2. Technologies and Tools

Domain 2 Questions

  1. In which one of the following mobile device deployment models does the organization allow employees to use corporate-owned devices for personal use?

    A. BYOD

    B. CYOD

    C. COPE

    D. Corporate-owned

  2. Bruce would like to implement an authentication mechanism that requires that users connecting via mobile devices use a second authentication factor when they are connecting from an unfamiliar IP address. What term best describes this technique?

    A. Context-based authentication

    B. Role-based authentication

    C. Rule-based authentication

    D. Device-based authentication

  3. Rob is tracking down the unauthorized exfiltration of sensitive information from his organization and has found suspicious emails sent by an employee to a Gmail address. The emails seem to contain only photos, but Rob suspects that the photos contain sensitive information. What technique might the employee have used to embed sensitive information within a photograph?

    A. Cartography

    B. Cryptography

    C. Steganography

    D. Psychology

  4. Brad received a call from the Help Desk reporting that users are suddenly receiving an Access Denied message when trying to access several popular websites, although they are able to access other sites. Everyone in the organization is experiencing the same symptoms on different devices and operating systems, and the sites that are being blocked are consistent from user to user. Of the components listed here, which is the most likely culprit?

    A. Content filter

    B. Network firewall

    C. GPO

    D. IPS

  5. Ryan is reviewing logs for his wireless network controller and discovers that a single system attempted to connect to the wireless network once every minute with incorrect credentials until finally logging in successfully after several hours. While reviewing the logs, Ryan noticed that the system had been used by the same user on the network several days ago. What is the most likely explanation of these log entries?

    A. The user's password was compromised via a brute force attack.

    B. The user fell victim to a social engineering attack.

    C. The user changed his or her password.

    D. The user's device was stolen.

  6. Mary's organization uses a specialized statistical software package for their research. Mary discovered that users pass around installation media within their departments rather than deploying the software via a centralized tool. What is the greatest risk facing the organization?

    A. Social engineering

    B. Malware infection

    C. License violation

    D. Faulty software

  7. Sandra is deploying cellular devices to her firm's sales force. She is concerned that the employees will install apps on the devices that jeopardize security. Which one of the following technologies will allow her to control the configuration of the device and prevent the installation of unwanted apps?

    A. ERP

    B. BYOD

    C. MDM

    D. CRM

  8. Which one of the following tools would be the most helpful in detecting missing operating system patches?

    A. Documentation review

    B. Network vulnerability scanner

    C. Port scanner

    D. Configuration management tool

  9. Tina is deploying a NAC solution for a university network, and she wishes to perform host health checking. The network has many unmanaged student machines, and students do not want software installed on their systems that remains behind after they leave the network. Which one of the following approaches would be best for Tina to use?

    A. Dissolvable NAC

    B. Permanent NAC

    C. Captive portal

    D. Active Directory NAC

  10. Which one of the following elements of an LDAP entry can be reconstructed to determine the domain name of a system?

    A. CN

    B. OU

    C. DC

    D. ST

  11. Charlie received an alert from file integrity monitoring software running on a server in his organization. Which one of the following is NOT a likely reason for this alert?

    A. Operating system update

    B. CPU failure

    C. Application update

    D. Security incident

  12. Which one of the following features is not typically supported by mobile device management solutions?

    A. Remote wiping

    B. Carrier unlocking

    C. Application management

    D. Configuration management

  13. Consider the load-balanced server situation shown here. The load balancer sent the last user request to Server A. If the server is using round-robin load balancing, which server will receive the next request?

    Figure 2.1

    A. Server A

    B. Server B

    C. Server C

    D. Server D

  14. Ben would like to identify all of the active network connections and services listening for connections on a Linux system that he is analyzing. What command-line utility can he use to meet this need?

    A. pstools

    B. tcpdump

    C. netstat

    D. netcat

  15. Carl is troubleshooting a Windows device that is having issues connecting to the network. He runs the ipconfig command and finds the information shown here for the problematic interface. How did the system receive this IP address?

    Figure 2.2

    A. Active Directory preferred address

    B. DHCP

    C. Static assignment

    D. APIPA

  16. Tim is planning the deployment of a new VPN that is illustrated in the high-level diagram shown here. What type of VPN is Tim deploying?

    Figure 2.3

    A. TLS VPN

    B. Remote access VPN

    C. Site-to-site VPN

    D. IPsec VPN

  17. Vince is concerned that attackers might be able to gain access to the password file for a service that he runs and he would like to protect it as much as possible. Which one of the following controls provides the most effective protection against the success of rainbow table attacks?

    A. Salting

    B. Hashing

    C. Shadow passwords

    D. Password expiration

  18. Which one of the following techniques often reveals both the type and version of a service running on a particular port?

    A. Traceroute

    B. Port scanning

    C. Steganography

    D. Banner grabbing

  19. Jena would like to configure her organization's switches so that they do not allow systems connected to a switch to spoof MAC addresses. Which one of the following features would be helpful in this configuration?

    A. Loop protection

    B. Port security

    C. Flood guard

    D. Traffic encryption

  20. What type of proxy server is shown in the following illustration?

    Figure 2.4

    A. Caching proxy

    B. Reverse proxy

    C. Content filtering proxy

    D. Forward proxy

  21. Bill is inspecting a new tablet computer that was brought to him by an employee wishing to connect it to the network. The device has the logo shown here on its back panel. What does this logo indicate?

    Figure 2.5

    A. The device has the ability to upload data to cloud services.

    B. The device is portable.

    C. The device can be recharged through the USB port.

    D. The device may be used as a server to access other USB devices.

  22. Drew is concerned that users in his organization may send customers sensitive email messages that travel over the internet in an unencrypted form. What technology can he use to intercept these messages and provide encrypted delivery to the recipient?

    A. Firewall

    B. Email gateway

    C. IPS

    D. TLS

  23. What transport protocol is used by the traceroute command by default?

    A. No transport protocol is used

    B. ICMP

    C. TCP

    D. UDP

  24. Helen is working with a user who reported that strange messages were appearing on his mobile device. After troubleshooting, Helen determines that the messages were sent over Bluetooth. There is no indication that any information on the device was accessed by the attacker. What type of attack likely took place?

    A. Bluelining

    B. Bluesnarfing

    C. Bluescreening

    D. Bluejacking

  25. Alan is running a system audit and detects a user workstation that deviates from the organization's security standard. What action should he take next?

    A. Identify the cause of the deviation.

    B. Report the issue to his manager.

    C. Reimage the workstation.

    D. Reconfigure the device to meet the baseline.

  26. Brian recently established a transport mode IPsec connection between his system and a remote VPN concentrator. Which one of the following statements is correct about this connection?

    A. The payload of the packet is not encrypted.

    B. The IP header of the packet is not encrypted.

    C. The connection supports NAT traversal.

    D. No encryption is in use.

  27. Gwen is crafting a social media policy for her organization and is considering including the following provisions. Which one of these provisions is most likely to be problematic from a legal perspective?

    A. Restricting the use of personal social media accounts outside of working hours.

    B. Requiring disclosure of company affiliation on social media.

    C. Requiring the approval of posts that are sent out via corporate social media accounts.

    D. Blocking social media sites at the perimeter firewall.

  28. Nancy issues the command shown here to determine whether a system is live on the network. What type of packet is sent out by her system?

    Figure 2.6

    A. ICMP echo reply

    B. ICMP echo request

    C. ICMP information request

    D. ICMP information reply

  29. What type of social engineering attack always occurs via telephone calls?

    A. Spear phishing

    B. Vishing

    C. Smishing

    D. Whaling

  30. What type of Wi-Fi antenna is shown in the following image?

    Figure 2.7

    A. Omnidirectional

    B. Parabolic

    C. Pulse width

    D. Yagi

  31. Hannah is investigating a security incident and discovers that a network client sent false MAC address information to a switch. What type of attack likely took place?

    A. DNS poisoning

    B. ARP poisoning

    C. Man-in-the-middle

    D. Eavesdropping

  32. Laura is performing a DNS query using the nslookup command and she would like to identify the SMTP server(s) associated with a domain. What type of records should she retrieve?

    A. MX

    B. A

    C. CNAME

    D. NS

  33. Helen would like to sideload an app onto an Android device. What format must the application be in for her to successfully sideload it?

    A. EXE

    B. IPA

    C. ZIP

    D. APK

  34. Raj is troubleshooting authentication problems with his organization's VPN. All of the users are receiving password authentication failures. What is the most likely cause of this problem?

    A. Password expiration

    B. Incorrect passwords

    C. RADIUS server failure

    D. VPN server failure

  35. Carla learns that a user in her organization is about to be terminated at 3:00 and she wants to properly time the disablement of that user's account. What would be the best time to terminate access?

    A. During the termination conversation

    B. Immediately

    C. At the end of the day

    D. Tomorrow morning

  36. Ricky is configuring a directory server that must be accessible to users passing through a firewall. He would like to allow only encrypted LDAPS sessions through the firewall. What port should Ricky enable?

    A. TCP port 3389

    B. TCP port 389

    C. TCP port 636

    D. TCP port 443

  37. Which one of the following security controls can best protect against the risk of unauthorized software installation?

    A. Content filters

    B. Application blacklisting

    C. Host firewalls

    D. Application whitelisting

  38. During a security audit of his organization's web environment, Robert discovers that his web server supports SSL v2.0. What action should he recommend based upon this information?

    A. The organization should replace SSL with TLS.

    B. The organization should disable SSL v2.0 and support only SSL v3.0 or higher.

    C. The organization should replace SSL with SSH.

    D. No action is necessary.

  39. Ryan is experiencing interference on his Wi-Fi network. Which one of the following options is not an effective solution to the problem?

    A. Change wireless channels

    B. Relocate access points

    C. Increase bandwidth

    D. Relocate wireless clients

  40. Which one of the following statements about IPsec protocols is correct?

    A. AH supports authentication, integrity, and confidentiality. ESP supports confidentiality and authentication.

    B. AH supports authentication, integrity, and confidentiality. ESP supports confidentiality and integrity.

    C. AH supports authentication and integrity. ESP supports confidentiality, authentication, and integrity.

    D. AH supports authentication and confidentiality. ESP supports integrity and authentication.

  41. Barry is reviewing log records in the wake of a security incident. He suspects that the attackers attempted a SQL injection attack that was blocked. Which one of the following log sources is likely to contain the best information about the attempted attack?

    A. Host firewall logs

    B. Web server logs

    C. Database logs

    D. Web application firewall logs

  42. After implementing a SIEM solution, Amanda discovers that the timestamps on log entries are not synchronized. What protocol can Amanda deploy in her organization to ensure clock synchronization?

    A. DHCP

    B. DNS

    C. NTP

    D. BGP

  43. Colleen's company is considering deploying a BYOD mobile device strategy. She is concerned about the intermingling of corporate and personal data on mobile devices. What security control can help resolve this situation?

    A. Application control

    B. Full device encryption

    C. Storage segmentation

    D. Multifactor authentication

  44. Renee ran a wireless network scan in her office and found the results shown in the following table. Which one of the following networks has the strongest signal?

    Figure 2.8

    A. CAFwifi-Guest

    B. cathy

    C. CornerBakeryCafeWiFi

    D. CAFwifi

  45. Dylan is helping his organization select a secure video conferencing solution that will be used to meet both internally and with customers. He would like to choose a technology that uses a protocol that supports secure video conferencing and will most likely be allowed through the network firewalls of customer organizations. Which one of the following protocols is his best option?

    A. RTPS

    B. HTTPS

    C. H.323

    D. SIP

  46. Sally is planning to deploy an advanced malware protection system. What feature of these systems would allow Sally to leverage information obtained from malware monitoring that was conducted by other customers of the same vendor?

    A. Sandboxing

    B. Threat intelligence

    C. Quarantining

    D. Behavioral detection

  47. Ron is selecting an email data loss prevention (DLP) solution for use in his organization. He is specifically concerned about preventing the loss of a set of product plans that are contained in a single repository. Which DLP technology would be the most effective at meeting his needs?

    A. Pattern recognition

    B. Watermarking

    C. Host-based

    D. Network-based

  48. Visitors to Patricia's organization's website are seeing the following error message. What is the simplest way that Patricia can resolve this issue?

    Figure 2.9

    A. Require the use of TLS

    B. Renew the certificate

    C. Replace the certificate

    D. Block insecure ciphers

  49. Dennis is reviewing the logs from a content filter and notices that a user has been visiting pornographic websites during business hours. What action should Dennis take next?

    A. Take no action

    B. Discuss the issue with the user

    C. Block access to the websites

    D. Report the issue to management

  50. Review the ifconfig results shown here. What is the primary IP address for this machine?

    Figure 2.10

    A. 127.0.0.1

    B. 10.36.23.255

    C. 10.36.23.22

    D. 98:e0:d9:87:8a:73

  51. Alan created a system named PersonnelDatabase that is designed to attract attackers, but there is no real sensitive information on the server. When someone attempts to connect to the system, Alan analyzes their activity. What type of system has Alan created?

    A. Honeypot

    B. Darknet

    C. Sinkhole

    D. Honeynet

  52. Tom would like to deploy NAC technology that is capable of constantly monitoring the configuration of endpoint machines and quarantining machines that fail to meet a security baseline. Which technology would be the most appropriate for Tom to deploy?

    A. Dissolvable NAC

    B. Agentless NAC

    C. Captive portal

    D. Agent-based NAC

  53. Flo is investigating an alert that was generated by her organization's NIDS. The system was alerted to a distributed denial of service attack and Flo's investigation revealed that this type of attack did take place. What type of report has the system generated?

    A. False positive

    B. True negative

    C. True positive

    D. False negative

  54. Kyle would like to capture network traffic to assist with troubleshooting a firewall issue. What command-line utility can he use to capture traffic?

    A. netcat

    B. Wireshark

    C. nmap

    D. tcpdump

  55. Which one of the following IP addresses should never be seen as the destination address of a packet leaving an organization's network over the internet?

    A. 192.168.10.6

    B. 12.8.1.42

    C. 129.53.100.15

    D. 154.42.190.5

  56. Trevor is planning the deployment of a Wi-Fi network. Which one of the following encryption technologies provides the highest level of security?

    A. WPA2

    B. WEP

    C. TKIP

    D. WPA

  57. Wendy is deploying mobile devices to field workers who must travel in rural areas and require constant data service availability. Which one of the following technologies can provide that access?

    A. Cellular

    B. SATCOM

    C. Wi-Fi

    D. Bluetooth

  58. Which one of the following tools is an exploitation framework commonly used in penetration testing?

    A. Metasploit

    B. Cain and Abel

    C. Nessus

    D. Sysinternals

  59. Tim is concerned about the integrity of log records written by a database that stores sensitive information. What technology can he use to best prevent unauthorized changes to log entries?

    A. TLS

    B. Cryptographic hashing

    C. File integrity monitoring

    D. WORM

  60. Brian would like to restrict access to his Wi-Fi network to three specific devices that he controls. This network is small and Brian would like to control costs and preserve simplicity. What is the best way to restrict access?

    A. PSK

    B. MAC filtering

    C. NAC

    D. Kerberos

  61. Victor's organization is experiencing a rash of misplaced devices. What IT management discipline can help them maintain an accurate inventory?

    A. Configuration management

    B. Asset management

    C. Change management

    D. Firewall management

  62. Barry is using Nmap to scan systems and is experiencing difficulty because some systems are not responding to ping requests. He knows the hosts are active. What flag can he use to skip the discovery step entirely?

    A. -Pn

    B. -PS

    C. -PA

    D. -PU

  63. Carrie is setting up a site-to-site VPN between two of her organization's offices and wishes to establish the connection using IPsec-based VPN concentrators. Which IPsec mode should Carrie use?

    A. Tunnel mode

    B. Transport mode

    C. Split tunnel

    D. TLS

  64. Maddox is configuring an internal firewall that will restrict access to a network subnet populated with database servers. Which one of the following ports is not commonly associated with database traffic?

    A. 1433

    B. 1521

    C. 1701

    D. 3306

  65. Tammy is running a set of three load-balanced web servers for her domain. The first server is the primary server and handles requests until it reaches capacity, and then new requests are assigned to the second server. The third server remains idle unless the other two servers are fully utilized. What IP address should Tammy use for the DNS entry for the domain?

    A. Second server's IP

    B. First server's IP

    C. Virtual IP

    D. Third server's IP

  66. Alan is checking the NTFS permissions for a file and finds that the permissions for a problematic user are as follows. What is the end result of these permissions?

    Figure 2.11

    A. The user cannot read or write the file.

    B. The user can read the file but not write to it.

    C. The user can write to the file but cannot read it.

    D. The user can read and write the file.

  67. Eric would like to determine whether the users on his network are transmitting sensitive information without the use of encryption. What technology, of the following choices, can best assist Eric in completing this task?

    A. Exploitation framework

    B. Port scanner

    C. Protocol analyzer

    D. Honeypot

  68. Laurie is considering using the S/MIME standard to provide secure email capability for her organization. Which one of the following statements best describes the security capabilities of S/MIME?

    A. S/MIME provides confidentiality, integrity, and non-repudiation.

    B. S/MIME provides confidentiality and integrity, but not non-repudiation.

    C. S/MIME provides integrity and non-repudiation, but not confidentiality.

    D. S/MIME provides confidentiality and non-repudiation, but not integrity.

  69. Tom is conducting a security audit of network devices in a hospital and discovers that the devices are using SNMPv3 for management. What conclusion can he reach from this information alone?

    A. SNMPv3 is insecure because it contains injection vulnerabilities.

    B. SNMPv3 is insecure because it uses plaintext community strings.

    C. SNMPv3 is insecure because it transfers commands in unencrypted form.

    D. The hospital is using a secure network management protocol.

  70. Greg is concerned that users might connect USB drives to their workstations in an attempt to steal sensitive information without being detected on the network. What technology can Greg use to block USB device use?

    A. Host-based DLP

    B. Network-based DLP

    C. Host-based IPS

    D. Network-based IPS

  71. Which one of the following approaches provides the greatest security for a two-factor authentication system based upon the use of mobile devices?

    A. TLS notification

    B. SMS notification

    C. MMS notification

    D. Push notification

  72. Dave's organization uses Android devices from a manufacturer who is very slow to provide operating system updates. Users in his organization are very tech-savvy and want the most recent version of Android. What technique might they adopt to obtain those updates, which could also jeopardize Dave's ability to manage the devices through his MDM platform?

    A. Custom firmware

    B. Application sideloading

    C. Bluejacking

    D. Bluesnarfing

  73. Scott is creating a VPN policy for end users. He would like to provide maximum protection for mobile devices running Windows by automatically establishing VPN connections when the users of those devices open applications that are known to process sensitive data. What technology can best assist Scott with this task?

    A. Split tunnel VPN

    B. TLS VPN

    C. IPsec VPN

    D. Always On VPN

  74. Alan's organization is deploying a BYOD policy for mobile devices, and he would like to protect corporate data stored on those devices in the event of a compromise. Which one of the following features would be the least appropriate for meeting this goal?

    A. Remote wiping

    B. Containerization

    C. Geofencing

    D. Encryption

  75. Molly's security team is overwhelmed by the number of sources of security information that they receive. She would like to select a tool that can aggregate and correlate log entries. What tool is the most appropriate for her needs?

    A. DLP

    B. SIEM

    C. IPS

    D. NAC

  76. Which feature of Microsoft operating systems prevents the execution of code stored in regions of memory not specifically designated for executable code?

    A. PCI

    B. ASLR

    C. DEP

    D. PGP

  77. Libby is reviewing the logs that were generated by her organization's application whitelisting system. Which one of the following circumstances is most likely to generate a false positive alert?

    A. Software update to authorized application

    B. Downloading software from the web

    C. Execution of malware on a system

    D. Installation of a rootkit

  78. Juan is running two load balancers in active/passive mode. Which one of the following terms does NOT describe this situation?

    A. High availability

    B. Fully utilized

    C. Fault tolerant

    D. Easily maintained

  79. Carl is configuring security permissions for his network and comes across the ruleset shown here. What type of device is most likely executing this policy?

    Figure 2.12

    A. IDP

    B. Firewall

    C. DLP

    D. Router

  80. In the following image, what term is used to describe the Wi-Fi network names being displayed to the user?

    Figure 2.13

    A. Broadcast name

    B. MAC

    C. IP address

    D. SSID

  81. Bev is analyzing host IPS logs from endpoints in her network and notices that many are receiving port scans from external hosts. Which one of the following circumstances is likely present?

    A. Compromised internal system

    B. Misconfigured host firewall

    C. Misconfigured IPS

    D. Misconfigured network firewall

  82. Greg is reviewing smartphone security controls for users who take photos at sensitive locations. He is concerned about the type of information that might be included in the EXIF metadata associated with each image. Which one of the following data elements is not commonly included in EXIF metadata?

    A. Ambient temperature

    B. GPS coordinates

    C. Camera model

    D. Shutter speed

  83. Ricky works for a defense contractor that would like to disable the use of cameras on all mobile devices owned by the organization. They are doing this to prevent the theft of confidential information through device cameras. What technology can Ricky use to best enforce this requirement?

    A. IPS

    B. DLP

    C. MDM

    D. WAF

  84. Which one of the following firewall types is capable of monitoring connection statuses by tracking the stages of the TCP handshake and then using that information when deciding whether to allow future packets that are part of an active connection?

    A. Stateless firewall

    B. Packet filter

    C. Stateful inspection

    D. Router ACL

  85. Barbara is the cybersecurity manager for a retail chain that is considering deploying contactless payment systems that support Apple Pay, Google Wallet, and similar solutions. What type of communication technology do these solutions use to communicate between a user's smartphone and the payment terminal?

    A. NFC

    B. Bluetooth

    C. Infrared

    D. Wi-Fi

  86. After reviewing the results of a system scan, Mike determines that a server in his organization supports connections using the FTP service. What is the primary risk associated with this service?

    A. Buffer overflow

    B. Unencrypted credentials

    C. Cross-site scripting

    D. Privilege escalation

  87. Tina is selecting a firewall for her organization and would like to choose a technology that is capable of serving as her organization's front-line connection to the internet and blocking a variety of attacks, including SYN floods, TCP probes, and SQL injection. Which one of the following devices would best meet her needs?

    A. Packet filter

    B. Next-generation firewall

    C. Router ACL

    D. Web application firewall

  88. Sam is reviewing the logs from his organization's unified threat management system. Which one of the following functions is not typically performed by a UTM device?

    A. Sandboxing

    B. Content filter

    C. Firewall

    D. Intrusion prevention

  89. Jaime is creating a firewall ruleset that is designed to allow access from external networks to a web server that responds to both encrypted and unencrypted requests. What ports should Jaime fill in for the boxes currently labeled X and Y in the following diagram?

    Figure 2.14

    A. 80 and 443

    B. 80 and 8080

    C. 53 and 443

    D. 53 and 80

  90. Which one of the following data sanitization techniques uses strong magnetic fields to remove remnant data from a device?

    A. Pulverizing

    B. Degaussing

    C. Wiping

    D. Overwriting

  91. Tom purchased a mobile device from a carrier under a contract that expired last year. He attempted to transfer the device to a new carrier but was told that the device is locked. Who must unlock the device in order for Tom to complete the transfer?

    A. The new carrier

    B. The original carrier

    C. Tom's employer

    D. Tom

  92. Norma is comparing the security characteristics of different Wi-Fi networks. Which one of the following types of Wi-Fi network allows the use of enterprise authentication protocols?

    A. PSK

    B. WPA

    C. Ad hoc

    D. Direct

  93. Tim is installing a data loss prevention system in his organization and is concerned about the likelihood of false positive reports. Which one of the following techniques is most likely to generate false positive alerts?

    A. Removable media control

    B. Watermarking

    C. Pattern matching

    D. Software updates

  94. Which one of the following network device features is NOT used to prevent routing loops from occurring in a network or to correct them when they do occur?

    A. Split horizon

    B. Loop prevention

    C. Flood guard

    D. Hold-down timers

  95. Samantha would like to add security to her organization's voice over IP (VoIP) telephony system. What protocol is specifically designed to assist with securing VoIP implementations?

    A. SNMP

    B. SRTP

    C. SSH

    D. TLS

  96. Which one of the following services is not normally performed by email security gateways?

    A. Network firewall

    B. Data loss prevention

    C. Encryption

    D. Spam filtering

  97. In the firewall ruleset shown here, what name is typically used to refer to rule number 4?

    Figure 2.15

    A. SMTP

    B. Stealth

    C. Promiscuous

    D. Implicit deny

  98. John would like to identify a subscription service that helps him block known malicious systems from accessing his network by automatically updating his firewall rules. What type of service would best meet this need?

    A. Malware signature

    B. IP reputation

    C. IDS signature

    D. Behavioral analysis

  99. Ralph runs a large-scale Wi-Fi network and is having difficulty with interference between access points. What is the most effective and efficient way for Ralph to address these issues?

    A. Use a Wi-Fi controller

    B. Modify access point power levels

    C. Reposition access points

    D. Modify access point antenna configuration

  100. Gavin is choosing a model that will allow employees to access corporate systems remotely. He would like to allow employees to use their own devices but would like to provision access in a way that allows them to use the data through a corporate-controlled computing environment without them having to transfer data to their own devices. Which one of the following models would best meet Gavin's needs?

    A. COPE

    B. CYOD

    C. BYOD

    D. VDI

  101. Justin is searching for rogue systems on his network and would like to detect devices that are responding to network requests but are not on his approved list. What tool can he use to identify the systems on a network that are responding to requests?

    A. sqlmap

    B. OpenSSL

    C. netcat

    D. nmap

  102. Nina is assisting a user who reports that he cannot connect to the wireless network in his building. The network continually shows a message requesting a network password. What is the most likely issue with this connection?

    A. Expired user account

    B. Incorrect PSK

    C. Incorrect user password

    D. Incorrect SSID

  103. An attacker has compromised a system on an organization's local network and has set up an encrypted tunnel to that system. He is now attempting to pivot by exploiting a zero-day vulnerability on a system located on the same LAN as the already compromised system. What type of intrusion detection system would be the most likely to detect the pivot attack?

    A. Signature HIDS

    B. Heuristic HIDS

    C. Heuristic NIDS

    D. Signature NIDS

  104. Greg is working with remote users to troubleshoot issues that they are experiencing with VPN connections when traveling to customer sites. He believes that customer firewalls are interfering with the VPN connection and is considering altering the VPN configuration to prevent this issue. What type of VPN connection is the least susceptible to this problem?

    A. TLS

    B. IPsec

    C. Split tunnel

    D. Full tunnel

  105. Mark is analyzing host antivirus logs in the aftermath of a system compromise. He discovers that the antivirus software did not detect malicious software that infected the system. Which one of the following is the least likely cause of this failure?

    A. Antivirus software failure

    B. Outdated antivirus signatures

    C. Zero-day attack

    D. APT attack

Domain 2 Answers and Explanations

  1. C. The corporate-owned, personally enabled (COPE) model allows employees to make personal use of corporate-owned devices. While choose-your-own-device (CYOD) and corporate-owned models do not preclude personal use, they do not necessarily allow it. Bring-your-own-device (BYOD) models use personally owned equipment, rather than corporate-owned equipment.
  2. A. The use of different authentication requirements depending on the circumstances of the user's request is known as context-based authentication. In this scenario, authentication requirements are changing based upon the user's IP address, making it an example of context-based authentication.
  3. C. Steganography is a set of techniques that are used to hide information within other files, in plain sight. The most common application of steganography is hiding information within images.
  4. A. Any of these devices could conceivably be the culprit, but the most likely case is that a content filter is suddenly blocking sites that should be allowed. This often happens when the filter policy is incorrectly configured. A network firewall is less likely to block traffic based upon the identity of the website. An intrusion prevention system (IPS) may be conducting this type of filtering, but it is a less likely candidate than the content filter. A GPO could also be restricting access to websites, but this is not likely to happen across different operating systems as GPOs are a Windows technology.
  5. C. While any of these explanations are plausible, this pattern of activity is indicative of a password change. Once the user changed his or her password, authentication began to fail and continued to fail as the device retried the connection automatically. The user eventually noticed and updated the password on the device, allowing it to resume normal connectivity.
  6. C. The scenario gives us no reason to believe that the installation media is faulty or malicious. However, deploying the software in this way does run the risk of exceeding the organization's licensed allocation, putting them in jeopardy of violating the terms of their license agreement.
  7. C. Mobile device management (MDM) solutions allow administrators to set policies that manage the configuration of mobile devices, as well as control the apps installed on those devices.
  8. D. All of these tools may be useful in detecting missing patches. However, the most useful tool is a configuration management system. These tools have the ability to directly query the operating system to obtain real-time information on their patch level.
  9. A. Dissolvable NAC uses a temporary agent that is removed immediately after the health check completes. This would be the best solution for Tina to deploy. A captive portal solution does not necessarily have the ability to perform health checking unless it is combined with a dissolvable agent. Permanent NAC would install software that remains on the student computers. Active Directory NAC would not be appropriate because the systems are unmanaged and, therefore, not accessible through AD.
  10. C. The domain component (DC) of an LDAP entry contains portions of the domain name of a system. The OU component contains information about the organizational unit, while the CN component contains the common name. The ST component contains information about the state or territory.
  11. B. Operating system updates and application updates frequently trigger file integrity alerts, as do system compromises. A CPU failure would result in a system crash, rather than a file integrity alert.
  12. B. Mobile device management products do typically support remote wiping, application management, and configuration management, among other features. They do not provide carrier unlocking functionality, as this may only be performed by the wireless carrier that activated the device.
  13. B. In round-robin load balancing, the load balancer assigns requests to servers sequentially. The load balancer does not use capacity information to determine scheduling. It simply assigns each incoming request to the next server in line.
  14. C. The netstat command lists all of the active network connections on a system, as well as the status of ports that are listening for requests. The tcpdump command captures network traffic and would see active network connections but does not identify ports that are listening without an active connection. The pstools command is used to find information about processes running on a system but does not provide network port or version information. The netcat command is used to send information via a network pipe.
  15. D. Addresses in the range of 169.254.0.0/16 are assigned by the Automatic Private IP Assignment (APIPA) protocol when a system is unable to receive an address via other means. An address that's received via DHCP or static assignment would override this address. An Active Directory preferred address is not a valid IP address assignment mechanism.
  16. C. The illustration shows a VPN that connects multiple branches of the organization to a central office. This is a site-to-site VPN. Remote access VPNs are used to connect individual devices. It is not possible to tell from the diagram whether the VPN is using TLS or IPsec transport.
  17. A. Rainbow table attacks use precomputed hash values to identify commonly used passwords in password files. They are quite effective against password files or shadow password files that contain passwords that have been hashed but have not been salted. Password expiration limits the length of time that a compromised password may be used for but does not prevent rainbow table attacks from being successful.
  18. D. Banner grabbing queries a service for header information provided to clients. This information often includes the specific service running on a port, as well as version information. Port scanning will reveal the existence of a service on a port, but port scanning alone cannot identify version information unless it is supplemented with banner grabbing information. Steganography is a technique that's used for hiding data within images or other binary files. Traceroute is a command that's used to find the path between two systems on a network.
  19. B. Port security restricts the number of unique MAC addresses that may originate from a single switch port. It is commonly used to prevent someone from unplugging an authorized device from the network and connecting an unauthorized device but may also be used to prevent existing devices from spoofing the MAC addresses of other devices.
  20. D. This is a forward proxy because the proxy server is located on the same network as the user. It connects to remote web servers on behalf of the end user. It is not possible to determine whether this proxy server is performing caching and/or content filtering based upon this illustration.
  21. D. While all of the attributes listed in the scenario may be true of the device, the USB on-the-go logo indicates that the device supports the USB OTG standard for acting as a host server for other devices, such as cameras, flash drives, or peripherals.
  22. B. One of the functions provided by email gateways is the interception of sensitive messages destined for external locations. The gateway then informs the recipient that they have a secure message and the recipient logs into a website to receive the message over an HTTPS-protected connection. Firewalls and intrusion prevention systems do not provide this technology. While TLS is used in this solution, TLS alone is not capable of intercepting messages.
  23. D. By default, the traceroute command uses UDP connections. This is different from the ping command, which uses ICMP by default.
  24. D. In a bluejacking attack, the attacker uses a Bluetooth connection to display messages to the end user. This attack does not grant the attacker access to information stored on the device, as would occur in a bluesnarfing attack. Bluescreening and bluelining are made-up terms in the context of Bluetooth technology.
  25. A. There are sometimes legitimate reasons for a system to deviate from a security baseline. Alan should investigate this issue and determine the reason for the deviation before taking more drastic action.
  26. B. VPN connections established in transport mode encrypt the payload of data packets but do not provide encryption for packet headers. Transport mode connections do not support NAT traversal.
  27. A. It is difficult for companies to restrict the social media activity of employees who are accessing the networks outside of working hours and without using corporate resources. It is perfectly reasonable to limit the use of corporate accounts, block social media use on corporate networks, and require the disclosure of corporate affiliations when discussing related matters.
  28. B. The ping command transmits an ICMP echo request message to the target system, which may then respond with an ICMP echo reply message.
  29. B. Vishing, or voice phishing, attacks always take place over telephone calls. Smishing attacks use SMS messages. Spear phishing or whaling attacks normally occur over email but may use any communications mechanism.
  30. B. The antenna that's shown here is an example of a parabolic antenna.
  31. B. Based on the information provided, we can only conclude that an ARP poisoning attack took place. This attack could have been used to conduct eavesdropping or man-in-the-middle attacks but there is not enough information provided to draw that conclusion. There is no evidence that DNS poisoning took place.
  32. A. Mail eXchanger (MX) records contain information about the SMTP servers associated with a domain. A records are standard address mapping records. Canonical name (CNAME) records are used to create aliases for DNS names. Name Server (NS) records are used to identify DNS servers for a domain.
  33. D. Android applications must be in Android Application Package (APK) format to be sideloaded onto a device. IPA files are used for iOS applications, not Android applications. EXE files are applications designed for use on Windows systems. The ZIP format is a generic file compression format that is used in APK files, but Android applications are not stored in pure ZIP format.
  34. C. The most likely problem is that the RADIUS server is not properly authenticating accounts. It is not likely to be a VPN server problem because users are able to contact the server but are failing at the authentication step. It is unlikely that users are entering their passwords incorrectly or using expired passwords because the issue is occurring for all users.
  35. A. The primary risk that Carla must avoid is that the user may have access to systems after being terminated. In addition, Carla should avoid tipping off the user to the pending termination. Therefore, she should wait until she can verify that the termination meeting has started and then cut off the user's access during the meeting.
  36. C. Encrypted LDAPS sessions use TCP port 636. Unencrypted LDAP sessions use TCP port 389. Port 3389 is used for GUI connections to devices using the Remote Desktop Protocol (RDP). Port 443 is used for encrypted web connections using HTTPS.
  37. D. Application whitelisting prevents the installation of any software that is not on a list of preapproved applications and would prevent users from installing software that is not on the authorized list. Blacklisting takes the opposite approach, where administrators list the software that may not be installed. Host firewalls and content filters do not generally block the installation of software.
  38. A. The Secure Sockets Layer (SSL) is now considered an insecure protocol and should no longer be used. The secure replacement for SSL is Transport Layer Security (TLS). The Secure Shell (SSH) protocol is a secure means for establishing connections between two systems, but it does not provide the same transport layer functionality as SSL and TLS.
  39. C. Moving the access point or the client may resolve the interference, as might changing the wireless channel/band in use. Increasing bandwidth will only provide more capacity. Additional capacity will not resolve interference.
  40. C. The Authentication Headers (AH) protocol supports only authentication and integrity for IPsec connections. The Encapsulating Security Payload (ESP) protocol supports confidentiality, integrity, and authentication.
  41. D. The web application firewall is the device that most likely blocked the attack and would contain detailed information about the attack. If the WAF blocked the attack, records would not appear in the logs of the web server, the database server, or the host firewalls on any devices.
  42. C. The Network Time Protocol (NTP) performs clock synchronization across devices. The Domain Name Service performs translations between domain names and IP addresses. The Dynamic Host Configuration Protocol (DHCP) provides IP addresses to systems. The Border Gateway Protocol (BGP) is used to configure network routing.
  43. C. Storage segmentation provides separate storage areas on the mobile device for personal and corporate information, preventing the two from becoming intermingled. Application control would limit the applications that users may install on devices but would not control where those applications store data. Full device encryption would add security to all data stored on the device but would not differentiate between personal and corporate data. Multifactor authentication does add a layer of security to the device but does not distinguish between categories of information.
  44. D. When measuring RSSI, the network with the strongest signal is the one with the highest value. Since RSSI is measured in negative numbers, this will be the number closest to zero which, in this case, is -67, corresponding to the CAFwifi network.
  45. B. All of the protocols listed here have the capability of supporting secure video conferencing. Of the options, HTTPS is the most likely to be fully supported by customer firewalls because it is the same port that's used for secure web connections. Therefore, this would be the best option for Dylan to choose.
  46. B. All of the capabilities listed here are features of advanced malware prevention systems. However, only threat intelligence directly leverages information obtained from systems deployed at other customer sites.
  47. B. There is not enough information in the scenario to determine whether host-based or network-based DLP would be more appropriate. The main choice facing Ron is whether to use pattern matching or watermarking. Pattern matching looks for data that matches the format of known sensitive data elements, such as Social Security numbers or credit card numbers. Watermarking tags sensitive documents and then watches for those tags in network traffic. In this case, Ron has a specific set of documents that he would like to protect, so watermarking would be the best solution.
  48. C. This error message indicates that the website is using a certificate from an untrusted certificate authority. Patricia should replace the certificate with one from a trusted CA.
  49. D. Dennis should consult his manager to determine the appropriate next steps. He should not confront the user directly. While his manager may direct him to block the websites, this is a management decision that Dennis should not take on himself.
  50. C. The IP address for this machine is shown in the record for the Ethernet interface en0. It is 10.36.23.22. The address 10.36.23.255 is the broadcast address associated with that adapter and not the IP address of the machine. 127.0.0.1 is the local loopback address for any system. 98:e0:d9:87:8a:73 is the MAC address for the en0 interface and not an IP address.
  51. A. Honeypots are systems that are deliberately designed to attract attackers and monitor their activity. Honeynets are entire networks of decoy systems. Darknets are unused portions of IP space that are used to identify scanning attempts. Sinkholes are false DNS entries that are created to prevent users from accidentally contacting malicious systems.
  52. D. Tom should deploy an agent-based NAC solution or, more specifically, a permanent agent. This technology leaves software running on the endpoint that may remain in constant contact with the NAC solution. Agentless NAC, captive portal solutions, and dissolvable agents do not maintain a constant presence on the system and would not meet Tom's requirements.
  53. C. In a true positive report, the system reports an attack when an attack actually exists. A false positive report occurs when the system reports an attack that did not take place. A true negative report occurs when the system reports no attack and no attack took place. A false negative report occurs when the system does not report an attack that did take place.
  54. D. Both the tcpdump and Wireshark utilities can be used to capture network traffic. Of those two, only tcpdump is a command-line utility. Wireshark uses a graphical interface. Nmap is a network port scanner, while netcat is used to redirect data to a network connection. Neither Nmap nor netcat can capture traffic.
  55. A. The IP address 192.168.10.6 falls within the private IP address range of 192.168.0.0/16. This address range is only for use on a local area network and should never be seen on a public network, such as the internet. The other addresses provided in this question are all valid public IP addresses.
  56. A. Wi-Fi Protected Access version 2 (WPA2) uses the AES encryption standard and provides the highest level of security for a Wi-Fi network. WPA version 1 uses the Temporal Key Integrity Protocol (TKIP), which is secure but not as strong as WPA2. Wired Equivalent Privacy (WEP) is an insecure encryption technique.
  57. B. Satellite communications (SATCOM) have the widest availability, as they may be used from any region of the world with satellite coverage. For large satellite networks, this covers the entire planet. Cellular signals do travel long distances but may not have constant availability in rural areas. Wi-Fi and Bluetooth are only useful over short distances and would not be appropriate for this scenario.
  58. A. Metasploit is an exploitation framework commonly used in penetration testing. Cain and Abel is a password cracking utility. Nessus is a vulnerability scanner. Sysinternals is a set of Windows system administration tools.
  59. D. Write once, read many (WORM) storage devices allow us to write data in a permanent fashion where modification is impossible. Cryptographic hashing and file integrity monitoring solutions may detect unauthorized changes, but they are unable to prevent unauthorized changes. Transport layer security (TLS) is an encryption protocol that would not prevent changes to stored data.
  60. A. Brian can use a preshared key (PSK) known only by him to restrict network access. Kerberos or NAC authentication would require configuration and a costly infrastructure. MAC address filtering is easily defeated and should not be relied upon for secure network access controls.
  61. B. Asset management practices include tracking a physical hardware inventory, which would help maintain accurate device location information. Change and configuration management systems would not generally track the physical location of a device. Firewalls are network security devices, which would not help meet this requirement.
  62. A. The -Pn flag disables the host discovery step and scans every specified system. The -PS flag conducts a TCP SYN ping, while the -PA flag conducts a TCP ACK ping. The -PU flag conducts a UDP ping.
  63. A. IPsec has two modes of operation: tunnel mode and transport mode. Tunnel mode is primarily used for site-to-site connections, such as the one that Carrie is establishing here. Transport mode is normally used for connections involving endpoint devices.
  64. C. Port 1433 is commonly associated with Microsoft SQL Server databases, while port 1521 is used by Oracle databases. Port 3306 is the default port for MySQL databases. Port 1701 is used by the L2TP protocol, which is associated with VPN access, not databases.
  65. C. When registering DNS entries for a load-balanced service, administrators should assign the entry to a virtual IP address that maps to the public interface of the load balancer.
  66. D. In this case, the explicit permission that's granted to the user to write the file overrides the deny permission, which is inherited (denoted by the grey shading). Therefore, the user can both read and write the file.
  67. C. Eric can use a protocol analyzer to sniff network traffic and search the contents for unencrypted sensitive information. A data loss prevention (DLP) solution could automate this work, but that is not one of the options available to Eric.
  68. A. The S/MIME secure email standard allows organizations to achieve confidentiality, integrity, and non-repudiation for email communications.
  69. D. SNMPv3 is the current standard for network management and is a secure protocol. Older versions of SNMP did not provide secure authentication due to their use of plaintext community strings.
  70. A. Data loss prevention systems are designed to prevent the exfiltration of sensitive information, while intrusion prevention systems are designed to block attack traffic. Since Greg is attempting to block the exfiltration of sensitive information, he should choose a DLP solution. The threat that Greg wants to defend against does not use the network, so he should choose a host-based DLP that offers USB blocking capabilities.
  71. D. Push notification uses a secure mechanism to notify users of mobile devices. The Apple Push Notification Service (APNS) is an example of a secure push notification mechanism. SMS (text messaging) notifications have insecurities, particularly when used with VoIP numbers. MMS is used for multimedia messages and is not appropriate for an authentication solution. TLS is a generic transport layer security protocol and cannot be used to directly deliver notifications to mobile devices.
  72. A. Users may bypass the manufacturer's installed operating system by installing their own custom firmware on the device. This may remove any MDM configuration that Dave places on the device before providing it to the user. Application sideloading can install illicit applications on a device but does not replace the operating system. Bluejacking and Bluesnarfing are attacks against Bluetooth connections but do not alter the operating system on a device.
  73. D. In this scenario, Scott would like to choose a technology that automatically triggers VPN connections based upon security policies. Microsoft's Always On VPN technology provides this feature. TLS and IPsec VPNs are different VPN protocols but they do not inherently have the ability to trigger a VPN connection. Split tunneling policies control what information is routed through the VPN connection but they do not have the ability to require or initiate a VPN connection.
  74. C. Mobile device management products support all four of these features. Containerization may be used to isolate corporate content from personal content. Remote wiping may be used to remove data from a lost or stolen device. Encryption may be used to protect data from theft. Geofencing does not prevent the theft of data.
  75. B. Security information and event management (SIEM) solutions aggregate and correlate log entries that are received from a wide variety of sources. Data loss prevention (DLP) systems seek to prevent the exfiltration of sensitive information from the organization. Intrusion prevention systems (IPS) block potentially malicious network traffic. Network access control (NAC) solutions prevent unauthorized systems from connecting to the network.
  76. C. Data execution prevention (DEP) requires the explicit marking of memory regions as executable, preventing malicious attacks that seek to execute code out of other regions of memory.
  77. A. The most common false positive report for application whitelisting results from an unexpected update from the software vendor that changes the signature of the application. A user downloading software from the web should generate an alert, so this would not be a false positive. The same thing is true for malicious activity, such as the execution of malware or the installation of a rootkit.
  78. B. In an active/passive configuration, one load balancer remains unused while the other load balancer handles all traffic. If the active load balancer fails, the passive load balancer takes over. This is a high availability, fault-tolerant configuration and it is easily maintained. It does not, however, use the full capacity of both devices.
  79. D. This is an example of an access control list from a router. Of the devices listed, only routers and firewalls perform network filtering of the type that would be defined by these types of rules. However, if these rules had come from a firewall, they would contain more detail, including source and destination ports.
  80. D. Wi-Fi networks use the service set identifier (SSID) to broadcast a network name to all the devices in the area. SSID broadcasting advertises the presence of the Wi-Fi network.
  81. D. Hosts on an internal network should never see port scans coming from external networks. The fact that these packets are reaching the host indicates that the network perimeter firewall is improperly configured.
  82. A. EXIF metadata includes a wide variety of technical and environmental information about photos that have been shot with digital cameras and smartphones. This information commonly includes geolocation information obtained from the device's GPS, as well as the camera's make and model, shutter speed, and other technical characteristics. It does not normally include temperature information as these devices typically do not include thermometers that measure ambient temperature.
  83. C. Mobile device management (MDM) technology allows administrators to control the configuration of mobile devices, such as disabling device cameras. Data loss prevention (DLP) systems may be useful in preventing the theft of confidential information but cannot disable device cameras. Intrusion prevention systems (IPS) and web application firewalls (WAF) are also good security controls but do not manage mobile device configurations.
  84. C. Stateful inspection firewalls monitor the connection status by tracking the TCP handshake. They maintain a table of active connections and automatically allow traffic that is part of an established connection without requiring the reevaluation of the ruleset for each packet. The other firewall types listed here are more primitive and do not track connection status. They simply reevaluate every packet that they receive.
  85. A. Apple Pay, Google Wallet, and similar contactless payment technologies rely upon near-field communication (NFC) to facilitate communications between a user's smartphone and the payment terminal.
  86. B. The primary issue with FTP is that it does not support the use of encryption. Credentials and other information sent via FTP are transmitted in cleartext and are open to eavesdropping attacks.
  87. B. Next-generation firewalls (NGFW) are traditional firewalls with advanced capabilities, including defense against application layer attacks, such as SQL injection. Of the choices listed, an NGFW is the best solution to meet all of these requirements. Packet filters and router ACLs would not be effective against all of the attacks listed here. A web application firewall does not normally contain the routing technology necessary to be the organization's main connection to the internet.
  88. A. UTM solutions typically perform a wide variety of security functions, including content filtering, intrusion prevention, and firewalling. They do not typically perform sandboxing, as this is typically a capability of more advanced malware prevention systems.
  89. A. Web servers use port 80 for unencrypted communications using the HTTP protocol and port 443 for encrypted communications using the HTTPS protocol. Those are the two ports that Jaime should allow through the firewall. Port 53 is used for DNS, while port 8080 is a non-standard port that's sometimes used for proxies or as an alternate location for web services. Neither of those situations are mentioned in the scenario.
  90. B. Degaussing applies strong magnetic fields to a storage device in order to remove the data that is stored magnetically on that device.
  91. B. Mobile devices purchased under contract are locked by the carrier to prevent transfers to other carriers while the contract is in place. After the expiration of the contract, the original carrier must unlock the device before the user may transfer it to another carrier.
  92. B. Ad hoc and direct Wi-Fi networks allow the establishment of Wi-Fi connectivity between devices without the use of enterprise infrastructure. Therefore, these Wi-Fi operating modes do not support the use of enterprise authentication. Wi-Fi networks using preshared keys (PSKs) use these PSKs in lieu of enterprise authentication. WPA and WPA2 both support the use of enterprise authentication in place of a PSK.
  93. C. Data loss prevention systems that use pattern matching are most likely to generate false positive reports because data in a file might match a pattern by happenstance. Watermarking and removable media control techniques do not typically generate false positive reports. Software updates would not be detected by a DLP system.
  94. C. Flood guard technology is used to block denial of service attacks on a network. Loop prevention, hold-down timers, and split horizon are all used to prevent and correct routing loops.
  95. B. The Secure Real-Time Protocol (SRTP) is a secure, encrypted protocol designed specifically to support VoIP communications. The Simple Network Management Protocol is designed to facilitate management of network devices. Secure Shell (SSH) is a tool for encrypted administrative connections to systems. Transport Layer Security (TLS) may be used to encrypt VoIP communications, but it is a general-purpose encryption protocol and is not specifically designed to secure VoIP communications.
  96. A. Email security gateways commonly perform spam filtering, malware filtering, data loss prevention, and encryption. They do not typically serve as a network firewall.
  97. D. The implicit deny rule is the last rule that's found in a firewall rulebase and is part of the firewall's default configuration. It specifies that any traffic that was not explicitly allowed by an earlier rule should be blocked.
  98. B. IP reputation services are a form of threat intelligence that provides organizations with a frequently updated list of known malicious IP addresses that can be automatically blocked at the firewall. Malware and IDS signature updates are also important security controls, but they identify patterns of suspicious activity rather than known malicious systems. Behavioral analysis systems watch for anomalous patterns of activity rather than relying upon lists of known malicious systems.
  99. A. Any of the solutions presented may resolve the issue that Ralph is experiencing, but deploying a Wi-Fi controller is the most efficient approach. Wireless controllers allow the automated modification of access point settings so that they can be adapted to the changing radio frequency environment.
  100. D. Virtual Desktop Infrastructure (VDI) environments allow employees to access a remote desktop computing environment and work within that environment without transferring data to the device used to access the VDI desktop. The choose-your-own-device (CYOD) and corporate-owned, personally enabled (COPE) models do not involve employee-owned devices. The bring-your-own-device (BYOD) model does allow the use of personal devices but does not necessarily prevent the transfer of corporate information to the device.
  101. D. The Nmap tool performs network mapping and is the ideal way for Justin to develop a list of systems providing network services. OpenSSL is an encryption tool that would not help Justin meet his goal. Netcat lists the open connections and listening services on a single system but does not do this across a network. The sqlmap tool is used to scan database applications for vulnerabilities.
  102. B. The use of a network password indicates that this network is using a preshared key (PSK) rather than user authentication. Therefore, the most likely issue is that the user is entering the PSK incorrectly.
  103. B. This attack is taking place between two systems located on the same LAN, so it is unlikely that a network-based IDS (NIDS) would detect the traffic. A host-based IDS (HIDS) would be much more likely to do so. Signature-based systems are not capable of detecting zero-day attacks, so a heuristic system would be the most likely to detect the attack.
  104. A. TLS VPNs typically use port 443, the same port that's used for HTTPS web traffic. This port is commonly allowed full outbound access through firewalls. IPsec VPNs use UDP port 500, as well as IP protocols 50 and 51. It is much more likely that this traffic will be blocked at a firewall. It is irrelevant whether Greg uses a split tunnel or full tunnel policy in this case as the policy will not help establish the connection through the firewall; it will only control what traffic is routed through the VPN connection once it is established.
  105. A. There is no indication in this scenario that Mark discovered log entries indicating any type of software failure. The failure most likely resulted from the use of malware for which the scanner did not have current signatures. This could be because the scanner had not been updated or it may be because the attacker used a zero-day/APT attack.