger a search in a particular geographic location, enter a mall, neighborhood, or store.

Geolocation is incorrect. Geolocation refers to the use of location technologies such as GPS or IP addresses to identify and track the whereabouts of connected electronic devices. Because these devices are often carried on an individual’s person, geolocation is often used to track the movements and location of people and for surveillance.

Remote wipe is incorrect. Remote wipe is a security feature for mobile device management that allows you to remotely clear data from a lost or stolen mobile device.

Question 86. It has been noticed that the Wi-Fi of your company is slow and sometimes not operational. After investigation, you noticed this is caused by channel interference. Which of the following solutions will you implement to avoid problems such as channel interference when you build your WLAN?
(A) Heat maps
(B) WiFi Protected Setup
(C) Captive portal
(D) You can't avoid channel interference

Explanation 86. Heat maps is the correct answer.
A WiFi heatmap is a map of wireless signal coverage and strength. Typically, a WiFi heatmap shows a real map of a room, floor, or even a city overlaid by a graphical representation of a wireless signal.

The purpose of creating a WiFi heatmap is to obtain accurate information about the quality of coverage of a WiFi network. As you may know, WiFi coverage is affected by many different factors, including:
1. Your WiFi router
2. Other WiFi networks
3. Physical obstacles
4. RF interference

WiFi Protected Setup is incorrect. WiFi Protected Setup is a wireless network security standard that tries to make connections between a router and wireless devices faster and easier.

WPS works only for wireless networks that use a password that is encrypted with the WPA Personal or WPA2 Personal security protocols.

Captive portal is incorrect. A captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources.

You can’t avoid channel interference is incorrect because there are many tools to avoid channel interference such as heatmaps, site surveys and WiFi analyzers.

Question 87. Which of the following options are cryptographic protocols? (Choose all that apply)
(A) WPA2
(B) WPA3
(C) CCMP
(D) SAE
(E) EAP
(F) PEAP

Explanation 87. A, B, C and D are the correct answers.
WPA2 is the correct answer. Short for Wi-Fi Protected Access 2, WPA2 is the security method added to WPA for wireless networks that provides stronger data protection and network access control. It provides enterprise and consumer Wi-Fi users with a high level of assurance that only authorized users can access their wireless networks.

WPA3 is the correct answer. WPA3 is the latest version of Wi-Fi Protected Access, a suite of protocols and technologies that provide authentication and encryption for Wi-Fi networks.

The primary enhancement to WPA3 Personal is in the authentication process, where WPA3 makes brute-force dictionary attacks much more difficult and time-consuming for an attacker.

CCMP is the correct answer. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) is an encryption protocol that forms part of the 802.11i standard for wireless local area networks (WLANs), particularly those using WiMax technology.

CCMP offers enhanced security compared with similar technologies such as Temporal Key Integrity Protocol (TKIP). CCMP employs 128-bit keys and a 48-bit initialization vector that minimizes vulnerability to replay attacks.

SAE is the correct answer. In cryptography, Simultaneous Authentication of Equals (SAE) is a secure password-based authentication and password-authenticated key agreement method.

SAE is resistant to passive attack, active attack, and dictionary attack. It provides a secure alternative to using certificates or when a centralized authority is not available.

It is a peer-to-peer protocol, has no asymmetry, and supports simultaneous initiation. It is therefore well-suited for use in mesh networks.

EAP is incorrect. The Extensible Authentication Protocol (EAP) is a protocol for wireless networks that expands on authentication methods used by the Point-to-Point Protocol (PPP), a protocol often used when connecting a computer to the Internet.

In EAP, a user requests a connection to a wireless network through an access point. The access point requests identification (ID) data from the user and transmits that data to an authentication server.

The authentication server asks the access point for proof of the validity of the ID. After the access point obtains that verification from the user and sends it back to the authentication server, the user is connected to the network as requested.

PEAP is incorrect. PEAP (Protected Extensible Authentication Protocol) is a version of EAP. PEAP is designed to provide more secure authentication for 802.11 WLANs (wireless local area networks) that support 802.1X port access control.

PEAP authenticates the server with a public key certificate and carries the authentication in a secure Transport Layer Security (TLS) session, over which the WLAN user, WLAN stations and the authentication server can authenticate themselves.

Question 88. The main goal of performing a wireless site ________________ is to reveal areas of channel interference and dead zones, helping you avoid problems as you build the network and prevent obstacles for network users.
(A) Inspection
(B) Survey
(C) Check
(D) Scan

Explanation 88. Survey is the correct answer.
The main goal of performing a wireless site survey is to reveal areas of channel interference and dead zones, helping you avoid problems as you build the network and prevent obstacles for network users.

A wireless site survey is used to determine two things. First, you want to determine the feasibility of building a wireless network on your site. Once you have established it’s feasible, you’ll need to determine the best place for access points and other equipment such as antennas and cables.

A site survey also helps you to determine what type of equipment you will need, where it will go, and how it needs to be installed.

Question 89. You have been tasked to implement a solution to encrypt data as it is written to the disk and decrypt data as it is read off the disk. Which of the following solutions will you implement to meet the requirement?
(A) Root of trust
(B) Trusted Platform Module
(C) Self-encrypting drive (SED) / full-disk encryption (FDE)
(D) Sandboxing

Explanation 89. Self-encrypting drive (SED) / full-disk encryption (FDE) is the correct answer.
Full-disk encryption (FDE) and self-encrypting drives (SED) encrypt data as it is written to the disk and decrypt data as it is read off the disk. FDE makes sense for laptops, which are highly susceptible to loss or theft. But FDE isn’t suitable for the most common risks faced in data center and cloud environments.

The advantages of full-disk encryption/self-encrypting drives (FDE/SED) include:
1. Simplest method of deploying encryption
2. Transparent to applications, databases, and users
3. High-performance, hardware-based encryption

The limitations of full-disk encryption/self-encrypting drives (FDE/SED) include:
1. Addresses a very limited set of threats (protects only from physical loss of storage media)
2. Lacks safeguards against advanced persistent threats (APTs), malicious insiders, or external attackers
3. Meets minimal compliance requirements
4. Doesn’t offer granular access audit logs

Root of trust is incorrect. The Root of Trust is a concept that starts a chain of trust needed to ensure computers boot with legitimate code. If the first piece of code executed has been verified as legitimate, those credentials are trusted by the execution of each subsequent piece of code.

Trusted Platform Module is incorrect. TPM (Trusted Platform Module) is a computer chip (microcontroller) that can securely store artifacts used to authenticate the platform (your PC or laptop). These artifacts can include passwords, certificates, or encryption keys.

A TPM can also be used to store platform measurements that help ensure that the platform remains trustworthy. Authentication (ensuring that the platform can prove that it is what it claims to be) and attestation (a process helping to prove that a platform is trustworthy and has not been breached) are necessary steps to ensure safer computing in all environments.

Sandboxing is incorrect. Sandboxing is a technique in which you create an isolated test environment, a sandbox, in which to execute or detonate a suspicious file or URL that is attached to an email or otherwise reaches your network and then observe what happens.

If the file or URL displays malicious behavior, then you’ve discovered a new threat. The sandbox must be a secure, virtual environment that accurately emulates the CPU of your production servers.

Question 90. Which of the following VPN solutions is used to connect two local area networks (LANs) utilized by businesses large and small that want to provide their employees with secure access to network resources?
(A) Remote access
(B) Site-to-site
(C) Split tunnel
(D) Proxy server

Explanation 90. Site-to-site is the correct answer.
The Site to Site VPN, known as point to point VPN, is used to connect two local area networks (LANs). Site to site VPNs are usually utilized by businesses large and small that want to provide their employees or business partners secure access to network resources. Usually, these network resources are files or access to programs that need to be protected.

Remote Access is incorrect. Remote Access (Personal) VPN is used to connect a personal user device to a remote server on a private network. Once a remote access VPN is connected, a user’s internet activity will go through the encrypted VPN tunnel to the remote server and access the internet from that remote server. That means that the internet website or application sees the remote server’s IP address instead of your personal device’s IP address – which provides a layer of privacy.

Split tunnel is incorrect. VPN split tunneling lets you route some of your device or app traffic through the encrypted VPN tunnel while other devices or apps access the internet directly. Use split tunneling to protect the traffic you choose, without losing access to local network devices.

Proxy server is incorrect. A proxy server is not a VPN solution; the proxy server acts as a gateway between you and the internet. It’s an intermediary server separating end users from the websites they browse.

Proxy servers provide varying levels of functionality, security, and privacy depending on your use case, needs, or company policy. Proxy servers act as a firewall and web filter, provide shared network connections, and cache data to speed up common requests.

Question 91. Which of the following options are authentication protocols? (Choose all that apply)
(A) EAP
(B) PEAP
(C) WPA2
(D) WPA3
(E) RADIUS

Explanation 91. A, B and E are the correct answers.
EAP is the correct answer. The Extensible Authentication Protocol (EAP) is a protocol for wireless networks that expands on authentication methods used by the Point-to-Point Protocol (PPP), a protocol often used when connecting a computer to the Internet.

In EAP, a user requests a connection to a wireless network through an access point. The access point requests identification (ID) data from the user and transmits that data to an authentication server.

The authentication server asks the access point for proof of the validity of the ID. After the access point obtains that verification from the user and sends it back to the authentication server, the user is connected to the network as requested.

PEAP is the correct answer. PEAP (Protected Extensible Authentication Protocol) is a version of EAP. PEAP is designed to provide more secure authentication for 802.11 WLANs (wireless local area networks) that support 802.1X port access control.

PEAP authenticates the server with a public key certificate and carries the authentication in a secure Transport Layer Security (TLS) session, over which the WLAN user, WLAN stations and the authentication server can authenticate themselves.

RADIUS is the correct answer. Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.

RADIUS allows a company to maintain user profiles in a central database that all remote servers can share. It provides better security, allowing a company to set up a policy that can be applied at a single administered network point.

WPA2 is incorrect. Short for Wi-Fi Protected Access 2, WPA2 is the security method added to WPA for wireless networks that provides stronger data protection and network access control. It provides enterprise and consumer Wi-Fi users with a high level of assurance that only authorized users can access their wireless networks.

WPA3 is incorrect. WPA3 is the latest version of Wi-Fi Protected Access, a suite of protocols and technologies that provide authentication and encryption for Wi-Fi networks. The primary enhancement to WPA3 Personal is in the authentication process, where WPA3 makes brute-force dictionary attacks much more difficult and time-consuming for an attacker.

Question 92. Which of the following types of certificates will you use to digitally sign your apps as a way for end-users to verify that the code they receive has not been altered or compromised by a third party?
(A) Wildcard
(B) Subject alternative name
(C) Code signing certificates
(D) Self-signed

Explanation 92. Code signing certificates is the correct answer.
Code signing certificates are used by software developers to digitally sign apps, drivers, and software programs as a way for end-users to verify that the code they receive has not been altered or compromised by a third party. They include your signature, your company’s name, and if desired, a timestamp.

Wildcard is incorrect. A Wildcard SSL Certificate allows you to secure an unlimited number of first-level sub-domains on a single domain name. That means you can get an SSL Certificate with the common name as *.yourcompany.com and you can use it on all of the following without errors:

www.yourcompany.com
mail.yourcompany.com
intranet.yourcompany.com
secure.yourcompany.com
me.yourcompany.com

Subject alternative name is incorrect. A SAN cert allows for multiple domain names to be protected with a single certificate. For example, you could get a certificate for yourcompany.com, and then add more SAN values to have the same certificate protect yourcompany.org, yourcompany.net and even examsdigest.com, while the wildcard certificate allows for unlimited subdomains to be protected with a single certificate.

Self-signed is incorrect. A self-signed certificate is a digital certificate that’s not signed by a publicly trusted certificate authority (CA). This can include SSL/TLS certificates, code signing certificates, and S/MIME certificates.

The reason why they’re considered different from traditional certificate-authority signed certificates is that they’re created, issued, and signed by the company or developer who is responsible for the website or software being signed. This is why self-signed certificates are considered unsafe for public-facing websites and applications.

Question 93. What technique is used for IP address conservation by enabling private IP addresses to connect to the Internet?
(A) NAT
(B) UTM
(C) WAF
(D) ACL

Explanation 93. NAT is the correct answer. Network Address Translation (NAT) is designed for IP address conservation. It enables private IP networks that use unregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into legal addresses before packets are forwarded to another network.

As part of this capability, NAT can be configured to advertise only one address for the entire network to the outside world. This provides additional security by effectively hiding the entire internal network behind that address. NAT offers the dual functions of security and address conservation and is typically implemented in remote-access environments.

Unified threat management (UTM) is incorrect. A unified threat management (UTM) system is a type of network hardware appliance, virtual appliance or cloud service that protects businesses from security threats in a simplified way by combining and integrating multiple security services and features.

UTM devices can help protect networks against combined security threats, including malware and attacks that simultaneously target separate parts of the network.

Web application firewall (WAF) is incorrect. A WAF or Web Application Firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.

It typically protects web applications from attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection, among others. A WAF is a protocol layer 7 defense (in the OSI model) and is not designed to defend against all types of attacks. This method of attack mitigation is usually part of a suite of tools that together create a holistic defense against a range of attack vectors.

Access control list (ACL) is incorrect. Access Control Lists (ACLs) are network traffic filters that can control incoming or outgoing traffic. ACLs work on a set of rules that define how to forward or block a packet at the router’s interface.

An ACL is the same as a Stateless Firewall, which only restricts, blocks, or allows the packets that are flowing from source to destination. When you define an ACL on a routing device for a specific interface, all the traffic flowing through will be compared with the ACL statements, which will either block it or allow it.
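The ACL descriptions in Questions 82 and 93 make two points worth seeing concretely: rules are evaluated top-down and the first match wins, and a stateless filter judges every packet on its own, so return traffic needs its own permit rule. The following Python is an added example, not code from the book, implementing such a filter over a constructed rule set and constructed packets; the addresses (documentation ranges) and the rules are assumptions for illustration.

```python
# Added example (not from the book): a first-match, stateless packet filter
# of the kind the ACL explanation describes. Rules are compared top-down
# against each packet and the first hit decides; a packet that matches no
# rule falls through to the implicit deny at the end of every ACL.
# Because the filter keeps no connection state, a reply packet is judged on
# its own and needs its own permit rule; a stateful firewall would instead
# remember the outbound request and let the reply through automatically.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    sport: int = 0    # 0 for protocols without ports
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str       # "permit" or "deny"
    src: str          # CIDR prefix or "any"
    dst: str          # CIDR prefix or "any"
    proto: str        # "tcp", "udp", "icmp" or "any"
    sport: int = 0    # 0 matches any source port
    dport: int = 0    # 0 matches any destination port


def _addr_in(spec: str, addr: str) -> bool:
    """True if addr falls inside the CIDR prefix, or if the spec is 'any'."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every field of the rule must match; 'any' and port 0 are wildcards."""
    return (_addr_in(rule.src, pkt.src)
            and _addr_in(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.sport in (0, pkt.sport)
            and rule.dport in (0, pkt.dport))


def evaluate(acl: list[Rule], pkt: Packet) -> tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); ("deny", None) is the implicit deny."""
    for idx, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, idx
    return "deny", None


# Constructed inbound ACL on an Internet-facing router interface (all addresses
# are documentation ranges): block one abusive source first, then allow HTTPS
# to the public web server. Everything else hits the implicit deny. Swapping
# the two rules would let the blocked source reach the web server, which is
# why rule order matters in a first-match ACL.
INBOUND_ACL = [
    Rule("deny",   "198.51.100.0/24", "any",             "any"),
    Rule("permit", "any",             "203.0.113.10/32", "tcp", dport=443),
]


def with_reply_rule(acl: list[Rule]) -> list[Rule]:
    """The stateless workaround: explicitly permit replies from remote HTTPS servers."""
    return acl + [Rule("permit", "any", "10.0.0.0/8", "tcp", sport=443)]


if __name__ == "__main__":
    samples = {
        "HTTPS to web server":       Packet("192.0.2.7", "203.0.113.10", "tcp", 51000, 443),
        "same, from blocked source": Packet("198.51.100.5", "203.0.113.10", "tcp", 51000, 443),
        "SSH to web server":         Packet("192.0.2.7", "203.0.113.10", "tcp", 51001, 22),
        "reply to internal browser": Packet("192.0.2.80", "10.0.0.25", "tcp", 443, 51002),
    }
    for label, pkt in samples.items():
        print(f"{label:26} {evaluate(INBOUND_ACL, pkt)}"
              f"  with reply rule: {evaluate(with_reply_rule(INBOUND_ACL), pkt)}")
```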

Question 94. Which of the following authentication protocols allows you to use an existing account to sign in to multiple websites, without needing to create new passwords?
(A) OpenID
(B) Kerberos
(C) TACACS+
(D) OAuth

Explanation 94. OpenID is the correct answer.
OpenID allows you to use an existing account to sign in to multiple websites, without needing to create new passwords. With OpenID, your password is only given to your identity provider, and that provider then confirms your identity to the websites you visit.

Kerberos is incorrect. Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted network, such as the internet.

TACACS+ is incorrect. Terminal Access Controller Access-Control System Plus (TACACS+) is an Authentication, Authorization, and Accounting (AAA) protocol that is used to authenticate access to network devices.

OAuth is incorrect. OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password.

For example, you can tell Facebook that it’s OK for BBC.com to access your profile or post updates to your timeline without having to give BBC your Facebook password. This minimizes risk in a major way: in the event BBC suffers a breach, your Facebook password remains safe.

Question 95. Assuming you have the domain yourcompany.com with the following sub-domains:
www.yourcompany.com
mail.yourcompany.com
intranet.yourcompany.com
secure.yourcompany.com
me.yourcompany.com
Which of the following types of certificates will you choose to secure all the first-level sub-domains on a single domain name?
(A) Subject alternative name
(B) Code signing certificates
(C) Wildcard
(D) Self-signed

Explanation 95. Wildcard is the correct answer.
A Wildcard SSL Certificate allows you to secure an unlimited number of first-level sub-domains on a single domain name. That means you can get an SSL Certificate with the common name as *.yourcompany.com and you can use it on all of the following without errors:

www.yourcompany.com
mail.yourcompany.com
intranet.yourcompany.com
secure.yourcompany.com
me.yourcompany.com

Subject alternative name is incorrect. A SAN cert allows for multiple domain names to be protected with a single certificate. For example, you could get a certificate for yourcompany.com, and then add more SAN values to have the same certificate protect yourcompany.org, yourcompany.net and even examsdigest.com, while the wildcard certificate allows for unlimited subdomains to be protected with a single certificate.

Code signing certificates is incorrect. Code Signing Certificates are used by software developers to digitally sign apps, drivers, and software programs as a way for end-users to verify that the code they receive has not been altered or compromised by a third party. They include your signature, your company’s name, and if desired, a timestamp.

Self-signed is incorrect. A self-signed certificate is a digital certificate that’s not signed by a publicly trusted certificate authority (CA). This can include SSL/TLS certificates, code signing certificates, and S/MIME certificates.

The reason why they’re considered different from traditional certificate-authority signed certificates is that they’re created, issued, and signed by the company or developer who is responsible for the website or software being signed. This is why self-signed certificates are considered unsafe for public-facing websites and applications.
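The wildcard and SAN distinctions in Questions 92 and 95 come down to how a TLS client matches the host name it connected to against the names in the certificate. The following Python is an added example, not code from the book, that implements that matching over two constructed certificates; the wildcard rule it assumes is the common RFC 6125 one, where `*` is only honoured as the whole left-most label and covers exactly one label, so `*.yourcompany.com` covers `www.yourcompany.com` but neither the bare domain nor a deeper subdomain.

```python
# Added example (not from the book): how a TLS client decides whether a
# certificate covers the host name it connected to, contrasting a wildcard
# certificate for *.yourcompany.com with a SAN certificate that lists several
# separate domains. The wildcard rule assumed here is the common one from
# RFC 6125: '*' may only be the whole left-most label and covers exactly one
# label, so it never matches the bare domain or a deeper subdomain.

def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (possibly with a left-most wildcard) covers hostname."""
    pat_labels = pattern.rstrip(".").lower().split(".")
    host_labels = hostname.rstrip(".").lower().split(".")
    if len(pat_labels) != len(host_labels):
        return False  # *.yourcompany.com covers www.yourcompany.com, not a.b.yourcompany.com
    if any("*" in label for label in pat_labels[1:]):
        return False  # wildcard characters are rejected anywhere but the left-most label
    if "*" in pat_labels[0] and pat_labels[0] != "*":
        return False  # partial wildcards such as w*.yourcompany.com are not honoured
    first_ok = pat_labels[0] == "*" or pat_labels[0] == host_labels[0]
    return first_ok and pat_labels[1:] == host_labels[1:]


def cert_covers(cert: dict, hostname: str) -> bool:
    """Modern clients check the SAN list; the CN is only a fallback when no SAN is present."""
    names = cert.get("san") or [cert["cn"]]
    return any(name_matches(name, hostname) for name in names)


# Constructed certificates mirroring the two scenarios in the questions.
WILDCARD_CERT = {"cn": "*.yourcompany.com", "san": ["*.yourcompany.com"]}
SAN_CERT = {
    "cn": "yourcompany.com",
    "san": ["yourcompany.com", "yourcompany.org", "yourcompany.net", "examsdigest.com"],
}


def coverage_table(hosts: list) -> dict:
    """For each host name, report (wildcard cert covers it, SAN cert covers it)."""
    return {h: (cert_covers(WILDCARD_CERT, h), cert_covers(SAN_CERT, h)) for h in hosts}


if __name__ == "__main__":
    hosts = ["www.yourcompany.com", "mail.yourcompany.com", "yourcompany.com",
             "deep.www.yourcompany.com", "yourcompany.org", "examsdigest.com"]
    print(f"{'host':28} wildcard  SAN")
    for host, (wc, san) in coverage_table(hosts).items():
        print(f"{host:28} {wc!s:8}  {san}")
```

Note that the bare domain yourcompany.com is not covered by the wildcard certificate, which is why wildcard certificates are usually issued with the bare domain added as an extra SAN entry.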

Question 96. A _____________ certificate is a digital certificate
that’s not signed by a publicly trusted certificate authority (CA).
These certificates are created, issued, and signed by the
company or developer who is responsible for the website or
software being signed.
(A) Self-signed
(B) Wildcard
(C) Subject alternative name
(D) Code signing certificates

Explanation 96. Self-signed is the correct answer.
A self-signed certificate is a digital certificate that’s not
signed by a publicly trusted certificate authority (CA). This can
include SSL/TLS certificates, code signing certificates, and
S/MIME certificates.

The reason why they’re considered different from traditional
certificate-authority signed certificates is that they’re created,
issued, and signed by the company or developer who is
responsible for the website or software being signed. This is why
self-signed certificates are considered unsafe for public-facing
websites and applications.

Code signing certificates is incorrect. Code Signing Certificates
are used by software developers to digitally sign apps, drivers,
and software programs as a way for end-users to verify that the
code they receive has not been altered or compromised by a
third party. They include your signature, your company’s name,
and if desired, a timestamp.

Wildcard is incorrect. A Wildcard SSL Certificate allows you to
secure an unlimited number of first-level sub-domains on a
single domain name. That means you can get an SSL Certificate
with the common name as *.yourcompany.com and you can use
it on all of the following without errors:
www.yourcompany.com
mail.yourcompany.com
intranet.yourcompany.com
secure.yourcompany.com
me.yourcompany.com

Subject alternative name is incorrect. A SAN cert allows for
multiple domain names to be protected with a single certificate.
For example, you could get a certificate for yourcompany.com,
and then add more SAN values to have the same certificate
protect yourcompany.org, yourcompany.net and even
examsdigest.com, while the wildcard certificate allows for unlimited
subdomains to be protected with a single certificate.
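
The wildcard and SAN rules that this explanation and the preceding one describe, as an added example that is not part of the book: a hostname-matching routine modelled on the RFC 6125 wildcard rules (a wildcard covers exactly one left-most label, never the apex domain and never two levels), applied to constructed certificates carrying the same names the explanations use.

```python
"""Added example: which hostnames does a certificate cover?

Models the two certificate types the explanations compare, using
the RFC 6125 (section 6.4.3) rules for wildcard matching:
- "*" may only be the whole left-most label, so *.yourcompany.com
  covers www.yourcompany.com but not yourcompany.com itself and
  not a.b.yourcompany.com;
- a SAN certificate lists each DNS name explicitly.
All hostnames below are constructed sample values.
"""
from dataclasses import dataclass, field


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; drop a trailing dot (FQDN form).
    return name.strip().lower().rstrip(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (possibly a wildcard) matches hostname."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a whole left-most label may be a wildcard ("*.example.com");
    # partial ("w*.example.com") or non-left-most wildcards are rejected.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # The wildcard stands in for exactly one label, so label counts must
    # match. Requiring at least three labels is a conservative check that
    # refuses patterns like "*.com" (browsers and CAs reject those too).
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    if h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


@dataclass
class Certificate:
    common_name: str
    subject_alt_names: list = field(default_factory=list)

    def covers(self, hostname: str) -> bool:
        # Modern clients match the SAN entries; the CN is consulted here
        # only when no SAN is present (legacy behaviour).
        names = self.subject_alt_names or [self.common_name]
        return any(name_matches(n, hostname) for n in names)


# Constructed sample certificates mirroring the book's two cases.
WILDCARD_CERT = Certificate("*.yourcompany.com", ["*.yourcompany.com"])
SAN_CERT = Certificate(
    "yourcompany.com",
    ["yourcompany.com", "yourcompany.org", "yourcompany.net", "examsdigest.com"],
)


def coverage_report(cert: Certificate, hostnames) -> dict:
    """Map each hostname to whether the certificate would validate for it."""
    return {h: cert.covers(h) for h in hostnames}


if __name__ == "__main__":
    hosts = ["www.yourcompany.com", "mail.yourcompany.com",
             "yourcompany.com", "a.b.yourcompany.com", "yourcompany.org"]
    for cert in (WILDCARD_CERT, SAN_CERT):
        print(cert.common_name, coverage_report(cert, hosts))
```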

Question 97. In the form of Rule-Based Access Control, data
are accessible or not accessible based on the user’s IP
address.
(A) TRUE
(B) FALSE

Explanation 97. TRUE is the correct answer.
In the form of Rule-Based Access Control (RBAC), you’re
focusing on the rules associated with the data’s access or
restrictions. These rules may be parameters, such as allowing
access only from certain IP addresses, denying access from
certain IP addresses, or something more specific. In a more
specific instance, access from a specific IP address may be
allowed unless it comes through a certain port (such as the port
used for FTP access).

When dealing with Role-based access controls, data is
protected in exactly the way it sounds like it is: by user roles.
Users are sorted into groups or categories based on their job
functions or departments, and those categories determine the
data that they’re able to access. Human Resources team
members, for example, might be permitted to access employee
information while no other role-based group is permitted to do so.

Question 98. WiFi ____________ Setup is a wireless network
security standard that tries to make connections between a router
and wireless devices faster, easier, and more secure.
(A) Faster
(B) Easier
(C) Protected
(D) Secured

Explanation 98. Protected is the correct answer.
WiFi Protected Setup is a wireless network security standard
that tries to make connections between a router and wireless
devices faster, easier, and more secure. WPS works only for
wireless networks that use a password that is encrypted with
the WPA Personal or WPA2 Personal security protocols.

Question 99. Which of the following Public key infrastructure
(PKI) terms is known as an organization that acts to validate the
identities of entities (such as websites, email addresses,
companies, or individual persons) and bind them to cryptographic
keys through the issuance of electronic documents known as
digital certificates?
(A) Certificate authority (CA)
(B) Registration authority (RA)
(C) Online Certificate Status Protocol (OCSP)
(D) Certificate signing request (CSR)

Explanation 99. Certificate authority (CA) is the correct answer.
A Certificate authority (CA), also sometimes referred to as a
certification authority, is a company or organization that acts
to validate the identities of entities (such as websites, email
addresses, companies, or individual persons) and bind them to
cryptographic keys through the issuance of electronic documents
known as digital certificates. A digital certificate provides:
1. Authentication, by serving as a credential to validate the
identity of the entity that it is issued to.
2. Encryption, for secure communication over insecure networks
such as the Internet.
3. Integrity of documents signed with the certificate so that
they cannot be altered by a third party in transit.

Registration Authority is incorrect. A Registration Authority is a
company or organization that is responsible for receiving and
validating requests for digital certificates and public/private key
pairs. A registration authority (RA) is part of the public key
infrastructure (PKI).

Online Certificate Status Protocol (OCSP) is incorrect.
When establishing an SSL/TLS session, clients can use Online
Certificate Status Protocol (OCSP) to check the revocation status
of the authentication certificate. The authenticating client
sends a request containing the serial number of the certificate
to the OCSP responder (server).

The responder searches the database of the certificate authority
(CA) that issued the certificate and returns a response containing
the status (good, revoked, or unknown) to the client.
The advantage of the OCSP method is that it can verify status
in real-time, instead of depending on the issue frequency
(hourly, daily, or weekly) of CRLs.

Certificate signing request (CSR) is incorrect. A certificate
signing request (CSR) is one of the first steps towards getting
your own SSL Certificate. Generated on the same server you
plan to install the certificate on, the CSR contains information
(e.g. common name, organization, country) the Certificate
Authority (CA) will use to create your certificate. It also contains
the public key that will be included in your certificate and is
signed with the corresponding private key.
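
A model of the OCSP exchange and the CRL contrast from Explanation 99, added here as example code that is not from the book. It deliberately simplifies the real protocol (RFC 6960 uses DER-encoded, signed requests and responses) to show the one point the explanation makes: the responder reads the CA's database live, while a CRL is only as current as its last issue. Serial numbers and times are constructed values.

```python
"""Added example: OCSP versus CRL revocation checking, modelled in plain Python.

Not the real wire protocol: no DER encoding, no response signatures.
The model keeps the three OCSP answers the explanation lists
(good, revoked, unknown) and a CRL with thisUpdate/nextUpdate
validity, so the freshness gap between the two is visible.
"""
from dataclasses import dataclass, field


@dataclass
class CertificateAuthority:
    """Issued serials plus the revocation state the OCSP responder reads."""
    issued: set = field(default_factory=set)
    revoked: set = field(default_factory=set)

    def revoke(self, serial: int) -> None:
        if serial not in self.issued:
            raise ValueError("cannot revoke a serial this CA never issued")
        self.revoked.add(serial)


@dataclass(frozen=True)
class CRL:
    """Snapshot of the revoked list, valid from this_update until next_update."""
    this_update: int
    next_update: int
    revoked: frozenset


def issue_crl(ca: CertificateAuthority, now: int, period: int) -> CRL:
    """CA side: publish the revocation list as it stands at `now`."""
    return CRL(now, now + period, frozenset(ca.revoked))


def ocsp_status(ca: CertificateAuthority, serial: int) -> str:
    """Responder side: look the serial up in the CA database right now.
    A serial the CA never issued is reported as 'unknown', not 'good'."""
    if serial not in ca.issued:
        return "unknown"
    return "revoked" if serial in ca.revoked else "good"


def crl_status(crl: CRL, serial: int, now: int) -> str:
    """Client side: consult the cached CRL. A CRL past next_update must not
    be trusted; it is reported as 'stale' so the caller fetches a new one."""
    if now > crl.next_update:
        return "stale"
    return "revoked" if serial in crl.revoked else "good"


def compare_checks(ca: CertificateAuthority, crl: CRL, serial: int, now: int) -> dict:
    """Both answers side by side for the same certificate at the same moment."""
    return {"ocsp": ocsp_status(ca, serial), "crl": crl_status(crl, serial, now)}


if __name__ == "__main__":
    # Constructed scenario: daily CRL issued at t=0, key compromise an hour later.
    ca = CertificateAuthority(issued={1001, 1002})
    daily_crl = issue_crl(ca, now=0, period=24 * 3600)
    ca.revoke(1002)
    print(compare_checks(ca, daily_crl, 1002, now=3600))   # OCSP revoked, CRL still good
    print(compare_checks(ca, daily_crl, 9999, now=3600))   # OCSP unknown
```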

Question 100. You have been tasked to implement a security
solution so that all the network events from your company are
recorded in a central database for further analysis. Which of
the following security solutions will you implement to meet the
requirement?
(A) Next-generation firewall (NGFW)
(B) Endpoint detection and response (EDR)
(C) Anti-malware
(D) Antivirus

Explanation 100. Endpoint detection and response (EDR) is
the correct answer.
Endpoint detection and response (EDR) is an emerging
technology that addresses the need for continuous monitoring
and response to advanced threats.

Endpoint detection and response tools work by monitoring
endpoint and network events and recording the information in a
central database where further analysis, detection, investigation,
reporting, and alerting take place. A software agent installed
on the host system provides the foundation for event
monitoring and reporting.

Next-generation firewall (NGFW) is incorrect. Next-generation
firewalls filter network traffic to protect an organization from
external threats. Maintaining features of stateful firewalls such
as packet filtering, VPN support, network monitoring, and IP
mapping features, NGFWs also possess deeper inspection
capabilities that give them a superior ability to identify attacks,
malware, and other threats.

Next-generation firewalls provide organizations with application
control, intrusion prevention, and advanced visibility across the
network. As the threat landscape continues to develop rapidly,
traditional firewalls fall further behind and put your organization
at risk. NGFWs not only block malware, but also include paths
for future updates, giving them the flexibility to evolve with the
landscape and keep the network secure as new threats arise.

Anti-malware is incorrect. Anti-malware tools may employ
scanning strategies, freeware, or licensed tools to detect rootkits,
worms, Trojans, and other types of potentially damaging
software. Each type of malware resource carries its own interface
and system requirements, which impact user solutions for
a given device or system.

Antivirus is incorrect. Antivirus software helps protect your
computer against malware and cybercriminals. Antivirus software
looks at data (web pages, files, software, applications) traveling
over the network to your devices. It searches for known threats
and monitors the behavior of all programs, flagging suspicious
behavior. It seeks to block or remove malware as quickly as possible.

Question 101. Access _________________ List is a network traffic
filter that controls incoming or outgoing traffic. It works on a set
of rules that define how to forward or block a packet at the
router’s interface.
(A) Security
(B) Filter
(C) Control
(D) Service

Explanation 101. Control is the correct answer.
An Access Control List is a network traffic filter that controls
incoming or outgoing traffic. It works on a set of rules that define
how to forward or block a packet at the router’s interface.

Question 102. Which of the following VPN solutions is used to
connect a personal user device to a remote server on a private
network?
(A) Remote Access
(B) Site-to-site
(C) Split tunnel
(D) Proxy server

Explanation 102. Remote Access is the correct answer.
A Remote Access (Personal) VPN is used to connect a personal
user device to a remote server on a private network.

Once a remote access VPN is connected, a user’s internet
activity will go through the encrypted VPN tunnel to the remote
server and access the internet from that remote server.

That means that the internet website or application sees the
remote server’s IP address instead of your personal device’s IP
address, which provides a layer of privacy.

Site-to-site is incorrect. The Site-to-Site VPN, also known as a
point-to-point VPN, is used to connect two local area networks
(LANs). Site-to-site VPNs are usually utilized by businesses
large and small that want to provide their employees or business
partners secure access to network resources. Usually,
these network resources are files or access to programs that
need to be protected.

Split tunnel is incorrect. VPN split tunneling lets you route
some of your device or app traffic through the encrypted VPN
tunnel while other devices or apps access the internet directly.
Use split tunneling to protect the traffic you choose, without
losing access to local network devices.

Proxy server is incorrect. A proxy server is not a VPN solution;
the proxy server acts as a gateway between you and the internet.
It’s an intermediary server separating end users from the
websites they browse.

Proxy servers provide varying levels of functionality, security,
and privacy depending on your use case, needs, or company
policy. Proxy servers act as a firewall and web filter, provide
shared network connections, and cache data to speed up
common requests.

Question 103. In the form of Role-Based Access Control, data
are accessible or not accessible based on the user’s IP
address.
(A) TRUE
(B) FALSE

Explanation 103. FALSE is the correct answer.
In the form of Role-Based Access Control, the data is not made
accessible or inaccessible based on the user’s IP address.

When dealing with role-based access controls, data is protected
in exactly the way it sounds like it is: by user roles. Users are
sorted into groups or categories based on their job functions or
departments, and those categories determine the data that
they’re able to access. Human Resources team members, for
example, might be permitted to access employee information
while no other role-based group is permitted to do so.

In the form of Rule-Based Access Control (RBAC), you’re
focusing on the rules associated with the data’s access or
restrictions. These rules may be parameters, such as allowing
access only from certain IP addresses, denying access from
certain IP addresses, or something more specific. In a more
specific instance, access from a specific IP address may be
allowed unless it comes through a certain port (such as the port
used for FTP access).
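
The rule-based and role-based decisions that Questions 97, 101 and 103 describe, as an added example that is not taken from the book: an ordered access control list evaluated first-match with an implicit deny at the end (including the explanations' "allowed unless it arrives on the FTP port" case), beside a role lookup in which the source address never enters the decision. Addresses, ports, users and roles are constructed.

```python
"""Added example: rule-based (ACL) versus role-based access decisions.

Rule-based: an ordered list of rules on packet attributes, first match
wins, anything unmatched hits the implicit deny, as router ACLs do.
Role-based: permissions hang off a role; users inherit them through
group membership. Every address, user and role here is a constructed
sample, not a real deployment.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: str                         # CIDR, e.g. "203.0.113.0/24"
    dst_port: Optional[int] = None   # None = any port
    protocol: str = "any"            # "tcp", "udp" or "any"

    def matches(self, pkt: Packet) -> bool:
        if self.protocol not in ("any", pkt.protocol):
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.src)


def evaluate_acl(rules, pkt: Packet) -> str:
    """First matching rule decides; no match falls through to implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


FTP_PORT = 21

# Constructed ACL for the book's scenario. Order matters: the deny on the
# FTP port must come before the broader permit for the same host, or the
# permit would match first and the FTP exception would never apply.
SAMPLE_ACL = [
    Rule("deny",   "198.51.100.7/32", dst_port=FTP_PORT),
    Rule("permit", "198.51.100.7/32"),
    Rule("deny",   "203.0.113.0/24"),
    Rule("permit", "192.0.2.0/24", dst_port=443, protocol="tcp"),
]

# Role-based: a role carries permissions; users map to one or more roles.
ROLE_PERMISSIONS = {
    "hr":      {"employee_records:read", "employee_records:write"},
    "finance": {"invoices:read", "invoices:write"},
    "staff":   {"handbook:read"},
}
USER_ROLES = {"alice": {"hr", "staff"}, "bob": {"finance", "staff"}}


def role_based_allows(user: str, permission: str) -> bool:
    """A user may act only if one of their roles grants the permission;
    where the request came from is not part of the decision."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", 22), Packet("198.51.100.7", FTP_PORT),
                Packet("203.0.113.9", 443), Packet("192.0.2.5", 443),
                Packet("192.0.2.5", 80)):
        print(pkt, "->", evaluate_acl(SAMPLE_ACL, pkt))
    print("alice reads employee records:",
          role_based_allows("alice", "employee_records:read"))
    print("bob reads employee records:",
          role_based_allows("bob", "employee_records:read"))
```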

Question 104. In cloud computing, the ability to scale up and
down resources based on the user’s needs is known as:
(A) Virtual private cloud
(B) Network segmentation
(C) Dynamic resource allocation
(D) Public subnet

Explanation 104. Dynamic resource allocation is the correct
answer.
Dynamic resource allocation is the ability to scale up and down
resources based on the user’s needs.

Virtual private cloud is incorrect. A virtual private cloud (VPC)
is a secure, isolated private cloud hosted within a public cloud.
VPC customers can run code, store data, host websites, and do
anything else they could do in an ordinary private cloud, but the
private cloud is hosted remotely by a public cloud provider.
VPCs combine the scalability and convenience of public cloud
computing with the data isolation of private cloud computing.

Network segmentation is incorrect. Network segmentation in
computer networking is the act or practice of splitting a computer
network into subnetworks, each being a network segment.
The advantages of such splitting are primarily for boosting
performance and improving security.

Public subnet is incorrect. A public subnet is a subnet that’s
associated with a route table that has a route to an Internet
gateway.

Question 105. ________________________ Assertions Markup
Language is an important component of many SSO systems that
allow users to access multiple applications, services, or websites
from a single login process. It is used to share security
credentials across one or more networked systems.
(A) Security
(B) Single
(C) Sign
(D) Service

Explanation 105. Security is the correct answer.
Security Assertions Markup Language is an important component
of many SSO systems that allow users to access multiple
applications, services, or websites from a single login process.
It is used to share security credentials across one or more
networked systems.

Question 106. You have been tasked to configure the Wi-Fi of
your company’s LAN to allow certain computers to have access
to the Internet while the rest of the computers need to be blocked.
Which of the following security technologies will you implement
to meet the requirement?
(A) DHCP snooping
(B) BPDU guard
(C) MAC filtering
(D) Jump server

Explanation 106. MAC filtering is the correct answer.
MAC filtering is a security method based on access control. In
this, each device is assigned a 48-bit address which is used
to determine whether it can access a network or not.

It helps in listing a set of allowed devices that you need on your
Wi-Fi and the list of denied devices that you don’t want on your
Wi-Fi. It helps in preventing unwanted access to the network. In
a way, we can blacklist or whitelist certain computers based on
their MAC address.

DHCP snooping is incorrect. DHCP snooping is a layer 2
security technology built into the operating system of a capable
network switch that drops DHCP traffic determined to be
unacceptable. The fundamental use case for DHCP snooping is to
prevent unauthorized (rogue) DHCP servers offering IP
addresses to DHCP clients.

Rogue DHCP servers are often used in man in the middle or
denial of service attacks for malicious purposes. However, the
most common DoS scenario is that of an end-user plugging in
a consumer-grade router at their desk, ignorant that the device
they plugged in is a DHCP server by default.

BPDU guard is incorrect. PortFast BPDU guard prevents loops
by moving a non-trunking port into an errdisable state when a
BPDU is received on that port. When you enable BPDU guard
on the switch, spanning tree shuts down PortFast-configured
interfaces that receive BPDUs instead of putting them into the
spanning-tree blocking state.

Jump server is incorrect. A jump server is a system on a
network used to access and manage devices in a separate security
zone. A jump server is a hardened and monitored device that
spans two dissimilar security zones and provides a controlled
means of access between them. The most common example is
managing a host in a DMZ from trusted networks or computers.

The jump server acts as a single audit point for traffic and also
a single place where user accounts can be managed. A
prospective administrator must log in to the jump server in order
to gain access to the DMZ assets and all access can be
logged for later audit.

CHAPTER 4
OPERATIONS AND INCIDENT RESPONSE

Questions 107-116

Question 107. You have noticed that the email server
doesn’t work. Your manager said that someone from the company
changed the DNS records (MX) of the email server. Which
of the following commands will you type to find the new MX
records of the server?
(A) tracert
(B) ipconfig
(C) ping
(D) nslookup

Question 108. Assuming you are working on a Windows
environment, what command will you type to identify the number
of hops and the time it takes for a packet to travel between your
local computer and your web server?
(A) tracert
(B) ipconfig
(C) ping
(D) nslookup

Question 109. Wireshark is a command-line utility that allows
you to capture and analyze network traffic going through your
system. It is often used to help troubleshoot network issues, as
well as a security tool.
(A) TRUE
(B) FALSE

Question 110. PC1 can ping the printer device on the Marketing
team network but can’t ping the printer on the Sales team
network. Assuming you are working on a Linux environment,
which of the following commands will you type to get details
about the route that packets go through from PC1 to the
printer on the Sales team network?
(A) traceroute
(B) ifconfig
(C) dig
(D) tracert

Question 111. Which of the following processes is designed to
protect personnel or assets and make sure they can function
quickly when a disaster strikes (natural disasters, cyber-attacks)?
(A) Disaster recovery plan
(B) Business continuity plan
(C) Incident response team
(D) Retention policy

Question 112. You need to mitigate all the networking attacks
that exploit open unused TCP ports on your system. Which of
the following commands displays active TCP connections and
ports on which the computer is listening?
(A) netstat
(B) arp
(C) route
(D) sn1per

Question 113. The log file of your company’s network status is
updated frequently, and the most critical information is on the
first five lines. You want to avoid opening the entire file each
time, only to view the first five lines. What command will you
use to view only the first five lines of the log file?
(A) head
(B) tail
(C) cat
(D) chmod

Question 114. Assuming you are working on a Windows
environment, for troubleshooting reasons you need to discover
your IP information, including DHCP and DNS server addresses,
from your current workstation. Which of the following commands
will help you to troubleshoot the network?
(A) tracert
(B) ipconfig
(C) nslookup
(D) ping

Question 115. Which of the following tools can you use to perform
manual DNS lookups? Assuming you are working on a
Linux environment. (Choose all that apply)
(A) route
(B) pathping
(C) nslookup
(D) dig
(E) ifconfig

Question 116. Which of the following processes describes how
long businesses need to keep a piece of information (a record),
where it’s stored, and how to dispose of the record when it’s
time?
(A) Disaster recovery plan
(B) Business continuity plan
(C) Incident response team
(D) Retention policy

Answers 107-116

Question 107. You have noticed that the email server
doesn’t work. Your manager said that someone from the company
changed the DNS records (MX) of the email server. Which
of the following commands will you type to find the new MX
records of the server?
(A) tracert
(B) ipconfig
(C) ping
(D) nslookup

Explanation 107. nslookup is the correct answer.
The command nslookup is used to perform DNS queries and
receive domain names, IP addresses, and DNS records such as
A records, MX records or any other DNS record.

The command that finds the MX records for your email server’s
domain is:
$ nslookup -query=mx yourdomain.com

tracert is incorrect. The command tracert is a utility designed
for displaying the time it takes for a packet of information to
travel between a local computer and a destination IP address or
domain. It’s used to show several details, such as the number of
hops along the path that a packet takes from the computer or
device you’re on to whatever destination you specify.

ipconfig is incorrect. The command ipconfig displays the basic
TCP/IP configuration such as IPv4, IPv6, subnet mask, and
default gateway for all adapters.

ping is incorrect. The command ping sends a request over
the network to a specific device to see if a networked device is
reachable. In other words, the ping command is used to find
out whether an IP connection exists for a particular host.
Question 108. Assuming you are working on a Windows
environment, what command will you type to identify the number
of hops and the time it takes for a packet to travel between your
local computer and your web server?
(A) tracert
(B) ipconfig
(C) ping
(D) nslookup

Explanation 108. tracert is the correct answer.
The command tracert is a utility designed for displaying the
time it takes for a packet of information to travel between a local
computer and a destination IP address or domain. It’s used
to show several details, such as the number of hops along the
path that a packet takes from the computer or device you’re on
to whatever destination you specify.

ipconfig is incorrect. The command ipconfig displays the basic
TCP/IP configuration such as IPv4, IPv6, subnet mask, and
default gateway for all adapters.

nslookup is incorrect. The command nslookup is used to
perform DNS queries and receive domain names, IP addresses,
and DNS records such as A records, MX records or any other
DNS record.

ping is incorrect. The command ping sends a request over
the network to a specific device to see if a networked device is
reachable. In other words, the ping command is used to find
out whether an IP connection exists for a particular host.

Question 109. Wireshark is a command-line utility that allows
you to capture and analyze network traffic going through your
system. It is often used to help troubleshoot network issues, as
well as a security tool.
(A) TRUE
(B) FALSE

Explanation 109. FALSE is the correct answer.
Wireshark is indeed a tool that captures and analyzes network
traffic that goes through your system, but it is not a
command-line utility. Wireshark is the world’s leading network
traffic analyzer and an essential tool for any security professional
or systems administrator. It lets you analyze network traffic in
real-time, and is often the best tool for troubleshooting issues
on your network.

Tcpdump is a command-line utility that allows you to capture
and analyze network traffic going through your system. It is
often used to help troubleshoot network issues, as well as a
security tool.

Question 110. PC1 can ping the printer device on the Marketing
team network but can’t ping the printer on the Sales team
network. Assuming you are working on a Linux environment,
which of the following commands will you type to get details
about the route that packets go through from PC1 to the
printer on the Sales team network?
(A) traceroute
(B) ifconfig
(C) dig
(D) tracert

Explanation 110. traceroute is the correct answer.
The traceroute command is one of the key diagnostic tools for
TCP/IP. It displays a list of all the routers that a packet must go
through to get from the computer where traceroute is run to any
other computer on the Internet.

To use traceroute, type the traceroute command followed by
the hostname of the computer to which you want to trace the
route.

For example, suppose that the printer on the Sales team network
has an IP of 123.123.123.123; then you can use the command
traceroute 123.123.123.123.

ifconfig is incorrect. The command ifconfig is used to view
and change the configuration of the network interfaces on your
system. It displays information about all network interfaces
currently in operation.

dig is incorrect. The command dig is a network administration
command-line tool for querying Domain Name System (DNS)
name servers. It is useful for verifying and troubleshooting DNS
problems and also to perform DNS lookups. The dig command
replaces older tools such as nslookup and host.

tracert is incorrect. The command tracert is a utility designed
for displaying the time it takes for a packet of information to
travel between a local computer and a destination IP address or
domain. This answer could be considered correct, but the
question says that you are working on a Linux environment, and
the command tracert is used on the Windows environment.

Question 111. Which of the following processes is designed to
protect personnel or assets and make sure they can function
quickly when a disaster strikes (natural disasters, cyber-attacks)?
(A) Disaster recovery plan
(B) Business continuity plan
(C) Incident response team
(D) Retention policy

Explanation 111. Business continuity plan is the correct answer.
Business continuity planning is a strategy that ensures continuity
of operations with minimal service outage or downtime.
It is designed to protect personnel or assets and make sure
they can function quickly when a disaster strikes such as natural
disasters or cyber-attacks.

Disaster recovery plan is incorrect. A business disaster recovery
plan can restore data and critical applications in the
event your systems are destroyed when disaster strikes.

The difference between a business continuity plan and a
disaster recovery plan is:
A business continuity plan is a strategy businesses put in place
to continue operating with minimal disruption in the event of a
disaster. The disaster recovery plan refers more specifically to
the steps and technologies for recovering from a disruptive
event, especially as it pertains to restoring lost data,
infrastructure failure, or other technological components.

Incident response team is incorrect. An incident response
team is a group of IT professionals in charge of preparing for
and reacting to any type of organizational emergency.
Responsibilities of an incident response team include developing
an incident response plan, testing for and resolving system
vulnerabilities, maintaining strong security best practices, and
providing support for all incident handling measures.

Retention policy is incorrect. A retention policy is a key part
of the lifecycle of a record. It describes how long a business
needs to keep a piece of information (a record), where it’s
stored, and how to dispose of the record when it’s time.

Question 112. You need to mitigate all the networking attacks
that exploit open unused TCP ports on your system. Which of
the following commands displays active TCP connections and
ports on which the computer is listening?
(A) netstat
(B) arp
(C) route
(D) sn1per

Explanation 112. netstat is the correct answer.
The netstat command displays active TCP connections, ports
on which the computer is listening, Ethernet statistics, the IP
routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP
protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over
IPv6, and UDP over IPv6 protocols). Used without parameters,
this command displays active TCP connections.

arp is incorrect. The arp command allows you to display and
modify the Address Resolution Protocol (ARP) cache. An ARP
cache is a simple mapping of IP addresses to MAC addresses.

Each time a computer’s TCP/IP stack uses ARP to determine
the Media Access Control (MAC) address for an IP address, it
records the mapping in the ARP cache so that future ARP
lookups go faster.

route is incorrect. The route command is used to view and
manipulate the IP routing table.

Sn1per is incorrect. Sn1per is not a command; it is an automated
scanner that can be used during a penetration test to
enumerate and scan for vulnerabilities.
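
A defender's use of the netstat output described in Explanation 112, as an added example that is not from the book: parse the text that netstat prints, collect the TCP ports in listening state, and report any that are missing from an approved baseline, which is the "open unused ports" the question wants closed. The sample output (Windows `netstat -an` layout, with Linux `netstat -tan` lines also handled) and the baseline are constructed.

```python
"""Added example: find listening TCP ports that are not on an approved baseline.

Parses the text layout of `netstat -an` (Windows) or `netstat -tan`
(Linux), extracts ports in LISTENING/LISTEN state and diffs them
against the services an administrator expects on the host. The
sample output below is constructed for this example, not captured
from a real machine.
"""
from dataclasses import dataclass

# Constructed sample in the Windows `netstat -an` layout.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49700       203.0.113.5:443        ESTABLISHED
  TCP    [::]:3389              [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
"""

LISTEN_STATES = {"LISTENING", "LISTEN"}   # Windows and Linux spellings


@dataclass(frozen=True)
class Socket:
    proto: str
    local_addr: str
    local_port: int
    state: str


def _split_host_port(endpoint: str):
    # "[::]:3389" -> ("::", 3389); "0.0.0.0:135" -> ("0.0.0.0", 135)
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text: str):
    """Yield a Socket for each TCP/UDP line, skipping headers and blanks."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].upper() not in ("TCP", "TCP6", "UDP", "UDP6"):
            continue
        proto = tokens[0].upper().rstrip("6")
        # Linux layout has numeric Recv-Q / Send-Q columns before the address.
        if len(tokens) > 3 and tokens[1].isdigit() and tokens[2].isdigit():
            local, rest = tokens[3], tokens[5:]
        else:
            local, rest = tokens[1], tokens[3:]
        state = rest[0].upper() if rest else ""   # UDP lines carry no state
        host, port = _split_host_port(local)
        yield Socket(proto, host, port, state)


def listening_tcp_ports(text: str) -> set:
    return {s.local_port for s in parse_netstat(text)
            if s.proto == "TCP" and s.state in LISTEN_STATES}


def unexpected_listeners(text: str, baseline) -> list:
    """Ports open on the host but absent from the approved baseline."""
    return sorted(listening_tcp_ports(text) - set(baseline))


EXPECTED_BASELINE = {135, 445, 3389}   # constructed for this sample host

if __name__ == "__main__":
    print("listening:", sorted(listening_tcp_ports(SAMPLE_NETSTAT)))
    print("not in baseline:", unexpected_listeners(SAMPLE_NETSTAT, EXPECTED_BASELINE))
```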

Question 113. The log file of your company’s network status is
updated frequently, and the most critical information is on the
first five lines. You want to avoid opening the entire file each
time, only to view the first five lines. What command will you
use to view only the first five lines of the log file?
(A) head
(B) tail
(C) cat
(D) chmod

Explanation 113. head is the correct answer.
The head command is a UNIX and Linux command for outputting
the first part of files. Typical uses include outputting the first
five lines of a file, limiting the number of lines, limiting the
number of bytes, showing multiple files, and using pipes.

tail is incorrect. The tail command is a command-line utility
for outputting the last part of files given to it via standard input.
It writes results to standard output.

By default, tail returns the last ten lines of each file that it is
given. It may also be used to follow a file in real-time and watch
as new lines are written to it.

cat is incorrect. The cat (short for concatenate) command is
one of the most frequently used commands in Linux/Unix-like
operating systems. The cat command allows us to create single
or multiple files, concatenate files and redirect output in the
terminal or to files.

chmod is incorrect. The chmod command is used to change
the access permissions of a file. Let’s say you are the owner of a
file named yourfile, and you want to set its permissions so that
the user can read, write, and execute it; then the final command
is: chmod u=rwx yourfile

Question 114. Assuming you are working on a Windows
environment, for troubleshooting reasons you need to discover
your IP information, including DHCP and DNS server addresses,
from your current workstation. Which of the following commands
will help you to troubleshoot the network?
(A) tracert
(B) ipconfig
(C) nslookup
(D) ping

Explanation 114. ipconfig is the correct answer.
The command ipconfig displays the basic TCP/IP configuration
such as IPv4, IPv6, subnet mask, and default gateway for all
adapters.

tracert is incorrect. The command tracert is a utility designed
for displaying the time it takes for a packet of information to
travel between a local computer and a destination IP address or
domain. It’s used to show several details, such as the number of
hops along the path that a packet takes from the computer or
device you’re on to whatever destination you specify.

nslookup is incorrect. The command nslookup is used to
perform DNS queries and receive domain names, IP addresses,
and DNS records such as A records, MX records or any other
DNS record.

ping is incorrect. The command ping sends a request over
the network to a specific device to see if a networked device is
reachable. In other words, the ping command is used to find
out whether an IP connection exists for a particular host.

Question 115. Which of the following tools can you use to perform
manual DNS lookups? Assuming you are working on a
Linux environment. (Choose all that apply)
(A) route
(B) pathping
(C) nslookup
(D) dig
(E) ifconfig

Explanation 115. C and D are the correct answers.
The commands dig and nslookup can be used to perform
manual DNS lookups on a Linux system.

The command route displays or modifies the computer’s routing
table.

The command pathping provides useful information about
network latency and network loss at intermediate hops between
a source address and a destination address. The command
pathping combines the functionality of ping with that of tracert.

The command ifconfig displays your IP address in Linux
systems. The command ifconfig can also be used to configure,
disable and enable a network interface.

Question 116. Which of the following processes describes how long businesses need to keep a piece of information (a record), where it’s stored, and how to dispose of the record when it’s time?
(A) Disaster recovery plan
(B) Business continuity plan
(C) Incident response team
(D) Retention policy

Explanation 116. Retention policy is the correct answer.

A retention policy is a key part of the lifecycle of a record. It describes how long a business needs to keep a piece of information (a record), where it’s stored, and how to dispose of the record when it’s time.

Business continuity plan is incorrect. Business continuity planning is a strategy. It ensures continuity of operations with minimal service outage or downtime. It is designed to protect personnel or assets and make sure they can function quickly when a disaster strikes, such as natural disasters or cyber-attacks.

Disaster recovery plan is incorrect. A business disaster recovery plan can restore data and critical applications in the event your systems are destroyed when disaster strikes.

The difference between a business continuity plan and a disaster recovery plan is this: a business continuity plan is a strategy businesses put in place to continue operating with minimal disruption in the event of a disaster. The disaster recovery plan refers more specifically to the steps and technologies for recovering from a disruptive event, especially as it pertains to restoring lost data, infrastructure failure, or other technological components.

Incident response team is incorrect. An incident response team is a group of IT professionals in charge of preparing for and reacting to any type of organizational emergency. Responsibilities of an incident response team include developing an incident response plan, testing for and resolving system vulnerabilities, maintaining strong security best practices, and providing support for all incident handling measures.

CHAPTER 5
GOVERNANCE, RISK AND COMPLIANCE

Questions 117-125

Question 117. _________________ measures the predicted time that passes between one previous failure of a mechanical/electrical system to the next failure during normal operation. In simpler terms, it helps you predict how long an asset can run before the next unplanned breakdown happens.
(A) Recovery point objective (RPO)
(B) Mean time to repair (MTTR)
(C) Recovery Time Objective (RTO)
(D) Mean time between failures (MTBF)

Question 118. _______________ is a set of rules designed to give EU citizens more control over their personal data.
(A) General Data Protection Regulation (GDPR)
(B) Payment Card Industry Data Security Standard (PCI DSS)
(C) National Institute of Standards and Technology (NIST)
(D) International Organization for Standardization (ISO)

Question 119. The _________________ is described as an estimated frequency of the threat occurring in one year.
(A) Single loss expectancy (SLE)
(B) Annualized loss expectancy (ALE)
(C) Annualized rate of occurrence (ARO)
(D) Business continuity plan

Question 120. _________________ is the average time it takes to recover from a product or system failure. This includes the full time of the outage—from the time the system or product fails to the time that it becomes fully operational again.
(A) Recovery point objective (RPO)
(B) Mean time to repair (MTTR)
(C) Recovery Time Objective (RTO)
(D) Mean time between failures (MTBF)

Question 121. A _______________ is an agreement between two or more parties outlined in a formal document. It is not legally binding but signals the willingness of the parties to move forward with a contract.
(A) Service level agreement (SLA)
(B) End of life (EOL)
(C) Memorandum of understanding (MOU)
(D) Non-Disclosure Agreement (NDA)

Question 122. A ___________________ is a legally enforceable contract that establishes confidentiality between two parties—the owner of protected information and the recipient of that information.
(A) Non-Disclosure Agreement (NDA)
(B) Memorandum of understanding (MOU)
(C) Service-level agreement (SLA)
(D) End of life (EOL)

Question 123. _________________ describes a period of time in which an enterprise’s operations must be restored following a disruptive event, e.g., a cyberattack, natural disaster, or communications failure.
(A) Recovery point objective (RPO)
(B) Mean time to repair (MTTR)
(C) Recovery Time Objective (RTO)
(D) Mean time between failures (MTBF)

Question 124. The ____________ is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity.
(A) Recovery point objective (RPO)
(B) Mean time to repair (MTTR)
(C) Recovery Time Objective (RTO)
(D) Mean time between failures (MTBF)

Question 125. _________________ is a strategy that ensures continuity of operations with minimal service outage or downtime. It is designed to protect personnel or assets and make sure they can function quickly when a disaster strikes, such as natural disasters or cyber-attacks.
(A) Single loss expectancy (SLE)
(B) Annualized loss expectancy (ALE)
(C) Annualized rate of occurrence (ARO)
(D) Business continuity plan

Answers 117-125

Question 117. _________________ measures the predicted time that passes between one previous failure of a mechanical/electrical system to the next failure during normal operation. In simpler terms, it helps you predict how long an asset can run before the next unplanned breakdown happens.
(A) Recovery point objective (RPO)
(B) Mean time to repair (MTTR)
(C) Recovery Time Objective (RTO)
(D) Mean time between failures (MTBF)

Explanation 117. Mean time between failures (MTBF) is the correct answer.

Mean time between failures (MTBF) measures the predicted time that passes between one previous failure of a mechanical/electrical system to the next failure during normal operation. In simpler terms, MTBF helps you predict how long an asset can run before the next unplanned breakdown happens.

Recovery point objective (RPO) is incorrect. Recovery point objective (RPO) describes a period of time in which an enterprise’s operations must be restored following a disruptive event, e.g., a cyberattack, natural disaster, or communications failure.

Mean time to repair (MTTR) is incorrect. MTTR (mean time to recovery or mean time to repair) is the average time it takes to recover from a product or system failure. This includes the full time of the outage—from the time the system or product fails to the time that it becomes fully operational again.

Recovery Time Objective (RTO) is incorrect. The Recovery Time Objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity.

Question 118. _______________ is a set of rules designed to give EU citizens more control over their personal data.
(A) General Data Protection Regulation (GDPR)
(B) Payment Card Industry Data Security Standard (PCI DSS)
(C) National Institute of Standards and Technology (NIST)
(D) International Organization for Standardization (ISO)

Explanation 118. General Data Protection Regulation (GDPR) is the correct answer.

The General Data Protection Regulation (GDPR) is a set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.

Under the terms of GDPR, not only do organizations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it are obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners – or face penalties for not doing so.

Payment Card Industry Data Security Standard (PCI DSS) is incorrect. The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.

National Institute of Standards and Technology (NIST) is incorrect. NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve the quality of life.

International Organization for Standardization (ISO) is incorrect. ISO develops and publishes standards for a vast range of products, materials, and processes. The organization’s standards catalog is divided into 97 fields which include healthcare technology, railway engineering, jewelry, clothing, metallurgy, weapons, paint, civil engineering, agriculture, and aircraft.

Question 119. The _________________ is described as an estimated frequency of the threat occurring in one year.
(A) Single loss expectancy (SLE)
(B) Annualized loss expectancy (ALE)
(C) Annualized rate of occurrence (ARO)
(D) Business continuity plan

Explanation 119. Annualized rate of occurrence (ARO) is the correct answer.

The annualized rate of occurrence (ARO) is described as an estimated frequency of the threat occurring in one year. ARO is used to calculate ALE (annualized loss expectancy). ALE is calculated as follows: ALE = SLE x ARO. For example, with an SLE of $30,000 and an ARO estimated at 0.5 (once in two years), ALE is $15,000 ($30,000 x 0.5).

As we can see, the risk is about the impact of the vulnerability on the business and the probability of the vulnerability being exploited.

Single loss expectancy (SLE) is incorrect. SLE tells us what kind of monetary loss we can expect if an asset is compromised because of a risk. Calculating SLE requires knowledge of the asset value (AV) and the range of loss that can be expected if a risk is exploited, which is known as the exposure factor (EF).

EF is a percentage determined by how much of an impact we can expect based on the risk, the highest being 1 (signifying 100%).

In formulaic terms, SLE = AV ∗ EF

Annualized loss expectancy (ALE) is incorrect. Annualized loss expectancy is the loss that can be expected for an asset due to risk over a one-year period. It’s useful for working out whether a business decision is worthwhile.

Business continuity plan is incorrect. Business continuity planning is a strategy that ensures continuity of operations with minimal service outage or downtime. It is designed to protect personnel or assets and make sure they can function quickly when a disaster strikes, such as natural disasters or cyber-attacks.

Question 120. _________________ is the average time it takes to recover from a product or system failure. This includes the full time of the outage—from the time the system or product fails to the time that it becomes fully operational again.
(A) Recovery point objective (RPO)
(B) Mean time to repair (MTTR)
(C) Recovery Time Objective (RTO)
(D) Mean time between failures (MTBF)

Explanation 120. Mean time to repair (MTTR) is the correct answer.

Mean time to repair (MTTR) is the average time it takes to recover from a product or system failure. This includes the full time of the outage—from the time the system or product fails to the time that it becomes fully operational again.

Recovery point objective (RPO) is incorrect. Recovery point objective (RPO) describes a period of time in which an enterprise’s operations must be restored following a disruptive event, e.g., a cyberattack, natural disaster, or communications failure.

Recovery Time Objective (RTO) is incorrect. The Recovery Time Objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity.

Mean time between failures (MTBF) is incorrect. MTBF measures the predicted time that passes between one previous failure of a mechanical/electrical system to the next failure during normal operation. In simpler terms, MTBF helps you predict how long an asset can run before the next unplanned breakdown happens.

Question 121. A _______________ is an agreement between two or more parties outlined in a formal document. It is not legally binding but signals the willingness of the parties to move forward with a contract.
(A) Service level agreement (SLA)
(B) End of life (EOL)
(C) Memorandum of understanding (MOU)
(D) Non-Disclosure Agreement (NDA)

Explanation 121. Memorandum of understanding (MOU) is the correct answer.

A Memorandum of understanding (MOU) is an agreement between two or more parties outlined in a formal document. It is not legally binding but signals the willingness of the parties to move forward with a contract.

The MOU can be seen as the starting point for negotiations as it defines the scope and purpose of the talks. Such memoranda are most often seen in international treaty negotiations but also may be used in high-stakes business dealings such as merger talks.

Service-level agreement (SLA) is incorrect. A service-level agreement (SLA) is a contract between a service provider and its customers that documents what services the provider will furnish and defines the service standards the provider is obligated to meet.

End of life (EOL) is incorrect. End of life (EOL) is the final stage of a product’s existence. The particular concerns of end-of-life depend on the product in question and whether the perspective is that of the manufacturer or the user.

For the manufacturer, EOL concerns involve not only discontinuing production but also continuing to address the market needs that the product addresses — which might lead to the development of a new product.

For the business using the product, EOL concerns include disposing of the existing product responsibly, transitioning to a different product, and ensuring that disruption will be minimal.

Non-Disclosure Agreement (NDA) is incorrect. A Non-Disclosure Agreement (NDA) is a legally enforceable contract that establishes confidentiality between two parties—the owner of protected information and the recipient of that information. By signing an NDA, participants agree to protect confidential information shared with them by the other party.

Question 122. A ___________________ is a legally enforceable contract that establishes confidentiality between two parties—the owner of protected information and the recipient of that information.
(A) Non-Disclosure Agreement (NDA)
(B) Memorandum of understanding (MOU)
(C) Service-level agreement (SLA)
(D) End of life (EOL)

Explanation 122. Non-Disclosure Agreement (NDA) is the correct answer.

A Non-Disclosure Agreement (NDA) is a legally enforceable contract that establishes confidentiality between two parties—the owner of protected information and the recipient of that information. By signing an NDA, participants agree to protect confidential information shared with them by the other party.

Memorandum of understanding (MOU) is incorrect. A memorandum of understanding (MOU or MoU) is an agreement between two or more parties outlined in a formal document. It is not legally binding but signals the willingness of the parties to move forward with a contract.

The MOU can be seen as the starting point for negotiations as it defines the scope and purpose of the talks. Such memoranda are most often seen in international treaty negotiations but also may be used in high-stakes business dealings such as merger talks.

Service-level agreement (SLA) is incorrect. A service-level agreement (SLA) is a contract between a service provider and its customers that documents what services the provider will furnish and defines the service standards the provider is obligated to meet.

End of life (EOL) is incorrect. End of life (EOL) is the final stage of a product’s existence. The particular concerns of end-of-life depend on the product in question and whether the perspective is that of the manufacturer or the user.

For the manufacturer, EOL concerns involve not only discontinuing production but also continuing to address the market needs that the product addresses — which might lead to the development of a new product. For the business using the product, EOL concerns include disposing of the existing product responsibly, transitioning to a different product, and ensuring that disruption will be minimal.

Question 123. _________________ describes a period of time in which an enterprise’s operations must be restored following a disruptive event, e.g., a cyberattack, natural disaster, or communications failure.
(A) Recovery point objective (RPO)
(B) Mean time to repair (MTTR)
(C) Recovery Time Objective (RTO)
(D) Mean time between failures (MTBF)

Explanation 123. Recovery point objective (RPO) is the correct answer.

Recovery point objective (RPO) describes a period of time in which an enterprise’s operations must be restored following a disruptive event, e.g., a cyberattack, natural disaster, or communications failure.

Mean time to repair (MTTR) is incorrect. MTTR (mean time to recovery or mean time to repair) is the average time it takes to recover from a product or system failure. This includes the full time of the outage—from the time the system or product fails to the time that it becomes fully operational again.

Recovery Time Objective (RTO) is incorrect. The Recovery Time Objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity.

Mean time between failures (MTBF) is incorrect. MTBF measures the predicted time that passes between one previous failure of a mechanical/electrical system to the next failure during normal operation. In simpler terms, MTBF helps you predict how long an asset can run before the next unplanned breakdown happens.

Question 124. The ____________ is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity.
(A) Recovery point objective (RPO)
(B) Mean time to repair (MTTR)
(C) Recovery Time Objective (RTO)
(D) Mean time between failures (MTBF)

Explanation 124. Recovery Time Objective (RTO) is the correct answer.

Recovery Time Objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity.

Recovery point objective (RPO) is incorrect. Recovery point objective (RPO) describes a period of time in which an enterprise’s operations must be restored following a disruptive event, e.g., a cyberattack, natural disaster, or communications failure.

Mean time to repair (MTTR) is incorrect. MTTR (mean time to recovery or mean time to restore) is the average time it takes to recover from a product or system failure. This includes the full time of the outage—from the time the system or product fails to the time that it becomes fully operational again.

Mean time between failures (MTBF) is incorrect. MTBF measures the predicted time that passes between one previous failure of a mechanical/electrical system to the next failure during normal operation. In simpler terms, MTBF helps you predict how long an asset can run before the next unplanned breakdown happens.

Question 125. _________________ is a strategy that ensures continuity of operations with minimal service outage or downtime. It is designed to protect personnel or assets and make sure they can function quickly when a disaster strikes, such as natural disasters or cyber-attacks.
(A) Single loss expectancy (SLE)
(B) Annualized loss expectancy (ALE)
(C) Annualized rate of occurrence (ARO)
(D) Business continuity plan

Explanation 125. Business continuity plan is the correct answer.

A business continuity plan is a strategy that ensures continuity of operations with minimal service outage or downtime. It is designed to protect personnel or assets and make sure they can function quickly when a disaster strikes, such as natural disasters or cyber-attacks.

Single loss expectancy (SLE) is incorrect. SLE tells us what kind of monetary loss we can expect if an asset is compromised because of a risk. Calculating SLE requires knowledge of the asset value (AV) and the range of loss that can be expected if a risk is exploited, which is known as the exposure factor (EF). EF is a percentage determined by how much of an impact we can expect based on the risk, the highest being 1 (signifying 100%).

In formulaic terms, SLE = AV ∗ EF

Annualized loss expectancy (ALE) is incorrect. Annualized loss expectancy is the loss that can be expected for an asset due to risk over a one-year period. It’s useful for working out whether a business decision is worthwhile.

Annualized rate of occurrence (ARO) is incorrect. The annualized rate of occurrence (ARO) is described as an estimated frequency of the threat occurring in one year. ARO is used to calculate ALE (annualized loss expectancy). ALE is calculated as follows: ALE = SLE x ARO. For example, with an SLE of $30,000 and an ARO estimated at 0.5 (once in two years), ALE is $15,000 ($30,000 x 0.5).

As we can see, the risk is about the impact of the vulnerability on the business and the probability of the vulnerability being exploited.
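A worked version of the SLE and ALE arithmetic from Explanations 119 and 125, added here as an example that is not part of the book: it reproduces the $30,000 x 0.5 = $15,000 case and then applies the same formulas to decide whether a proposed control is worthwhile. The asset value, exposure factor and control figures are constructed assumptions, and the net-benefit rule (ALE before minus ALE after minus the control's annual cost) is the standard extension of these formulas rather than something the book states.

```python
"""Quantitative risk arithmetic: SLE = AV * EF and ALE = SLE * ARO,
extended with the usual control cost/benefit check (not from the book).
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. EF is a fraction in [0, 1]; 1 means total loss (100%)."""
    if asset_value < 0:
        raise ValueError("asset value must be non-negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO is expected occurrences per year (0.5 = once in two years)."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard: its yearly cost and the ARO/EF that remain once it is in place."""
    name: str
    annual_cost: float
    residual_aro: float
    residual_ef: float


@dataclass(frozen=True)
class Assessment:
    ale_before: float
    ale_after: float
    annual_benefit: float  # ALE reduction minus what the control costs per year

    @property
    def worthwhile(self) -> bool:
        return self.annual_benefit > 0


def assess_control(asset_value: float, exposure_factor: float, aro: float,
                   control: Control) -> Assessment:
    """Compare ALE with and without the control, net of the control's annual cost."""
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, control.residual_ef), control.residual_aro)
    return Assessment(ale_before, ale_after, ale_before - ale_after - control.annual_cost)


# Constructed sample: AV and EF chosen so that SLE matches the book's $30,000.
ASSET_VALUE = 100_000.0
EXPOSURE_FACTOR = 0.3
ARO = 0.5  # once in two years, as in the text

# Constructed sample controls (hypothetical figures, not from the book).
OFFSITE_BACKUPS = Control("offsite backups", annual_cost=8_000.0,
                          residual_aro=0.5, residual_ef=0.05)
OVERPRICED_APPLIANCE = Control("overpriced appliance", annual_cost=14_000.0,
                               residual_aro=0.1, residual_ef=0.3)

if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR)
    print(f"SLE = ${sle:,.0f}, ALE = ${annualized_loss_expectancy(sle, ARO):,.0f}")
    for control in (OFFSITE_BACKUPS, OVERPRICED_APPLIANCE):
        a = assess_control(ASSET_VALUE, EXPOSURE_FACTOR, ARO, control)
        verdict = "worthwhile" if a.worthwhile else "not worthwhile"
        print(f"{control.name}: ALE ${a.ale_before:,.0f} -> ${a.ale_after:,.0f}, "
              f"net ${a.annual_benefit:,.0f}/yr ({verdict})")
```

The backups cut the exposure factor rather than the frequency and still come out ahead; the appliance lowers the frequency more but costs more than the ALE it removes, which is exactly the comparison the ALE figure is meant to support.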

THE END

Enrich your online experience with Examsdigest.
Your purchase of this product includes free access to all 100+
practice questions online and much more at examsdigest.com.
You will have access for one (1) month. You may also access
our full library of Practice exams and share with other learners.
Send us an email to [email protected] now and start your
online practice experience!

Examsdigest includes:
✓ Access to 1000+ Questions
✓ Access to 150+ Quizzes
✓ 6+ Certification Paths
✓ 24/7 Support
✓ Interactive Interview Questions
✓ Access on the go

About examsdigest.
Examsdigest started in 2019 and hasn’t stopped smashing it since. Examsdigest is a global, education tech-oriented company that doesn’t sleep. Its mission is to be a part of your life transformation by providing you with the necessary training to hit your career goals.
