Chapter 13 Mock Exam 2
1. You are the security administrator for a large multinational corporation, and you have used a black box penetration tester to find vulnerabilities in your company and exploit them as far as you can. During the penetration test, it was found that there were some vulnerabilities in your Windows 10 desktop operating system. There were no vulnerabilities in any of your Linux or Unix systems. Which of the following reasons best describes why the penetration tester was successful with the Windows 10 machines, but not with the Linux or Unix machines?
A. Linux and Unix are more secure than Windows 10
B. The penetration tester did not attempt to exploit the Linux/Unix machines
C. The Linux and Unix operating systems never have any vulnerabilities
D. The operating systems' attack vectors are very different
2. You are a security administrator and you wish to implement an encrypted method of authentication for your wireless network. Which of the following protocols is the most secure for your wireless network?
A. PAP
B. WPA2-PSK
C. EAP-TLS
D. PEAP
3. You are designing the network topology for a new company that is rapidly expanding from a one-premise company with 20 users to a medium-sized company with 300 users. The company tells you that it was subjected to a DDoS attack last year that took the company down for over a day. In your network design, they don't want to implement a DMZ; therefore, the traffic will be coming directly from the internet. How do you propose to best mitigate against future DDoS attacks? Select two answers from the following list; each is part of the solution:
A. Install a stateless firewall on the edge of your network to prevent incoming traffic
B. Install a stateful firewall on the edge of your network to prevent incoming traffic
C. Install a NIDS in your network as an additional layer of protection
D. Install a NIPS in your network as an additional layer of protection
E. Install an inline NIPS in your network as an additional layer of protection
4. You work on the cyber security team of a large multinational corporation, and you have been alerted to an attack on the web server inside your DMZ that is used for selling your products on the internet. You can see by running netstat that you have an unknown active connection. What should be the first step you take when investigating this incident?
A. Isolate the web server by disconnecting it from the network to prevent further damage
B. Disconnect all external active connections to ensure that any attack is stopped
C. Run a packet sniffer to capture the network traffic to identify the attacker
D. Take a screenshot of the damage done to the website and report the incident to the police
5. I need to purchase a certificate that I can install on five mail servers. Which one should I purchase?
A. PEM certificate
B. Wildcard certificate
C. Subject Alternative Name (SAN) certificate
D. Root certificate
6. You are the manager of a large IT company and it is your duty to authorize the administrative controls. Which of the following are actions that you would normally authorize? Select all that apply:
A. Collecting an ID badge
B. Creating an IT security policy
C. Purchasing a cable lock
D. Creating a new firewall rule
7. You are the operational manager for a financial company that has just suffered a disaster. Which of the following sites will you choose to be fully operational in the least amount of time?
A. Cold site
B. Warm site
C. Hot site
D. Campus site
8. The serious crimes agency has just taken control of a laptop belonging to a well-known criminal that they have been trying to track down for the last 20 years. They want to ensure that everything is done by the book and no errors are made. What is the first step in their forensic investigation, prior to starting the chain of custody?
A. Making a system image of the laptop
B. Placing it in a polythene bag and sealing it
C. Hashing the data so that data integrity is assured
D. Asking for proof of ownership of the laptop
9. If an attacker is looking for information about the software versions that you use on your network, which of the following tools could he/she use? Select all that apply:
A. Protocol analyzer
B. Port scanning
C. Network mapper
D. Baseline analyzer
10. Footage of people relaxing in their homes started appearing on the internet without the knowledge of the people being filmed. The people being filmed were warned by relatives and coworkers, resulting in an enquiry being launched by the police. Initial evidence reported a similarity in that they had all recently purchased IoT devices, such as health monitors, baby monitors, smart TVs and refrigerators. Which of the following best describes why the attacks were successful?
A. The devices' default configurations were not changed
B. Their houses had been broken into and hidden cameras were installed
C. Their wireless networks were broadcasting beyond the boundaries of their homes
D. The manufacturers of the devices installed hidden devices allowing them to film
11. You are the network administrator for an IT training company that has over 20 training rooms that are all networked together in their Miami office. Your corporate admin team could not access the internet last week as they were getting their IP settings from one of the training room's DHCP servers. The training manager has asked you to separate the corporate admin machines into their own network with a different IP range from the training rooms. What is the most secure way of implementing this? Select the best option from the following:
A. Create a VLAN on the switch and put the corporate admin team in the VLAN
B. Install a router in the LAN and place the corporate admin team in the new subnet
C. Create a NAT from the firewall and put the corporate machines in that network
D. Install a proxy server
12. Your organization has many different ways of connecting to your network, ranging from VPN and RAS to 802.1x authentication switches. You need to implement a centrally managed authentication system that will log periods of access. Select the two most suitable methods of authentication from the following:
A. PAP
B. TACACS+
C. NTLM
D. RADIUS
13. From a security perspective, what is the major benefit of using imaging technology, such as Microsoft WDS server or Symantec Ghost, to image desktop computers and laptops that are being rolled out?
A. It provides a consistent baseline for all new machines
B. It ensures that all machines are patched
C. It reduces the number of vulnerabilities
D. It allows a nontechnical person to roll out the images
14. A company that is allowing people to access its internet application wants the people who log into the application to use an account managed by someone else. An example of such an arrangement is using their Facebook account with a technology called OpenID Connect. Which of the following protocols is this based on? Select the best choice:
A. Kerberos
B. SAML
C. OAuth 2.0
D. Federation services
15. You are the security administrator for a medium-sized company that needs to enforce a much stricter password policy via group policy. The aims of this policy are to do the following:
Select the following options that you will need to use to fulfill all of these goals:
A. Enforce password history
B. Minimum password length
C. Passwords must meet complexity requirements
D. Minimum password age
E. Maximum password length
16. You provide a service for people who have recently fulfilled their contract with their mobile phone provider to unlock their phone and then install third-party applications on it. They will then no longer be tied to using the mobile phone vendor's app store. Which of the following techniques will you use to achieve this? Select all that apply:
A. Tethering
B. Sideloading
C. Slipstreaming
D. Jailbreaking or rooting
E. Degaussing
17. You are the security administrator of a multinational company that has recently prevented brute force attacks by using account lockout settings with a low value in group policy. The CEO of the company has now dictated that the company will no longer use account lockout settings, as he read an article about it and got the wrong impression. Facing this dilemma, how can you make it more difficult for a brute force attack to be successful?
A. Obfuscation
B. PBKDF2
C. XOR
D. bcrypt
18. You want to join a wireless network using a password. Which of the following wireless features would be most appropriate to achieve this objective?
A. WPA2-Enterprise
B. WPA2-TKIP
C. WPS
D. WPA2-PSK
E. WPA2-CCMP
19. What is the one main purpose of a network intrusion detection system (NIDS)? Select the most appropriate option:
A. Identifies vulnerabilities
B. Identifies new network hosts
C. Identifies viruses
D. Identifies new web servers
20. A web server was the victim of an integer overflow attack. How could this be prevented in the future?
A. Install a proxy server
B. Install an SQL injection
C. Input validation on forms
D. Install a web application firewall
21. You have recently set up a new virtual network with over 1,000 guest machines. One of the hosts is running out of resources, such as memory and disk space. Which of the following best describes what is happening?
A. Virtual machine escape
B. End of system lifespan
C. System sprawl
D. Poor setup
22. You are the system administrator for a multinational company that wants to implement two-factor authentication. At present, you are using facial recognition as the method of access. Which of the following would allow you to obtain two-factor authentication? Select all that apply:
A. Palm reader
B. Signature verification
C. Thumb scanner
D. Gait
E. Iris scanner
23. The security auditor has just visited your company and is recommending that change management reduces the risks from the unknown vulnerabilities of any new software introduced into the company. What will the auditor recommend to reduce the risk when you first evaluate the software? Select the best two practices to adopt from the following list:
A. Jailbreaking
B. Sandboxing
C. Bluesnarfing
D. Chroot jail
E. Fuzzing
24. You are the security administrator for a multinational corporation. You recently detected and thwarted an attack on your network when someone hacked into your network and took full control of one of the hosts. What type of attack best describes the attack you stopped?
A. Man-in-the-middle attack
B. Replay attack
C. Packet filtering
D. Remote exploit
25. You are the security administrator for a multinational corporation and you recently carried out a security audit. Following the audit, you told the server administrators to disable NTLM on all servers. Which of the following best describes why you have taken this action?
A. It will improve the server's performance
B. To prevent a man-in-the-middle attack
C. To prevent a pass-the-hash attack
D. To prevent a poodle attack
26. The political adviser to the Prime Minister of the United Kingdom has returned from the two months of summer break that all staff are entitled to. He has applied for an immediate transfer to another department, stating that his health is bad and the job was far too intense. When his replacement arrives, he finds that, during the summer recess, the political adviser shredded all documents relating to a political inquiry that involved his cousin. The police are immediately called in and say that they cannot prosecute the political adviser due to lack of evidence. What precautions could the Houses of Parliament's security team take to prevent further events such as this happening in the future?
A. Create a change-management document to ensure that the receptionists are more vigilant to people coming in out of hours
B. Enforce time-of-day restrictions so that nobody can access the IT systems during summer breaks
C. Enforce separation of duties to ensure that any document that is destroyed has been witnessed by a second person
D. Enforce mandatory vacations to prevent his coming in during the recess
27. You work in the forensics team of a very large multinational corporation, where an attack has happened across three different sites in two different countries. You have been collecting the following log files from these locations:
What is the first action that you need to take when collating these logs?
A. Apply time normalization to these logs
B. Copy them onto a WORM drive so that they cannot be tampered with
C. Sort out the sequence of events by site
D. Raise chain of custody documentation for these logs
28. You are an Active Directory administrator and have been having problems with the time synchronization that is used by the Kerberos authentication protocols. Consequently, you have now contacted a third party to provide your time synchronization. They use Stratum network time protocol (NTP) servers. What is the most secure method of setting up a Stratum server for time synchronization?
A. The servers should connect to an internal Stratum 1 NTP server
B. The servers should connect to an internal Stratum 2 NTP server
C. The servers should connect to an internal Stratum 0 NTP server
D. The servers should connect to an external Stratum 0 NTP server
29. You are the network administrator for a company that runs an Active Directory domain environment where the system administrator is failing to keep you updated when new hosts are added to the network. You now decide that you will use your networking tools to:
Which of the following network-based tools provide the information that you require? Select the tools that you are most likely to use:
A. Protocol scanner
B. Microsoft baseline analyser
C. Nmap
D. Penetration testing
30. You are working for the serious crimes unit of the United Nations and have been given a laptop to investigate. You need to ensure that the evidence you are investigating has not been tampered with during your investigation. How are you going to prove this to the court when it is time to present your findings? Which of the following techniques will you adopt to best prove this? Select all that apply:
A. MD5
B. 3DES
C. SHA1
D. Blowfish
31. You are the security administrator for a multinational corporation that has an Active Directory domain. What type of attack uses HTML tags with JavaScript inserted between the <script> and </script> tags?
A. Cross-site scripting
B. Man-in-the-middle
C. Cross-site forgery attack
D. SQL injection
32. You are a system administrator working for a multinational company that has a Windows domain and is using an active-passive model. Which of the following are the best reasons why your company would have adopted this model?
A. It provides vendor diversity
B. It provides much faster disaster recovery
C. It is the best model to use for symmetric encryption
D. It provides availability of your IT systems
33. You are the system administrator for an Active Directory domain and deal with authentication on a daily basis. Which of the following do you use as an authentication method by entering a PIN instead of a password?
A. Smart card
B. Kerberos
C. WPS
D. TOTP
34. You are the security administrator for a large multinational corporation and you have a meeting with the CEO about the security posture of the company. He wants you to ensure that the following are carried out effectively:
Which of the following is the best solution to implement? Select all that apply:
A. Robocopy firewall logs to a WORM drive
B. Robocopy firewall logs to a RAID 5 volume
C. Implement usage auditing and reviews
D. Carry out permission audits and review every seven days
35. You are the security administrator for a multinational company, and you know that one of your X.509 certificates, used in at least 300 desktop machines, has been compromised. What action are you going to take to protect the company, using the least amount of administrative effort?
A. Email the people involved and ask them to delete the X.509 certificate from their desktop immediately
B. Carry out certificate pinning to prevent the CA from being compromised
C. Revoke the root CA X.509 certificate so it is added to the CRL
D. Revoke the X.509 certificate so it is added to the CRL
36. You need to install a new wireless access point that should be as secure as possible while still being backward compatible with legacy wireless systems. Which of the following should you choose?
A. WPA2 PSK
B. WPA
C. WPA2 CCMP
D. WPA2 TKIP
37. You are the capacity planning administrator for a large multinational corporation, and find that Server 1 is running out of disk space, and, when you monitor its network card, you see that it is at 100% utilization. Which of the following reasons best describes what is happening?
A. There are hardware errors on the server
B. Unauthorized software is being downloaded
C. Event logs are getting full and slowing down the system
D. The disks that were selected were too small
38. You are the security administrator and someone has just tried to attack your web server, which is protected by a web application firewall. When you look into the log files of the web application firewall, two of the rows of the log file have the following two entries:
var data = "<blackbeard> ++ </../etc/passwd>"
Select* from customers where 1=1
Which of the following attacks are most likely to have been attempted? Select all that apply:
A. Integer overflow
B. SQL injection
C. JavaScript
D. Buffer overflow
39. Data has been classified as internal data and external data. The company recently added two new classifications of data, legal and financial. What would be the benefit of these new classifications? Select the best solution for the new data classifications:
A. You need a minimum of three classifications for it to be effective
B. Better data classification
C. Quicker indexing
D. Faster searching
40. You are the security administrator for a multinational corporation based in Miami, and your company has recently suffered a replay attack. After learning the lessons from the attack, you have decided to use a protocol that uses time stamps and USNs to prevent replay attacks. Which of the following protocols is being implemented here? Select the best answer:
A. Federation services
B. EAP-TLS
C. Kerberos
D. RADIUS federation
41. Which of the following threat actors would be the most likely to steal a company's research and development data?
A. Organised crime
B. Competitor
C. Script kiddie
D. Nation state
42. You are a security administrator for a large multinational corporation based in the United Kingdom. You have just attended an annual seminar about the various types of password attacks. You have already disabled NTLM on all of the servers to prevent pass-the-hash attacks. Which of the following statements correctly describes an attack involving passwords stored as hash values?
A. A collision attack—the hash value and the data match
B. A collision attack—the hash values match
C. A rainbow-table attack performs a search of simple passwords
D. A rainbow-table attack performs a search of precomputed hashes
43. You are the new IT director of a small, family-owned business that is rapidly expanding. You have submitted your annual budget for the IT team and the owners of the company want to know why you have asked for funds for vendor diversity. They have asked you to provide two good reasons as to why they should grant you the funds. Which of the following are the most suitable reasons why you wish to implement vendor diversity?
A. Reliability
B. Regulatory compliance
C. It is a best practice in your industry
D. Resiliency
44. You are the network administrator for a large multinational corporation where you have captured packets that show that the traffic between the company's network devices is in clear text. Which of the following protocols could be used to secure the traffic between the company's network devices? Select all that apply:
A. SNMPv3
B. SNMP
C. SCP
D. SFTP
45. You are the auditor of a large multinational corporation and the SIEM server has been finding vulnerabilities on a server. Manual inspection proves that it has been fully hardened and has no vulnerabilities. What are the two main reasons why the SIEM server is producing this output?
A. There was a zero-day virus
B. False negatives
C. False positives
D. The wrong filter was used to audit
46. You are a forensic investigator who has been called out to deal with a virus attack. You collect the information from the network card and volatile memory. After gathering, documenting, and securing the evidence of a virus attack, what is the best method to prevent further losses to the company?
A. Send a copy of the virus to the lab for analysis
B. Mitigate the attack and get the system back up and running
C. Initiate a chain of custody
D. Initiate business-impact analysis
47. You are the purchasing manager for a very large multinational company, and you are looking at the company's policy dealing with the insurance of laptops. Last year, the company lost a record number of laptops. Your company is losing 10 laptops per month and the monthly insurance cost is $10,000. Which of the following laptop purchases would prevent you from purchasing insurance?
A. A budget laptop at $1,300 each
B. A budget laptop at $1,200 each
C. A budget laptop at $1,000 each
D. A budget laptop at $1,001 each
48. Your company has suffered a system-sprawl attack, and you need to be able to identify what has caused the attack, and what the symptoms of the attack are. Which of the following attacks could cause system sprawl and what would be a tell-tale sign of it? Select the best two answers; each is a part of the solution:
A. SQL injection
B. DoS attack
C. CPU at 100% utilization
D. Buffer overflow
49. Which of the following is a measure of reliability?
A. MTTR
B. MTBF
C. MTTF
D. RPO
50. Which of the following are the characteristics of a third-party to third-party authentication protocol that uses XML-based authentication? Select the best three answers:
A. Single sign on (SSO)
B. Kerberos
C. SAML
D. Federation services