Friday, February 11, 2022

Security+ certification concepts, Q&As

1) A network administrator wants to restrict internal access to other parts of the network. The network restrictions must be implemented with the least amount of administrative overhead and must be hardware based. What is the best solution?
Answer: Implement firewalls between subnets to restrict access, or implement a VLAN (Virtual Local Area Network) to restrict network access.

2) Which tunneling protocol only works on IP networks?
Answer: L2TP, or PPTP.

3) Incorrectly detecting authorized access as an intrusion or attack is called a false:
Answer: Positive.

4) One of the factors that influence the lifespan of a public key certificate and its associated keys is the:
Answer: Length of the asymmetric hash, or value of the information it is used to protect.

5) When a user digitally signs a document, an asymmetric algorithm is used to encrypt:
Answer: Hash results.

6) During the digital signature process, asymmetric cryptography satisfies what security requirement?
Answer: Authentication.

7) What is the advantage of a multi-homed firewall?
Answer: If the firewall is compromised, only the systems in the DMZ (Demilitarized Zone) are exposed, or it is relatively inexpensive to implement.

8) Privileged accounts are most vulnerable immediately after a:
Answer: Privileged user is terminated, or default installation is performed.

9) One of the most effective ways for an administrator to determine what security holes reside on a network is to:
Answer: Perform a vulnerability assessment.

10) Dave is increasing the security of his Web site by adding SSL (Secure Sockets Layer). Which type of encryption does SSL use?
Answer: Public key, or symmetric.

11) As the Security Analyst for your company's network, you want to implement Single Sign-on technology. What benefit can you expect to get when implementing Single Sign-on?
Answer: You can allow for system-wide permissions with it, or you can browse multiple directories.

12) Forensic procedures must be followed exactly to ensure the integrity of data obtained in an investigation. When making copies of data from a machine that is being examined, which of the following tasks should be done to ensure it is an exact duplicate?
Answer: Open files on the original media and compare them to the copied data, or perform a cyclic redundancy check using a checksum or hashing algorithm.

13) Users who configure their passwords using simple and meaningful things such as pet names or birthdays are subject to having their account used by an intruder after what type of attack?
Answer: Brute force attack, or dictionary attack.

14) At what stage of an assessment would an auditor test systems for weaknesses and attempt to defeat existing encryption, passwords and access lists?
Answer: Penetration.

15) Following a disaster, while returning to the original site from an alternate site, the first process to resume at the original site would be the:
Answer: Most critical process, or least critical process.

16) As the Security Analyst for your company's network, you become aware that your systems may be under attack. This kind of attack is a DoS attack and the exploit sends more traffic to a node than anticipated. What kind of attack is this?
Answer: Smurf, or buffer overflow.

17) John wants to encrypt a sensitive message before sending it to one of his managers. Which type of encryption is often used for e-mail?
Answer: DES, or S/MIME.

18) A well-defined business continuity plan must consist of risk analysis, business impact analysis, strategic planning and mitigation, training and awareness, maintenance and audit, and:
Answer: Budgeting and acceptance, or integration and validation.
================================================================
Questions and answers:


Security+ SY0-101A

1. Following a disaster, while returning to the original site from an alternate site, the first process to resume at the original site would be the:

A. least critical process
B. most critical process
C. process most expensive to maintain at an alternate site
D. process that has maximum visibility in the organization

Answer: A

2. Documenting change levels and revision information is most useful for:

A. theft tracking
B. security audits
C. disaster recovery
D. license enforcement

Answer: C

3. A recent audit shows that a user logged into a server with their user account and executed a program. The user then performed activities only available to an administrator. This is an example of what type of attack?

A. Trojan horse
B. privilege escalation
C. subseven back door
D. security policy removal

Answer: B

4. Notable security organizations often recommend that only essential services be provided by a particular host and that any unnecessary services are disabled. Which of the following does NOT represent a reason supporting this recommendation?

A. Each additional service increases the risk of compromising the host, the services that run on the host, and potential clients of these services.
B. Different services may require different hardware, software, or a different discipline of administration.
C. When fewer services and applications are running on a specific host, fewer log entries and fewer interactions between different services are expected, which simplifies the analysis and maintenance of the system from a security point of view.
D. If a service is not using a well known port, firewalls will not be able to disable access to these ports and an administrator will not be able to restrict access to this service.

Answer: D

5. Which of the following is a technical solution that supports high availability?

A. UDP (User Datagram Protocol).
B. anti-virus solution.
C. RAID (Redundant Array of Independent Disks).
D. firewall.

Answer: C

6. In order for a user to obtain a certificate from a trusted CA (Certificate Authority), the user must present proof of identity and a:

A. private key.
B. public key.
C. password.
D. Kerberos key.

Answer: B

7. In the context of wireless networks, WEP (Wired Equivalent Privacy) was designed to:

A. provide the same level of security as a wired LAN (Local Area Network).
B. provide a collision preventive method of media access.
C. provide a wider access area than that of wired LANs (Local Area Network).
D. allow radio frequencies to penetrate walls.

Answer: A

8. A primary drawback to using shared storage clustering for high availability and disaster recovery is:

A. the creation of a single point of vulnerability.
B. the increased network latency between the host computers and the RAID (Redundant Array of Independent Disks) subsystem.
C. the asynchronous writes which must be used to flush the server cache.
D. the higher storage capacity required by the RAID (Redundant Array of Independent Disks) subsystem.

Answer: A

9. What are access decisions based on in a MAC (Mandatory Access Control) environment?

A. access control lists.
B. ownership.
C. group membership.
D. sensitivity labels.

Answer: D

10. Packet sniffing can be used to obtain username and password information in clear text from which one of the following?

A. SSH (Secure Shell).
B. SSL (Secure Sockets Layer).
C. FTP (File Transfer Protocol).
D. HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer).

Answer: C

11. When securing an FTP (File Transfer Protocol) server, what can be done to ensure that only authorized users can access the server?

A. allow blind authentication.
B. disable anonymous authentication.
C. redirect FTP (File Transfer Protocol) to another port.
D. only give the address to users that need access.

Answer: B

12. Asymmetric cryptography ensures that:

A. encryption and authentication can take place without sharing private keys.
B. encryption of the secret key is performed with the fastest algorithm available.
C. encryption occurs only when both parties have been authenticated.
D. encryption factoring is limited to the session key.

Answer: A

13. Which of the following media types is most immune to RF (Radio Frequency) eavesdropping?

A. coaxial cable.
B. fiber optic cable.
C. twisted pair wire.
D. unbounded.

Answer: B

14. Access controls that are created and administered by the data owner are considered:

A. MAC (Mandatory Access Control).
B. RBAC (Role Based Access Control).
C. LBAC (List Based Access Control).
D. DAC (Discretionary Access Control).

Answer: D

15. An administrator notices that an e-mail server is currently relaying e-mail (including spam) for any e-mail server requesting relaying. Upon further investigation the administrator notices the existence of /etc/mail/relay-domains. What modifications should the administrator make to the relay domains file to prevent relaying for non-explicitly named domains?

A. move the .* entry to the bottom of the relay domains file and restart the e-mail process.
B. move the .* entry to the top of the relay domains file and restart the e-mail process.
C. delete the .* entry in the relay domains file and restart the e-mail process.
D. delete the relay domains file from the /etc/mail folder and restart the e-mail process.

Answer: C

16. Providing false information about the source of an attack is known as:

A. aliasing.
B. spoofing.
C. flooding.
D. redirecting.

Answer: B

17. The term “due care” best relates to:

A. policies and procedures intended to reduce the likelihood of damage or injury.
B. scheduled activity in a comprehensive preventative maintenance program.
C. techniques and methods for secure shipment of equipment and supplies.
D. user responsibilities involved when sharing passwords in a secure environment.

Answer: A

18. A high profile company has been receiving a high volume of attacks on their public web site. The network administrator wants to be able to collect information on the attacker(s) so legal action can be taken. What should be implemented?

A. a DMZ (Demilitarized Zone).
B. a honey pot.
C. a firewall.
D. a new subnet.

Answer: B

19. Many intrusion detection systems look for known patterns or____ to aid in detecting attacks.

A. viruses.
B. signatures.
C. hackers.
D. malware.

Answer: B

20. After installing a new operating system, what configuration changes should be implemented?

A. create application user accounts.
B. rename the guest account.
C. rename the administrator account, disable the guest accounts.
D. create a secure administrator account.

Answer: C

21. In order to establish a secure connection between headquarters and a branch office over a public network, the router at each location should be configured to use IPSec (Internet Protocol Security) in ____ mode.

A. secure.
B. tunnel.
C. transport.
D. data link.

Answer: B

22. What type of authentication may be needed when a stored key and a memorized password are not strong enough and additional layers of security are needed?

A. mutual.
B. multi-factor.
C. biometric.
D. certificate.

Answer: B

23. What technology was originally designed to decrease broadcast traffic but is also beneficial in reducing the likelihood of having information compromised by sniffers?

A. VPN (Virtual Private Network).
B. DMZ (Demilitarized Zone).
C. VLAN (Virtual Local Area Network).
D. RADIUS (Remote Authentication Dial-in User Service).

Answer: C

24. A DMZ (Demilitarized Zone) typically contains:

A. a customer account database.
B. staff workstations.
C. an FTP (File Transfer Protocol) server.
D. a SQL (Structured Query Language) based database server.

Answer: C

25. What kind of attack are hashed passwords vulnerable to?

A. man in the middle.
B. dictionary or brute force.
C. reverse engineering.
D. DoS (Denial of Service).

Answer: B

26. Controlling access to information systems and associated networks is necessary for the preservation of their:

A. authenticity, confidentiality, and availability.
B. integrity, availability and reliability.
C. confidentiality, integrity and availability.
D. authenticity, confidentiality and availability.

Answer: C

27. A collection of information that includes login, file access, other various activities, and actual or attempted legitimate and unauthorized security violations is a (n):

A. audit.
B. ACL (Access Control List).
C. audit trail.
D. syslog.

Answer: C

28. What transport protocol and port number does SSH (Secure Shell) use?

A. TCP (Transmission Control Protocol) port 22.
B. UDP (User Datagram Protocol) port 69.
C. TCP (Transmission Control Protocol) port 179.
D. UDP (User Datagram Protocol) port 17.

Answer: A

29. What statement is most true about viruses and hoaxes?

A. Hoaxes can create as much damage as a real virus.
B. Hoaxes are harmless pranks and should be ignored.
C. Hoaxes can help educate users about a virus.
D. Hoaxes carry a malicious payload and can be destructive.

Answer: A

30. What is the greatest benefit to be gained through the use of S/MIME (Secure Multipurpose Internet Mail Extensions)? The ability to:

A. encrypt and digitally sign e-mail messages.
B. send anonymous e-mails.
C. send e-mails with a return receipt.
D. expedite the delivery of e-mail.

Answer: A

31. Access control decisions are based on responsibilities that an individual user or process has in an organization. This best describes:

A. MAC (Mandatory Access Control).
B. RBAC (Role Based Access Control).
C. DAC (Discretionary Access Control).
D. none of the above.

Answer: B

32. Which of the following results in a domain name server resolving the domain name to a different and wrong IP (Internet Protocol) address and thus misdirecting Internet traffic?

A. DoS (Denial of Service).
B. spoofing.
C. brute force attack.
D. reverse DNS (Domain Name Service).
E. None of the above.

Answer: B

33. When examining the server’s list of protocols that are bound and active on each network interface card, the network administrator notices a relatively large number of protocols. Which actions should be taken to ensure network security?

A. Unnecessary protocols do not pose a significant risk to the system and should be left intact for compatibility reasons.
B. There are no unneeded protocols on most systems because protocols are chosen during the installation.
C. Unnecessary protocols should be disabled on all server and client machines on a network as they pose great risk.
D. Using port filtering ACLs (Access Control Lists) at firewalls and routers is sufficient to stop malicious attacks on unused protocols.

Answer: C

34. If a private key becomes compromised before its certificate’s normal expiration date, X.509 defines a method requiring each CA (Certificate Authority) to periodically issue a signed data structure called a certificate:

A. enrollment list.
B. expiration list.
C. revocation list.
D. validation list.

Answer: C

35. DAC (Discretionary Access Control) systems operate following which guideline statement?

A. files that don’t have an owner CAN NOT be modified.
B. the administrator of the system is an owner of each object.
C. the operating system is an owner of each object.
D. each object has an owner, which has full control over the object.

Answer: D

36. An autonomous agent that copies itself into one or more host programs, then propagates when the host is run, is best described as a:

A. Trojan horse.
B. backdoor.
C. logic bomb.
D. virus.

Answer: D

37. The de facto IT (Information Technology) security evaluation criteria for the international community is called:

A. Common Criteria.
B. Global Criteria.
C. TCSEC (Trusted Computer System Evaluation Criteria).
D. ITSEC (Information Technology Security Evaluation Criteria).

Answer: A

38. The best protection against the abuse of remote maintenance of a PBX (Private Branch Exchange) system is to:

A. keep maintenance features turned off until needed.
B. insist on strong authentication before allowing remote maintenance.
C. keep the PBX (Private Branch Exchange) in a locked enclosure and restrict access to only a few people.
D. check to see if the maintenance caller is on the list of approved maintenance personnel.

Answer: B

39. At what stage of an assessment would an auditor test systems for weaknesses and attempt to defeat existing encryption, passwords and access lists?

A. penetration.
B. control.
C. audit planning.
D. discovery.

Answer: A

40. Computer forensics experts collect and analyze data using which of the following guidelines so as to minimize data loss?

A. evidence.
B. chain of custody.
C. chain of command.
D. incident response.

Answer: B

41. Data integrity is best achieved using a (n):

A. asymmetric cipher.
B. digital certificate.
C. message digest.
D. symmetric cipher.

Answer: C

42. A program that can infect other programs by modifying them to include a version of itself is a:

A. replicator.
B. virus.
C. Trojan horse.
D. logic bomb.

Answer: B

43. Which of the following is an example of an asymmetric algorithm?

A. CAST (Carlisle Adams Stafford Tavares).
B. RC5 (Rivest Cipher 5).
C. RSA (Rivest Shamir Adleman).
D. SHA-1 (Secure Hashing Algorithm 1).

Answer: C

44. When a user clicks to browse a secure page, the SSL (Secure Sockets Layer) enabled server will first:

A. use its digital certificate to establish its identity to the browser.
B. validate the user by checking the CRL (Certificate Revocation List).
C. request the user to produce the CRL (Certificate Revocation List).
D. display the requested page on the browser, then provide its IP (Internet Protocol) address for verification.

Answer: A

45. User A needs to send a private e-mail to User B. User A does not want anyone to have the ability to read the e-mail except for User B, thus retaining privacy. Which tenet of information security is User A concerned about?

A. authentication.
B. integrity.
C. confidentiality.
D. non-repudiation.

Answer: C

46. A company uses WEP (Wired Equivalent Privacy) for wireless security. Who may authenticate to the company’s access point?

A. only the administrator.
B. anyone can authenticate.
C. only users within the company.
D. only users with the correct WEP (Wired Equivalent Privacy) key.

Answer: D

47. Giving each user or group of users only the access they need to do their job is an example of which security principle?

A. least privilege
B. defense in depth
C. separation of duties
D. access control

Answer: A

48. The primary purpose of NAT (Network Address Translation) is to:

A. translate IP (Internet Protocol) addresses into user friendly names.
B. hide internal hosts from the public network.
C. use one public IP (Internet Protocol) address on the internal network as a name server.
D. hide the public network from internal hosts.

Answer: B

49. The start of the LDAP (Lightweight Directory Access Protocol) directory is called the:

A. head
B. root
C. top
D. tree

Answer: B

50. The protection of data, against unauthorized access or disclosure is an example of what?

A. confidentiality
B. integrity
C. signing
D. hashing

Answer: A

51. Which of the following backup methods copies only modified files since the last full backup?

A. full.
B. differential.
C. incremental.
D. archive.

Answer: B

52. While connected from home to an ISP (Internet Service Provider), a network administrator performs a port scan against a corporate server and encounters four open TCP (Transmission Control Protocol) ports: 25, 110, 143, and 389. Corporate users in the organization must be able to connect from home, send and receive messages on the Internet, read e-mail by means of the IMAPv4 (Internet Message Access Protocol version 4) protocol, and search a directory services database for user e-mail addresses and digital certificates. All the e-mail related services, as well as the directory server, run on the scanned server. Which of the above ports can be filtered out to decrease unnecessary exposure without affecting functionality?

A. 25.
B. 110.
C. 143.
D. 389.

Answer: B

53. In a decentralized privilege management environment, user accounts and passwords are stored on:

A. one central authentication server.
B. each individual server.
C. no more than two servers.
D. one server configured for decentralized management.

Answer: B

54. A well-defined business continuity plan must consist of risk analysis, business impact analysis, strategic planning and mitigation, training and awareness, maintenance and audit, and:

A. security labeling and classification.
B. budgeting and acceptance.
C. documentation and security labeling.
D. integration and validation.

Answer: D

55. One way to limit hostile sniffing on a LAN (Local Area Network) is by installing:

A. an Ethernet switch.
B. an Ethernet hub.
C. a CSU/DSU (Channel Service Unit/Data Service Unit).
D. a firewall.

Answer: A

56. The WAP (Wireless Application Protocol) programming model is based on the following three elements:

A. client, original server, WEP (Wired Equivalent Privacy).
B. code design, code review, documentation.
C. client, original server, wireless interface card.
D. client, gateway, original server.

Answer: D

57. The first step in establishing a disaster recovery plan is to:

A. get budgetary approval for the plan.
B. agree on the objectives of the plan.
C. list possible alternative sites to be used in a disaster event.
D. prioritize processes requiring immediate attention in a disaster event.

Answer: B

58. When securing a DNS (Domain Name Service) server, and shutting down all unnecessary ports, which port should NOT be shut down?

A. 21
B. 23
C. 53
D. 55

Answer: C

59. What is the main advantage SSL (Secure Sockets Layer) has over HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer)?

A. SSL (Secure Sockets Layer) offers full application security for HTTP (Hypertext Transfer Protocol) while HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) does not.
B. SSL (Secure Sockets Layer) supports additional application layer protocols such as FTP (File Transfer Protocol) and NNTP (Network News Transport Protocol) while HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) does not.
C. SSL (Secure Sockets Layer) and HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) are transparent to the application.
D. SSL (Secure Sockets Layer) supports user authentication and HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) does not.

Answer: B

60. A sound security policy will define:

A. what is considered an organization’s assets.
B. what attacks are planned against the organization.
C. how an organization compares to others in security audits.
D. weaknesses in competitor’s systems.

Answer: A

61. What functionality should be disallowed between a DNS (Domain Name Service) server and an untrusted node?

A. name resolution.
B. reverse ARP (Address Resolution Protocol) requests.
C. system name resolution.
D. zone transfers.

Answer: D

62. What is the most effective social engineering defensive strategy?

A. marking of documents.
B. escorting of guests.
C. badge security system.
D. training and awareness.

Answer: D

63. An IDS (Intrusion Detection System) is sending alerts that attacks are occurring which are not actually taking place. What is the IDS (Intrusion Detection System) registering?

A. false positives.
B. false negatives.
C. true negatives.
D. true positives.

Answer: A

64. When an employee is dismissed, the security administrator should:

A. allow the employee to backup computer files then disable network access.
B. change all network passwords.
C. disable the employee’s network access.
D. set rules to forward the employee’s e-mail to a home address.

Answer: C

65. How are honey pots used to collect information? Honey pots collect:

A. IP (Internet Protocol) addresses and identity of internal users.
B. data on the identity, access, and compromise methods used by the intruder.
C. data regarding the identity of servers within the network.
D. IP (Internet Protocol) addresses and data of firewalls used within the network.

Answer: B

66. How must a firewall be configured to only allow employees within the company to download files from an FTP (File Transfer Protocol) server?

A. open port 119 to all inbound connections.
B. open port 119 to all outbound connections.
C. open port 20/21 to all inbound connections.
D. open port 20/21 to all outbound connections.

Answer: D

67. Administrators currently use telnet to remotely manage several servers. Security policy dictates that passwords and administrative activities must not be communicated in clear text. Which of the following is the best alternative to using telnet?

A. DES (Data Encryption Standard).
B. S-Telnet.
C. SSH (Secure Shell).
D. PKI (Public Key Infrastructure).

Answer: C

68. Which of the following provides privacy, data integrity and authentication for handheld devices in a wireless network environment?

A. WEP (Wired Equivalent Privacy).
B. WAP (Wireless Application Protocol).
C. WSET (Wireless Secure Electronic Transaction).
D. WTLS (Wireless Transport Layer Security).

Answer: D

69. Analyzing log files after an attack has started is an example of:

A. active detection.
B. overt detection.
C. covert detection.
D. passive detection.

Answer: D

70. How many characters should the minimum length of a password be to deter dictionary password cracks?

A. 6.
B. 8.
C. 10.
D. 12.

Answer: B

71. An acceptable use policy signed by an employee can be interpreted as an employee’s written______ for allowing an employer to search an employee’s workstation.

A. refusal.
B. policy.
C. guideline.
D. consent.

Answer: D

72. What protocol can be used to create a VPN (Virtual Private Network)?

A. PPP (Point-to-Point Protocol).
B. PPTP (Point-to-Point Tunneling Protocol).
C. SLIP (Serial Line Internet Protocol).
D. ESLIP (Encrypted Serial Line Internet Protocol).

Answer: B

73. An attack whereby two different messages using the same hash function produce a common message digest is also known as a:

A. man in the middle attack.
B. cipher text only attack.
C. birthday attack.
D. brute force attack.

Answer: C

74. A common algorithm used to verify the integrity of data from a remote user through the creation of a 128-bit hash from a data input is:

A. IPSec (Internet Protocol Security).
B. RSA (Rivest Shamir Adleman).
C. Blowfish.
D. MD5 (Message Digest 5).

Answer: D

75. In an RBAC (Role Based Access Control) context, which statement best describes the relation between users, roles and operations?

A. multiple users, single role and single operation.
B. multiple users, single role and multiple operations.
C. single user, single role and single operation.
D. multiple users, multiple roles and multiple operations.

Answer: D

76. An administrator is setting permissions on a file object in a network operating system which uses DAC (Discretionary Access Control). The ACL (Access Control List) of the file follows:

Owner: Read, Write, Execute
User A: Read, Write, -
User B: -, -, - (None)
Sales: Read, -, -
Marketing: -, Write, -
Other: Read, Write, -

User "A" is the only owner of the file. User "B" is a member of the Sales group. What effective permissions does User "B" have on the file with the above access list?

A. User B has no permissions on the file.
B. User B has read permissions on the file.
C. User B has read and write permissions on the file.
D. User B has read, write and execute permissions on the file.

Answer: A

77. A user who has accessed an information system with a valid user ID and password combination is considered a (n):

A. manager
B. user
C. authenticated user
D. security officer

Answer: C

78. The use of embedded root certificates within web browsers is an example of which of the following trust models?

A. bridge.
B. mesh.
C. hierarchy.
D. trust list.

Answer: D

79. What is the most common method used by attackers to identify the presence of an 802.11b network?

A. war driving.
B. direct inward dialing.
C. war dialing.
D. packet driving.

Answer: A

80. The best way to harden an application that is developed in house is to:

A. use an industry recommended hardening tool.
B. ensure that security is given due considerations throughout the entire development process.
C. try attacking the application to detect vulnerabilities, then develop patches to fix any vulnerabilities found.
D. ensure that the auditing system is comprehensive enough to detect and log any possible intrusion, identifying existing vulnerabilities.

Answer: B

81. A security consideration that is introduced by a VPN (Virtual Private Network) is:

A. an intruder can intercept VPN (Virtual Private Network) traffic and create a man in the middle attack.
B. captured data is easily decrypted because there are a finite number of encryption keys.
C. tunneled data CAN NOT be authenticated, authorized or accounted for.
D. a firewall CAN NOT inspect encrypted traffic.

Answer: D

82. Which of the following would NOT be considered a method for managing the administration of accessibility?

A. DAC (Discretionary Access Control) list.
B. SAC (Subjective Access Control) list.
C. MAC (Mandatory Access Control) list.
D. RBAC (Role Based Access Control) list.

Answer: B

83. Which of the following is required to use S/MIME (Secure Multipurpose Internet Mail Extensions)?

A. digital certificate.
B. server side certificate.
C. SSL (Secure Sockets Layer) certificate.
D. public certificate.

Answer: A

84. Non-repudiation is generally used to:

A. protect the system from transmitting various viruses, worms and Trojan horses to other computers on the same network.
B. protect the system from DoS (Denial of Service) attacks.
C. prevent the sender or the receiver from denying that the communication between them has occurred.
D. ensure the confidentiality and integrity of the communication.

Answer: C

85. Which of the following hash functions generates a 160-bit output?

A. MD4 (Message Digest 4).
B. MD5 (Message Digest 5).
C. DES (Data Encryption Standard).
D. SHA-1 (Secure Hashing Algorithm 1).

Answer: D

86. Why are unique user IDs critical in the review of audit trails?

A. They CAN NOT be easily altered.
B. They establish individual accountability.
C. They show which files were changed.
D. They trigger corrective controls.

Answer: B

87. A DRP (Disaster Recovery Plan) typically includes which of the following:

A. penetration testing.
B. risk assessment.
C. DoS (Denial of Service) attack.
D. ACL (Access Control List).

Answer: B

88. An attacker can determine what network services are enabled on a target system by:

A. installing a rootkit on the target system.
B. checking the services file.
C. enabling logging on the target system.
D. running a port scan against the target system.

Answer: D

89. A police department has three types of employees: booking officers, investigators, and judges. Each group of employees is allowed different rights to files based on their need. The judges do not need access to the fingerprint database, the investigators need read access and the booking officers need read/write access. The booking officer would need no access to warrants, while an investigator would need read access and a judge would need read/write access. This is an example of:

A. DAC (Discretionary Access Control) level access control.
B. RBAC (Role Based Access Control) level access control.
C. MAC (Mandatory Access Control) level access control.
D. ACL (Access Control List) level access control.

Answer: B

90. Which of the following access control models introduces user security clearance and data classification?

A. RBAC (Role Based Access Control).
B. NDAC (Non-Discretionary Access Control).
C. MAC (Mandatory Access Control).
D. DAC (Discretionary Access Control).

Answer: C

91. A wireless network with three access points, two of which are used as repeaters, exists at a company. What step should be taken to secure the wireless network?

A. Ensure that employees use complex passwords.
B. Ensure that employees are only using issued wireless cards in their systems.
C. Ensure that WEP (Wired Equivalent Privacy) is being used.
D. Ensure that everyone is using ad hoc mode.

Answer: C

92. Digital certificates can contain which of the following items:

A. the CA’s (Certificate Authority) private key.
B. the certificate holder’s private key.
C. the certificate’s revocation information.
D. the certificate’s validity period.

Answer: D

93. Which encryption key is used to verify a digital signature?

A. the signer’s public key.
B. the signer’s private key.
C. the recipient's public key.
D. the recipient's private key.

Answer: A

94. NetBus and Back Orifice are each considered an example of a(n):

A. virus.
B. illicit server.
C. spoofing tool.
D. allowable server.

Answer: B
95. The theft of network passwords without the use of software tools is an example of:

A. Trojan programs.
B. social engineering.
C. sniffing.
D. hacking.

Answer: B

96. An alternate site configured with necessary system hardware, supporting infrastructure and an on site staff able to respond to an activation of a contingency plan 24 hours a day, 7 days a week is a:

A. cold site.
B. warm site.
C. mirrored site.
D. hot site.

Answer: D

97. Security controls may become vulnerabilities in a system unless they are:

A. designed and implemented by the system vendor.
B. adequately tested.
C. implemented at the application layer in the system.
D. designed to use multiple factors of authentication.

Answer: B

98. Which of the following is likely to be found after enabling anonymous FTP (File Transfer Protocol) read/write access?

A. an upload and download directory for each user.
B. detailed logging information for each user.
C. storage and distribution of unlicensed software.
D. fewer server connections and less network bandwidth utilization.

Answer: C

99. LDAP (Lightweight Directory Access Protocol) directories are arranged as:

A. linked lists.
B. trees.
C. stacks.
D. queues.

Answer: B

100. An inherent flaw of DAC (Discretionary Access Control) relating to security is:

A. DAC (Discretionary Access Control) relies only on the identity of the user or process, leaving room for a Trojan horse.
B. DAC (Discretionary Access Control) relies on certificates, allowing attackers to use those certificates.
C. DAC (Discretionary Access Control) does not rely on the identity of a user, allowing anyone to use an account.
D. DAC (Discretionary Access Control) has no known security flaws.

Answer: A

Security+ SYO-101B


101. Which of the following is the greatest problem associated with Instant Messaging?

A. widely deployed and difficult to control.
B. created without security in mind.
C. easily spoofed.
D. created with file sharing enabled.

Answer: B

102. An organization is implementing Kerberos as its primary authentication protocol. Which of the following must be deployed for Kerberos to function properly?

A. dynamic IP (Internet Protocol) routing protocols for routers and servers.
B. separate network segments for the realms.
C. token authentication devices.
D. time synchronization services for clients and servers.

Answer: D

103. Searching through trash is used by an attacker to acquire data such as network diagrams, IP (Internet Protocol) address lists and:

A. boot sectors.
B. process lists.
C. old passwords.
D. virtual memory.

Answer: C

104. Discouraging employees from misusing company e-mail is best handled by:

A. enforcing ACL (Access Control List).
B. creating a network security policy.
C. implementing strong authentication.
D. encrypting company e-mail messages.

Answer: B

105. The Diffie-Hellman algorithm allows:

A. access to digital certificate stores from a certificate authority.
B. a secret key exchange over an insecure medium without any prior secrets.
C. authentication without the use of hashing algorithms.
D. multiple protocols to be used in key exchange negotiations.

Answer: B

106. Which of the following types of attack CANNOT be deterred solely through technical means?

A. dictionary.
B. man in the middle.
C. DoS (Denial of Service).
D. social engineering.

Answer: D

107. Which of the following is the best description of “separation of duties”?

A. assigning different parts of tasks to different employees.
B. employees are granted only the privileges necessary to perform their tasks.
C. each employee is granted specific information that is required to carry out a job function.
D. screening employees before assigning them to a position.

Answer: A

108. How must a firewall be configured to make sure that a company can communicate with other companies using SMTP (Simple Mail Transfer Protocol) e-mail?

A. Open TCP (Transmission Control Protocol) port 110 to all inbound and outbound connections.
B. Open UDP (User Datagram Protocol) port 110 to all inbound connections.
C. Open UDP (User Datagram Protocol) port 25 to all inbound connections.
D. Open TCP (Transmission Control Protocol) port 25 to all inbound and outbound connections.

Answer: D

109. An organization’s primary purpose in conducting risk analysis in dealing with computer security is:

A. to identify vulnerabilities to the computer systems within the organization.
B. to quantify the impact of potential threats in relation to the cost of lost business-functionality.
C. to identify how much it will cost to implement countermeasures.
D. to delegate responsibility.

Answer: B

110. A user wants to send an e-mail and ensure that the message is not tampered with while in transit. Which feature of modern cryptographic systems will facilitate this?

A. confidentiality.
B. authentication.
C. integrity.
D. non-repudiation.

Answer: C

111. WTLS (Wireless Transport Layer Security) provides security services between a mobile device and a:

A. WAP (Wireless Application Protocol) gateway.
B. web server.
C. wireless client.
D. wireless network interface card.

Answer: A

112. What are three measures which aid in the prevention of a social engineering attack?

A. education, limit available information and security policy.
B. education, firewalls and security policy.
C. security policy, firewalls and incident response.
D. security policy, system logging and incident response.

Answer: A

113. A server placed into service for the purpose of attracting a potential intruder’s attention is known as a:

A. honey pot.
B. lame duck.
C. teaser.
D. pigeon.

Answer: A

114. Which of the following would be most effective in preventing network traffic sniffing?

A. deploy an IDS (Intrusion Detection System).
B. disable promiscuous mode.
C. use hubs instead of routers.
D. use switches instead of hubs.

Answer: D

115. What ports does FTP (File Transfer Protocol) use?

A. 20 and 21.
B. 25 and 110.
C. 80 and 443.
D. 161 and 162.

Answer: A

116. A decoy system that is designed to divert an attacker from accessing critical systems while collecting information about the attacker’s activity, and encouraging the attacker to stay on the system long enough for administrators to respond, is known as:

A. DMZ (Demilitarized Zone).
B. honey pot.
C. intrusion detector.
D. screened host.

Answer: B

117. An e-mail relay server is mainly used to:

A. block all spam, which allows the e-mail system to function more efficiently without the additional load of spam.
B. prevent viruses from entering the network.
C. defend the primary e-mail server and limit the effects of any attack.
D. eliminate e-mail vulnerabilities since all e-mail is passed through the relay first.

Answer: C

118. What network mapping tool uses ICMP (Internet Control Message Protocol)?

A. port scanner.
B. map scanner.
C. ping scanner.
D. share scanner.

Answer: C

119. Which two protocols are VPN (Virtual Private Network) tunneling protocols?

A. PPP (Point-to-Point Protocol) and SLIP (Serial Line Internet Protocol).
B. PPP (Point-to-Point Protocol) and PPTP (Point-to-Point Tunneling Protocol).
C. L2TP (Layer Two Tunneling Protocol) and PPTP (Point-to-Point Tunneling Protocol).
D. SMTP (Simple Mail Transfer Protocol) and L2TP (Layer Two Tunneling Protocol).

Answer: C

120. File encryption using symmetric cryptography satisfies what security requirement?

A. confidentiality.
B. access control.
C. data integrity.
D. authentication.

Answer: A

121. An e-mail is received alerting the network administrator to the presence of a virus on the system if a specific executable file exists. What should be the first course of action?

A. Investigate the e-mail as a possible hoax with a reputable anti-virus vendor.
B. Immediately search for and delete the file if discovered.
C. Broadcast a message to the entire organization to alert users to the presence of a virus.
D. Locate and download a patch to repair the file.

Answer: A

122. Part of a fire protection plan for a computer room should include:

A. procedures for an emergency shutdown of equipment.
B. a sprinkler system that exceeds local code requirements.
C. the exclusive use of non-flammable materials within the room.
D. fireproof doors that can be easily opened if an alarm is sounded.

Answer: A

123. Which of the following is an HTTP (Hypertext Transfer Protocol) extension or mechanism used to retain connection data, user information, history of sites visited, and can be used by attackers for spoofing an on-line identity?

A. HTTPS (Hypertext Transfer Protocol over SSL).
B. cookies.
C. HTTP (Hypertext Transfer Protocol)/1.0 caching.
D. vCard v3.0.

Answer: B

124. ActiveX controls __________ to prove where they originated.

A. are encrypted.
B. are stored on the web server.
C. use SSL (Secure Sockets Layer).
D. are digitally signed.

Answer: D

125. A virus that hides itself by intercepting disk access requests is:

A. multipartite.
B. stealth.
C. interceptor.
D. polymorphic.

Answer: B

126. When a potential hacker looks through trash, the most useful items or information that might be found include all except:

A. an IP (Internet Protocol) address.
B. system configuration or network map.
C. old passwords.
D. system access requests.

Answer: D

127. A user logs onto a workstation using a smart card containing a private key. The user is verified when the public key is successfully factored with the private key. What security service is being provided?

A. authentication.
B. confidentiality.
C. integrity.
D. non-repudiation.

Answer: A

128. In cryptographic operations, digital signatures can be used for which of the following systems?

A. encryption.
B. asymmetric key.
C. symmetric and encryption.
D. public and decryption.

Answer: B

129. Which of the following programs is able to distribute itself without using a host file?

A. virus.
B. Trojan horse.
C. logic bomb.
D. worm.

Answer: D

130. Malicious code is installed on a server that will e-mail system keystrokes stored in a text file to the author and delete system logs every five days or whenever a backup is performed. What type of program is this?

A. virus.
B. back door.
C. logic bomb.
D. worm.

Answer: C

131. What is a common type of attack on web servers?

A. birthday.
B. buffer overflow.
C. spam.
D. brute force.

Answer: B

132. Digital signatures can be used for which of the following?

A. availability.
B. encryption.
C. decryption.
D. non-repudiation.

Answer: D

133. Malicious port scanning is a method of attack to determine which of the following?

A. computer name
B. the fingerprint of the operating system
C. the physical cabling topology of a network
D. user IDs and passwords

Answer: B

134. What should be done to secure a DHCP (Dynamic Host Configuration Protocol) service?

A. block ports 67 and 68 at the firewall.
B. block port 53 at the firewall.
C. block ports 25 and 26 at the firewall.
D. block port 110 at the firewall.

Answer: A

135. During the digital signature process, asymmetric cryptography satisfies what security requirement?

A. confidentiality.
B. access control.
C. data integrity.
D. authentication.

Answer: D

136. Which security method is in place when the administrator of a network enables access lists on the routers to disable all ports that are not used?

A. MAC (Mandatory Access Control).
B. DAC (Discretionary Access Control).
C. RBAC (Role Based Access Control).
D. SAC (Subjective Access Control).

Answer: A

137. What is the first step before a wireless solution is implemented?

A. ensure ad hoc mode is enabled on the access points.
B. ensure that all users have strong passwords.
C. purchase only Wi-Fi (Wireless Fidelity) equipment.
D. perform a thorough site survey.

Answer: D

138. A system administrator discovers suspicious activity that might indicate a computer crime. The administrator should first:

A. refer to incident response plan.
B. change ownership of any related files to prevent tampering.
C. move any related programs and files to non-erasable media.
D. set the system time to ensure any logged information is accurate.

Answer: A

139. The information that governs and associates users and groups to certain rights to use, read, write, modify, or execute objects on the system is called a(n):

A. public key ring.
B. ACL (Access Control List).
C. digital signature.
D. CRL (Certificate Revocation Lists).

Answer: B

140. Which of the following is expected network behavior?

A. traffic coming from or going to unexpected locations.
B. non-standard or malformed packets/protocol violations.
C. repeated, failed connection attempts.
D. changes in network performance such as variations in traffic load.

Answer: D

141. Security training should emphasize that the weakest links in the security of an organization are typically:

A. firewalls.
B. policies.
C. viruses.
D. people.

Answer: D

142. For system logging to be an effective security measure, an administrator must:

A. review the logs on a regular basis.
B. implement circular logging.
C. configure the system to shut down when the logs are full.
D. configure SNMP (Simple Network Management Protocol) traps for logging events.

Answer: A

143. A perimeter router is configured with a restrictive ACL (Access Control List). Which transport layer protocols and ports must be allowed in order to support L2TP (Layer Two Tunneling Protocol) and PPTP (Point-to-Point Tunneling Protocol) connections respectively, through the perimeter router?

A. TCP (Transmission Control Protocol) port 635 and UDP (User Datagram Protocol) port 654
B. TCP (Transmission Control Protocol) port 749 and UDP (User Datagram Protocol) port 781
C. UDP (User Datagram Protocol) port 1701 and TCP (Transmission Control Protocol) port 1723
D. TCP (Transmission Control Protocol) port 1812 and UDP (User Datagram Protocol) port 1813

Answer: C

144. Which of the following keys is contained in a digital certificate?

A. public key.
B. private key.
C. hashing key.
D. session key.

Answer: A

145. Which of the following options describes a challenge-response session?

A. a workstation or system that generates a random challenge string that the user enters when prompted along with the proper PIN (Personal Identification Number).
B. a workstation or system that generates a random login ID that the user enters when prompted along with the proper PIN (Personal Identification Number).
C. a special hardware device that is used to generate random text in a cryptography system.
D. the authentication mechanism in the workstation or system does not determine if the owner should be authenticated.

Answer: A

146. Message authentication codes are used to provide which service?

A. integrity.
B. fault recovery.
C. key recovery.
D. acknowledgement.

Answer: A

147. Single servers are frequently the targets of attacks because they contain:

A. application launch scripts.
B. security policy settings.
C. credentials for many systems and users.
D. master encryption keys.

Answer: C

148. Sensitive data traffic can be confined to workstations on a specific subnet using privilege policy based tables in the:

A. router.
B. server.
C. modem.
D. VPN (Virtual Private Network).

Answer: A

149. Which one of the following would most likely lead to a CGI (Common Gateway Interface) security problem?

A. HTTP (Hypertext Transfer Protocol) protocol.
B. compiler or interpreter that runs the CGI (Common Gateway Interface) script.
C. the web browser.
D. external data supplied by the user.

Answer: D

150. An attacker manipulates what field of an IP (Internet Protocol) packet in an IP (Internet Protocol) spoofing attack?

A. version field.
B. source address field.
C. source port field.
D. destination address field.

Answer: B

151. What is the best method of defense against IP (Internet Protocol) spoofing attacks?

A. deploying intrusion detection systems.
B. creating a DMZ (Demilitarized Zone).
C. applying ingress filtering to routers.
D. There is not a good defense against IP (Internet Protocol) spoofing.

Answer: C

152. What access control principle requires that every user or process is given the most restricted privileges?

A. control permissions.
B. least privilege.
C. hierarchical permissions.
D. access mode.

Answer: B

153. Incorrectly detecting authorized access as an intrusion or attack is called a false:

A. negative.
B. intrusion.
C. positive.
D. alarm.

Answer: C

154. A VPN (Virtual Private Network) using IPSec (Internet Protocol Security) in the tunnel mode will provide encryption for the:

A. one time pad used in handshaking.
B. payload and message header.
C. hashing algorithm and all e-mail messages.
D. message payload only.

Answer: B

155. When implementing Kerberos authentication, which of the following factors must be accounted for?

A. Kerberos can be susceptible to man in the middle attacks to gain unauthorized access.
B. Kerberos tickets can be spoofed using replay attacks to network resources.
C. Kerberos requires a centrally managed database of all user and resource passwords.
D. Kerberos uses clear text passwords.

Answer: C

156. Which of the following protocols is most similar to SSLv3 (Secure Sockets Layer version 3)?

A. TLS (Transport Layer Security).
B. MPLS (Multi-Protocol Label Switching).
C. SASL (Simple Authentication and Security Layer).
D. MLS (Multi-Layer Switching).

Answer: A

157. How should a primary DNS (Domain Name Service) server be configured to provide the best security against DoS (Denial of Service) and hackers?

A. disable the DNS (Domain Name Service) cache function.
B. disable application services other than DNS (Domain Name Service).
C. disable the DNS (Domain Name Service) reverse lookup function.
D. allow only encrypted zone transfer to a secondary DNS (Domain Name Service) server.

Answer: B

158. What type of security process will allow others to verify the originator of an e-mail message?

A. authentication.
B. integrity.
C. non-repudiation.
D. confidentiality.

Answer: C

159. Which of the following statements is true about Network based IDS (Intrusion Detection System)?

A. Network based IDS (Intrusion Detection System) are never passive devices that listen on a network wire without interfering with the normal operation of a network.
B. Network based IDS (Intrusion Detection System) are usually passive devices that listen on a network wire while interfering with the normal operation of a network.
C. Network based IDS (Intrusion Detection System) are usually intrusive devices that listen on a network wire while interfering with the normal operation of a network.
D. Network based IDS (Intrusion Detection System) are usually passive devices that listen on a network wire without interfering with the normal operation of a network.

Answer: D

160. What physical access control most adequately protects against physical piggybacking?

A. man trap.
B. security guard.
C. CCTV (Closed-Circuit Television).
D. biometrics.

Answer: A

161. Management wants to track personnel who visit unauthorized web sites. What type of detection will this be?

A. abusive detection.
B. misuse detection.
C. anomaly detection.
D. site filtering.

Answer: B

162. An administrator of a web server notices many port scans to a server. To limit exposure and vulnerability exposed by these port scans, the administrator should:

A. disable the ability to remotely scan the registry.
B. leave all processes running for possible future use.
C. close all programs or processes that use a UDP (User Datagram Protocol) or TCP (Transmission Control Protocol) port.
D. uninstall or disable any programs or processes that are not needed for the proper use of the server.

Answer: D

163. Which protocol is typically used for encrypting traffic between a web browser and web server?

A. IPSec (Internet Protocol Security).
B. HTTP (Hypertext Transfer Protocol).
C. SSL (Secure Sockets Layer).
D. VPN (Virtual Private Network).

Answer: C

164. Which of the following best describes TCP/IP (Transmission Control Protocol/Internet Protocol) session hijacking?

A. The TCP/IP (Transmission Control Protocol/Internet Protocol) session state is altered in a way that intercepts legitimate packets and allows a third party host to insert acceptable packets.
B. The TCP/IP (Transmission Control Protocol/Internet Protocol) session state is altered allowing third party hosts to create new IP (Internet Protocol) addresses.
C. The TCP/IP (Transmission Control Protocol/Internet Protocol) session state remains unaltered allowing third party hosts to insert packets acting as the server.
D. The TCP/IP (Transmission Control Protocol/Internet Protocol) session state remains unaltered allowing third party hosts to insert packets acting as the client.

Answer: A

165. A malformed MIME (Multipurpose Internet Mail Extensions) header can:

A. create a back door that will allow an attacker free access to a company private network.
B. create a virus that infects a user’s computer.
C. cause an unauthorized disclosure of private information.
D. cause an e-mail server to crash.

Answer: D

166. When a change to user security policy is made, the policy maker should provide appropriate documentation to:

A. the security-administrator.
B. auditors.
C. users.
D. all staff.

Answer: D

167. What technical impact may occur due to the receipt of large quantities of spam?

A. DoS (Denial of Service).
B. processor underutilization.
C. reduction in hard drive space requirements.
D. increased network throughput.

Answer: A

168. A public key ___________ is a pervasive system whose services are implemented and delivered using public key technologies that include CAs (Certificate Authority), digital certificates, non-repudiation, and key history management.

A. cryptography scheme.
B. distribution authority.
C. exchange.
D. infrastructure.

Answer: D

169. Forging an IP (Internet Protocol) address to impersonate another machine is best defined as:

A. TCP/IP (Transmission Control Protocol/Internet Protocol) hijacking.
B. IP (Internet Protocol) spoofing.
C. man in the middle.
D. replay.

Answer: B

170. When setting password rules, which of the following would LOWER the level of security of a network?

A. Passwords must be greater than six characters and contain at least one non-alphabetic character.
B. All passwords are set to expire at regular intervals and users are required to choose new passwords that have not been used before.
C. Complex passwords that users CAN NOT remotely change are randomly generated by the administrator and given to users.
D. After a set number of failed attempts the server will lock out any user account forcing the user to call the administrator to re-enable the account.

Answer: C

171. Which of the following can be used to track a user’s browsing habits on the Internet and may contain usernames and passwords?

A. digital certificates.
B. cookies.
C. ActiveX controls.
D. web server cache.

Answer: B

172. Currently, the most costly method of authentication is the use of:

A. passwords.
B. tokens.
C. biometrics.
D. shared secrets.

Answer: C

173. One of the factors that influence the lifespan of a public key certificate and its associated keys is the:

A. value of the information it is used to protect
B. cost and management fees
C. length of the asymmetric hash
D. data available openly on the cryptographic system

Answer: A

174. FTP (File Transfer Protocol) is accessed through what ports?

A. 80 and 443.
B. 20 and 21.
C. 21 and 23.
D. 20 and 80.

Answer: B

175. The best method to use for protecting a password stored on the server used for user authentication is to:

A. store the server password in clear text.
B. hash the server password.
C. encrypt the server password with asymmetric keys.
D. encrypt the server password with a public key.

Answer: B

176. In a typical file encryption process, the asymmetric algorithm is used to?

A. encrypt symmetric keys.
B. encrypt file contents.
C. encrypt certificates.
D. encrypt hash results.

Answer: A

177. Which of the following protocols is used by web servers to encrypt data?

A. TCP/IP (Transmission Control Protocol/Internet Protocol)
B. ActiveX
C. IPSec (Internet Protocol Security)
D. SSL (Secure Sockets Layer)

Answer: D

178. A piece of code that appears to do something useful while performing a harmful and unexpected function like stealing passwords is a:

A. virus.
B. logic bomb.
C. worm.
D. Trojan horse.

Answer: D

179. The integrity of a cryptographic system is considered compromised if which of the following conditions exist?

A. a 40-bit algorithm is used for a large financial transaction
B. the public key is disclosed
C. the private key is disclosed
D. the validity of the data source is compromised

Answer: C

180. During the digital signature process, hashing provides a means to verify what security requirement?

A. non-repudiation.
B. access control.
C. data integrity.
D. authentication.

Answer: C

181. Which of the following often requires the most effort when securing a server due to lack of available documentation?

A. hardening the OS (Operating System)
B. configuring the network
C. creating a proper security policy
D. installing the latest hot fixes and patches

Answer: A

182. One of the most effective ways for an administrator to determine what security holes reside on a network is to:

A. perform a vulnerability assessment.
B. run a port scan.
C. run a sniffer.
D. install and monitor an IDS (Intrusion Detection System).

Answer: A

183. As it relates to digital certificates, SSLv3.0 (Secure Sockets Layer version 3.0) added which of the following key functionalities? The ability to:

A. act as a CA (Certificate Authority).
B. force client side authentication via digital certificates.
C. use x.400 certificates.
D. protect transmissions with 1024-bit symmetric encryption.

Answer: B

184. In responding to incidents such as security breaches, one of the most important steps taken is:

A. encryption.
B. authentication.
C. containment.
D. intrusion.

Answer: C

185. Missing audit log entries most seriously affect an organization’s ability to:

A. recover destroyed data.
B. legally prosecute an attacker.
C. evaluate system vulnerabilities.
D. create reliable system backups.

Answer: B

186. SSL (Secure Sockets Layer) is used for secure communications with:

A. file and print servers.
B. RADIUS (Remote Authentication Dial-in User Service) servers.
C. AAA (Authentication, Authorization, and Administration) servers.
D. web servers.

Answer: D

187. Non-repudiation is based on what type of key infrastructure?

A. symmetric.
B. distributed trust.
C. asymmetric.
D. user-centric.

Answer: C

188. The first step in effectively implementing a firewall is:

A. blocking unwanted incoming traffic.
B. blocking unwanted outgoing traffic.
C. developing a firewall policy.
D. protecting against DDoS (Distributed Denial of Service) attacks.

Answer: C

189. Which of the following provides the strongest authentication?

A. token
B. username and password
C. biometrics
D. one time password

Answer: C

190. A security administrator tasked with confining sensitive data traffic to a specific subnet would do so by manipulating privilege policy based tables in the networks:

A. server
B. router
C. VPN (Virtual Private Network)
D. switch

Answer: B

191. What is the best method to secure a web browser?

A. do not upgrade, as new versions tend to have more security flaws.
B. disable any unused features of the web browser.
C. connect to the Internet using only a VPN (Virtual Private Network) connection.
D. implement a filtering policy for illegal, unknown and undesirable sites.

Answer: B

192. The most common form of authentication is the use of:

A. certificates.
B. tokens.
C. passwords.
D. biometrics.

Answer: C

193. What are the three main components of a Kerberos server?

A. authentication server, security database and a privilege server.
B. SAM (Sequential Access Method), security database and an authentication server.
C. application database, security database and system manager.
D. authentication server, security database and system manager.

Answer: A

194. Which of the following methods may be used to exploit the clear text nature of an instant messaging session?

A. packet sniffing.
B. port scanning.
C. crypt analysis.
D. reverse engineering.

Answer: A

195. A user receives an e-mail from a colleague in another company. The e-mail message warns of a virus that may have been accidentally sent in the past, and warns the user to delete a specific file if it appears on the user’s computer. The user checks and has the file. What is the best next step for the user?

A. Delete the file immediately.
B. Delete the file immediately and copy the e-mail to all distribution lists.
C. Report the contents of the message to the network administrator.
D. Ignore the message. This is a virus hoax and no action is required.

Answer: C

196. A need to know security policy would grant access based on:

A. least privilege.
B. less privilege.
C. loss of privilege.
D. single privilege.

Answer: A

197. IDEA (International Data Encryption Algorithm), Blowfish, RC5 (Rivest Cipher 5) and CAST-128 are encryption algorithms of which type?

A. symmetric.
B. asymmetric.
C. hashing.
D. elliptic curve.

Answer: A

198. A CRL (Certificate Revocation List) query that receives a response in near real time:

A. indicates that high availability equipment is used.
B. implies that a fault tolerant database is being used.
C. does not guarantee that fresh data is being returned.
D. indicates that the CA (Certificate Authority) is providing near real time updates.

Answer: C

199. Which of the following is a VPN (Virtual Private Network) tunneling protocol?

A. AH (Authentication Header).
B. SSH (Secure Shell).
C. IPSec (Internet Protocol Security).
D. DES (Data Encryption Standard).

Answer: C

200. Appropriate documentation of a security incident is important for each of the following reasons EXCEPT:

A. The documentation serves as a lessons learned which may help avoid further exploitation of the same vulnerability.
B. The documentation will serve as an aid to updating policy and procedure.
C. The documentation will indicate who should be fired for the incident.
D. The documentation will serve as a tool to assess the impact and damage for the incident.

Answer: C


Security+ SYO-101C


201. A network attack method that uses ICMP (Internet Control Message Protocol) and improperly formatted MTUs (Maximum Transmission Unit) to crash a target computer is known as:

A. man in the middle attack.
B. smurf attack.
C. ping of death attack.
D. TCP SYN (Transmission Control Protocol / Synchronized) attack.

Answer: C

202. The standard encryption algorithm based on Rijndael is known as:

A. AES (Advanced Encryption Standard).
B. 3DES (Triple Data Encryption Standard).
C. DES (Data Encryption Standard).
D. Skipjack.

Answer: A

203. A DoS (Denial of Service) attack which takes advantage of TCP’s (Transmission Control Protocol) three way handshake for new connections is known as:

A. SYN (Synchronize) flood.
B. ping of death attack.
C. land attack.
D. buffer overflow attack.

Answer: A

204. The Bell-LaPadula access control model consists of four elements. These elements are:

A. subjects, objects, access modes and security levels.
B. subjects, objects, roles and groups.
C. read only, read/write, write only and read/write/delete.
D. groups, roles, access modes and security levels.

Answer: A

205. What is generally the most overlooked element of security management?

A. security awareness.
B. intrusion detection.
C. risk assessment.
D. vulnerability control.

Answer: A

206. What is the advantage of a multi-homed firewall?

A. It is relatively inexpensive to implement.
B. The firewall rules are easier to manage.
C. If the firewall is compromised, only the systems in the DMZ (Demilitarized Zone) are exposed.
D. An attacker must circumvent two firewalls.

Answer: A

207. Which of the following is an example of an asymmetric encryption algorithm?

A. RC4 (Rivest Cipher 4)
B. IDEA (International Data Encryption Algorithm)
C. MD5 (Message Digest-5)
D. RSA (Rivest Shamir Adleman)

Answer: D

208. Which of the following needs to be included in a SLA (Service Level Agreement) to ensure the availability of server based resources rather than guaranteed server performance levels?

A. network
B. hosting
C. application
D. security

Answer: B

209. Which access control method provides the most granular access to protected objects?

A. capabilities
B. access control lists
C. permission bits
D. profiles

Answer: B

210. The process by which remote users can make a secure connection to internal resources after establishing an Internet connection could correctly be referred to as:

A. channeling
B. tunneling
C. throughput
D. forwarding

Answer: B

211. When an ActiveX control is executed, it executes with the privileges of the:

A. current user account.
B. administrator account.
C. guest account.
D. system account.

Answer: A

212. Which of the following would best protect the confidentiality and integrity of an e-mail message?

A. SHA-1 (Secure Hashing Algorithm I).
B. IPSec (Internet Protocol Security).
C. digital signature.
D. S/MIME (Secure Multipurpose Internet Mail Extensions).

Answer: D

213. When does CHAP (Challenge Handshake Authentication Protocol) perform the handshake process?

A. when establishing a connection and at anytime after the connection is established.
B. only when establishing a connection and disconnecting.
C. only when establishing a connection.
D. only when disconnecting.

Answer: A

214. What should a firewall employ to ensure that each packet is part of an established TCP (Transmission Control Protocol) session?

A. packet filter.
B. stateless inspection.
C. stateful inspection.
D. circuit level gateway.

Answer: C

215. Which of the following is most commonly used by an intruder to gain unauthorized access to a system?

A. brute force attack.
B. key logging.
C. Trojan horse.
D. social engineering.

Answer: D

216. A minor configuration change which can help secure DNS (Domain Name Service) information is:

A. block all unnecessary traffic by using port filtering.
B. prevent unauthorized zone transfers.
C. require password changes every 30 days.
D. change the default password.

Answer: B


217. What determines if a user is presented with a dialog box prior to downloading an ActiveX component?

A. the user’s browser setting.
B. the meta tag.
C. the condition of the sandbox.
D. the negotiation between the client and the server.

Answer: A

218. LDAP (Lightweight Directory Access Protocol) requires what ports by default?

A. 389 and 636
B. 389 and 139
C. 636 and 137
D. 137 and 139

Answer: A

219. Which security method should be implemented to allow secure access to a web page, regardless of the browser type or vendor?

A. certificates with SSL (Secure Sockets Layer).
B. integrated web with NOS (Network Operating System) security.
C. SSL (Secure Sockets Layer) only.
D. secure access to a web page is not possible.

Answer: A

220. What is a common DISADVANTAGE of employing an IDS (Intrusion Detection System)?

A. false positives.
B. throughput decreases.
C. compatibility.
D. administration.

Answer: A

221. System administrators and hackers use what technique to review network traffic to determine what services are running?

A. sniffer.
B. IDS (Intrusion Detection System).
C. firewall.
D. router.

Answer: A

222. Servers or workstations running programs and utilities for recording probes and attacks against them are referred to as:

A. firewalls.
B. host based IDS (Intrusion Detection System).
C. proxies.
D. active targets.

Answer: B

223. To reduce vulnerabilities on a web server, an administrator should adopt which preventative measure?

A. use packet sniffing software on all inbound communications.
B. apply the most recent manufacturer updates and patches to the server.
C. enable auditing on the web server and periodically review the audit logs.
D. block all DNS (Domain Naming Service) requests coming into the server.

Answer: B

224. What is the greatest advantage to using RADIUS (Remote Authentication Dial-in User Service) for a multi-site VPN (Virtual Private Network) supporting a large population of remote users?
A. RADIUS (Remote Authentication Dial-in User Service) provides for a centralized user database.
B. RADIUS (Remote Authentication Dial-in User Service) provides for a decentralized user database.
C. No user database is required with RADIUS (Remote Authentication Dial-in User Service).
D. User database is replicated and stored locally on all remote systems.

Answer: A

225. What is NOT an acceptable use for smart card technology?

A. mobile telephones.
B. satellite television access cards.
C. a PKI (Public Key Infrastructure) token card shared by multiple users.
D. credit cards.

Answer: C

226. Which of the following is the best protection against an intercepted password?

A. VPN (Virtual Private Network).
B. PPTP (Point-to-Point Tunneling Protocol).
C. one time password.
D. complex password requirement.

Answer: C

227. Which of the following statements most clearly outlines a major security vulnerability associated with Instant Messaging?

A. Instant Messaging does not support any form of message encryption.
B. Instant Messaging negatively impacts user productivity.
C. Instant Messaging uses TCP (Transmission Control Protocol) port 25 for message exchange.
D. Instant Messaging allows file attachments which could potentially contain viruses.

Answer: D

228. Using distinct key pairs to separate confidentiality services from integrity services to support non-repudiation describes which one of the following models?

A. discrete key pair.
B. dual key pair.
C. key escrow.
D. foreign key.

Answer: B

229. Which IETF (Internet Engineering Task Force) protocol uses AH (Authentication Header) and ESP (Encapsulating Security Payload) to provide security in a networked environment?

A. SSL (Secure Sockets Layer).
B. IPSec (Internet Protocol Security).
C. S-HTTP (Secure Hypertext Transfer Protocol).
D. SSH (Secure Shell).

Answer: B

230. A honey pot is best described as

A. encryptor.
B. DMZ (Demilitarized Zone).
C. firewall.
D. decoy.

Answer: D

231. A program appearing to be useful that contains additional hidden code that allows unauthorized individuals to exploit or destroy data is commonly known as a:

A. virus.
B. Trojan horse.
C. worm.
D. back door.

Answer: B

232. Which of the following is typically included in a CRL (Certificate Revocation List)?

A. certificates that have had a limited validity period and have expired.
B. certificates that are pending renewal.
C. certificates that are considered invalid because they do not contain a valid CA (Certificate Authority) signature.
D. certificates that have been disabled before their scheduled expiration.

Answer: D

233. A CPS (Certificate Practice Statement) is a legal document that describes a CA’s (Certificate Authority):

A. class level issuing process.
B. copyright notice.
C. procedures.
D. asymmetric encryption schema.

Answer: C

234. A severed T1 line is most likely to be considered in ________ planning.

A. data recovery.
B. off site storage.
C. media destruction.
D. incident response.

Answer: D

235. The primary DISADVANTAGE of symmetric cryptography is:

A. speed.
B. key distribution.
C. weak algorithms.
D. memory management.

Answer: B

236. How are clocks used in a Kerberos authentication system?

A. The clocks are synchronized to ensure proper connections.
B. The clocks are synchronized to ensure tickets expire correctly.
C. The clocks are used to generate the seed value for the encryption keys.
D. The clocks are used to benchmark and set the optimal encryption algorithm.

Answer: B

237. An IT (Information Technology) security audit is generally focused on reviewing existing:

A. resources and goals
B. policies and procedures
C. mission statements
D. ethics codes

Answer: B

238. The action of determining which operating system is installed on a system simply by analyzing its response to certain network traffic is called:

A. OS (Operating System) scanning.
B. reverse engineering.
C. Fingerprinting.
D. host hijacking.

Answer: C

239. The most effective way an administrator can protect users from social engineering is:

A. education.
B. implement personal firewalls.
C. enable logging on at users’ desktops.
D. monitor the network with an IDS (Intrusion Detection System).

Answer: A

240. Instant Messaging is most vulnerable to:

A. DoS (Denial of Service).
B. fraud.
C. stability.
D. sniffing.

Answer: D

241. What type of security mechanism can be applied to modems to better authenticate remote users?

A. firewalls
B. encryption
C. SSH (Secure Shell)
D. callback

Answer: D

242. Despite regular system backups a significant risk still exists if:

A. recovery procedures are not tested
B. all users do not log off while the backup is made
C. backup media is moved to an off-site location
D. an administrator notices a failure during the backup process

Answer: A

243. What are three characteristics of a computer virus?

A. find mechanism, initiation mechanism and propagate
B. learning mechanism, contamination mechanism and exploit
C. search mechanism, connection mechanism and integrate
D. replication mechanism, activation mechanism and objective

Answer: D

244. Technical security measures and countermeasures are primarily intended to prevent:

A. unauthorized access, unauthorized modification, and denial of authorized access.
B. interoperability of the framework, unauthorized modification, and denial of authorized access.
C. potential discovery of access, interoperability of the framework, and denial of authorized access.
D. interoperability of the framework, unauthorized modification, and unauthorized access.

Answer: A

245. Impersonating a dissatisfied customer of a company and requesting a password change on the customer’s account is a form of:

A. hostile code.
B. social engineering.
C. IP (Internet Protocol) spoofing.
D. man in the middle attack.

Answer: B

246. The basic strategy that should be used when configuring the rules for a secure firewall is:

A. permit all.
B. deny all.
C. default permit.
D. default deny.

Answer: D

247. An employer gives an employee a laptop computer to use remotely. The user installs personal applications on the laptop and overwrites some system files. How might this have been prevented with minimal impact on corporate productivity?

A. Users should not be given laptop computers in order to prevent this type of occurrence.
B. The user should have received instructions as to what is allowed to be installed.
C. The hard disk should have been made read-only
D. Biometrics should have been used to authenticate the user before allowing software installation.

Answer: B

248. A fundamental risk management assumption is that computers can NEVER be completely:

A. secure until all vendor patches are installed.
B. secure unless they have a variable password.
C. secure.
D. secure unless they have only one user.

Answer: C

249. DDoS (Distributed Denial of Service) is most commonly accomplished by:

A. internal host computers simultaneously failing.
B. overwhelming and shutting down multiple services on a server.
C. multiple servers or routers monopolizing and overwhelming the bandwidth of a particular server or router.
D. an individual e-mail address list being used to distribute a virus.

Answer: C

250. IEEE (Institute of Electrical and Electronics Engineers) 802.11b is capable of providing data rates of up to:

A. 10Mbps (Megabits per second).
B. 10.5Mbps (Megabits per second).
C. 11 Mbps (Megabits per second).
D. 12 Mbps (Megabits per second).

Answer: C

251. A team organized for the purpose of handling security crises is called a(n):

A. computer information team.
B. security resources team.
C. active detection team.
D. incident response team.

Answer: D

252. Which security architecture utilizes authentication header and/or encapsulating security payload protocols?

A. IPSec (Internet Protocol Security).
B. SSL (Secure Sockets Layer).
C. TLS (Transport Layer Security).
D. PPTP (Point-to-Point Tunneling Protocol).

Answer: A

253. Tunneling is best described as the act of encapsulating:

A. encrypted/secure IP packets inside of ordinary/non-secure IP packets.
B. ordinary/non-secure IP packets inside of encrypted/secure IP packets.
C. encrypted/secure IP packets inside of encrypted/non-secure IP packets.
D. ordinary/secure IP packets inside of ordinary/non-secure IP packets.

Answer: B

254. What is a good practice in deploying a CA (Certificate Authority)?

A. enroll users for policy based certificates.
B. create a CPS (Certificate Practice Statement).
C. register the CA (Certificate Authority) with a subordinate CA (Certificate Authority).
D. create a mirror CA (Certificate Authority) for fault tolerance.

Answer: B

255. What is the most common goal of operating system logging?
A. to determine the amount of time employees spend using various applications.
B. to keep a record of system usage.
C. to provide details of what systems have been compromised.
D. to provide details of which systems are interconnected.

Answer: B

256. Poor programming techniques and lack of code review can lead to which of the following type of attack?

A. CGI (Common Gateway Interface) script.
B. birthday.
C. buffer overflow.
D. dictionary.

Answer: C

257. When a patch is released for a server the administrator should:

A. immediately download and install the patch.
B. test the patch on a non-production server then install the patch to production.
C. not install the patch unless there is a current need.
D. install the patch and then backup the production server.

Answer: B

258. An attacker attempting to penetrate a company’s network through its remote access system would most likely gain access through what method?

A. war dialer.
B. Trojan horse.
C. DoS (Denial of Service).
D. worm.

Answer: A

259. A company’s web server is configured for the following services: HTTP (Hypertext Transfer Protocol), SSL (Secure Sockets Layer), FTP (File Transfer Protocol), SMTP (Simple Mail Transfer Protocol). The web server is placed into a DMZ (Demilitarized Zone). What are the standard ports on the firewall that must be opened to allow traffic to and from the server?

A. 119, 23, 21, 80.
B. 443, 119, 21, 1250.
C. 80, 443, 21, 25.
D. 80, 443, 110, 21.

Answer: C

260. Which systems should be included in a disaster recovery plan?

A. all systems.
B. those identified by the board of directors, president or owner.
C. financial systems and human resources systems.
D. systems identified in a formal risk analysis process.

Answer: D

261. A PKI (Public Key Infrastructure) document that serves as the vehicle on which to base common interoperability standards and common assurance criteria on an industry wide basis is a certificate:

A. policy.
B. practice.
C. procedure.
D. process.

Answer: A

262. When hardening a machine against external attacks, what process should be followed when disabling services?

A. disable services such as DHCP (Dynamic Host Configuration Protocol) client and print servers from servers that do not use/serve those functions.
B. disable one unnecessary service after another, while reviewing the effects of the previous action.
C. research the services and their dependencies before disabling any default services.
D. disable services not directly related to financial operations.

Answer: C

263. Which of the following will let a security administrator allow only HTTP (Hypertext Transfer Protocol) traffic for outbound Internet connections and set permissions to allow only certain users to browse the web?

A. packet filtering firewall.
B. protocol analyzer.
C. proxy server.
D. stateful firewall.

Answer: C

264. Which of the following is NOT a characteristic of DEN (Directory Enabled Networking)?

A. It is mapped into the directory defined as part of the LDAP (Lightweight Directory Access Protocol).
B. It is inferior to SNMP (Simple Network Management Protocol).
C. It is an object oriented information model.
D. It is an industry standard indicating how to construct and store information about a network’s users, applications and data.

Answer: B

265. The system administrator, concerned about security, has designated a special area in which to put the web server away from other servers on the network. This area is commonly known as the:

A. honey pot
B. hybrid subnet
C. DMZ (Demilitarized Zone).
D. VLAN (Virtual Local Area Network)

Answer: C

266. Which of the following IP (Internet Protocol) address schemes will require NAT (Network Address Translation) to connect to the Internet?

A. 204.180.0.0/24
B. 172.16.0.0/24
C. 192.172.0.0/24
D. 172.48.0.0/24

Answer: B

267. What is the primary DISADVANTAGE of a third party relay?

A. Spammers can utilize the relay.
B. The relay limits access to specific users.
C. The relay restricts the types of e-mail that may be sent.
D. The relay restricts spammers from gaining access.

Answer: A

268. A network administrator wants to connect a network to the Internet but does not want to compromise internal network IP (Internet Protocol) addresses. What should the network administrator implement?

A. a honey pot
B. a NAT (Network Address Translation)
C. a VPN (Virtual Private Network)
D. a screened network

Answer: B

269. Which of the following is NOT a field of a X.509 v.3 certificate?

A. private key
B. issuer
C. serial number
D. subject

Answer: A


270. What is the default transport layer protocol and port number that SSL (Secure Sockets Layer) uses?

A. UDP (User Datagram Protocol) transport layer protocol and port 80
B. TCP (Transmission Control Protocol) transport layer protocol and port 80
C. TCP (Transmission Control Protocol) transport layer protocol and port 443
D. UDP (User Datagram Protocol) transport layer protocol and port 69

Answer: C

271. The greater the keyspace and complexity of a password, the longer a _______ attack may take to crack the password.

A. dictionary
B. brute force
C. inference
D. frontal

Answer: B


272. Security requirements for servers DO NOT typically include:

A. the absence of vulnerabilities used by known forms of attack against server hosts
B. the ability to allow administrative activities to all users
C. the ability to deny access to information on the server other than that intended to be available
D. the ability to disable unnecessary network services that may be built into the operating system or server software

Answer: B


273. When a cryptographic system’s keys are no longer needed, the keys should be:

A. destroyed or stored in a secure manner
B. deleted from the system’s storage mechanism
C. recycled
D. submitted to a key repository

Answer: A


274. Creation of an information inventory is most valuable when:

A. localizing license based attacks
B. trying to reconstruct damaged systems
C. determining virus penetration within an enterprise
D. terminating employees for security policy violations

Answer: B

275. A network administrator wants to restrict internal access to other parts of the network. The network restrictions must be implemented with the least amount of administrative overhead and must be hardware based. What is the best solution?

A. implement firewalls between subnets to restrict access
B. implement a VLAN (Virtual Local Area Network) to restrict network access
C. implement a proxy server to restrict access
D. implement a VPN (Virtual Private Network)

Answer: B



276. Which of the following is the best reason for a CA (Certificate Authority) to revoke a certificate?

A. The user’s certificate has been idle for two months.
B. The user has relocated to another address.
C. The user’s private key has been compromised.
D. The user’s public key has been compromised.

Answer: C


277. Which of the following correctly identifies some of the contents of an end user’s X.509 certificate?

A. user’s public key, object identifiers, and the location of the user’s electronic identity
B. user’s public key, the CA (Certificate Authority) distinguished name, and the type of symmetric algorithm used for encryption
C. user’s public key, the certificate’s serial number, and the certificate’s validity dates
D. user’s public key, the serial number of the CA (Certificate Authority) certificate, and the CRL (Certificate Revocation List) entry point

Answer: C


278. Which of the following is a protocol generally used for secure web transactions?

A. S/MIME (Secure Multipurpose Internet Mail Extensions)
B. XML (Extensible Markup Language)
C. SSL (Secure Sockets Layer)
D. SMTP (Simple Mail Transfer Protocol)

Answer: C

279. Which of the following statements identifies a characteristic of a symmetric algorithm?

A. performs a fast transformation of data relative to other cryptographic methods
B. regardless of the size of the user’s input data, the size of the output data is fixed.
C. is relatively slow in transforming data when compared to other cryptographic methods
D. includes a one way function where it is computationally infeasible for another entity to determine the input data from the output data

Answer: A

280. Assuring the recipient that a message has not been altered in transit is an example of which of the following:

A. integrity
B. static assurance
C. dynamic assurance
D. cyclical check sequence

Answer: A


281. Being able to verify that a message received has not been modified in transit is defined as:

A. authorization
B. non-repudiation
C. integrity
D. cryptographic mapping

Answer: C


282. Which of the following terms represents a MAC (Mandatory Access Control) model?

A. Lattice
B. Bell-LaPadula
C. BIBA
D. Clark and Wilson

Answer: A


283. The most common method of social engineering is:

A. looking through users’ trash for information
B. calling users and asking for information
C. e-mailing users and asking for information
D. e-mail

Answer: B


284. In the context of the Internet, what is tunneling? Tunneling is:

A. using the Internet as part of a private secure network
B. the ability to burrow through three levels of firewalls
C. the ability to pass information over the internet within the shortest amount of time
D. creating a tunnel which can capture data

Answer: A

285. An effective method of preventing computer viruses from spreading is to:

A. require root/administrator access to run programs
B. enable scanning of e-mail attachments
C. prevent the execution of .vbs files
D. install a host based IDS (Intrusion Detection System)

Answer: B

286. The term cold site refers to:

A. a low temperature facility for long term storage of critical data
B. a location to begin operations during disaster recovery
C. a facility seldom used for high performance equipment
D. a location that is transparent to potential attackers

Answer: B

287. Sensitive material is currently displayed on a user’s monitor. What is the best course of action for the user before leaving the area?

A. The user should leave the area. The monitor is at a personal desk so there is no risk.
B. turn off the monitor
C. wait for the screen saver to start
D. refer to the company's policy on securing sensitive data

Answer: D


288. The system administrator of the company has terminated employment unexpectedly. When the administrator’s user ID is deleted, the system suddenly begins deleting files. This is an example of what type of malicious code?

A. logic bomb
B. virus
C. Trojan horse
D. worm

Answer: A

289. With regards to the use of Instant Messaging, which of the following type of attack strategies is effectively combated with user awareness training?

A. social engineering
B. stealth
C. ambush
D. multi-pronged

Answer: A


290. What would NOT improve the physical security of workstations?

A. lockable cases, keyboards, and removable media drives
B. key or password protected configuration and setup
C. password required to boot
D. strong passwords

Answer: D


291. What authentication problem is addressed by single sign on?

A. authorization through multiple servers
B. multiple domains
C. multi-factor authentication
D. multiple usernames and passwords

Answer: D

292. Access controls based on security labels associated with each data item and each user are known as:

A. MACs (Mandatory Access Control)
B. RBACs (Role Based Access Control)
C. LBACs (List Based Access Control)
D. DACs (Discretionary Access Control)

Answer: A

293. A network administrator has just replaced a hub with a switch. When using software to sniff packets from the networks, the administrator notices conversations the administrator’s computer is having with servers on the network, but can no longer see conversations taking place between other network clients and servers. Given that the switch is functioning properly, what is the most likely cause of this?

A. With the exception of broadcasts, switches do not forward traffic out all ports.
B. The switch is setup with a VLAN (Virtual Local Area Network) utilizing all ports.
C. The software used to sniff packets is not configured properly.
D. The sniffer’s ethernet card is malfunctioning.

Answer: A

294. Which type of password generator is based on challenge-response mechanisms?

A. asynchronous
B. synchronous
C. cryptographic keys
D. smart cards

Answer: A


295. Which of the following is a characteristic of MAC (Mandatory Access Control) systems? MACs (Mandatory Access Control):

A. uses levels of security to classify users and data
B. allows owners of documents to determine who has access to specific documents
C. uses access control lists which specify a list of authorized users
D. uses access control lists which specify a list of unauthorized users

Answer: A


296. Which of the following is considered the best technical solution for reducing the threat of a man in the middle attack?

A. Implement virtual LAN (Local Area Network)
B. Implement GRE (Generic Routing Encapsulation) tunnel / IPIP (Internet Protocol-within-Internet Protocol) Encapsulation Protocol
C. Implement PKI (Public Key Infrastructure)
D. Implement enforcement of badge system

Answer: C

297. Companies without an acceptable use policy (AUP) may give their employees an expectation of:

A. intrusions
B. audits
C. privacy
D. prosecution

Answer: C

298. An administrator is concerned with viruses in e-mail attachments being distributed and inadvertently installed on users’ workstations. If the administrator set up an attachment filter, what types of attachments should be filtered from e-mails to minimize the danger of viruses?

A. text files
B. image files
C. sound files
D. executable files

Answer: D


299. It is most difficult to eavesdrop on which of the following types of network cabling?

A. fiber optic cable
B. coaxial cable
C. UTP (Unshielded Twisted Pair)
D. STP (Shielded Twisted Pair)

Answer: A


300. Implementation of access control devices and technologies must fully reflect an organization’s security position as contained in its:

A. ACLs (Access Control List)
B. access control matrixes
C. information security policies
D. internal control procedures

Answer: C

Security+ SYO-101D

301. Which of the following are tunneling protocols?

A. IPSec (Internet Protocol Security), L2TP (Layer Two Tunneling Protocol), and SSL (Secure Sockets Layer)
B. IPSec (Internet Protocol Security), L2TP (Layer Two Tunneling Protocol), and PPP (Point-to-Point Protocol)
C. L2TP (Layer Two Tunneling Protocol), PPTP (Point-to-Point Tunneling Protocol), and SSL (Secure Sockets Layer)
D. PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer Two Tunneling Protocol), and IPSec (Internet Protocol Security)

Answer: D

302. What are TCP (Transmission Control Protocol) wrappers used for?

A. preventing IP (Internet Protocol) spoofing
B. controlling access to selected services
C. encrypting TCP (Transmission Control Protocol) traffic
D. sniffing TCP (Transmission Control Protocol) traffic to troubleshoot

Answer: B

303. Loki, NetCat, Master's Paradise and NetBus are all considered what type of attack?

A. brute force
B. spoofing
C. back door
D. man in the middle

Answer: C

304. Which protocol is used to negotiate and provide authenticated keying material for security associations in a protected manner?

A. ISAKMP (Internet Security Association and Key Management Protocol)
B. ESP (Encapsulating Security Payload)
C. SSH (Secure Shell)
D. SKEME (Secure Key Exchange Mechanism)

Answer: A

305. An administrator wants to set up a system for an internal network that will examine all packets for known attack signatures. What type of system will be set up?

A. vulnerability scanner
B. packet filter
C. host based IDS (Intrusion Detection System)
D. network based IDS (Intrusion Detection System)

Answer: D


306. Which of the following steps in the SSL (Secure Sockets Layer) protocol allows for client and server authentication, MAC (Mandatory Access Control) and encryption algorithm negotiation, and selection of cryptographic keys?

A. SSL (Secure Sockets Layer) alert protocol
B. SSL (Secure Sockets Layer) change cipher spec protocol
C. SSL (Secure Sockets Layer) record protocol
D. SSL (Secure Sockets Layer) handshake protocol

Answer: D

307. What type of attack CAN NOT be detected by an IDS (Intrusion Detection System)?

A. DoS (Denial of Service)
B. exploits of bugs or hidden features
C. spoofed e-mail
D. port scan

Answer: C

308. A password management system designed to provide availability for a large number of users includes which of the following?

A. self service password resets
B. locally saved passwords
C. multiple access methods
D. synchronized passwords

Answer: A

309. What must be done to maximize the effectiveness of system logging?

A. encrypt log files
B. rotate log files
C. print and copy log files
D. review and monitor log files

Answer: D

310. Regarding security, biometrics are used for

A. accountability
B. certification
C. authorization
D. authentication

Answer: D

311. What fingerprinting technique relies on the fact that operating systems differ in the amount of information that is quoted when ICMP (Internet Control Message Protocol) errors are encountered?

A. TCP (Transmission Control Protocol) options
B. ICMP (Internet Control Message Protocol) error message quenching
C. Fragmentation handling
D. ICMP (Internet Control Message Protocol) message quoting

Answer: D

312. Which of the following is a popular VPN (Virtual Private Network) protocol operating at OSI (Open Systems Interconnect) model Layer 3?

A. PPP (Point-to-Point Protocol)
B. SSL (Secure Sockets Layer)
C. L2TP (Layer Two Tunneling Protocol)
D. IPSec (Internet Protocol Security)

Answer: D

313. Turnstiles, double entry doors and security guards are all prevention measures for what type of social engineering?

A. piggybacking
B. looking over a co-worker’s shoulder to retrieve information
C. looking through a co-worker’s trash to retrieve information
D. impersonation

Answer: A

314. What is the major reason that social engineering attacks succeed?

A. strong passwords are not required
B. lack of security awareness
C. multiple logins are allowed
D. audit logs are not monitored frequently

Answer: B

315. Which authentication protocol should be employed to encrypt passwords?

A. PPTP (Point-to-Point Tunneling Protocol)
B. SMTP (Simple Mail Transfer Protocol)
C. Kerberos
D. CHAP (Challenge Handshake Authentication Protocol)

Answer: D

316. NAT (Network Address Translation) can be accomplished with which of the following?

A. static and dynamic NAT (Network Address Translation) and PAT (Port Address Translation)
B. static and hide NAT (Network Address Translation)
C. static and hide NAT (Network Address Translation) and PAT (Port Address Translation)
D. static, hide, and dynamic NAT (Network Address Translation)
Answer: C

317. In order for an SSL (Secure Sockets Layer) connection to be established between a web client and server automatically, the web client and server should have a(n):

A. shared password
B. certificate signed by a trusted root CA (Certificate Authority)
C. address on the same subnet
D. common operating system

Answer: B

318. A mobile sales force requires remote connectivity in order to access shared files and e-mail on the corporate network. All employees in the sales department have laptops equipped with ethernet adapters. Some also have modems. What is the best remote access solution to allow all sales employees to access the corporate network?

A. ISDN (Integrated Services Digital Network)
B. dial-up
C. SSL (Secure Sockets Layer)
D. VPN (Virtual Private Network)

Answer: D

319. An example of a physical access barrier would be

A. video surveillance
B. personnel traffic pattern management
C. security guard
D. motion detector

Answer: C

320. What media provides the best protection against electromagnetic interference?

A. coaxial cable
B. UTP (Unshielded Twisted Pair)
C. STP (Shielded Twisted Pair)
D. fiber optic cable

Answer: D

321. Which of the following four critical functions of a VPN (Virtual Private Network) restricts users from using resources in a corporate network?

A. access control
B. authentication
C. confidentiality
D. data integrity

Answer: A


322. Of the following, what is the primary attribute associated with e-mail hoaxes?

A. E-mail hoaxes create unnecessary e-mail traffic and panic in non-technical users.
B. E-mail hoaxes take up large amounts of server disk space.
C. E-mail hoaxes can cause buffer overflows on the e-mail server.
D. E-mail hoaxes can encourage malicious users.

Answer: A



323. Most certificates used for authentication are based on what standard?

A. ISO 19278
B. X.500
C. RFC 1205
D. X.509 v3

Answer: D


324. In order for User A to send User B an e-mail message that only User B can read, User A must encrypt the e-mail with which of the following keys?

A. User B’s public key
B. User B’s private key
C. User A’s public key
D. User A’s private key

Answer: A

325. What does the message recipient use with the hash value to verify a digital signature?

A. signer’s private key
B. receiver’s private key
C. signer’s public key
D. receiver’s public key
Answer: C

326. While surfing the Internet a user encounters a pop-up window that prompts the user to download abrowser plug-in. The pop-up window is a certificate which validates the identity of the plug-in developer. Which of the following best describes this type of certificate?

A. software publisher certificate
B. web certificate
C. CA (Certificate Authority) certificate
D. server certificate

Answer: A


327. The public key infrastructure model where certificates are issued and revoked via a
CA (Certificate Authority) is what type of model?

A. managed
B. distributed
C. centralized
D. standard

Answer: C

328. Company intranets, newsletters, posters, login banners and e-mails would be good tools to utilize in a security:

A. investigation
B. awareness program
C. policy review
D. control test
Answer: B

329. What is a network administrator protecting against by ingress/egress filtering traffic as follows?

Any packet coming into the network must not have a source address of the internal network.
Any packet coming into the network must have a destination address from the internal network.
Any packet leaving the network must have a source address from the internal network.
Any packet leaving the network must not have a destination address from the internal network.
Any packet coming into the network or leaving the network must not have a source or destination address of a private address or an address listed in RFC 1918 reserved space.

A. SYN (Synchronize) flooding
B. spoofing
C. DoS (Denial of Service) attacks
D. dictionary attacks

Answer: B

330. When hosting a web server with CGI (Common Gateway Interface) scripts, the directories for public view should have:

A. execute permissions
B. read and write permissions
C. read, write, and execute permissions
D. full control permissions

Answer: A

331. When UserA applies to the CA (Certificate Authority) requesting a certificate to allow the start of communication with User B, User A must supply the CA (Certificate Authority) with

A. User A’s public key only
B. User B’s public key only
C. User A’s and User B’s public keys
D. User A’s and User B’s public and private keys

Answer: A

332. Which of the following most accurately describes a DMZ (Demilitarized Zone)?

A. an application program with a state that authenticates the user and allows the user to be categorized based on privilege
B. a network between a protected network and an external network in order to provide an additional layer of security
C. the entire area between the network of origin and the destination network
D. an application that allows the user to remove any offensive of an attacker


Answer: B

333. Privileged accounts are most vulnerable immediately after a:

A. successful remote login
B. privileged user is terminated
C. default installation is performed
D. full system backup is performed

Answer: C

334. A protocol specified in IEEE (Institute of Electrical and Electronics Engineers) 802.11b intended to provide a WLAN (Wireless Local Area Network) with the level of security associated with a wired LAN (Local Area Network) is:

A. WEP (Wired Equivalent Privacy)
B. ISSE (Information Systems Security Engineering)
C. ISDN (Integrated Services Digital Network)
D. VPN (Virtual Private Network)

Answer: A

335. SSL (Secure Sockets Layer) operates between which two layers of the OSI (Open Systems Interconnection) model?

A. application and transport
B. transport and network
C. network and data link
D. data link and physical

Answer: A


336. A network attack that misuses TCP's (Transmission Control Protocol) three way handshake to overload servers and deny access to legitimate users is called a:

A. man in the middle
B. smurf
C. teardrop
D. SYN

Answer: D

337. What are the three entities of the SQL (Structured Query Language) security model?

A. actions, objects and tables
B. actions, objects and users
C. tables, objects and users
D. users, actions and tables

Answer: B

338. Which is of greatest importance when considering physical security?

A. reduce overall opportunity for an intrusion to occur
B. make alarm identification easy for security professionals
C. barricade all entry points against unauthorized entry
D. assess the impact of crime zoning and environmental considerations in the overall design
Answer: A

339. The flow of packets traveling through routers can be controlled by implementing what type of security mechanism?

A. ACLs (Access Control List)
B. fault tolerance tables
C. OSPF (Open Shortest Path First) policy
D. packet locks

Answer: A

340. Clients in Company A can view web sites that have been created for them, but CAN NOT navigate in them. Why might the clients not be able to navigate in the sites?

A. The sites have improper permissions assigned to them.
B. The server is in a DMZ (Demilitarized Zone).
C. The sites have IP (Internet Protocol) filtering enabled.
D. The server has heavy traffic.

Answer: A

341. The goal of TCP (Transmission Control Protocol) hijacking is:

A. taking over a legitimate TCP (Transmission Control Protocol) connection
B. predicting the TCP (Transmission Control Protocol) sequence number
C. identifying the TCP (Transmission Control Protocol) port for future exploitation
D. identifying source addresses for malicious use

Answer: A

342. The system administrator has just used a program that highlighted the susceptibility of several servers on the network to various exploits. The program also suggested fixes. What type of program was used?

A. intrusion detection
B. port scanner
C. vulnerability scanner
D. Trojan scanner

Answer: C

343. A password security policy can help a system administrator to decrease the probability that a password can be guessed by reducing the password’s:

A. length
B. lifetime
C. encryption level
D. alphabet set
Answer: B

344. How can an e-mail administrator prevent malicious users from sending e-mails from non-existent domains?

A. enable DNS (Domain Name Service) reverse lookup on the e-mail server
B. enable DNS (Domain Name Service) forward lookup on the e-mail server
C. enable DNS (Domain Name Service) recursive queries on the DNS (Domain Name Service) server
D. enable DNS (Domain Name Service) recurring queries on the DNS (Domain Name Service) server

Answer: A

345. TCP/IP (Transmission Control Protocol/Internet Protocol) hijacking resulted from exploitation of the fact that TCP/IP (Transmission Control Protocol/Internet Protocol):

A. has no authentication mechanism, thus allowing a cleartext password of 16 bytes
B. allows packets to be tunneled to an alternate network
C. has no authentication mechanism, and therefore allows connectionless packets from anyone
D. allows a packet to be spoofed and inserted into a stream, thereby enabling commands to be executed on the remote host

Answer: D

346. Intruders are detected accessing an internal network. The source IP (Internet Protocol) addresses originate from trusted networks. The most common type of attack in this scenario is:

A. social engineering
B. TCP/IP hijacking
C. smurfing
D. spoofing

Answer: D

347. Which of the following is used to authenticate and encrypt IP (Internet Protocol) traffic?

A. ESP (Encapsulating Security Payload)
B. S/MIME (Secure Multipurpose Internet Mail Extensions)
C. IPSec (Internet Protocol Security)
D. IPv2 (Internet Protocol version 2)

Answer: C

348. An administrator is configuring a server to make it less susceptible to an attacker obtaining the user account passwords. The administrator decides to have the encrypted passwords contained within a file that is readable only by root. What is a common name for this file?

A. passwd
B. shadow
C. hosts.allow
D. hosts.deny

Answer: B
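The protection in Q348 holds only while the split between the two files is clean. The check below is an added example, not part of the question bank: it parses constructed /etc/passwd and /etc/shadow contents (the accounts and hashes are made up) and flags what undoes shadowing in practice: a hash left in the world-readable passwd file, an empty password field in shadow, a hash still using the MD5-crypt scheme, and a shadow file whose mode lets group or others read it. Some distributions ship shadow as mode 0640 owned by a dedicated group; the check here takes the question's "readable only by root" literally.

```python
"""Audit constructed /etc/passwd and /etc/shadow contents for the conditions
that defeat password shadowing.  Added example; the sample files are made up."""
import stat

# Constructed sample files (not real accounts).  'legacy' still carries a hash in
# passwd, 'alice' uses MD5-crypt, 'svc' has an empty shadow password field.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$1$Zz9Qx$mKj3hY8sF1eV0dJ6LbN2c/:1001:1001::/home/legacy:/bin/sh
svc:x:1002:1002::/var/lib/svc:/usr/sbin/nologin
"""
SHADOW_SAMPLE = """\
root:$6$rounds=5000$saltsalt$hashhashhash:19000:0:99999:7:::
alice:$1$othersalt$anotherhashvalue:19000:0:99999:7:::
legacy:*:19000:0:99999:7:::
svc::19000:0:99999:7:::
"""

WEAK_PREFIXES = ("$1$",)      # MD5-crypt; classic DES-crypt has no '$' prefix at all


def parse_colon_file(text):
    """Return {name: [fields...]} for a colon-separated file, skipping blanks and comments."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def audit(passwd_text, shadow_text):
    """Return a sorted list of (account, finding) tuples."""
    findings = []
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)

    for name, fields in passwd.items():
        pw = fields[1]
        if pw not in ("x", "*"):
            # Anything other than the shadow marker (or a lock) is a hash, or worse,
            # an empty password, sitting in a file every local user can read.
            findings.append((name, "non-shadow password field in passwd"))
        if name not in shadow:
            findings.append((name, "no shadow entry"))

    for name, fields in shadow.items():
        h = fields[1]
        if h == "":
            findings.append((name, "empty password (login without a password)"))
        elif h.startswith("!") or h == "*":
            continue                        # locked account, nothing to crack
        elif h.startswith(WEAK_PREFIXES) or not h.startswith("$"):
            findings.append((name, "weak hash scheme"))
    return sorted(findings)


def shadow_mode_ok(mode):
    """True if the shadow file grants no permission bits to group or others."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


if __name__ == "__main__":
    for account, finding in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{account}: {finding}")
    print("mode 0600 ok:", shadow_mode_ok(0o600), "| mode 0644 ok:", shadow_mode_ok(0o644))
```

On a live system the two inputs come from reading the files as root; the parser ignores the remaining fields, so the ageing columns of shadow do not need to be well formed.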

349. Which of the following is the best IDS (Intrusion Detection System) to monitor the-entire network?

A. a network based IDS (Intrusion Detection System)
B. a host based IDS (Intrusion Detection System)
C. a user based IDS (Intrusion Detection System)
D. a client based IDS (Intrusion Detection System)

Answer: A

350. SSL (Secure Sockets Layer) session keys are available in what two lengths?

A. 40-bit and 64-bit
B. 40-bit and 128-bit
C. 64-bit and 128-bit
D. 128-bit and 1,024-bit

Answer: B

351. One of the primary concerns of a centralized key management system is that?

A. keys must be stored and distributed securely
B. certificates must be made readily available
C. the key repository must be publicly accessible
D. the certificate contents must be kept confidential

Answer: A

352. An extranet would be best defined as an area or zone:

A. set aside for a business to store extra servers for internal use
B. accessible to the general public for accessing the business’ web site
C. that allows a business to securely transact with other businesses
D. added after the original network was built for additional storage

Answer: C

353. What standard security protocol provides security and privacy in a WLAN (Wireless Local Area Network)?

A. SWP (Secure WLAN Protocol)
B. WEP (Wired Equivalent Privacy)
C. SSL (Secure Sockets Layer)
D. S/MIME (Secure Multipurpose Internet Mail Extensions)

Answer: B

354. What port scanning technique is used to see what ports are in a listening state and then performs a two-way handshake?

A. TCP (Transmission Control Protocol) SYN (Synchronize) scan
B. TCP (Transmission Control Protocol) connect scan
C. TCP (Transmission Control Protocol) FIN scan
D. TCP (Transmission Control Protocol) NULL scan

Answer: A
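The SYN scan of Q354 sends a SYN, reads the SYN/ACK or RST that comes back, and answers with RST instead of the final ACK, which is why it needs raw sockets and normally root. The connect scan in option B is what an unprivileged scanner does instead: it lets the operating system complete the full three-way handshake and reports open, closed (RST received) or filtered (no answer). The example below is added here and is not part of the question bank; it starts a throwaway listener on the loopback interface purely so the scan has a known open port to find, then runs a connect scan over that port and one that was just released. The port numbers are whatever the OS hands out.

```python
"""Connect scan against a local listener.  Added example: the listener exists
only so the scan has a known open port; the scan itself is the generic
full-handshake technique an unprivileged user can run."""
import socket
import threading


def start_listener(host="127.0.0.1"):
    """Bind a TCP listener on an OS-chosen port and accept connections in the background."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()          # accept then drop: enough for the scanner to see 'open'
            except OSError:
                break                 # listener socket was closed

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def reserve_closed_port(host="127.0.0.1"):
    """Bind and immediately release a port so the example has one known to be closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host, port, timeout=0.5):
    """Full three-way handshake done by the OS.  'open' on success, 'closed' when
    the target answers with RST, 'filtered' when nothing comes back in time."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            return "error"


def connect_scan(host, ports, timeout=0.5):
    """Return {port: state} for every port probed."""
    return {p: probe(host, p, timeout) for p in ports}


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = reserve_closed_port()
    print(connect_scan("127.0.0.1", [open_port, closed_port]))
    srv.close()
```

Because every probe completes the handshake, the target's application log records a connection from the scanner; that audit trail is the usual reason a tester prefers the half-open SYN scan when privileges allow it.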

355. Performing a security vulnerability assessment on systems that a company relies on demonstrates:

A. that the site CAN NOT be hacked
B. a commitment to protecting data and customers
C. insecurity on the part of the organization
D. a needless fear of attack

Answer: B

356. The best reason to perform a business impact analysis as part of the business continuity planning process is to:

A. test the veracity of data obtained from risk analysis
B. obtain formal agreement on maximum tolerable downtime
C. create the framework for designing tests to determine efficiency of business continuity plans
D. satisfy documentation requirements of insurance companies covering risks of systems and data important for business continuity
Answer: B

357. A FTP (File Transfer Protocol) bounce attack is generally used to:

A. exploit a buffer overflow vulnerability on the FTP (File Transfer Protocol) server
B. reboot the FTP (File Transfer Protocol) server
C. store and distribute malicious code
D. establish a connection between the FTP (File Transfer Protocol) server and another computer

Answer: D

358. E-mail servers have a configuration choice which allows the relaying of messages from one e-mail server to another. An e-mail server should be configured to prevent e-mail relay because:

A. untraceable, unwanted e-mail can be sent
B. an attacker can gain access and take over the server
C. confidential information in the server’s e-mail boxes can be read using the relay
D. the open relay can be used to gain control of nodes on additional networks

Answer: A

359. S/MIME (Secure Multipurpose Internet Mail Extensions) is used to:

A. encrypt user names and profiles to ensure privacy
B. encrypt messages and files
C. encrypt network sessions acting as a VPN (Virtual Private Network) client
D. automatically encrypt all outbound messages

Answer: B


360. A security designer is planning the implementation of security mechanisms in a RBAC (Role Based Access Control) compliant system. The designer has determined that there are three types of resources in the system including files, printers, and mailboxes. The organization has four distinct departments with distinct functions including Sales, Marketing, Management, and Production. Each department needs access to different resources. Each user has a workstation. Which roles should be created to support the RBAC (Role Based Access Control) model?

A. file, printer, and mailbox roles
B. sales, marketing, management, and production roles
C. user and workstation roles
D. allow access and deny access roles

Answer: B

361. A network administrator is having difficulty establishing an L2TP (Layer Two Tunneling Protocol) VPN (Virtual Private Network) tunnel with IPSec (Internet Protocol Security) between a remote dial-up client and the firewall, through a perimeter router. The administrator has confirmed that the client's and firewall's IKE (Internet Key Exchange) policy and IPSec (Internet Protocol Security) policy are identical. The appropriate L2TP (Layer Two Tunneling Protocol) and IKE (Internet Key Exchange) transport layer ports have also been allowed on the perimeter router and firewall.

What additional step must be performed on the perimeter router and firewall to allow AH (Authentication Header) and ESP (Encapsulating Security Payload) tunnel-encapsulated IPSec (Internet Protocol Security) traffic to flow between the client and the firewall?


A. configure the perimeter router and firewall to allow inbound protocol number 51 for ESP (Encapsulating Security Payload) encapsulated IPSec (Internet Protocol Security) traffic
B. configure the perimeter router and firewall to allow inbound protocol number 49 for ESP (Encapsulating Security Payload) and AH (Authentication Header) encapsulated IPSec (Internet Protocol Security) traffic.

C. configure the perimeter router and firewall to allow inbound protocol numbers 50 and 51 for ESP (Encapsulating Security Payload) and AH (Authentication Header) encapsulated IPSec (Internet Protocol Security) traffic.

D. configure the perimeter router and firewall to allow inbound protocol numbers 52 and 53 for AH (Authentication Header) and ESP (Encapsulating Security Payload) encapsulated IPSec (Internet Protocol Security) traffic

Answer: C
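Q329, Q339 and Q361 describe the same device from three angles: a perimeter router or firewall that first rejects packets whose addresses cannot be genuine, then consults an ordered ACL. The block below is an added example, not code from the question bank, that puts both stages in one place. The internal prefix, the VPN endpoint address and the rule list are assumptions chosen so the block runs offline; the internal block uses a documentation range rather than RFC 1918 space so that the private-address rule of Q329 can be applied literally. The point Q361 turns on is visible in the ACL: ESP and AH are IP protocols 50 and 51, they have no ports, so the IKE (UDP 500) and L2TP (UDP 1701) entries cannot admit them and a protocol-number rule is required.

```python
"""Perimeter filter: the anti-spoofing rules of Q329 followed by a router-style
ACL (Q339) that admits only the IPsec traffic of Q361.  Added example; the
prefixes, the VPN endpoint address and the rule list are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL = ipaddress.ip_network("203.0.113.0/24")     # assumed internal (publicly routed) block
VPN_ENDPOINT = ipaddress.ip_address("203.0.113.1")    # assumed firewall address the tunnel ends on

# RFC 1918 space plus other ranges that must never cross the perimeter in either direction
RESERVED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",      # loopback, "this" network, link-local
)]

PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51   # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None     # only meaningful for TCP/UDP


def _reserved(addr):
    return any(addr in net for net in RESERVED)


def spoof_check(pkt, direction):
    """Q329's rules.  Return None if the packet passes, otherwise the rule it broke."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if _reserved(src) or _reserved(dst):
        return "private/reserved address at the perimeter"
    if direction == "in":
        if src in INTERNAL:
            return "inbound packet claims an internal source"
        if dst not in INTERNAL:
            return "inbound packet not addressed to the internal network"
    elif direction == "out":
        if src not in INTERNAL:
            return "outbound packet with a non-internal source"
        if dst in INTERNAL:
            return "outbound packet addressed to the internal network"
    else:
        raise ValueError(f"unknown direction {direction!r}")
    return None


# (action, protocol, destination port or None, destination address).  First match
# wins and there is an implicit deny at the end, as on a router ACL.  UDP 500 is IKE,
# UDP 1701 is L2TP; ESP (50) and AH (51) carry no ports, hence protocol-number rules.
INBOUND_ACL = [
    ("permit", PROTO_UDP, 500, VPN_ENDPOINT),
    ("permit", PROTO_UDP, 1701, VPN_ENDPOINT),
    ("permit", PROTO_ESP, None, VPN_ENDPOINT),
    ("permit", PROTO_AH, None, VPN_ENDPOINT),
]


def acl_lookup(pkt, acl):
    dst = ipaddress.ip_address(pkt.dst)
    for action, proto, dport, target in acl:
        if pkt.proto == proto and dst == target and (dport is None or pkt.dport == dport):
            return action
    return "deny"


def filter_inbound(pkt, acl=INBOUND_ACL):
    """Return (verdict, reason) for a packet arriving on the outside interface."""
    broken = spoof_check(pkt, "in")
    if broken:
        return "deny", broken
    return acl_lookup(pkt, acl), "acl"


def filter_outbound(pkt):
    """Return (verdict, reason) for a packet leaving through the outside interface."""
    broken = spoof_check(pkt, "out")
    return ("deny", broken) if broken else ("permit", "egress")


if __name__ == "__main__":
    for p in (Packet("198.51.100.7", "203.0.113.1", PROTO_ESP),
              Packet("198.51.100.7", "203.0.113.1", 49),
              Packet("203.0.113.9", "203.0.113.1", PROTO_ESP)):
        print(p, "->", filter_inbound(p))
```

Ordering matters: the spoof checks run before the ACL so that a packet forged with an internal source never gets as far as a permit entry, and the ACL ends in deny so that a protocol the administrator forgot (the wrong number 49 in option B, for instance) is dropped rather than passed.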

362. What is the best method of reducing vulnerability from dumpster diving?

A. hire additional staff
B. destroy papers and other media
C. install surveillance
D. empty trash can frequently

Answer: B


363. One characteristic of biometrics is:

A. it does not require a password
B. it is 100% effective
C. false positives are rare
D. false negatives are rare

Answer: A


364. As a security administrator, what are the three categories of active responses relating to intrusion detection?

A. collect additional information, maintain the environment, and take action against the intruder

B. collect additional information, maintain the environment, and take action against the intruder

C. collect additional information, change the environment, and take action against the intruder

D. discard any additional information, change the environment, and take action against the intruder

Answer: C

365. Intrusion detection systems typically consist of two parts, a console and a:

A. sensor
B. router
C. processor
D. firewall

Answer: A

366. The owner of a file modifies the security settings of that file on the servers to
limit access to specific individuals. Which method of security is being applied?

A. MAC (Mandatory Access Control)
B. DAC (Discretionary Access Control)
C. SAC (Subject Access Control)
D. RBAC (Role Based Access Control)

Answer: B

367. A block cipher is an example of which of the following encryption algorithms?

A. asymmetric key
B. public key
C. symmetric key
D. unkeyed

Answer: C

368. What is the best defense against man in the middle?

A. a firewall
B. strong encryption
C. strong authentication
D. strong passwords

Answer: B

369. There are a number of ports in TCP/IP that can be scanned, exploited or
attacked. How many ports are vulnerable to such operations?

A. 32
B. 1,024
C. 65,535
D. 16,777,216

Answer: C

370. Which of the following makes a token based authentication system very difficult
to attack?

A. a token uses a digital certificate
B. a token is something that is physically possessed
C. a token can only be used once
D. a token can only be used by the intended owner.

Answer: B

371. What are the 4 major components of ISAKMP?
(Internet Security Association and Key Management Protocol)

A. authentication of peers, threat management, communication management, and cryptographic key establishment.
B. authentication of peers, threat management, communication management, and cryptographic key establishment.
C. authentication of peers, threat management, security association creation and management, cryptographic key establishment and management.
D. authentication of peers, threat management, security association creation, and cryptographic key establishment.

Answer: C

372. A major difference between a worm and a Trojan horse is :

A. worms are spread via e-mail and Trojans are not
B. worms are self replicating and Trojans are not
C. worms are a form of malicious code and Trojans are not
D. there is no difference

Answer: B

373. When a user digitally signs a document an asymmetric algorithm is used to encrypt:

A. secret passkeys
B. file contents
C. certificates
D. hash results

Answer: D


374. The main purpose of digital certificates is to securely bind a:

A. public key to the identity of the signer and recipient
B. private key to the identity of the signer and recipient
C. public key to the entity that holds the corresponding private key
D. private key to the entity that holds the corresponding public key

Answer: C


375. What protocol should be used to prevent intruders from using access points on a wireless network?

A. ESP (Encapsulating Security Payload)
B. WEP (Wired Equivalent Privacy)
C. TLS (Transport Layer Security)
D. SSL (Secure Sockets Layer)

Answer: B


376. What are two common methods when using a public key infrastructure for maintaining access to servers in a network?



A. ACL and PGP.
B. PIM and CRL.
C. CRL and OCSP.
D. RSA and MD2

Answer: C

377. Missing audit log entries most seriously affect an organization's ability to:

A. Recover destroyed data.
B. Legally prosecute an attacker.
C. Evaluate system vulnerabilities.
D. Create reliable system backups.

Answer: B

378. File encryption using symmetric cryptography satisfies what security requirement?



A. Confidentiality
B. Access control
C. Data integrity
D. Authentication

Answer: A


379. Dave is increasing the security of his Web site by adding SSL (Secure Sockets Layer).
Which type of encryption does SSL use?



A. Asymmetric
B. Symmetric
C. Public Key
D. Secret

Answer: B


380. During the digital signature process, asymmetric cryptography satisfied what security requirement?



A. Confidentiality
B. Access control
C. Data integrity
D. Authentication

Answer: D

381. Which of the following is NOT a characteristic of DEN (Directory Enabled Networking)?



A. It is mapped into the directory defined as part of the LDAP (Lightweight Directory Access Protocol).
B. It is inferior to SNMP (Simple Network Management Protocol).
C. It is an object oriented information model.
D. It is an industry standard indicating how to construct and store information about a network's users, applications and data.

Answer: B

382. What would NOT improve the physical security of workstations?


A. Lockable cases, keyboards, and removable media drives.
B. Key or password protected configuration and setup.
C. Password required to boot.
D. Strong passwords.

Answer: D

383. Which of the following is a popular VPN (Virtual Private Network) protocol operating at OSI (Open Systems Interconnect) model Layer 3?


A. PPP (Point-to-Point Protocol)
B. SSL (Secure Sockets Layer)
C. L2TP (Layer Two Tunneling Protocol)
D. IPSec (Internet Protocol Security)

Answer: D


384. Which of the following describes the concept of data integrity?



A. A means of determining what resources a user can use and view.
B. A method of security that ensures all data is sequenced, and numbered.
C. A means of minimizing vulnerabilities of assets and resources.
D. A mechanism applied to indicate a data's level of security.

Answer: B


385. The best protection against the abuse of remote maintenance of PBX (Private Branch Exchange) system is to:


A. Keep maintenance features turned off until needed
B. Insist on strong authentication before allowing remote maintenance
C. Keep PBX (Private Branch Exchange) in locked enclosure and restrict access to only a few people.
D. Check to see if the maintenance caller is on the list of approved maintenance personnel

Answer: B


386. You are the first person to arrive at a crime scene. An investigator and crime scene technician arrive afterwards to take over the investigation.
Which of the following tasks will the crime scene technician be responsible for performing?


A. Ensure that any documentation and evidence they possessed is handed over to the investigator.
B. Re-establish a perimeter as new evidence presents itself.
C. Establish a chain of command.
D. Tag, bag, and inventory evidence.

Answer: D



387. Forensic procedures must be followed exactly to ensure the integrity of data obtained in an investigation.
When making copies of data from a machine that is being examined, which of the following tasks should be done to ensure it is an exact duplicate?


A. Perform a cyclic redundancy check using a checksum or hashing algorithm.
B. Change the attributes of data to make it read only.
C. Open files on the original media and compare them to the copied data.
D. Do nothing. Imaging software always makes an accurate image.

Answer: A

388. Privileged accounts are most vulnerable immediately after a:

A. Successful remote login.
B. Privileged user is terminated.
C. Default installation is performed.
D. Full system backup is performed.

Answer: C


389. Which tunneling protocol only works on IP networks?


A. IPX
B. L2TP
C. PPTP
D. SSH

Answer: C


390. One of the factors that influence the lifespan of a public key certificate and its associated keys is the:

A. Value of the information it is used to protect.
B. Cost and management fees.
C. Length of the asymmetric hash.
D. Data available openly on the cryptographic system.

Answer: A

391. Users who configure their passwords using simple and meaningful things such as pet names or birthdays are subject to having their account used by an intruder after what type of attack?


A. Dictionary attack
B. Brute Force attack
C. Spoofing attack
D. Random guess attack
E. Man in the middle attack
F. Change list attack
G. Role Based Access Control attack
H. Replay attack
I. Mickey Mouse attack

Answer: A

392. What port does TACACS use?


A. 21
B. 161
C. 53
D. 49

Answer: D

393. What is the advantage of a multi-homed firewall?


A. It is relatively inexpensive to implement.
B. The firewall rules are easier to manage.
C. If the firewall is compromised, only the systems in the DMZ (Demilitarized Zone) are exposed.
D. An attacker must circumvent two firewalls.

Answer: A


394. What type of attack CANNOT be detected by an IDS (Intrusion Detection System)?


A. DoS (Denial of Service)
B. Exploits of bugs or hidden features
C. Spoofed e- mail
D. Port scan

Answer: C


395. By definition, how many keys are needed to lock and unlock data using symmetric- key encryption?


A. 3+
B. 2
C. 1
D. 0

Answer: C


396. Data integrity is best achieved using a(n)

A. Asymmetric cipher
B. Digital certificate
C. Message digest
D. Symmetric cipher


Answer: C


397. Which of the following correctly identifies some of the contents of an user's X.509 certificate?

A. User's public key, object identifiers, and the location of the user's electronic identity.
B. User's public key, the CA (Certificate Authority) distinguished name, and the type of symmetric algorithm used for encryption.
C. User's public key, the certificate's serial number, and the certificate's validity dates.
D. User's public key, the serial number of the CA (Certificate Authority) certificate, and the CRL (Certificate Revocation List) entry point.


Answer: C

398. SSL uses which port?

A. UDP 443
B. TCP 80
C. TCP 443
D. UDP and TCP 445

Answer: C

399. Which of the following is an asymmetric cryptographic algorithm?

A. AES
B. ElGamal
C. IDEA
D. DES

Answer: B


400. The Bell La-Padula access control model consists of four elements. These elements are

A. subjects, objects, roles and groups.
B. read only, read/write, write only and read/write/delete.
C. subjects, objects, access modes and security levels.
D. groups, roles, access modes and security levels.

Answer: C






    

 Copyright © 2004- 2005 "MCSE Braindumps". All rights reserved. MCSE braindumps forum | Database Administration help


===============================================================================================================

1. The best protection against the abuse of remote maintenance of PBX (Private
Branch Exchange) system is to:
A. Keep maintenance features turned off until needed
B. Insist on strong authentication before allowing remote maintenance
C. Keep PBX (Private Branch Exchange) in locked enclosure and restrict access to
only a few people.
D. Check to see if the maintenance caller is on the list of approved maintenance
personnel
Answer: B

2. A high profile company has been receiving a high volume of attacks on their web
site. The network administrator wants to be able to collect information on the
attacker(s) so legal action can be taken.
What should be implemented?
A. A DMZ (Demilitarized Zone)
B. A honey pot
C. A firewall
D. A new subnet
Answer: B

3. The protection of data against unauthorized access or disclosure is an example of
what?
A. Confidentiality
B. Integrity
C. Signing
D. Hashing
Answer: A

4. You are running cabling for a network through a boiler room where the furnace
and some other heavy machinery reside. You are concerned about interference from
these sources.
Which of the following types of cabling provides the best protection from
interference in this area?
A. STP
B. UTP
C. Coaxial
D. Fiber-optic
Answer: D

5. In order for a user to obtain a certificate from a trusted CA (Certificate Authority),
the user must present proof of identity and a:
A. Private key
B. Public key
C. Password
D. Kerberos key
Answer: B

6. If a private key becomes compromised before its certificate’s normal expiration,
X509 defines a method requiring each CA (Certificate Authority) to periodically
issue a signed data structure called a certificate:
A. Enrollment list
B. Expiration list
C. Revocation list
D. Validation list
Answer: C

7. An application that appears to perform a useful function but instead contains some
sort of malicious code is called a _____.
A. Worm
B. SYN flood
C. Virus
D. Trojan Horse
E. Logic Bomb
Answer: D

8. How many bits are employed when using hash encryption?
A. 32
B. 64
C. 128
D. 256
Answer: C

9. What transport protocol and port number does SSH (Secure Shell) use?
A. TCP (Transmission Control Protocol) port 22
B. UDP (User Datagram Protocol) port 69
C. TCP (Transmission Control Protocol) port 179
D. UDP (User Datagram Protocol) port 17
Answer: A

10. While performing a routine site audit of your wireless network, you discover an
unauthorized Access Point placed on your network under the desk of the Accounting
department secretary. When questioned, she denies any knowledge of it, but informs
you that her new boyfriend has been to visit her several times, including taking her
to lunch one time.
What type of attack have you just become a victim of?
A. SYN Flood.
B. Distributed Denial of Service.
C. Man in the Middle attack.
D. TCP Flood.
E. IP Spoofing.
F. Social Engineering
G. Replay attack
H. Phone tag
I. Halloween attack
Answer: F

11. When visiting an office adjacent to the server room, you discover the lock to the
window is broken. Because it is not your office you tell the resident of the office to
contact the maintenance person and have it fixed. After leaving, you fail to follow up
on whether the window was actually repaired.
What effect will this have on the likelihood of a threat associated with the
vulnerability actually occurring?
A. If the window is repaired, the likelihood of the threat occurring will increase.
B. If the window is repaired, the likelihood of the threat occurring will remain
constant.
C. If the window is not repaired, the likelihood of the threat occurring will
decrease.
D. If the window is not repaired, the likelihood of the threat occurring will increase.
Answer: D

12. Providing false information about the source of an attack is known as:
A. Aliasing
B. Spoofing
C. Flooding
D. Redirecting
Answer: B

13. The start of the LDAP (Lightweight Directory Access Protocol) directory is called
the:
A. Head
B. Root
C. Top
D. Tree
Answer: B

14. A company consists of a main building with two smaller branch offices at opposite
ends of the city. The main building and branch offices are connected with fast links
so that all employees have good connectivity to the network.
Each of the buildings has security measures that require visitors to sign in, and all
employees are required to wear identification badges at all times. You want to
protect servers and other vital equipment so that the company has the best level of
security at the lowest possible cost.
Which of the following will you do to achieve this objective?
A. Centralize servers and other vital components in a single room of the main
building, and add security measures to this room so that they are well protected.
B. Centralize most servers and other vital components in a single room of the main
building, and place servers at each of the branch offices. Add security measures to
areas where the servers and other components are located.
C. Decentralize servers and other vital components, and add security measures to
areas where the servers and other components are located.
D. Centralize servers and other vital components in a single room in the main
building. Because the building prevents unauthorized access to visitors and other
persons, there is no need to implement physical security in the server room.
Answer: A

15. You are explaining SSL to a junior administrator and come up to the topic of
handshaking. How many steps are employed between the client and server in the SSL handshake
process?
A. Five
B. Six
C. Seven
D. Eight
Answer: B

16. An administrator notices that an e-mail server is currently relaying e-mail
(including spam) for any e-mail server requesting relaying. Upon further
investigation the administrator notices the existence of /etc/mail/relay-domains.
What modifications should the administrator make to the relay-domains file to
prevent relaying for non-explicitly named domains?
A. Move the .* entry to the bottom of the relay-domains file and restart the e-mail
process.
B. Move the .* entry to the top of the relay-domains file and restart the e-mail
process.
C. Delete the .* entry in the relay-domains file and restart the e-mail process.
D. Delete the relay-domains file from the /etc/mail folder and restart the e-mail
process.
Answer: C

17. Access control decisions are based on responsibilities that an individual user or
process has in an organization.
This best describes:
A. MAC (Mandatory Access Control)
B. RBAC (Role Based Access Control)
C. DAC (Discretionary Access Control)
D. None of the above.
Answer: B

18. A honey pot is _____.
A. A false system or network to attract attacks away from your real network.
B. A place to store passwords.
C. A safe haven for your backup media.
D. Something that exists only in theory.
Answer: A

19. A problem with air conditioning is causing fluctuations in temperature in the server
room. The temperature is rising to 90 degrees when the air conditioner stops
working, and then drops to 60 degrees when it starts working again.
The problem keeps occurring over the next two days.
What problem may result from these fluctuations? (Select the best answer)
A. Electrostatic discharge
B. Power outages
C. Chip creep
D. Poor air quality
Answer: C

20. You have been alerted to the possibility of someone using an application to capture
and manipulate packets as they are passing through your network.
What type of threat does this represent?
A. DDoS
B. Back Door
C. Spoofing
D. Man in the Middle
Answer: D

21. Which of the following media types is most immune to RF (Radio Frequency)
eavesdropping?
A. Coaxial cable
B. Fiber optic cable
C. Twisted pair wire
D. Unbounded
Answer: B

22. What statement is most true about viruses and hoaxes?
A. Hoaxes can create as much damage as a real virus.
B. Hoaxes are harmless pranks and should be ignored.
C. Hoaxes can help educate users about a virus.
D. Hoaxes carry a malicious payload and can be destructive.
Answer: A

23. While connected from home to an ISP (Internet Service Provider), a network
administrator performs a port scan against a corporate server and encounters four
open TCP (Transmission Control Protocol) ports: 25, 110, 143 and 389. Corporate
users in the organization must be able to connect from home, send and receive
messages on the Internet, read e-mail by means of the IMAPv4 (Internet Message
Access Protocol version 4) protocol, and search a directory services database
for user e-mail addresses and digital certificates. All the e-mail related services, as
well as the directory server, run on the scanned server.
Which of the above ports can be filtered out to decrease unnecessary exposure
without affecting functionality?
A. 25
B. 110
C. 143
D. 389
Answer: B

24. A piece of malicious code that can replicate itself, has no productive purpose and
exists only to damage computer systems or create further vulnerabilities is called a:
A. Logic Bomb
B. Worm
C. Trojan Horse
D. SYN flood
E. Virus
Answer: E

25. When evidence is acquired, a log is started that records who had possession of the
evidence for a specific amount of time. This is to avoid allegations that the evidence
may have been tampered with when it was unaccounted for, and to keep track of the
tasks performed in acquiring evidence from a piece of equipment or materials.
What is the term used to describe this process?
A. Chain of command.
B. Chain of custody.
C. Chain of jurisdiction.
D. Chain of evidence.
Answer: B

26. Data integrity is best achieved using a(n)
A. Asymmetric cipher
B. Digital certificate
C. Message digest
D. Symmetric cipher
Answer: C

27. A recent audit shows that a user logged into a server with their user account and
executed a program. The user then performed activities only available to an
administrator.
This is an example of what type of attack?
A. Trojan horse
B. Privilege escalation
C. Subseven back door
D. Security policy removal
Answer: B

28. When a user clicks to browse a secure page, the SSL (Secure Sockets Layer) enabled
server will first:
A. Use its digital certificate to establish its identity to the browser.
B. Validate the user by checking the CRL (Certificate Revocation List).
C. Request the user to produce the CRL (Certificate Revocation List).
D. Display the requested page on the browser, then provide its IP (Internet Protocol)
address for verification
Answer: A

29. You are assessing risks and determining which asset protection policies to create
first. Another member of the IT staff has provided you with a list of assets which
have importance weighted on a scale of 1 to 10. Internet connectivity has an
importance of 8, data has an importance of 9, personnel have an importance of 7,
and software has an importance of 5.
Based on the weights, what is the order in which you will generate new policies?
A. Internet policy, data security, personnel safety policy, software policy.
B. Data security policy, Internet policy, software policy, personnel safety policy.
C. Software policy, personnel safety policy, Internet policy, data security policy.
D. Data security policy, Internet policy, personnel safety policy, software policy.
Answer: D

30. Controlling access to information systems and associated networks is necessary for
the preservation of their:
A. Authenticity, confidentiality, integrity and availability.
B. Integrity and availability.
C. Confidentiality, integrity and availability.
D. Authenticity, confidentiality and availability.
Answer: C

31. What design feature of Instant Messaging makes it extremely insecure compared to
other messaging systems?
A. It is a peer-to-peer network that offers most organizations virtually no control
over it.
B. Most IM clients are actually Trojan Horses.
C. It is a centrally managed system that can be closely monitored.
D. It uses the insecure Internet as a transmission medium.
Answer: A

32. Access controls that are created and administered by the data owner are
considered:
A. MACs (Mandatory Access Control)
B. RBACs (Role Based Access Control)
C. LBACs (List Based Access Control)
D. DACs (Discretionary Access Control)
Answer: D

33. A well defined business continuity plan must consist of risk analysis, business
impact analysis, strategic planning and mitigation, training and awareness,
maintenance and audit and:
A. Security labeling and classification.
B. Budgeting and acceptance.
C. Documentation and security labeling.
D. Integration and validation.
Answer: D

34. John wants to encrypt a sensitive message before sending it to one of his managers.
Which type of encryption is often used for e-mail?
A. S/MIME
B. BIND
C. DES
D. SSL
Answer: A

35. What is the greatest benefit to be gained through the use of S/MIME (Secure
Multipurpose Internet Mail Extensions)? The ability to:
A. Encrypt and digitally sign e-mail messages.
B. Send anonymous e-mails.
C. Send e-mails with a return receipt.
D. Expedite the delivery of e-mail.
Answer: A

36. A _____ occurs when a string of data is sent to a buffer that is larger than the buffer
was designed to handle.
A. Brute Force attack
B. Buffer overflow
C. Man in the middle attack
D. Blue Screen of Death
E. SYN flood
F. Spoofing attack
Answer: B

37. Packet sniffing can be used to obtain username and password information in clear
text from which one of the following?
A. SSH (Secure Shell)
B. SSL (Secure Sockets Layer)
C. FTP (File Transfer Protocol)
D. HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer)
Answer: C

38. A company uses WEP (Wired Equivalent Privacy) for wireless security.
Who may authenticate to the company’s access point?
A. Only the administrator.
B. Anyone can authenticate.
C. Only users within the company.
D. Only users with the correct WEP (Wired Equivalent Privacy) key.
Answer: D

39. As the Security Analyst for your company's network, you become aware that your
systems may be under attack. This kind of attack is a DoS attack, and the exploit
sends more traffic to a node than anticipated.
What kind of attack is this?
A. Ping of death
B. Buffer Overflow
C. Logic Bomb
D. Smurf
Answer: B

40. Following a disaster, while returning to the original site from an alternate site, the
first process to resume at the original site would be the:
A. Least critical process
B. Most critical process.
C. Process most expensive to maintain at an alternate site.
D. Process that has a maximum visibility in the organization.
Answer: A

41. In order to establish a secure connection between headquarters and a branch office
over a public network, the router at each location should be configured to use IPSec
(Internet Protocol Security) in ______ mode.
A. Secure
B. Tunnel
C. Transport
D. Data link
Answer: B

42. The primary purpose of NAT (Network Address Translation) is to:
A. Translate IP (Internet Protocol) addresses into user friendly names.
B. Hide internal hosts from the public network.
C. Use one public IP (Internet Protocol) address on the internal network as a name
server.
D. Hide the public network from internal hosts.
Answer: B

43. Users of Instant Messaging clients are especially prone to what?
A. Theft of root user credentials.
B. Disconnection from the file server.
C. Hostile code delivered by file transfer.
D. Slow Internet connections.
E. Loss of email privileges.
F. Blue Screen of Death errors.
Answer: C

44. Which two of the following are symmetric-key algorithms used for encryption?
A. Stream-cipher
B. Block
C. Public
D. Secret
Answer: A, B

45. Computer forensics experts collect and analyze data using which of the following
guidelines so as to minimize data loss?
A. Evidence
B. Chain of custody
C. Chain of command
D. Incident response
Answer: B

46. A DMZ (Demilitarized Zone) typically contains:
A. A customer account database
B. Staff workstations
C. An FTP (File Transfer Protocol) server
D. A SQL (Structured Query Language) based database server
Answer: C

47. What kind of attack is a type of security breach to a computer system that does not
usually result in the theft of information or other security loss, but in the loss of
legitimate use of that system?
A. CRL
B. DOS
C. ACL
D. MD2
Answer: B

48. User A needs to send a private e-mail to User B. User A does not want anyone to
have the ability to read the e-mail except for User B, thus retaining privacy.
Which tenet of information security is User A concerned about?
A. Authentication
B. Integrity
C. Confidentiality
D. Non-repudiation
Answer: C

49. You are researching the ARO and need to find specific data that can be used for
risk assessment.
Which of the following will you use to find information?
A. Insurance companies
B. Stockbrokers
C. Manuals included with software and equipment.
D. None of the above. There is no way to accurately predict the ARO.
Answer: A

50. Giving each user or group of users only the access they need to do their job is an
example of which security principle?
A. Least privilege
B. Defense in depth
C. Separation of duties
D. Access control
Answer: A

51. Documenting change levels and revision information is most useful for:
A. Theft tracking
B. Security audits
C. Disaster recovery
D. License enforcement
Answer: C

52. One way to limit hostile sniffing on a LAN (Local Area Network) is by installing:
A. An ethernet switch.
B. An ethernet hub.
C. A CSU/DSU (Channel Service Unit/Data Service Unit).
D. A firewall.
Answer: A

53. Notable security organizations often recommend only essential services be provided
by a particular host, and any unnecessary services be disabled.
Which of the following does NOT represent a reason supporting this
recommendation?
A. Each additional service increases the risk of compromising the host, the services
that run on the host, and potential clients of these services.
B. Different services may require different hardware, software, or a different
discipline of administration.
C. When fewer services and applications are running on a specific host, fewer log
entries and fewer interactions between different services are expected, which
simplifies the analysis and maintenance of the system from a security point of
view.
D. If a service is not using a well known port, firewalls will not be able to disable
access to this port, and an administrator will not be able to restrict access to this
service.
Answer: D

54. Which of the following backup methods copies only modified files since the last full
backup?
A. Full
B. Differential
C. Incremental
D. Archive
Answer: B
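
Added illustration (not from the exam material) of what each backup type copies
and what has to be restored afterwards. The files, the change history and the
archive-bit convention used to track modifications are constructed for the example:

```python
# Constructed file set and change history (not from the exam material).
ALL_FILES = {"os.img", "payroll.db", "notes.txt", "photos.zip"}
CHANGES = {                     # day -> files modified that day
    1: {"payroll.db", "notes.txt"},
    2: {"notes.txt"},
    3: {"photos.zip"},
}


def simulate(schedule, changes=CHANGES, all_files=ALL_FILES):
    """Run a backup schedule such as {0: "full", 1: "incremental", ...}.

    Each file carries an archive bit that a modification sets. A full or
    incremental backup clears the bits of what it copied; a differential
    backup leaves them set, which is exactly why it copies everything changed
    since the last full. Returns {day: set of files copied that day}.
    """
    archive_bit = {f: True for f in all_files}   # every file is new before the first full
    copied = {}
    for day in sorted(schedule):
        for f in changes.get(day, ()):
            archive_bit[f] = True
        kind = schedule[day]
        if kind == "full":
            chosen = set(all_files)
        elif kind in ("incremental", "differential"):
            chosen = {f for f, bit in archive_bit.items() if bit}
        else:
            raise ValueError(f"unknown backup type {kind!r}")
        if kind != "differential":
            for f in chosen:
                archive_bit[f] = False
        copied[day] = chosen
    return copied


def restore_set(schedule, up_to_day):
    """Backups needed to restore the state at up_to_day. Assumes the schedule
    uses only one of incremental or differential after each full backup
    (mixing the two needs a more careful chain than this shows)."""
    full_day = max(d for d in schedule if d <= up_to_day and schedule[d] == "full")
    later = [d for d in sorted(schedule) if full_day < d <= up_to_day]
    if not later:
        return [full_day]
    if schedule[later[-1]] == "incremental":
        return [full_day] + later           # the full plus every incremental, in order
    return [full_day, later[-1]]            # the full plus only the newest differential


INCREMENTAL = {0: "full", 1: "incremental", 2: "incremental", 3: "incremental"}
DIFFERENTIAL = {0: "full", 1: "differential", 2: "differential", 3: "differential"}

if __name__ == "__main__":
    for name, sched in (("incremental", INCREMENTAL), ("differential", DIFFERENTIAL)):
        print(name, {d: sorted(files) for d, files in simulate(sched).items()})
        print("  restore day 3 from backups:", restore_set(sched, 3))
```

The trade-off the question points at: differential sets grow every day but a restore needs only two sets; incremental sets stay small but a restore needs the full plus every incremental since, in order, and loses everything after the first missing one.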

55. You are compiling estimates on how much money the company could lose if a risk
occurred one time in the future.
Which of the following would these amounts represent?
A. ARO
B. SLE
C. ALE
D. Asset identification
Answer: B
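
Worked example of the ARO / SLE / ALE arithmetic behind questions 29, 49 and 55, added
here as an illustration; it is not part of the exam material, and the asset values,
exposure factors and rates of occurrence are made-up assumptions:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One risk to one asset. All values are constructed for illustration."""
    name: str
    asset_value: float      # AV: what the asset is worth to the business
    exposure_factor: float  # EF: fraction of AV lost in a single occurrence (0..1)
    aro: float              # ARO: expected occurrences per year (e.g. insurers' loss data)

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF: the loss from the risk occurring once (Q55)."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO: expected loss per year."""
        return self.sle * self.aro


def prioritize(risks):
    """Highest ALE first: the order in which to write policies and fund controls."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def safeguard_value(risk, aro_after, annual_cost):
    """Net yearly value of a control that reduces ARO to aro_after and costs annual_cost.
    Positive: the control pays for itself. Negative: accept, transfer (insure) or avoid instead."""
    ale_after = risk.sle * aro_after
    return (risk.ale - ale_after) - annual_cost


# Constructed asset list (not the page's 1-10 weights): three risks for a small company.
RISKS = [
    Risk("file server compromise", asset_value=200_000, exposure_factor=0.5, aro=0.1),
    Risk("internet link outage", asset_value=50_000, exposure_factor=1.0, aro=2.0),
    Risk("laptop theft", asset_value=3_000, exposure_factor=1.0, aro=5.0),
]

if __name__ == "__main__":
    for r in prioritize(RISKS):
        print(f"{r.name:24s} SLE={r.sle:>10,.0f} ALE={r.ale:>10,.0f}")
    # A redundant link costing 15,000/year that cuts outages to 0.2/year:
    print("redundant link net value:", safeguard_value(RISKS[1], aro_after=0.2, annual_cost=15_000))
```

When the numbers exist, rank by ALE rather than by a raw importance score: a cheap,
frequent loss can outrank an expensive but rare one. The safeguard check is the step
that turns a risk figure into a purchasing decision.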

56. The term “due care” best relates to:
A. Policies and procedures intended to reduce the likelihood of damage or injury.
B. Scheduled activity in a comprehensive preventative maintenance program.
C. Techniques and methods for secure shipment of equipment and supplies.
D. User responsibilities involved when sharing passwords in a secure environment.
Answer: A

57. Advanced Encryption Standard (AES) is an encryption algorithm for securing
sensitive but unclassified material by U.S. Government agencies.
What type of encryption is it from the list below?
A. WTLS
B. Symmetric
C. Multifactor
D. Asymmetric
Answer: B

58. You are the first person to respond to the scene of an incident involving a computer
being hacked. After determining the scope of the crime scene and securing it, you
attempt to preserve evidence at the scene.
Which of the following tasks will you perform to preserve evidence? (Choose all that
apply)
A. Photograph any information displayed on the monitors of computers involved in
the incident.
B. Document any observation or messages displayed by the computer.
C. Shut down the computer to prevent further attacks that may modify data.
D. Gather up manuals, nonfunctioning devices, and other materials and equipment in
the area so they are ready for transport.
Answer: A, B

59. At what stage of an assessment would an auditor test systems for weaknesses and
attempt to defeat existing encryption, passwords and access lists?
A. Penetration
B. Control
C. Audit planning
D. Discovery
Answer: A

60. When examining the server’s list of protocols that are bound and active on each
network interface card, the network administrator notices a relatively large number
of protocols.
Which actions should be taken to ensure network security?
A. Unnecessary protocols do not pose a significant risk to the system and should be left
intact for compatibility reasons.
B. There are no unneeded protocols on most systems because protocols are chosen
during the installation.
C. Unnecessary protocols should be disabled on all server and client machines on a
network as they pose a great risk.
D. Using port filtering ACLs (Access Control List) at firewalls and routers is
sufficient to stop malicious attacks on unused protocols.
Answer: C

61. Which of the following describes the concept of data integrity?
A. A means of determining what resources a user can use and view.
B. A method of security that ensures all data is sequenced, and numbered.
C. A means of minimizing vulnerabilities of assets and resources.
D. A mechanism applied to indicate a data’s level of security.
Answer: B

62. In a decentralized privilege management environment, user accounts and passwords
are stored on:
A. One central authentication server.
B. Each individual server.
C. No more than two servers.
D. One server configured for decentralized management.
Answer: B

63. In context of wireless networks, WEP (Wired Equivalent Privacy) was designed to:
A. Provide the same level of security as a wired LAN (Local Area Network).
B. Provide a collision preventive method of media access.
C. Provide a wider access area than that of wired LANs (Local Area Network).
D. Allow radio frequencies to penetrate walls.
Answer: A

64. What two functions does IPSec perform? (Choose two)
A. Provides the Secure Shell (SSH) for data confidentiality.
B. Provides the Password Authentication Protocol (PAP) for user authentication.
C. Provides the Authentication Header (AH) for data integrity.
D. Provides the Internet Protocol (IP) for data integrity.
E. Provides the Nonrepudiation Header (NH) for identity integrity.
F. Provides the Encapsulation Security Payload (ESP) for data confidentiality.
Answer: C, F

65. A primary drawback to using shared storage clustering for high availability and
disaster recovery is:
A. The creation of a single point of vulnerability.
B. The increased network latency between the host computers and the RAID
(Redundant Array of Independent Disk) subsystem.
C. The asynchronous writes which must be used to flush the server cache.
D. The high storage capacity required by the RAID (Redundant Array of
Independent Disks) subsystem.
Answer: A

66. What are two common methods when using a public key infrastructure for
maintaining access to servers in a network?
A. ACL and PGP.
B. PIM and CRL.
C. CRL and OCSP.
D. RSA and MD2
Answer: C

67. After installing a new operating system, what configuration changes should be
implemented?
A. Create application user accounts.
B. Rename the guest account.
C. Rename the administrator account, disable the guest account.
D. Create a secure administrator account.
Answer: C

68. Users who configure their passwords using simple and meaningful things such as
pet names or birthdays are subject to having their account used by an intruder after
what type of attack?
A. Dictionary attack
B. Brute Force attack
C. Spoofing attack
D. Random guess attack
E. Man in the middle attack
F. Change list attack
G. Role Based Access Control attack
H. Replay attack
I. Mickey Mouse attack
Answer: A

69. By definition, how many keys are needed to lock and unlock data using symmetric-key
encryption?
A. 3+
B. 2
C. 1
D. 0
Answer: C

70. What kind of attack are hashed passwords vulnerable to?
A. Man in the middle.
B. Dictionary or brute force.
C. Reverse engineering.
D. DoS (Denial of Service)
Answer: B
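
Added example, not part of the exam material, showing the dictionary attack of
questions 68 and 70 against a leaked table of password hashes, and why salting and
key stretching change its cost rather than prevent it. The wordlist, the users and
their passwords are constructed; only the standard library is used:

```python
import hashlib
import hmac
import os

# Constructed wordlist (pet names, birthdays, seasons) and a constructed user table.
WORDLIST = ["fluffy", "rex", "19840512", "summer2021", "password", "letmein"]
USERS = {"alice": "fluffy", "bob": "19840512", "carol": "Tr0ub4dor&3-x9!"}


def unsalted_table(users):
    """How not to store passwords: one unsalted SHA-256 per password."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}


def salted_table(users, iterations=200_000):
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (stdlib); the salt and the
    iteration count are stored next to the derived key, not kept secret."""
    table = {}
    for u, p in users.items():
        salt = os.urandom(16)
        table[u] = (salt, iterations, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations))
    return table


def crack_unsalted(table, wordlist=WORDLIST):
    """One hash per candidate word recovers every user who chose that word:
    the cost is len(wordlist) hashes regardless of how many users leaked."""
    lookup = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {u: lookup[h] for u, h in table.items() if h in lookup}


def crack_salted(table, wordlist=WORDLIST):
    """Returns (recovered, hash_operations). Salting forces the wordlist to be
    rerun per user and the iteration count multiplies the cost of every guess;
    weak passwords still fall, strong ones only after exhausting the list."""
    recovered, work = {}, 0
    for u, (salt, iters, dk) in table.items():
        for w in wordlist:
            work += iters
            guess = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iters)
            if hmac.compare_digest(guess, dk):
                recovered[u] = w
                break
    return recovered, work


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(unsalted_table(USERS)))
    recovered, work = crack_salted(salted_table(USERS))
    print("salted + stretched:", recovered, "after", work, "hash operations")
```

Both attacks recover alice and bob, whose passwords are in the list; carol survives
only because hers is not. The difference is cost: six hashes in total for the
unsalted table, against six guesses per user times the iteration count for the
salted one, which is what makes bulk cracking of a large leak impractical.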

71. What is one advantage of the NTFS file system over the FAT16 and FAT32 file
systems?
A. Integral support for streaming audio files.
B. Integral support for UNIX compatibility.
C. Integral support for dual-booting with Red Hat Linux.
D. Integral support for file and folder level permissions.
Answer: D

72. You have identified a number of risks to which your company’s assets are exposed,
and want to implement policies, procedures, and various security measures.
In doing so, what will be your objective?
A. Eliminate every threat that may affect the business.
B. Manage the risks so that the problems resulting from them will be minimized.
C. Implement as many security measures as possible to address every risk that an
asset may be exposed to.
D. Ignore as many risks as possible to keep costs down.
Answer: B

73. Which of the following results in a domain name server resolving the domain name
to a different address and thus misdirecting Internet traffic?
A. DoS (Denial of Service)
B. Spoofing
C. Brute force attack
D. Reverse DNS (Domain Name Service)
Answer: B

74. Active detection IDS systems may perform which of the following when an
unauthorized connection attempt is discovered? (Choose all that apply)
A. Inform the attacker that he is connecting to a protected network.
B. Shut down the server or service.
C. Provide the attacker the usernames and passwords for administrative accounts.
D. Break off suspicious connections.
Answer: B, D

75. Honey pots are useful in preventing attackers from gaining access to critical system.
True or false?
A. True
B. False
C. It depends on the style of attack used.
Answer: A

76. An autonomous agent that copies itself into one or more host programs, then
propagates when the host is run, is best described as a:
A. Trojan horse
B. Back door
C. Logic bomb
D. Virus
Answer: D

77. What technology was originally designed to decrease broadcast traffic but is also
beneficial in reducing the likelihood of having information compromised by
sniffers?
A. VPN (Virtual Private Network)
B. DMZ (Demilitarized Zone)
C. VLAN (Virtual Local Area Network)
D. RADIUS (Remote Authentication Dial-in User Service)
Answer: C

78. Of the following services, which one determines what a user can change or view?
A. Data integrity
B. Data confidentiality
C. Data authentication
D. Access control
Answer: D

79. IMAP4 requires port ____ to be open.
A. 80
B. 3869
C. 22
D. 21
E. 23
F. 25
G. 110
H. 143
I. 443
Answer: H

80. What are access decisions based on in a MAC (Mandatory Access Control)
environment?
A. Access control lists
B. Ownership
C. Group membership
D. Sensitivity labels
Answer: D

81. As the Security Analyst for your company's network, you want to implement AES.
What algorithm will it use?
A. Rijndael
B. Nagle
C. Spanning Tree
D. PKI
Answer: A

82. When securing a FTP (File Transfer Protocol) server, what can be done to ensure
that only authorized users can access the server?
A. Allow blind authentication.
B. Disable anonymous authentication.
C. Redirect FTP (File Transfer Protocol) to another port.
D. Only give the address to users that need access.
Answer: B

83. Asymmetric cryptography ensures that:
A. Encryption and authentication can take place without sharing private keys.
B. Encryption of the secret key is performed with the fastest algorithm available.
C. Encryption occurs only when both parties have been authenticated.
D. Encryption factoring is limited to the session key.
Answer: A

84. You are promoting user awareness in forensics, so users will know what to do when
incidents occur with their computers.
Which of the following tasks should you instruct users to perform when an incident
occurs? (Choose all that apply)
A. Shut down the computer.
B. Contact the incident response team.
C. Document what they see on the screen.
D. Log off the network.
Answer: B, C

85. When a session is initiated between a Transmission Control Protocol (TCP) client
and server in a network, a very small buffer space exists to handle the usually rapid
“hand-shaking” exchange of messages that sets up the session.
What kind of attack exploits this functionality?
A. Buffer Overflow
B. SYN Attack
C. Smurf
D. Birthday Attack
Answer: B
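
Added simulation, not exam material, of the half-open table a listener keeps between
the SYN and the final ACK, and of how a burst of SYNs from spoofed sources that never
answer exhausts it. The backlog size, timeout, addresses and the SYN-cookie secret are
constructed values and no real sockets are used; the cookie scheme is the standard
stateless idea (a MAC over the client tuple and a time window used as the ISN):

```python
import hashlib
import hmac
import random


class Listener:
    """Toy TCP listener keeping half-open connections in a bounded table.
    backlog, timeout and the cookie secret are constructed values."""

    def __init__(self, backlog=8, timeout=30.0, syn_cookies=False, secret=b"constructed-secret"):
        self.backlog, self.timeout = backlog, timeout
        self.syn_cookies, self.secret = syn_cookies, secret
        self.half_open = {}          # (src, port) -> (arrival time, our ISN)
        self.established = set()
        self.dropped_syns = 0

    def _cookie(self, src, port, now):
        # SYN cookie: the ISN is a MAC over the client tuple and a coarse time window,
        # so nothing is stored until the ACK proves the client really exists.
        # (Real stacks also accept the previous window; this toy checks one.)
        msg = f"{src}:{port}:{int(now // 60)}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def expire(self, now):
        for key in [k for k, (t, _) in self.half_open.items() if now - t > self.timeout]:
            del self.half_open[key]

    def on_syn(self, src, port, now):
        """First handshake message. Returns our SYN-ACK sequence number, or None if dropped."""
        self.expire(now)
        if self.syn_cookies:
            return self._cookie(src, port, now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1             # the attack: the table is full of spoofed SYNs
            return None
        isn = random.getrandbits(32)
        self.half_open[(src, port)] = (now, isn)
        return isn

    def on_ack(self, src, port, ack, now):
        """Third handshake message. Valid if it acknowledges our ISN + 1."""
        if self.syn_cookies:
            ok = ack == (self._cookie(src, port, now) + 1) & 0xFFFFFFFF
        else:
            entry = self.half_open.pop((src, port), None)
            ok = entry is not None and ack == (entry[1] + 1) & 0xFFFFFFFF
        if ok:
            self.established.add((src, port))
        return ok


def flood_then_connect(syn_cookies, spoofed=100):
    """Return (connected during the flood, connected after the half-open entries time out)."""
    listener = Listener(syn_cookies=syn_cookies)
    for i in range(spoofed):                           # spoofed sources never send the ACK
        listener.on_syn(f"198.51.100.{i % 250}", 40000 + i, now=0.0)

    def handshake(port, t):
        isn = listener.on_syn("10.0.0.5", port, now=t)
        return isn is not None and listener.on_ack("10.0.0.5", port, (isn + 1) & 0xFFFFFFFF, now=t + 0.1)

    return handshake(51234, 1.0), handshake(51235, 40.0)


if __name__ == "__main__":
    print("no cookies:  during flood, after timeout =", flood_then_connect(False))
    print("SYN cookies: during flood, after timeout =", flood_then_connect(True))
```

Without cookies the legitimate client is refused for as long as the attacker keeps the
table full, which costs the attacker only one packet per slot per timeout; with cookies
the listener stores nothing per SYN and the flood has nothing to exhaust.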

86. A program that can infect other programs by modifying them to include a version of
itself is a:
A. Replicator
B. Virus
C. Trojan horse
D. Logic bomb
Answer: B

87. A collection of information that includes login, file access, other various activities,
and actual or attempted legitimate and unauthorized violations is a(n):
A. Audit
B. ACL (Access Control List)
C. Audit trail
D. Syslog
Answer: C

88. Forensic procedures must be followed exactly to ensure the integrity of data
obtained in an investigation. When making copies of data from a machine that is
being examined, which of the following tasks should be done to ensure it is an exact
duplicate?
A. Perform a cyclic redundancy check using a checksum or hashing algorithm.
B. Change the attributes of data to make it read only.
C. Open files on the original media and compare them to the copied data.
D. Do nothing. Imaging software always makes an accurate image.
Answer: A
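
Added example (not page material) of the checksum/hash verification in question 88,
which is the same message-digest integrity check as question 26. The "disk image" is
an in-memory byte string constructed here, and the digest names are Python's hashlib
names:

```python
import hashlib
import io


def digest_stream(stream, algorithms=("md5", "sha256"), chunk_size=1 << 16):
    """Hash a file-like object in fixed-size chunks so a multi-gigabyte image
    never has to fit in memory. Returns {algorithm: hex digest}.

    Two digests are kept because examiners still record MD5 next to a modern
    hash for compatibility with older tools; the copy must match on all of them."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(original, copy, **kw):
    """Return (is_exact_duplicate, report). Any digest that differs means the
    copy is not evidence-grade and must be re-imaged."""
    a, b = digest_stream(original, **kw), digest_stream(copy, **kw)
    report = {name: (a[name], b[name], a[name] == b[name]) for name in a}
    return all(ok for _, _, ok in report.values()), report


def verify_bytes(original: bytes, copy: bytes, **kw) -> bool:
    """Convenience wrapper for in-memory data."""
    return verify_copy(io.BytesIO(original), io.BytesIO(copy), **kw)[0]


def hexdigest_of(data: bytes, algorithm="sha256", chunk_size=1 << 16) -> str:
    return digest_stream(io.BytesIO(data), (algorithm,), chunk_size)[algorithm]


# Constructed "disk image": 256 KiB of patterned bytes, plus a copy with one bit flipped.
ORIGINAL = bytes(range(256)) * 1024
TAMPERED = ORIGINAL[:100_000] + bytes([ORIGINAL[100_000] ^ 0x01]) + ORIGINAL[100_001:]

if __name__ == "__main__":
    print("exact copy:", verify_bytes(ORIGINAL, ORIGINAL))
    ok, report = verify_copy(io.BytesIO(ORIGINAL), io.BytesIO(TAMPERED))
    print("one bit changed:", ok)
    for name, (h1, h2, same) in report.items():
        print(f"  {name}: {h1[:16]}... vs {h2[:16]}... match={same}")
```

Record the digests of the original before imaging, of the image immediately after,
and again whenever the image is handed over (the chain-of-custody log of question 25
is where those values live); a single flipped bit anywhere in the image changes every
digest.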

89. Which of the following statements describes how a DAC (Discretionary Access Control) system operates?
A. Files that don’t have an owner cannot be modified.
B. The administrator of the system is an owner of each object.
C. The operating system is an owner of each object.
D. Each object has an owner, which has full control over the object.
Answer: D

90. You have decided to implement biometrics as part of your security system.
Before purchasing a locking system that uses biometrics to control access to secure
areas, you need to decide what will be used to authenticate users.
Which of the following options relies solely on biometric authentication?
A. Username and password.
B. Fingerprints, retinal scans, PIN numbers, and facial characteristics.
C. Voice patterns, fingerprints, and retinal scans.
D. Strong passwords, PIN numbers, and digital imaging.
Answer: C

91. As the Security Analyst for your company's network, you want to implement Single
Signon technology.
What benefit can you expect to get when implementing Single Signon?
A. You will need to log on twice at all times.
B. You can allow for system wide permissions with it.
C. You can install multiple applications.
D. You can browse multiple directories.
Answer: D

92. Many intrusion detection systems look for known patterns or _____ to aid in
detecting attacks.
A. Viruses
B. Signatures
C. Hackers
D. Malware
Answer: B
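
Added example (not exam material) of signature matching over constructed web-server
log lines, with the active response of question 74 bolted on. The signatures, addresses
and log format are made up, and the firewall call is a placeholder hook:

```python
import re
from collections import namedtuple

Signature = namedtuple("Signature", "name field pattern severity")

# Constructed signatures. 'field' scopes the pattern to one part of the log line,
# which is what keeps the scanner signature from firing on a file called nmap-*.tar.gz.
SIGNATURES = [
    Signature("directory traversal", "request", re.compile(r"(\.\./){2,}"), "high"),
    Signature("cmd.exe request", "request", re.compile(r"cmd\.exe", re.I), "high"),
    Signature("SQL tautology", "request", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I), "medium"),
    Signature("scanner user-agent", "agent", re.compile(r"nikto|sqlmap|nmap", re.I), "low"),
]

# Common-log-style lines: src - - "request" status "user-agent" (constructed)
LOG_RE = re.compile(r'^(?P<src>\S+) - - "(?P<request>[^"]*)" (?P<status>\d+) "(?P<agent>[^"]*)"$')

LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.9 - - "GET /../../../../etc/passwd HTTP/1.1" 404 "curl/7.68"',
    '203.0.113.9 - - "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 "-"',
    "198.51.100.4 - - \"GET /login?user=admin' OR '1'='1 HTTP/1.1\" 200 \"Mozilla/5.0\"",
    '10.0.0.7 - - "GET /downloads/nmap-7.94.tar.gz HTTP/1.1" 200 "Mozilla/5.0"',
    '192.0.2.8 - - "GET /robots.txt HTTP/1.1" 200 "sqlmap/1.7"',
]


def detect(lines, signatures=SIGNATURES):
    """Passive detection: return (src, signature name, severity) for every match."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line: log it elsewhere, do not guess
        for sig in signatures:
            if sig.pattern.search(m.group(sig.field)):
                alerts.append((m["src"], sig.name, sig.severity))
    return alerts


def respond(alerts, block_hook, severity="high"):
    """Active response (question 74, option D): break off connections from sources
    that triggered a signature of the given severity. block_hook stands in for a
    firewall call; the caller decides what it does. Returns the blocked sources."""
    blocked = set()
    for src, _name, sev in alerts:
        if sev == severity and src not in blocked:
            block_hook(src)
            blocked.add(src)
    return blocked


if __name__ == "__main__":
    found = detect(LOG_LINES)
    for alert in found:
        print(alert)
    print("blocked:", respond(found, block_hook=lambda src: print("  firewall: drop", src)))
```

The fifth line is the false positive (question 3 in the first block of this page)
a naive whole-line match would raise: the word nmap appears in a filename, not in the
user-agent. Scoping each signature to a parsed field is the cheapest way to cut that
noise, and it matters more once responses are automatic, since a false positive then
blocks a real user.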

93. What type of authentication may be needed when a stored key and memorized
password are not strong enough and additional layers of security are needed?
A. Mutual
B. Multi-factor
C. Biometric
D. Certificate
Answer: B

94. You are the first to arrive at a crime scene in which a hacker is accessing
unauthorized data on a file server from across the network.
To secure the scene, which of the following actions should you perform?
A. Prevent members of the organization from entering the server room.
B. Prevent members of the incident response team from entering the server room.
C. Shut down the server to prevent the user from accessing further data.
D. Detach the network cable from the server to prevent the user from accessing
further data.
Answer: A, D

95. You are the first person to arrive at a crime scene. An investigator and crime scene
technician arrive afterwards to take over the investigation.
Which of the following tasks will the crime scene technician be responsible for
performing?
A. Ensure that any documentation and evidence you possess is handed over to the
investigator.
B. Reestablish a perimeter as new evidence presents itself.
C. Establish a chain of command.
D. Tag, bag, and inventory evidence.
Answer: D

96. The de facto IT (Information Technology) security evaluation criteria for the
international community is called:
A. Common Criteria
B. Global Criteria
C. TCSEC (Trusted Computer System Evaluation Criteria)
D. ITSEC (Information Technology Security Evaluation Criteria)
Answer: A

97. Which of the following is a technical solution that supports high availability?
A. UDP (User Datagram Protocol)
B. Anti-virus solution
C. RAID (Redundant Array of Independent Disks)
D. Firewall
Answer: C

98. Which of the following is an example of an asymmetric algorithm?
A. CAST (Carlisle Adams Stafford Tavares)
B. RC5 (Rivest Cipher 5)
C. RSA (Rivest Shamir Adleman)
D. SHA-1 (Secure Hashing Algorithm 1)
Answer: C

99. Dave is increasing the security of his Web site by adding SSL (Secure Sockets
Layer).
Which type of encryption does SSL use?
A. Asymmetric
B. Symmetric
C. Public Key
D. Secret
Answer: B
Explanation: SSL uses both. The server's public key (asymmetric) is used only in the
handshake to authenticate the server and agree on a session key; the page data itself is
then encrypted with a symmetric cipher, because symmetric ciphers are far faster for bulk
traffic. Exam questions of this era key on the symmetric session encryption.

100. What would NOT improve the physical security of workstations?
A. Lockable cases, keyboards, and removable media drives.
B. Key or password protected configuration and setup.
C. Password required to boot.
D. Strong passwords.
Answer: D
Explanation: Lockable cases, key or password protected setup and a password required to
boot all restrict physical access to the machine or its hardware configuration. A strong
password is a logical control: it does nothing to stop someone opening the case or
walking off with a drive.

101. What are the four major components of ISAKMP (Internet Security Association
and Key Management Protocol)?
A. Authentication of peers, threat management, communication management, and
cryptographic key establishment.
B. Authentication of peers, threat management, communication management, and
cryptographic key establishment and management.
C. Authentication of peers, threat management, security association creation and
management cryptographic key establishment and management.
D. Authentication of peers, threat management, security association creation and
management and cryptographic key management.
Answer: C
Explanation: The four major functional components of ISAKMP are:
. Authentication of communications peers.
. Threat mitigation.
. Security association creation and management.
. Cryptographic key establishment and management.

102. Security training should emphasise that the weakest links in the security of an
organization are typically:
A. Firewalls
B. Policies
C. Viruses
D. People
Answer: D

103. IEEE (Institute of Electrical and Electronics Engineers) 802.11b is capable of
providing data rates of up to:
A. 10 Mbps (Megabits per second)
B. 10.5 Mbps (Megabits per second)
C. 11 Mbps (Megabits per second)
D. 12 Mbps (Megabits per second)
Answer: C

104. The standard encryption algorithm based on Rijndael is known as:
A. AES (Advanced Encryption Standard)
B. 3DES (Triple Data Encryption Standard)
C. DES (Data Encryption Standard)
D. Skipjack
Answer: A
Explanation: Rijndael is a symmetric-key block cipher. After a competition Rijndael
was selected as the successor to DES and became the Advanced Encryption Standard, or
AES.

105. Security controls may become vulnerabilities in a system unless they are:
A. Designed and implemented by the system vendor.
B. Adequately tested.
C. Implemented at the application layer in the system.
D. Designed to use multiple factors of authentication.
Answer: B

106. Which of the following is considered the best technical solution for reducing the
threat of a man in the middle attack?
A. Virtual LAN (Local Area Network)
B. GRE (Generic Routing Encapsulation) tunnel / IPIP (Internet Protocol-within-
Internet Protocol Encapsulation Protocol)
C. PKI (Public Key Infrastructure)
D. Enforcement of badge system
Answer: C

107. Access controls based on security labels associated with each data item and each
user are known as:
A. MACs (Mandatory Access Control)
B. RBACs (Role Based Access Control)
C. LBACs (List Based Access Control)
D. DACs (Discretionary Access Control)
Answer: A
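
Questions 17, 32, 80, 89 and 107 contrast the three access control models. Added
example, not exam material, implementing each model's decision rule on constructed
users, objects, labels and roles; the label ordering and the Bell-LaPadula read/write
rules are the standard ones, everything else is made up:

```python
from enum import IntEnum


class Label(IntEnum):
    """Sensitivity labels, ordered low to high (constructed set)."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# DAC: every object has an owner, and the owner alone decides who else gets what (Q32, Q89).
class DacObject:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write", "chmod"}}   # full control for the owner

    def can_grant(self, actor):
        return "chmod" in self.acl.get(actor, set())

    def grant(self, actor, subject, perms):
        if not self.can_grant(actor):
            raise PermissionError(f"{actor} may not change the ACL of {self.owner}'s object")
        self.acl.setdefault(subject, set()).update(perms)

    def allowed(self, subject, perm):
        return perm in self.acl.get(subject, set())


# MAC: the system compares the user's clearance with the object's label; owners cannot
# override it (Q80, Q107). The rules are the Bell-LaPadula confidentiality rules.
def mac_allowed(clearance, obj_label, perm):
    if perm == "read":
        return clearance >= obj_label      # simple security property: no read up
    if perm == "write":
        return clearance <= obj_label      # *-property: no write down
    return False


# RBAC: permissions hang off roles that mirror job responsibilities; users get roles (Q17).
ROLE_PERMS = {
    "payroll_clerk": {("payroll", "read"), ("payroll", "write")},
    "auditor": {("payroll", "read"), ("audit_log", "read")},
}
USER_ROLES = {"dana": {"payroll_clerk"}, "eve": {"auditor"}}


def rbac_allowed(user, obj, perm, role_perms=ROLE_PERMS, user_roles=USER_ROLES):
    return any((obj, perm) in role_perms.get(role, set()) for role in user_roles.get(user, set()))


if __name__ == "__main__":
    doc = DacObject("alice")
    doc.grant("alice", "bob", {"read"})
    print("DAC  bob read:", doc.allowed("bob", "read"), " bob write:", doc.allowed("bob", "write"))
    print("MAC  SECRET user reads CONFIDENTIAL:", mac_allowed(Label.SECRET, Label.CONFIDENTIAL, "read"),
          " writes CONFIDENTIAL:", mac_allowed(Label.SECRET, Label.CONFIDENTIAL, "write"))
    print("RBAC eve writes payroll:", rbac_allowed("eve", "payroll", "write"),
          " eve reads audit_log:", rbac_allowed("eve", "audit_log", "read"))
```

The MAC write rule is the one that surprises people: a SECRET user may not write into
a CONFIDENTIAL file, not because they lack authority but because the label system must
prevent higher-classified data from leaking downward. In DAC nothing stops an owner
from granting the world access, which is why DAC alone does not meet that requirement.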

108. An extranet would be best defined as an area or zone:
A. Set aside for business to store extra servers for internal use.
B. Accessible to the general public for accessing the business’ web site.
C. That allows a business to securely transact with other businesses.
D. Added after the original network was built for additional storage.
Answer: C
Explanation: An extranet is a private network that uses the Internet protocol and the
public telecommunication system to securely share part of a business's information or
operations with suppliers, vendors, partners, customers, or other businesses. An extranet
can be viewed as part of a company's intranet that is extended to users outside the
company.

109. What authentication problem is addressed by single sign on?
A. Authorization through multiple servers.
B. Multiple domains.
C. Multi-factor authentication.
D. Multiple usernames and passwords.
Answer: D

110. An administrator is concerned with viruses in e-mail attachments being distributed
and inadvertently installed on users’ workstations. If the administrator sets up an
attachment filter, what types of attachments should be filtered from e-mails to
minimize the danger of viruses?
A. Text file
B. Image files
C. Sound files
D. Executable files
Answer: D

111. When an ActiveX control is executed, it executes with the privileges of the:
A. Current user account
B. Administrator account
C. Guest account
D. System account
Answer: A

112. IDEA (International Data Encryption Algorithm), Blowfish, RC5 (Rivest Cipher 5)
and CAST-128 are encryption algorithms of which type?
A. Symmetric
B. Asymmetric
C. Hashing
D. Elliptic curve
Answer: A
Explanation: A few well-known examples of symmetric encryption algorithms are:
DES, Triple-DES (3DES), IDEA, CAST-128, BLOWFISH, RC5, and TWOFISH.
Note: When using symmetric algorithms, both parties share the same key for encryption and
decryption. To provide privacy, this key needs to be kept secret. Once somebody else
gets to know the key, it is not safe any more. Symmetric algorithms have the advantage
of not consuming too much computing power.

113. An example of a physical access barrier would be:
A. Video surveillance
B. Personnel traffic pattern management
C. Security guard
D. Motion detector
Answer: C

114. Which of the following is likely to be found after enabling anonymous FTP (File
Transfer Protocol) read/write access?
A. An upload and download directory for each user.
B. Detailed logging information for each user.
C. Storage and distribution of unlicensed software.
D. Fewer server connections and less network bandwidth utilization.
Answer: C

115. A network attack method that uses ICMP (Internet Control Message Protocol) and
improperly formatted MTUs (Maximum Transmission Unit) to crash a target
computer is known as a:
A. Man in the middle attack
B. Smurf attack
C. Ping of death attack
D. TCP SYN (Transmission Control Protocol / Synchronized) attack
Answer: C
Explanation: The Ping of Death attack involved sending IP packets of a size greater than
65,535 bytes to the target computer. IP packets of this size are illegal, but applications
can be built that are capable of creating them. Carefully programmed operating systems
could detect and safely handle illegal IP packets, but some failed to do this.
Note: Packets that are bigger than the maximum size the underlying layer can handle (the
MTU) are fragmented into smaller packets, which are then reassembled by the receiver.
For ethernet style devices, the MTU is typically 1500.
Incorrect Answers
A: A man in the middle attack allows a third party to intercept and replace components
of the data stream.
B: The "smurf" attack, named after its exploit program, is one of the most recent in the
category of network-level attacks against hosts. A perpetrator sends a large amount
of ICMP echo (ping) traffic at IP broadcast addresses, all of it having a spoofed
source address of a victim.
D: In a TCP SYN attack a sender transmits a volume of connections that cannot be
completed. This causes the connection queues to fill up, thereby denying service to
legitimate TCP users.

116. What is NOT an acceptable use for smart card technology?
A. Mobile telephones
B. Satellite television access cards
C. A PKI (Public Key Infrastructure) token card shared by multiple users
D. Credit cards
Answer: C

117. An effective method of preventing computer viruses from spreading is to:
A. Require root/administrator access to run programs.
B. Enable scanning of e-mail attachments.
C. Prevent the execution of .vbs files.
D. Install a host based IDS (Intrusion Detection System)
Answer: B

118. A PKI (Public Key Infrastructure) document that serves as the vehicle on which to
base common interoperability standards and common assurance criteria on an
industry wide basis is a certificate:
A. Policy
B. Practice
C. Procedure
D. Process
Answer: A

119. Currently, the most costly method of authentication is the use of:
A. Passwords
B. Tokens
C. Biometrics
D. Shared secrets
Answer: C

120. Which systems should be included in a disaster recovery plan?
A. All systems.
B. Those identified by the board of directors, president or owner.
C. Financial systems and human resources systems.
D. Systems identified in a formal risk analysis process.
Answer: D
Explanation: A preliminary risk analysis is performed to identify business critical
applications and functions. Once those functions have been identified and documented,
a structured approach to disaster recovery is prepared for the organization.

121. What is the best defence against man in the middle attacks?
A. A firewall
B. Strong encryption
C. Strong authentication
D. Strong passwords
Answer: C
Explanation: In a man in the middle (MITM) attack, someone places himself in
the communication channel between the two parties already at the time of certificate
exchange. When a party sends its public key to the other, the MITM takes this key and
replaces it with his own. The other party thinks the key just received came from the
expected sender, but in fact it comes from the MITM. That is the reason why public keys
should be signed by a trusted authority (a.k.a. "trust center" or "certificate authority").

122. One of the most effective ways for an administrator to determine what security
holes reside on a network is to:
A. Perform a vulnerability assessment.
B. Run a port scan.
C. Run a sniffer.
D. Install and monitor an IDS (Intrusion Detection System)
Answer: A

123. Analyzing log files after an attack has started is an example of:
A. Active detection
B. Overt detection
C. Covert detection
D. Passive detection
Answer: D
Explanation: Passive intrusion detection systems involve the manual review of event
logs and application logs. The inspection involves analysis and detection of attack
patterns in event log data.

124. A malformed MIME (Multipurpose Internet Mail Extensions) header can:
A. Create a back door that will allow an attacker free access to a company’s private
network.
B. Create a virus that infects a user’s computer.
C. Cause an unauthorized disclosure of private information.
D. Cause an e-mail server to crash.
Answer: D

125. An attacker can determine what network services are enabled on a target system
by:
A. Installing a rootkit on the target system.
B. Checking the services file.
C. Enabling logging on the target system.
D. Running a port scan against the target system.
Answer: D

126. What type of attack CANNOT be detected by an IDS (Intrusion Detection System)?
A. DoS (Denial of Service)
B. Exploits of bugs or hidden features
C. Spoofed e-mail
D. Port scan
Answer: C

127. Regarding security, biometrics are used for:
A. Accountability
B. Certification
C. Authorization
D. Authentication
Answer: D

128. What is the most effective social engineering defence strategy?
A. Marking of documents
B. Escorting of guests
C. Badge security system
D. Training and awareness
Answer: D

129. A security administrator tasked with confining sensitive data traffic to a specific
subnet would do so by manipulating privilege policy based tables in the network's:
A. Server
B. Router
C. VPN (Virtual Private Network)
D. Switch
Answer: B

130. For system logging to be an effective security measure, an administrator must:
A. Review the logs on a regular basis.
B. Implement circular logging.
C. Configure the system to shutdown when the logs are full.
D. Configure SNMP (Simple Network Management Protocol) traps for logging
events.
Answer: A

131. With regard to the use of Instant Messaging, which of the following types of attack
strategies is effectively combated with user awareness training?
A. Social engineering
B. Stealth
C. Ambush
D. Multi-pronged
Answer: A

132. The process by which remote users can make a secure connection to internal
resources after establishing an Internet connection could correctly be referred to as:
A. Channeling
B. Tunneling
C. Throughput
D. Forwarding
Answer: B

133. Appropriate documentation of a security incident is important for each of the
following reasons EXCEPT:
A. The documentation serves as a lessons learned which may help avoid further
exploitation of the same vulnerability.
B. The documentation will serve as an aid to updating policy and procedure.
C. The documentation will indicate who should be fired for the incident.
D. The documentation will serve as a tool to assess the impact and damage of the
incident.
Answer: C

134. Assuring the recipient that a message has not been altered in transit is an example
of which of the following:
A. Integrity
B. Static assurance
C. Dynamic assurance
D. Cyclical check sequence
Answer: A

135. Which of the following is expected network behaviour?
A. Traffic coming from or going to unexpected locations.
B. Non-standard or malformed packets/protocol violations.
C. Repeated, failed connection attempts.
D. Changes in network performance such as variations in traffic load.
Answer: D

136. Which of the following steps in the SSL (Secure Socket Layer) protocol allows for
client and server authentication, MAC (Mandatory Access Control) and encryption
algorithm negotiation, and selection of cryptographic keys?
A. SSL (Secure Sockets Layer) alert protocol.
B. SSL (Secure Sockets Layer) change cipher spec protocol.
C. SSL (Secure Sockets Layer) record protocol.
D. SSL (Secure Sockets Layer) handshake protocol.
Answer: D
SSL Handshake Protocol:
- runs before any application data is transmitted
- provides mutual authentication
- establishes secret encryption keys
- establishes secret MAC keys

137. Which of the following correctly identifies some of the contents of a user's X.509
certificate?
A. User’s public key, object identifiers, and the location of the user’s electronic
identity.
B. User’s public key, the CA (Certificate Authority) distinguished name, and the
type of symmetric algorithm used for encryption.
C. User’s public key, the certificate’s serial number, and the certificate’s validity
dates.
D. User’s public key, the serial number of the CA (Certificate Authority) certificate,
and the CRL (Certificate Revocation List) entry point.
Answer: B
Explanation: The X.509 standard defines what information can go into a certificate, and
describes how to write it down (the data format). All X.509 certificates have the
following data, in addition to the signature:
Version
Serial Number: The entity that created the certificate, the CA, is responsible for
assigning it a serial number to distinguish it from other certificates it issues.
Signature Algorithm Identifier
Issuer Name: The X.500 name of the entity that signed the certificate. This is normally a
CA. Using this certificate implies trusting the entity that signed this certificate.
Validity Period
Subject Name
Subject Public Key Information: This is the public key of the entity being named,
together with an algorithm identifier which specifies which public key crypto system this
key belongs to and any associated key parameters.
Reference: http://csrc.nist.gov/pki/panel/santosh/tsld002.htm

138. An organization is implementing Kerberos as its primary authentication protocol.
Which of the following must be deployed for Kerberos to function properly?
A. Dynamic IP (Internet Protocol) routing protocols for routers and servers.
B. Separate network segments for the realms.
C. Token authentication devices.
D. Time synchronization services for clients and servers.
Answer: D
Time synchronization is crucial because Kerberos uses server and workstation time as
part of the authentication process.

139. The WAP (Wireless Application Protocol) programming model is based on the
following three elements:
A. Client, original server, WEP (Wired Equivalent Privacy)
B. Code design, code review, documentation
C. Client, original server, wireless interface card
D. Client, gateway, original server
Answer: D
Explanation: WAP programming model:

140. Technical security measures and countermeasures are primarily intended to prevent:
A. Unauthorized access, unauthorized modification, and denial of authorized access.
B. Interoperability of the framework, unauthorized modification, and denial of
authorized access.
C. Potential discovery of access, interoperability of the framework, and denial of
authorized access.
D. Interoperability of the framework, unauthorized modification, and unauthorized
access.
Answer: A

141. Poor programming techniques and lack of code review can lead to which of the
following types of attack?
A. CGI (Common Gateway Interface) script
B. Birthday
C. Buffer overflow
D. Dictionary
Answer: C

142. Which of the following is NOT a characteristic of DEN (Directory Enabled
Networking)?
A. It is mapped into the directory defined as part of the LDAP (Lightweight
Directory Access Protocol).
B. It is inferior to SNMP (Simple Network Management Protocol).
C. It is an object oriented information model.
D. It is an industry standard indicating how to construct and store information about
a network’s users, applications and data.
Answer: B

143. Privileged accounts are most vulnerable immediately after a:
A. Successful remote login.
B. Privileged user is terminated.
C. Default installation is performed.
D. Full system backup is performed.
Answer: B
Explanation: A fired domain admin could easily RAS or VPN in and wreak havoc if
his/her privileged account is not disabled.

144. What is the advantage of a multi-homed firewall?
A. It is relatively inexpensive to implement.
B. The firewall rules are easier to manage.
C. If the firewall is compromised, only the systems in the DMZ (Demilitarized Zone)
are exposed.
D. An attacker must circumvent two firewalls.
Answer: C

145. A password security policy can help a system administrator to decrease the
probability that a password can be guessed by reducing the password’s:
A. Length
B. Lifetime
C. Encryption level
D. Alphabet set
Answer: B

146. An inherent flaw of DAC (Discretionary Access Control) relating to security is:
A. DAC (Discretionary Access Control) relies only on the identity of the user or
process, leaving room for a Trojan horse.
B. DAC (Discretionary Access Control) relies on certificates, allowing attackers to
use those certificates.
C. DAC (Discretionary Access Control) does not rely on the identity of a user,
allowing anyone to use an account.
D. DAC (Discretionary Access Control) has no known security flaws.
Answer: A

147. What is the most common method used by attackers to identify the presence of an
802.11b network?
A. War driving
B. Direct inward dialing
C. War dialing
D. Packet driving
Answer: A
Explanation: War driving is the practice of literally driving around looking for free
connectivity from Wi-Fi networks.
Incorrect Answers
B: Does not apply.
C: In war dialing combinations of numbers are tested to find network back doors via
modem.
D: Does not apply.

148. The best method to use for protecting a password stored on the server used for user
authentication is to:
A. Store the server password in clear text.
B. Hash the server password.
C. Encrypt the server password with asymmetric keys.
D. Encrypt the server password with a public key.
Answer: B

149. During the digital signature process, asymmetric cryptography satisfies what
security requirement?
A. Confidentiality
B. Access control
C. Data integrity
D. Authentication
Answer: D

150. The most effective way an administrator can protect users from social engineering
is:
A. Education
B. Implement personal firewalls.
C. Enable logging on at user’s desktops.
D. Monitor the network with an IDS (Intrusion Detection System)
Answer: A
Social engineering: An outside hacker's use of psychological tricks on legitimate users
of a computer system, in order to gain the information (usernames and passwords) he
needs to gain access to the system.

151. The action of determining which operating system is installed on a system simply by
analyzing its response to certain network traffic is called:
A. OS (Operating System) scanning.
B. Reverse engineering.
C. Fingerprinting
D. Host hijacking.
Answer: C

152. One of the factors that influence the lifespan of a public key certificate and its
associated keys is the:
A. Value of the information it is used to protect.
B. Cost and management fees.
C. Length of the asymmetric hash.
D. Data available openly on the cryptographic system.
Answer: C

153. A DRP (Disaster Recovery Plan) typically includes which of the following:
A. Penetration testing.
B. Risk assessment.
C. DoS (Denial of Service) attack.
D. ACLs (Access Control List).
Answer: B

154. Which of the following is the best description of “separation of duties”?
A. Assigning different parts of tasks to different employees.
B. Employees are granted only the privileges necessary to perform their tasks.
C. Each employee is granted specific information that is required to carry out the job
function.
D. Screening employees before assigning them to a position.
Answer: A
Explanation: A task needs several people involved as a method of checks and balances.

155. Which of the following is a popular VPN (Virtual Private Network) protocol
operating at OSI (Open Systems Interconnect) model Layer 3?
A. PPP (Point-to-Point Protocol)
B. SSL (Secure Sockets Layer)
C. L2TP (Layer Two Tunneling Protocol)
D. IPSec (Internet Protocol Security)
Answer: D

156. The system administrator has just used a program that highlighted the
susceptibility of several servers on the network to various exploits. The program
also suggested fixes.
What type of program was used?
A. Intrusion detection
B. Port scanner
C. Vulnerability scanner
D. Trojan scanner
Answer: C

157. Which protocol is typically used for encrypting traffic between a web browser and
web server?
A. IPSec (Internet Protocol Security)
B. HTTP (Hypertext Transfer Protocol)
C. SSL (Secure Sockets Layer)
D. VPN (Virtual Private Network)
Answer: C

158. What fingerprinting technique relies on the fact that operating systems differ in the
amount of information that is quoted when ICMP (Internet Control Message
Protocol) errors are encountered?
A. TCP (Transmission Control Protocol) options.
B. ICMP (Internet Control Message Protocol) error message quenching.
C. Fragmentation handling.
D. ICMP (Internet Control Message Protocol) message quoting.
Answer: D
ICMP message quoting: ICMP quotes back part of the original message with every
ICMP error message. Each operating system quotes a particular amount of the original message in its
ICMP error messages. The peculiarities in the error messages received from various types
of operating systems help identify the remote host's OS.

159. Incorrectly detecting authorized access as an intrusion or attack is called a false:
A. Negative
B. Intrusion
C. Positive
D. Alarm
Answer: C

160. When hardening a machine against external attacks, what process should be
followed when disabling services?
A. Disable services such as DHCP (Dynamic Host Configuration Protocol) client and
print servers from servers that do not use/serve those functions.
B. Disable one unnecessary service after another, while reviewing the effects of the
previous action.
C. Research the services and their dependencies before disabling any default
services.
D. Disable services not directly related to financial operations.
Answer: C

161. Message authentication codes are used to provide which service?
A. Integrity
B. Fault recovery
C. Key recovery
D. Acknowledgement
Answer: A

162. When a change to user security policy is made, the policy maker should provide
appropriate documentation to:
A. The security administrator.
B. Auditors
C. Users
D. All staff.
Answer: D

163. A major difference between a worm and a Trojan horse program is:
A. Worms are spread via e-mail while Trojan horses are not.
B. Worms are self replicating while Trojan horses are not.
C. Worms are a form of malicious code while Trojan horses are not.
D. There is no difference.
Answer: B

164. A common algorithm used to verify the integrity of data from a remote user through
the creation of a 128-bit hash from a data input is:
A. IPSec (Internal Protocol Security)
B. RSA (Rivest Shamir Adelman)
C. Blowfish
D. MD5 (Message Digest 5)
Answer: D
The MD5 hashing algorithm creates a 128-bit hash value.

165. What is the best method of reducing vulnerability from dumpster diving?
A. Hiring additional security staff.
B. Destroying paper and other media.
C. Installing surveillance equipment.
D. Emptying the trash can frequently.
Answer: B

166. What is the best method of defence against IP (Internet Protocol) spoofing attacks?
A. Deploying intrusion detection systems.
B. Creating a DMZ (Demilitarized Zone).
C. Applying ingress filtering to routers.
D. There is no good defense against IP (Internet Protocol) spoofing.
Answer: C
Explanation: IP Spoofing attacks that take advantage of the ability to forge (or "spoof")
IP address can be prevented by implementing Ingress and Egress filtering on the network
perimeter.

167. A need to know security policy would grant access based on:
A. Least privilege
B. Less privilege
C. Loss of privilege
D. Single privilege
Answer: A

168. When a user digitally signs a document an asymmetric algorithm is used to encrypt:
A. Secret passkeys
B. File contents
C. Certificates
D. Hash results
Answer: D

169. The best way to harden an application that is developed in house is to:
A. Use an industry recommended hardening tool.
B. Ensure that security is given due consideration throughout the entire
development process.
C. Try attacking the application to detect vulnerabilities, then develop patches to fix
any vulnerabilities found.
D. Ensure that the auditing system is comprehensive enough to detect and log any
possible intrusion, identifying existing vulnerabilities.
Answer: B

170. Security requirements for servers DO NOT typically include:
A. The absence of vulnerabilities used by known forms of attack against server hosts.
B. The ability to allow administrative activities to all users.
C. The ability to deny access to information on the server other than that intended to
be available.
D. The ability to disable unnecessary network services that may be built into the
operating system or server software.
Answer: B

171. How can an e-mail administrator prevent malicious users from sending e-mails
from non-existent domains?
A. Enable DNS (Domain Name Service) reverse lookup on the e-mail server.
B. Enable DNS (Domain Name Service) forward lookup on the e-mail server.
C. Enable DNS (Domain Name Service) recursive queries on the DNS (Domain
Name Service) server.
D. Enable DNS (Domain Name Service) reoccurring queries on the DNS (Domain
Name Service)
Answer: A

172. A network attack that misuses TCP’s (Transmission Control Protocol) three way
handshake to overload servers and deny access to legitimate users is called a:
A. Man in the middle.
B. Smurf
C. Teardrop
D. SYN (Synchronize)
Answer: D

173. Which of the following options describes a challenge-response session?
A. A workstation or system that generates a random challenge string that the user
enters when prompted along with the proper PIN (Personal Identification
Number).
B. A workstation or system that generates a random login ID that the user enters
when prompted along with the proper PIN (Personal Identification Number).
C. A special hardware device that is used to generate random text in a cryptography
system.
D. The authentication mechanism in the workstation or system does not determine if
the owner should be authenticated.
Answer: A

174. A server placed into service for the purpose of attracting a potential intruder’s
attention is known as a:
A. Honey pot
B. Lame duck
C. Teaser
D. Pigeon
Answer: A
Explanation: A honeypot is a system that presents a fake server and sends alarms when
some "bad guy" tries to exploit some bug. The goal is to learn how black-hats probe for
and exploit a system. By learning their tools and methods, you can then better protect
your network and systems.

175. A network administrator wants to restrict internal access to other parts of the
network. The network restrictions must be implemented with the least amount of
administrative overhead and must be hardware based.
What is the best solution?
A. Implement firewalls between subnets to restrict access.
B. Implement a VLAN (Virtual Local Area Network) to restrict network access.
C. Implement a proxy server to restrict access.
D. Implement a VPN (Virtual Private Network).
Answer: A

176. Which one of the following would most likely lead to a CGI (Common Gateway
Interface) security problem?
A. HTTP (Hypertext Transfer Protocol) protocol.
B. Compiler or interpreter that runs the CGI (Common Gateway Interface) script.
C. The web browser.
D. External data supplied by the user.
Answer: D

177. SSL (Secure Sockets Layer) session keys are available in what two lengths?
A. 40-bit and 64-bit.
B. 40-bit and 128-bit.
C. 64-bit and 128-bit.
D. 128-bit and 1,024-bit.
Answer: B

178. Which access control method provides the most granular access to protected
objects?
A. Capabilities
B. Access control lists
C. Permission bits
D. Profiles
Answer: B

179. The primary DISADVANTAGE of symmetric cryptography is:
A. Speed
B. Key distribution
C. Weak algorithms
D. Memory management
Answer: B
In symmetric encryption the message can be encrypted and decrypted using the same key.

180. Missing audit log entries most seriously affect an organization’s ability to:
A. Recover destroyed data.
B. Legally prosecute an attacker.
C. Evaluate system vulnerabilities.
D. Create reliable system backups.
Answer: C
The audit trail lets you detect suspicious activity from both outsiders and insiders and
provides you with important evidence to use against intruders.

181. File encryption using symmetric cryptography satisfies what security requirement?
A. Confidentiality
B. Access control
C. Data integrity
D. Authentication
Answer: A

182. Which of the following provides privacy, data integrity and authentication for
handheld devices in a wireless network environment?
A. WEP (Wired Equivalent Privacy)
B. WAP (Wireless Application Protocol)
C. WSET (Wireless Secure Electronic Transaction)
D. WTLS (Wireless Transport Layer Security)
Answer: D
Explanation: Short for Wireless Transport Layer Security. WTLS is the security layer of
the WAP, providing privacy, data integrity and authentication for WAP services.
Not A: WEP is one of the most popular features available for a Wireless LAN. It is used
to encrypt and decrypt data signals transmitted between Wireless LAN devices. In
essence, WEP makes a wireless LAN link as secure as a wired link. However, WTLS

183. The integrity of a cryptographic system is considered compromised if which of the
following conditions exist?
A. A 40-bit algorithm is used for a large financial transaction.
B. The public key is disclosed.
C. The private key is disclosed.
D. The validity of the data source is compromised.
Answer: C

184. The system administrator concerned about security has designated a special area in
which to place the web server away from other servers on the network. This area is
commonly known as the?
A. Honey pot
B. Hybrid subnet
C. DMZ (Demilitarized Zone)
D. VLAN (Virtual Local Area Network)
Answer: C
A Demilitarized Zone is used by a company that wants to host its own Internet services
without exposing its private network to unauthorized access.

185. An administrator of a web server notices many port scans to a server. To limit the
exposure and vulnerabilities revealed by these port scans, the administrator should:
A. Disable the ability to remotely scan the registry.
B. Leave all processes running for possible future use.
C. Close all programs or processes that use a UDP (User Datagram Protocol) or TCP
(Transmission Control Protocol) port.
D. Uninstall or disable any programs or processes that are not needed for the proper
use of the server.
Answer: D

186. Which encryption scheme relies on both the sender and receiver to use different
keys to encrypt and decrypt messages?
A. Symmetric
B. Blowfish
C. Skipjack
D. Asymmetric
Answer: D
Explanation: Asymmetric Encryption is a form of Encryption where keys come in pairs.
What one key encrypts, only the other can decrypt.
Incorrect Answers
A: In symmetric encryption the message can be encrypted and decrypted using the same
key.
B: Blowfish is a symmetric block cipher that can be used as a drop-in replacement for
DES or IDEA.
C: Skipjack is the encryption algorithm contained in the Clipper chip, and it was
designed by the NSA.

187. Which tunneling protocol only works on IP networks?
A. IPX
B. L2TP
C. PPTP
D. SSH
Answer: B

188. What functionality should be disallowed between a DNS server and untrusted node?
A. name resolutions
B. reverse ARP requests
C. system name resolutions
D. zone transfers
Answer: D
Users who can start zone transfers from your server can list all of the records in your
zones.

189. A document written by the CEO that outlines PKI use, management and
deployment is a...
A. PKI policy
B. PKI procedure
C. PKI practice
D. best practices guideline
Answer: A
Definition of Policy - course of action, guiding principle, or procedure considered
expedient, prudent, or advantageous.

190. Which one does not use Smart Card Technology?
A. CD Player
B. Cell Phone
C. Satellite Cards
D. Handheld Computer
Answer: A

191. What port does SNMP use?
A. 21
B. 161
C. 53
D. 49
Answer: B
SNMP uses UDP port 161

192. What port does TACACS use?
A. 21
B. 161
C. 53
D. 49
Answer: D
TACACS uses UDP port 49.

193. The first step in establishing a disaster recovery plan is to:
A. get budgetary approval for the plan.
B. agree on the objectives of the plan.
C. list possible alternative sites to be used in a disaster event.
D. prioritize processes requiring immediate attention in a disaster event.
Answer: B

194. When securing a DNS (Domain Name Service) server, and shutting down all unnecessary ports, which port should NOT be shut down?
A. 21
B. 23
C. 53
D. 55
Answer: C

195. What is the main advantage SSL (Secure Sockets Layer) has over HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer)?
A. SSL (Secure Sockets Layer) offers full application security for HTTP (Hypertext Transfer Protocol) while HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) does not.
B. SSL (Secure Sockets Layer) supports additional application layer protocols such as FTP (File Transfer Protocol) and NNTP (Network News Transport Protocol) while HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) does not.
C. SSL (Secure Sockets Layer) and HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) are transparent to the application.
D. SSL (Secure Sockets Layer) supports user authentication and HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) does not.
Answer: B

196. A sound security policy will define:
A. what is considered an organization’s assets.
B. what attacks are planned against the organization.
C. how an organization compares to others in security audits.
D. weaknesses in competitor’s systems.
Answer: A

197. An IDS (Intrusion Detection System) is sending alerts that attacks are occurring which are not actually taking place. What is the IDS (Intrusion Detection System) registering?
A. false positives.
B. false negatives.
C. true negatives.
D. true positives.
Answer: A

198. When an employee is dismissed, the security administrator should:
A. allow the employee to backup computer files then disable network access.
B. change all network passwords.
C. disable the employee’s network access.
D. set rules to forward the employee’s e-mail to a home address.
Answer: C

199. How are honey pots used to collect information? Honey pots collect:
A. IP (Internet Protocol) addresses and identity of internal users.
B. data on the identity, access, and compromise methods used by the intruder.
C. data regarding and the identity of servers within the network.
D. IP (Internet Protocol) addresses and data of firewalls used within the network.
Answer: B

200. How must a firewall be configured to only allow employees within the company to download files from a FTP (File Transfer Protocol) server?
A. open port 119 to all inbound connections.
B. open port 119 to all outbound connections.
C. open port 20/21 to all inbound connections.
D. open port 20/21 to all outbound connections.
Answer: D

201. Administrators currently use telnet to remotely manage several servers. Security policy dictates that passwords and administrative activities must not be communicated in clear text. Which of the following is the best alternative to using telnet?
A. DES (Data Encryption Standard).
B. S-Telnet.
C. SSH (Secure Shell).
D. PKI (Public Key Infrastructure).
Answer: C

202. An acceptable use policy signed by an employee can be interpreted as an employee’s written______ for allowing an employer to search an employee’s workstation.
A. refusal.
B. policy.
C. guideline.
D. consent.
Answer: D

203. What protocol can be used to create a VPN (Virtual Private Network)?
A. PPP (Point-to-Point Protocol).
B. PPTP (Point-to-Point Tunneling Protocol).
C. SLIP (Serial Line Internet Protocol).
D. ESLIP (Encrypted Serial Line Internet Protocol).
Answer: B

204. An attack whereby two different messages using the same hash function produce a common message digest is also known as a:
A. man in the middle attack.
B. cipher text only attack.
C. birthday attack.
D. brute force attack.
Answer: C

205. In an RBAC (Role Based Access Control) context, which statement best describes the relation between users, roles and operations?
A. multiple users, single role and single operation.
B. multiple users, single role and multiple operations.
C. single user, single role and single operation.
D. multiple users, multiple roles and multiple operations.
Answer: D

206. An administrator is setting permissions on a file object in a network operating system which uses DAC (Discretionary Access Control). The ACL (Access Control List) of the file follows:
Owner: Read, Write, Execute; User A: Read, Write, -; User B: -, -, - (None); Sales: Read, -, -; Marketing: -, Write, -; Other: Read, Write, -;
User "A" is the only owner of the file. User "B" is a member of the Sales group. What effective permissions does User "B" have on the file with the above access list?
A. User B has no permissions on the file.
B. User B has read permissions on the file.
C. User B has read and write permissions on the file.
D. User B has read, write and execute permissions on the file.
Answer: A

207. A user who has accessed an information system with a valid user ID and password combination is considered a(n):
A. manager
B. user
C. authenticated user
D. security officer
Answer: C

208. The use of embedded root certificates within web browsers is an example of which of the following trust models?
A. bridge.
B. mesh.
C. hierarchy.
D. trust list.
Answer: D

209. A security consideration that is introduced by a VPN (Virtual Private Network) is:
A. an intruder can intercept VPN (Virtual Private Network) traffic and create a man in the middle attack.
B. captured data is easily decrypted because there are a finite number of encryption keys.
C. tunneled data CAN NOT be authenticated, authorized or accounted for.
D. a firewall CAN NOT inspect encrypted traffic.
Answer: D

210. Which of the following would NOT be considered a method for managing the administration of accessibility?
A. DAC (Discretionary Access Control) list.
B. SAC (Subjective Access Control) list.
C. MAC (Mandatory Access Control) list.
D. RBAC (Role Based Access Control) list.
Answer: B

211. Which of the following is required to use S/MIME (Secure Multipurpose Internet Mail Extensions)?
A. digital certificate.
B. server side certificate.
C. SSL (Secure Sockets Layer) certificate.
D. public certificate.
Answer: A

212. Non-repudiation is generally used to:
A. protect the system from transmitting various viruses, worms and Trojan horses to other computers on the same network.
B. protect the system from DoS (Denial of Service) attacks.
C. prevent the sender or the receiver from denying that the communication between them has occurred.
D. ensure the confidentiality and integrity of the communication.
Answer: C

213. Which of the following hash functions generates a 160-bit output?
A. MD4 (Message Digest 4).
B. MD5 (Message Digest 5).
C. DES (Data Encryption Standard).
D. SHA-1 (Secure Hashing Algorithm 1).
Answer: D

214. Why are unique user IDs critical in the review of audit trails?
A. They CAN NOT be easily altered.
B. They establish individual accountability.
C. They show which files were changed.
D. They trigger corrective controls.
Answer: B

215. A police department has three types of employees: booking officers, investigators, and judges. Each group of employees is allowed different rights to files based on their need. The judges do not need access to the fingerprint database, the investigators need read access and the booking officers need read/write access. The booking officer would need no access to warrants, while an investigator would need read access and a judge would need read/write access. This is an example of:
A. DAC (Discretionary Access Control) level access control.
B. RBAC (Role Based Access Control) level access control.
C. MAC (Mandatory Access Control) level access control.
D. ACL (Access Control List) level access control.
Answer: B

216. Which of the following access control models introduces user security clearance and data classification?
A. RBAC (Role Based Access Control).
B. NDAC (Non-Discretionary Access Control).
C. MAC (Mandatory Access Control).
D. DAC (Discretionary Access Control).
Answer: C

217. A wireless network with three access points, two of which are used as repeaters, exists at a company. What step should be taken to secure the wireless network?
A. Ensure that employees use complex passwords.
B. Ensure that employees are only using issued wireless cards in their systems.
C. Ensure that WEP (Wired Equivalent Privacy) is being used.
D. Ensure that everyone is using ad hoc mode.
Answer: C

218. Digital certificates can contain which of the following items:
A. the CA’s (Certificate Authority) private key.
B. the certificate holder’s private key.
C. the certificate’s revocation information.
D. the certificate’s validity period.
Answer: D

219. Which encryption key is used to verify a digital signature?
A. the signer’s public key.
B. the signer’s private key.
C. the recipient's public key.
D. the recipient's private key.
Answer: A

220. NetBus and Back Orifice are each considered an example of a(n):
A. virus.
B. illicit server.
C. spoofing tool.
D. allowable server.
Answer: B

221. The theft of network passwords without the use of software tools is an example of:
A. Trojan programs.
B. social engineering.
C. sniffing.
D. hacking.
Answer: B

222. An alternate site configured with necessary system hardware, supporting infrastructure and an on site staff able to respond to an activation of a contingency plan 24 hours a day, 7 days a week is a:
A. cold site.
B. warm site.
C. mirrored site.
D. hot site.
Answer: D

223. LDAP (Lightweight Directory Access Protocol) directories are arranged as:
A. linked lists.
B. trees.
C. stacks.
D. queues.
Answer: B

224. Which of the following is the greatest problem associated with Instant Messaging?
A. widely deployed and difficult to control.
B. created without security in mind.
C. easily spoofed.
D. created with file sharing enabled.
Answer: B

225. Searching through trash is used by an attacker to acquire data such as network diagrams, IP (Internet Protocol) address lists and:
A. boot sectors.
B. process lists.
C. old passwords.
D. virtual memory.
Answer: C

226. Discouraging employees from misusing company e-mail is best handled by:
A. enforcing ACL (Access Control List).
B. creating a network security policy.
C. implementing strong authentication.
D. encrypting company e-mail messages.
Answer: B

227. The Diffie-Hellman algorithm allows:
A. access to digital certificate stores from a certificate authority.
B. a secret key exchange over an insecure medium without any prior secrets.
C. authentication without the use of hashing algorithms.
D. multiple protocols to be used in key exchange negotiations.
Answer: B

228. Which of the following type of attack CAN NOT be deterred solely through technical means?
A. dictionary.
B. man in the middle.
C. DoS (Denial of Service).
D. social engineering.
Answer: D

229. How must a firewall be configured to make sure that a company can communicate with other companies using SMTP (Simple Mail Transfer Protocol) e-mail?
A. Open TCP (Transmission Control Protocol) port 110 to all inbound and outbound connections.
B. Open UDP (User Datagram Protocol) port 110 to all inbound connections.
C. Open UDP (User Datagram Protocol) port 25 to all inbound connections.
D. Open TCP (Transmission Control Protocol) port 25 to all inbound and outbound connections.
Answer: D

230. An organization’s primary purpose in conducting risk analysis in dealing with computer security is:
A. to identify vulnerabilities to the computer systems within the organization.
B. to quantify the impact of potential threats in relation to the cost of lost business-functionality.
C. to identify how much it will cost to implement countermeasures.
D. to delegate responsibility.
Answer: B

231. A user wants to send an e-mail and ensure that the message is not tampered with while in transit. Which feature of modern cryptographic systems will facilitate this?
A. confidentiality.
B. authentication.
C. integrity.
D. non-repudiation.
Answer: C

232. WTLS (Wireless Transport Layer Security) provides security services between a mobile device and a:
A. WAP (Wireless Application Protocol) gateway.
B. web server.
C. wireless client.
D. wireless network interface card.
Answer: A

233. What are three measures which aid in the prevention of a social engineering attack?
A. education, limit available information, and security policy.
B. education, firewalls, and security policy.
C. security policy, firewalls, and incident response.
D. security policy, system logging, and incident response.
Answer: A

234. Which of the following would be most effective in preventing network traffic sniffing?
A. deploy an IDS (Intrusion Detection System).
B. disable promiscuous mode.
C. use hubs instead of routers.
D. use switches instead of hubs.
Answer: D

235. What ports does FTP (File Transfer Protocol) use?
A. 20 and 21.
B. 25 and 110.
C. 80 and 443.
D. 161 and 162.
Answer: A

236. An e-mail relay server is mainly used to:
A. block all spam, which allows the e-mail system to function more efficiently without the additional load of spam.
B. prevent viruses from entering the network.
C. defend the primary e-mail server and limit the effects of any attack.
D. eliminate e-mail vulnerabilities since all e-mail is passed through the relay first.
Answer: C

237. What network mapping tool uses ICMP (Internet Control Message Protocol)?
A. port scanner.
B. map scanner.
C. ping scanner.
D. share scanner.
Answer: C

238. Which two protocols are VPN (Virtual Private Network) tunneling protocols?
A. PPP (Point-to-Point Protocol) and SLIP (Serial Line Internet Protocol).
B. PPP (Point-to-Point Protocol) and PPTP (Point-to-Point Tunneling Protocol).
C. L2TP (Layer Two Tunneling Protocol) and PPTP (Point-to-Point Tunneling Protocol).
D. SMTP (Simple Mail Transfer Protocol) and L2TP (Layer Two Tunneling Protocol).
Answer: C

239. File encryption using symmetric cryptography satisfies what security requirement?
A. confidentiality.
B. access control.
C. data integrity.
D. authentication.
Answer: A

240. An e-mail is received alerting the network administrator to the presence of a virus on the system if a specific executable file exists. What should be the first course of action?
A. Investigate the e-mail as a possible hoax with a reputable anti-virus vendor.
B. Immediately search for and delete the file if discovered.
C. Broadcast a message to the entire organization to alert users to the presence of a virus.
D. Locate and download a patch to repair the file.
Answer: A

241. Part of a fire protection plan for a computer room should include:
A. procedures for an emergency shutdown of equipment.
B. a sprinkler system that exceeds local code requirements.
C. the exclusive use of non-flammable materials within the room.
D. fireproof doors that can be easily opened if an alarm is sounded.
Answer: A

242. Which of the following is an HTTP (Hypertext Transfer Protocol) extension or mechanism used to retain connection data, user information, history of sites visited, and can be used by attackers for spoofing an on-line identity?
A. HTTPS (Hypertext Transfer Protocol over SSL).
B. cookies.
C. HTTP (Hypertext Transfer Protocol)/1.0 Caching.
D. vCard v3.0.
Answer: B

243. ActiveX controls__________ to prove where they originated.
A. are encrypted.
B. are stored on the web server.
C. use SSL (Secure Sockets Layer).
D. are digitally signed.
Answer: D

244. A virus that hides itself by intercepting disk access requests is:
A. multipartite.
B. stealth.
C. interceptor.
D. polymorphic.
Answer: B

245. When a potential hacker looks through trash, the most useful items or information that might be found include all except:
A. an IP (Internet Protocol) address.
B. system configuration or network map.
C. old passwords.
D. system access requests.
Answer: D

246. A user logs onto a workstation using a smart card containing a private key. The user is verified when the public key is successfully factored with the private key. What security service is being provided?
A. authentication.
B. confidentiality.
C. integrity.
D. non-repudiation.
Answer: A

247. In cryptographic operations, digital signatures can be used for which of the following systems?
A. encryption.
B. asymmetric key.
C. symmetric and encryption.
D. public and decryption.
Answer: B

248. Which of the following programs is able to distribute itself without using a host file?
A. virus.
B. Trojan horse.
C. logic bomb.
D. worm.
Answer: D

249. Malicious code is installed on a server that will e-mail system keystrokes stored in a text file to the author and delete system logs every five days or whenever a backup is performed. What type of program is this?
A. virus.
B. back door.
C. logic bomb.
D. worm.
Answer: C

250. What is a common type of attack on web servers?
A. birthday.
B. buffer overflow.
C. spam.
D. brute force.
Answer: B

251. Digital signatures can be used for which of the following?
A. availability.
B. encryption.
C. decryption.
D. non-repudiation.
Answer: D

252. Malicious port scanning is a method of attack to determine which of the following?
A. computer name
B. the fingerprint of the operating system
C. the physical cabling topology of a network
D. user IDs and passwords
Answer: B

253. What should be done to secure a DHCP (Dynamic Host Configuration Protocol) service?
A. block ports 67 and 68 at the firewall.
B. block port 53 at the firewall.
C. block ports 25 and 26 at the firewall.
D. block port 110 at the firewall.
Answer: A

255. Which security method is in place when the administrator of a network enables access lists on the routers to disable all ports that are not used?
A. MAC (Mandatory Access Control).
B. DAC (Discretionary Access Control).
C. RBAC (Role Based Access Control).
D. SAC (Subjective Access Control).
Answer: A

256. What is the first step before a wireless solution is implemented?
A. ensure ad hoc mode is enabled on the access points.
B. ensure that all users have strong passwords.
C. purchase only Wi-Fi (Wireless Fidelity) equipment.
D. perform a thorough site survey.
Answer: D

257. A system administrator discovers suspicious activity that might indicate a computer crime. The administrator should first:
A. refer to incident response plan.
B. change ownership of any related files to prevent tampering.
C. move any related programs and files to non-erasable media.
D. set the system time to ensure any logged information is accurate.
Answer: A

258. The information that governs and associates users and groups to certain rights to use, read, write, modify, or execute objects on the system is called a(n):
A. public key ring.
B. ACL (Access Control List).
C. digital signature.
D. CRL (Certificate Revocation Lists).
Answer: B

259. A perimeter router is configured with a restrictive ACL (Access Control List). Which transport layer protocols and ports must be allowed in order to support L2TP (Layer Two Tunneling Protocol) and PPTP (Point-to-Point Tunneling Protocol) connections respectively, through the perimeter router?
A. TCP (Transmission Control Protocol) port 635 and UDP (User Datagram Protocol) port 654
B. TCP (Transmission Control Protocol) port 749 and UDP (User Datagram Protocol) port 781
C. UDP (User Datagram Protocol) port 1701 and TCP (Transmission Control Protocol) port 1723
D. TCP (Transmission Control Protocol) port 1812 and UDP (User Datagram Protocol) port 1813
Answer: C

260. Which of the following keys is contained in a digital certificate?
A. public key.
B. private key.
C. hashing key.
D. session key.
Answer: A

261. Single servers are frequently the targets of attacks because they contain:
A. application launch scripts.
B. security policy settings.
C. credentials for many systems and users.
D. master encryption keys.
Answer: C

262. An attacker manipulates what field of an IP (Internet Protocol) packet in an IP (Internet Protocol) spoofing attack?
A. version field.
B. source address field.
C. source port field.
D. destination address field.
Answer: B

263. A VPN (Virtual Private Network) using IPSec (Internet Protocol Security) in the tunnel mode will provide encryption for the:
A. one time pad used in handshaking.
B. payload and message header.
C. hashing algorithm and all e-mail messages.
D. message payload only.
Answer: B

264. When implementing Kerberos authentication, which of the following factors must be accounted for?
A. Kerberos can be susceptible to man in the middle attacks to gain unauthorized access.
B. Kerberos tickets can be spoofed using replay attacks to network resources.
C. Kerberos requires a centrally managed database of all user and resource passwords.
D. Kerberos uses clear text passwords.
Answer: C

265. Which of the following protocols is most similar to SSLv3 (Secure Sockets Layer version 3)?
A. TLS (Transport Layer Security).
B. MPLS (Multi-Protocol Label Switching).
C. SASL (Simple Authentication and Security Layer).
D. MLS (Multi-Layer Switching).
Answer: A

266. How should a primary DNS (Domain Name Service) server be configured to provide the best security against DoS (Denial of Service) and hackers?
A. disable the DNS (Domain Name Service) cache function.
B. disable application services other than DNS (Domain Name Service).
C. disable the DNS (Domain Name Service) reverse lookup function.
D. allow only encrypted zone transfer to a secondary DNS (Domain Name Service) server.
Answer: B

267. What type of security process will allow others to verify the originator of an e-mail message?
A. authentication.
B. integrity.
C. non-repudiation.
D. confidentiality.
Answer: C

268. Which of the following statements is true about Network based IDS (Intrusion Detection System)?
A. Network based IDS (Intrusion Detection System) are never passive devices that listen on a network wire without interfering with the normal operation of a network.
B. Network based IDS (Intrusion Detection System) are usually passive devices that listen on a network wire while interfering with the normal operation of a network.
C. Network based IDS (Intrusion Detection System) are usually intrusive devices that listen on a network wire while interfering with the normal operation of a network.
D. Network based IDS (Intrusion Detection System) are usually passive devices that listen on a network wire without interfering with the normal operation of a network.
Answer: D

269. What physical access control most adequately protects against physical piggybacking?
A. man trap.
B. security guard.
C. CCTV (Closed-Circuit Television).
D. biometrics.
Answer: A

270. Management wants to track personnel who visit unauthorized web sites. What type of detection will this be?
A. abusive detection.
B. misuse detection.
C. anomaly detection.
D. site filtering.
Answer: B

271. Which of the following best describes TCP/IP (Transmission Control Protocol/Internet Protocol) session hijacking?
A. The TCP/IP (Transmission Control Protocol/Internet Protocol) session state is altered in a way that intercepts legitimate packets and allows a third party host to insert acceptable packets.
B. The TCP/IP (Transmission Control Protocol/Internet Protocol) session state is altered allowing third party hosts to create new IP (Internet Protocol) addresses.
C. The TCP/IP (Transmission Control Protocol/Internet Protocol) session state remains unaltered allowing third party hosts to insert packets acting as the server.
D. The TCP/IP (Transmission Control Protocol/Internet Protocol) session state remains unaltered allowing third party hosts to insert packets acting as the client.
Answer: A

272. What technical impact may occur due to the receipt of large quantities of spam?
A. DoS (Denial of Service).
B. processor underutilization.
C. reduction in hard drive space requirements.
D. increased network throughput.
Answer: A

273. A public key ___________ is a pervasive system whose services are implemented and delivered using public key technologies that include CAs (Certificate Authority), digital certificates, non-repudiation, and key history management.
A. cryptography scheme.
B. distribution authority.
C. exchange.
D. infrastructure.
Answer: D

274. Forging an IP (Internet Protocol) address to impersonate another machine is best defined as:
A. TCP/IP (Transmission Control Protocol/Internet Protocol) hijacking.
B. IP (Internet Protocol) spoofing.
C. man in the middle.
D. replay.
Answer: B

275. When setting password rules, which of the following would LOWER the level of security of a network?
A. Passwords must be greater than six characters and consist of at least one non-alpha character.
B. All passwords are set to expire at regular intervals and users are required to choose new passwords that have not been used before.
C. Complex passwords that users CAN NOT remotely change are randomly generated by the administrator and given to users.
D. After a set number of failed attempts the server will lock out any user account forcing the user to call the administrator to re-enable the account.
Answer: C

276. Which of the following can be used to track a user’s browsing habits on the Internet and may contain usernames and passwords?
A. digital certificates.
B. cookies.
C. ActiveX controls.
D. web server cache.
Answer: B

277. FTP (File Transfer Protocol) is accessed through what ports?
A. 80 and 443.
B. 20 and 21.
C. 21 and 23.
D. 20 and 80.
Answer: B

278. In a typical file encryption process, the asymmetric algorithm is used to:
A. encrypt symmetric keys.
B. encrypt file contents.
C. encrypt certificates.
D. encrypt hash results.
Answer: D

279. During the digital signature process, hashing provides a means to verify what security requirement?
A. non-repudiation.
B. access control.
C. data integrity.
D. authentication.
Answer: C

280. Which of the following often requires the most effort when securing a server due to lack of available documentation?
A. hardening the OS (Operating System)
B. configuring the network
C. creating a proper security policy
D. installing the latest hot fixes and patches
Answer: A

281. As it relates to digital certificates, SSLv3.0 (Secure Sockets Layer version 3.0) added which of the following key functionalities? The ability to:
A. act as a CA (Certificate Authority).
B. force client side authentication via digital certificates.
C. use X.400 certificates.
D. protect transmissions with 1024-bit symmetric encryption.
Answer: B

282. In responding to incidents such as security breaches, one of the most important steps taken is:
A. encryption.
B. authentication.
C. containment.
D. intrusion.
Answer: C

283. SSL (Secure Sockets Layer) is used for secure communications with:
A. file and print servers.
B. RADIUS (Remote Authentication Dial-in User Service) servers.
C. AAA (Authentication, Authorization, and Administration) servers.
D. web servers.
Answer: D

284. Non-repudiation is based on what type of key infrastructure?
A. symmetric.
B. distributed trust.
C. asymmetric.
D. user-centric.
Answer: C

285. The first step in effectively implementing a firewall is:
A. blocking unwanted incoming traffic.
B. blocking unwanted outgoing traffic.
C. developing a firewall policy.
D. protecting against DDoS (Distributed Denial of Service) attacks.
Answer: C

286. What is the best method to secure a web browser?
A. do not upgrade, as new versions tend to have more security flaws.
B. disable any unused features of the web browser.
C. connect to the Internet using only a VPN (Virtual Private Network) connection.
D. implement a filtering policy for illegal, unknown and undesirable sites.
Answer: B

287. The most common form of authentication is the use of:
A. certificates.
B. tokens.
C. passwords.
D. biometrics.
Answer: C

288. What are the three main components of a Kerberos server?
A. authentication server, security database, and a privilege server.
B. SAM (Sequential Access Method), security database, and an authentication server.
C. application database, security database, and system manager.
D. authentication server, security database, and system manager.
Answer: A

289. Which of the following methods may be used to exploit the clear text nature of an Instant Messaging session?
A. packet sniffing.
B. port scanning.
C. cryptanalysis.
D. reverse engineering.
Answer: A

290. A user receives an e-mail from a colleague in another company. The e-mail message warns of a virus that may have been accidentally sent in the past, and warns the user to delete a specific file if it appears on the user’s computer. The user checks and has the file. What is the best next step for the user?
A. Delete the file immediately.
B. Delete the file immediately and copy the e-mail to all distribution lists.
C. Report the contents of the message to the network administrator.
D. Ignore the message. This is a virus hoax and no action is required.
Answer: C

291. A CRL (Certificate Revocation List) query that receives a response in near real time:
A. indicates that high availability equipment is used.
B. implies that a fault tolerant database is being used.
C. does not guarantee that fresh data is being returned.
D. indicates that the CA (Certificate Authority) is providing near real time updates.
Answer: C

292. Which of the following is a VPN (Virtual Private Network) tunneling protocol?
A. AH (Authentication Header).
B. SSH (Secure Shell).
C. IPSec (Internet Protocol Security).
D. DES (Data Encryption Standard).
Answer: C

293. The Bell-LaPadula access control model consists of four elements. These elements are:
A. subjects, objects, access modes and security levels.
B. subjects, objects, roles and groups.
C. read only, read/write, write only and read/write/delete.
D. groups, roles, access modes and security levels.
Answer: A

294. What is generally the most overlooked element of security management?
A. security awareness.
B. intrusion detection.
C. risk assessment.
D. vulnerability control.
Answer: A

295. Which of the following needs to be included in a SLA (Service Level Agreement) to ensure the availability of server based resources rather than guaranteed server performance levels?
A. network
B. hosting
C. application
D. security
Answer: B

296. When does CHAP (Challenge Handshake Authentication Protocol) perform the handshake process?
A. when establishing a connection and at any time after the connection is established.
B. only when establishing a connection and disconnecting.
C. only when establishing a connection.
D. only when disconnecting.
Answer: A

297. What should a firewall employ to ensure that each packet is part of an established TCP (Transmission Control Protocol) session?
A. packet filter.
B. stateless inspection.
C. stateful like inspection.
D. circuit level gateway.
Answer: C

298. Which of the following is most commonly used by an intruder to gain unauthorized access to a system?
A. brute force attack.
B. key logging.
C. Trojan horse.
D. social engineering.
Answer: D

299. A minor configuration change which can help secure DNS (Domain Name Service) information is:
A. block all unnecessary traffic by using port filtering.
B. prevent unauthorized zone transfers.
C. require password changes every 30 days.
D. change the default password.
Answer: B

300. What determines if a user is presented with a dialog box prior to downloading an Active X component?
A. the user’s browser setting.
B. the Script meta tag.
C. the condition of the sandbox.
D. the negotiation between the client and the server.
Answer: A

301. LDAP (Lightweight Directory Access Protocol) requires what ports by default?
A. 389 and 636
B. 389 and 139
C. 636 and 137
D. 137 and 139
Answer: A

302. Which security method should be implemented to allow secure access to a web page, regardless of the browser type or vendor?
A. certificates with SSL (Secure Sockets Layer).
B. integrated web with NOS (Network Operating System) security.
C. SSL (Secure Sockets Layer) only.
D. secure access to a web page is not possible.
Answer: A

303. What is a common DISADVANTAGE of employing an IDS (Intrusion Detection System)?
A. false positives.
B. throughput decreases.
C. compatibility.
D. administration.
Answer: A

304. System administrators and hackers use what technique to review network traffic to determine what services are running?
A. sniffer.
B. IDS (Intrusion Detection System).
C. firewall.
D. router.
Answer: A

305. Servers or workstations running programs and utilities for recording probes and attacks against them are referred to as:
A. firewalls.
B. host based IDS (Intrusion Detection System).
C. proxies.
D. active targets.
Answer: B

306. To reduce vulnerabilities on a web server, an administrator should adopt which preventative measure?
A. use packet sniffing software on all inbound communications.
B. apply the most recent manufacturer updates and patches to the server.
C. enable auditing on the web server and periodically review the audit logs.
D. block all DNS (Domain Naming Service) requests coming into the server.
Answer: B

307. What is the greatest advantage to using RADIUS (Remote Authentication Dial-in User Service) for a multi-site VPN (Virtual Private Network) supporting a large population of remote users?
A. RADIUS (Remote Authentication Dial-in User Service) provides for a centralized user database.
B. RADIUS (Remote Authentication Dial-in User Service) provides for a decentralized user database.
C. No user database is required with RADIUS (Remote Authentication Dial-in User Service).
D. User database is replicated and stored locally on all remote systems.
Answer: A

308. Which of the following is the best protection against an intercepted password?
A. VPN (Virtual Private Network).
B. PPTP (Point-to-Point Tunneling Protocol).
C. one time password.
D. complex password requirement.
Answer: C

309. Which of the following statements most clearly outlines a major security vulnerability associated with Instant Messaging?
A. Instant Messaging does not support any form of message encryption.
B. Instant Messaging negatively impacts user productivity.
C. Instant Messaging uses TCP (Transmission Control Protocol) port 25 for message exchange.
D. Instant Messaging allows file attachments which could potentially contain viruses.
Answer: D

310. Using distinct key pairs to separate confidentiality services from integrity services to support non-repudiation describes which one of the following models?
A. discrete key pair.
B. dual key pair.
C. key escrow.
D. foreign key.
Answer: B

311. Which IETF (Internet Engineering Task Force) protocol uses AH (Authentication Header) and ESP (Encapsulating Security Payload) to provide security in a networked environment?
A. SSL (Secure Sockets Layer).
B. IPSec (Internet Protocol Security).
C. S-HTTP (Secure Hypertext Transfer Protocol).
D. SSH (Secure Shell).
Answer: B

312. A honey pot is best described as:
A. encryptor.
B. DMZ (Demilitarized Zone).
C. firewall.
D. decoy.
Answer: D

313. Which of the following is typically included in a CRL (Certificate Revocation List)?
A. certificates that have had a limited validity period and have expired.
B. certificates that are pending renewal.
C. certificates that are considered invalid because they do not contain a valid CA (Certificate Authority) signature.
D. certificates that have been disabled before their scheduled expiration.
Answer: D

314. A CPS (Certificate Practice Statement) is a legal document that describes a CA’s (Certificate Authority):
A. class level issuing process.
B. copyright notice.
C. procedures.
D. asymmetric encryption schema.
Answer: C

315. A severed T1 line is most likely to be considered in _______ planning.
A. data recovery.
B. off site storage.
C. media destruction.
D. incident response.
Answer: D

316. How are clocks used in a Kerberos authentication system?
A. The clocks are synchronized to ensure proper connections.
B. The clocks are synchronized to ensure tickets expire correctly.
C. The clocks are used to generate the seed value for the encryption keys.
D. The clocks are used to benchmark and set the optimal encryption algorithm.
Answer: B

317. An IT (Information Technology) security audit is generally focused on reviewing existing:
A. resources and goals
B. policies and procedures
C. mission statements
D. ethics codes
Answer: B

318. Instant Messaging is most vulnerable to:
A. DoS (Denial of Service).
B. fraud.
C. stability.
D. sniffing.
Answer: D

319. What type of security mechanism can be applied to modems to better authenticate remote users?
A. firewalls
B. encryption
C. SSH (Secure Shell)
D. callback
Answer: D

320. Despite regular system backups a significant risk still exists if:
A. recovery procedures are not tested
B. all users do not log off while the backup is made
C. backup media is moved to an off-site location
D. an administrator notices a failure during the backup process
Answer: A

321. What are three characteristics of a computer virus?
A. find mechanism, initiation mechanism, and propagate
B. learning mechanism, contamination mechanism, and exploit
C. search mechanism, connection mechanism, and integrate
D. replication mechanism, activation mechanism, and objective
Answer: D

322. Impersonating a dissatisfied customer of a company and requesting a password change on the customer's account is a form of:
A. hostile code.
B. social engineering.
C. IP (Internet Protocol) spoofing.
D. man in the middle attack.
Answer: B

323. The basic strategy that should be used when configuring the rules for a secure firewall is:
A. permit all.
B. deny all.
C. default permit.
D. default deny.
Answer: D

324. An employer gives an employee a laptop computer to use remotely. The user installs personal applications on the laptop and overwrites some system files. How might this have been prevented with minimal impact on corporate productivity?
A. Users should not be given laptop computers in order to prevent this type of occurrence.
B. The user should have received instructions as to what is allowed to be installed.
C. The hard disk should have been made read-only
D. Biometrics should have been used to authenticate the user before allowing software installation.
Answer: B

325. A fundamental risk management assumption is that computers can NEVER be completely:
A. secure until all vendor patches are installed.
B. secure unless they have a variable password.
C. secure.
D. secure unless they have only one user.
Answer: C

326. DDoS (Distributed Denial of Service) is most commonly accomplished by:
A. internal host computers simultaneously failing.
B. overwhelming and shutting down multiple services on a server.
C. multiple servers or routers monopolizing and overwhelming the bandwidth of a particular server or router.
D. an individual e-mail address list being used to distribute a virus.
Answer: C

327. Which security architecture utilizes authentication header and/or encapsulating security payload protocols?
A. IPSec (Internet Protocol Security).
B. SSL (Secure Sockets Layer).
C. TLS (Transport Layer Security).
D. PPTP (Point-to-Point Tunneling Protocol).
Answer: A

328. Tunneling is best described as the act of encapsulating:
A. encrypted/secure IP packets inside of ordinary/non-secure IP packets.
B. ordinary/non-secure IP packets inside of encrypted/secure IP packets.
C. encrypted/secure IP packets inside of encrypted/non-secure IP packets.
D. ordinary/secure IP packets inside of ordinary/non-secure IP packets.
Answer: B

329. What is a good practice in deploying a CA (Certificate Authority)?
A. enroll users for policy based certificates.
B. create a CPS (Certificate Practice Statement).
C. register the CA (Certificate Authority) with a subordinate CA (Certificate Authority).
D. create a mirror CA (Certificate Authority) for fault tolerance.
Answer: B

330. What is the most common goal of operating system logging?
A. to determine the amount of time employees spend using various applications.
B. to keep a record of system usage.
C. to provide details of what systems have been compromised.
D. to provide details of which systems are interconnected.
Answer: B

331. When a patch is released for a server the administrator should:
A. immediately download and install the patch.
B. test the patch on a non-production server then install the patch to production.
C. not install the patch unless there is a current need.
D. install the patch and then backup the production server.
Answer: B

332. An attacker attempting to penetrate a company’s network through its remote access system would most likely gain access through what method?
A. war dialer.
B. Trojan horse.
C. DoS (Denial of Service).
D. worm.
Answer: A

333. A company's web server is configured for the following services: HTTP (Hypertext Transfer Protocol), SSL (Secure Sockets Layer), FTP (File Transfer Protocol), SMTP (Simple Mail Transfer Protocol). The web server is placed into a DMZ (Demilitarized Zone). What are the standard ports on the firewall that must be opened to allow traffic to and from the server?
A. 119, 23, 21, 80.
B. 443, 119, 21, 1250.
C. 80, 443, 21, 25.
D. 80, 443, 110, 21.
Answer: C

334. Which of the following will let a security administrator allow only HTTP (Hypertext Transfer Protocol) traffic for outbound Internet connections and set permissions to allow only certain users to browse the web?
A. packet filtering firewall.
B. protocol analyzer.
C. proxy server.
D. stateful firewall.
Answer: C

335. Which of the following IP (Internet Protocol) address schemes will require NAT (Network Address Translation) to connect to the Internet?
A. 204.180.0.0/24
B. 172.16.0.0/24
C. 192.172.0.0/24
D. 172.48.0.0/24
Answer: B

336. What is the primary DISADVANTAGE of a third party relay?
A. Spammers can utilize the relay.
B. The relay limits access to specific users.
C. The relay restricts the types of e-mail that may be sent.
D. The relay restricts spammers from gaining access.
Answer: A

337. A network administrator wants to connect a network to the Internet but does not want to compromise internal network IP (Internet Protocol) addresses. What should the network administrator implement?
A. a honey pot
B. a NAT (Network Address Translation)
C. a VPN (Virtual Private Network)
D. a screened network
Answer: B

338. Which of the following is NOT a field of an X.509 v3 certificate?
A. private key
B. issuer
C. serial number
D. subject
Answer: A

339. What is the default transport layer protocol and port number that SSL (Secure Sockets Layer) uses?
A. UDP (User Datagram Protocol) transport layer protocol and port 80
B. TCP (Transmission Control Protocol) transport layer protocol and port 80
C. TCP (Transmission Control Protocol) transport layer protocol and port 443
D. UDP (User Datagram Protocol) transport layer protocol and port 69
Answer: C

340. The greater the keyspace and complexity of a password, the longer a _______ attack may take to crack the password.
A. dictionary
B. brute force
C. inference
D. frontal
Answer: B

341. When a cryptographic system’s keys are no longer needed, the keys should be:
A. destroyed or stored in a secure manner
B. deleted from the system’s storage mechanism
C. recycled
D. submitted to a key repository
Answer: A

342. Creation of an information inventory is most valuable when:
A. localizing license based attacks
B. trying to reconstruct damaged systems
C. determining virus penetration within an enterprise
D. terminating employees for security policy violations
Answer: B

343. Which of the following is the best reason for a CA (Certificate Authority) to revoke a certificate?
A. The user’s certificate has been idle for two months.
B. The user has relocated to another address.
C. The user’s private key has been compromised.
D. The user’s public key has been compromised.
Answer: C

344. Which of the following statements identifies a characteristic of a symmetric algorithm?
A. performs a fast transformation of data relative to other cryptographic methods
B. regardless of the size of the user’s input data, the size of the output data is fixed.
C. is relatively slow in transforming data when compared to other cryptographic methods
D. includes a one way function where it is computationally infeasible for another entity to determine the input data from the output data
Answer: A

345. Which of the following terms represents a MAC (Mandatory Access Control) model?
A. Lattice
B. Bell-LaPadula
C. Biba
D. Clark and Wilson
Answer: A

346. The most common method of social engineering is:
A. looking through users’ trash for information
B. calling users and asking for information
C. e-mailing users and asking for information
D. e-mail
Answer: B

347. In the context of the Internet, what is tunneling? Tunneling is:
A. using the Internet as part of a private secure network
B. the ability to burrow through three levels of firewalls
C. the ability to pass information over the internet within the shortest amount of time
D. creating a tunnel which can capture data
Answer: A

348. The term cold site refers to:
A. a low temperature facility for long term storage of critical data
B. a location to begin operations during disaster recovery
C. a facility seldom used for high performance equipment
D. a location that is transparent to potential attackers
Answer: B

349. Sensitive material is currently displayed on a user’s monitor. What is the best course of action for the user before leaving the area?
A. The user should leave the area. The monitor is at a personal desk so there is no risk.
B. turn off the monitor
C. wait for the screen saver to start
D. refer to the company's policy on securing sensitive data
Answer: D

350. The system administrator of the company has terminated employment unexpectedly. When the administrator's user ID is deleted, the system suddenly begins deleting files. This is an example of what type of malicious code?
A. logic bomb
B. virus
C. Trojan horse
D. worm
Answer: A

351. With regard to the use of Instant Messaging, which of the following types of attack strategies is effectively combated with user awareness training?
A. social engineering
B. stealth
C. ambush
D. multi-pronged
Answer: A

352. A network administrator has just replaced a hub with a switch. When using software to sniff packets from the networks, the administrator notices conversations the administrator’s computer is having with servers on the network, but can no longer see conversations taking place between other network clients and servers. Given that the switch is functioning properly, what is the most likely cause of this?
A. With the exception of broadcasts, switches do not forward traffic out all ports.
B. The switch is setup with a VLAN (Virtual Local Area Network) utilizing all ports.
C. The software used to sniff packets is not configured properly.
D. The sniffer’s ethernet card is malfunctioning.
Answer: A

353. Which type of password generator is based on challenge-response mechanisms?
A. asynchronous
B. synchronous
C. cryptographic keys
D. smart cards
Answer: A

354. Which of the following is a characteristic of MAC (Mandatory Access Control) systems? MACs (Mandatory Access Control):
A. uses levels of security to classify users and data
B. allows owners of documents to determine who has access to specific documents
C. uses access control lists which specify a list of authorized users
D. uses access control lists which specify a list of unauthorized users
Answer: A

355. Companies without an acceptable use policy (AUP) may give their employees an expectation of:
A. intrusions
B. audits
C. privacy
D. prosecution
Answer: C

356. It is most difficult to eavesdrop on which of the following types of network cabling?
A. fiber optic cable
B. coaxial cable
C. UTP (Unshielded Twisted Pair)
D. STP (Shielded Twisted Pair)
Answer: A

357. Implementation of access control devices and technologies must fully reflect an organization’s security position as contained in its:
A. ACLs (Access Control List)
B. access control matrixes
C. information security policies
D. internal control procedures
Answer: C

358. Which of the following are tunneling protocols?
A. IPSec (Internet Protocol Security), L2TP (Layer Two Tunneling Protocol), and SSL (Secure Sockets Layer)
B. IPSec (Internet Protocol Security), L2TP (Layer Two Tunneling Protocol), and PPP (Point-to-Point Protocol)
C. L2TP (Layer Two Tunneling Protocol), PPTP (Point-to-Point Tunneling Protocol), and SSL (Secure Sockets Layer)
D. PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer Two Tunneling Protocol), and IPSec (Internet Protocol Security)
Answer: D

359. What are TCP (Transmission Control Protocol) wrappers used for?
A. preventing IP (Internet Protocol) spoofing
B. controlling access to selected services
C. encrypting TCP (Transmission Control Protocol) traffic
D. sniffing TCP (Transmission Control Protocol) traffic to troubleshoot
Answer: B

360. Loki, NetCat, Master's Paradise and NetBus are all considered what type of attack?
A. brute force
B. spoofing
C. back door
D. man in the middle
Answer: C

361. Which protocol is used to negotiate and provide authenticated keying material for security associations in a protected manner?
A. ISAKMP (Internet Security Association and Key Management Protocol)
B. ESP (Encapsulating Security Payload)
C. SSH (Secure Shell)
D. SKEME (Secure Key Exchange Mechanism)
Answer: A

362. An administrator wants to set up a system for an internal network that will examine all packets for known attack signatures. What type of system will be set up?
A. vulnerability scanner
B. packet filter
C. host based IDS (Intrusion Detection System)
D. network based IDS (Intrusion Detection System)
Answer: D

363. A password management system designed to provide availability for a large number of users includes which of the following?
A. self service password resets
B. locally saved passwords
C. multiple access methods
D. synchronized passwords
Answer: A

364. Turnstiles, double entry doors and security guards are all prevention measures for what type of social engineering?
A. piggybacking
B. looking over a co-worker’s shoulder to retrieve information
C. looking through a co-worker’s trash to retrieve information
D. impersonation
Answer: A

365. What is the major reason that social engineering attacks succeed?
A. strong passwords are not required
B. lack of security awareness
C. multiple logins are allowed
D. audit logs are not monitored frequently
Answer: B

366. Which authentication protocol should be employed to encrypt passwords?
A. PPTP (Point-to-Point Tunneling Protocol)
B. SMTP (Simple Mail Transfer Protocol)
C. Kerberos
D. CHAP (Challenge Handshake Authentication Protocol)
Answer: D

367. NAT (Network Address Translation) can be accomplished with which of the following?
A. static and dynamic NAT (Network Address Translation) and PAT (Port Address Translation)
B. static and hide NAT (Network Address Translation)
C. static and hide NAT (Network Address Translation) and PAT (Port Address Translation)
D. static, hide, and dynamic NAT (Network Address Translation)
Answer: C

368. In order for an SSL (Secure Sockets Layer) connection to be established between a web client and server automatically, the web client and server should have a(n):
A. shared password
B. certificate signed by a trusted root CA (Certificate Authority)
C. address on the same subnet
D. common operating system
Answer: B

369. A mobile sales force requires remote connectivity in order to access shared files and e-mail on the corporate network. All employees in the sales department have laptops equipped with Ethernet adapters. Some also have modems. What is the best remote access solution to allow all sales employees to access the corporate network?
A. ISDN (Integrated Services Digital Network)
B. dial-up
C. SSL (Secure Sockets Layer)
D. VPN (Virtual Private Network)
Answer: D

370. Which of the following four critical functions of a VPN (Virtual Private Network) restricts users from using resources in a corporate network?
A. access control
B. authentication
C. confidentiality
D. data integrity
Answer: A

371. Of the following, what is the primary attribute associated with e-mail hoaxes?
A. E-mail hoaxes create unnecessary e-mail traffic and panic in non-technical users.
B. E-mail hoaxes take up large amounts of server disk space.
C. E-mail hoaxes can cause buffer overflows on the e-mail server.
D. E-mail hoaxes can encourage malicious users.
Answer: A

372. Most certificates used for authentication are based on what standard?
A. ISO 19278
B. X.500
C. RFC 1205
D. X.509 v3
Answer: D

373. In order for User A to send User B an e-mail message that only User B can read, User A must encrypt the e-mail with which of the following keys?
A. User B’s public key
B. User B’s private key
C. User A’s public key
D. User A’s private key
Answer: A

374. What does the message recipient use with the hash value to verify a digital signature?
A. signer’s private key
B. receiver’s private key
C. signer’s public key
D. receiver’s public key
Answer: C

375. While surfing the Internet a user encounters a pop-up window that prompts the user to download a browser plug-in. The pop-up window is a certificate which validates the identity of the plug-in developer. Which of the following best describes this type of certificate?
A. software publisher certificate
B. web certificate
C. CA (Certificate Authority) certificate
D. server certificate
Answer: A

376. The public key infrastructure model where certificates are issued and revoked via a CA (Certificate Authority) is what type of model?
A. managed
B. distributed
C. centralized
D. standard
Answer: C

377. Company intranets, newsletters, posters, login banners and e-mails would be good tools to utilize in a security:
A. investigation
B. awareness program
C. policy review
D. control test
Answer: B

378. What is a network administrator protecting against by ingress/egress filtering traffic as follows:
- Any packet coming into the network must not have a source address of the internal network.
- Any packet coming into the network must have a destination address from the internal network.
- Any packet leaving the network must have a source address from the internal network.
- Any packet leaving the network must not have a destination address from the internal networks.
- Any packet coming into the network or leaving the network must not have a source or destination address of a private address or an address listed in RFC 1918 reserved space.
A. SYN (Synchronize) flooding
B. spoofing
C. DoS (Denial of Service) attacks
D. dictionary attacks
Answer: B

379. When hosting a web server with CGI (Common Gateway Interface) scripts, the directories for public view should have:
A. execute permissions
B. read and write permissions
C. read, write, and execute permissions
D. full control permissions
Answer: A

380. When User A applies to the CA (Certificate Authority) requesting a certificate to allow the start of communication with User B, User A must supply the CA (Certificate Authority) with:
A. User A’s public key only
B. User B’s public key only
C. User A’s and User B’s public keys
D. User A’s and User B’s public and private keys
Answer: A

381. Which of the following most accurately describes a DMZ (Demilitarized Zone)?
A. an application program with a state that authenticates the user and allows the user to be categorized based on privilege
B. a network between a protected network and an external network in order to provide an additional layer of security
C. the entire area between the network of origin and the destination network
D. an application that allows the user to remove any offensive of an attacker
Answer: B

382. A protocol specified in IEEE (Institute of Electrical and Electronics Engineers) 802.11b intended to provide a WLAN (Wireless Local Area Network) with the level of security associated with a WAN (Wireless Local-Area Network) is:
A. WEP (Wired Equivalent Privacy)
B. ISSE (Information Systems Security Engineering)
C. ISDN (Integrated Services Digital Network)
D. VPN (Virtual Private Network)
Answer: A

383. SSL (Secure Sockets Layer) operates between which two layers of the OSI (Open Systems Interconnection) model?
A. application and transport
B. transport and network
C. network and data link
D. data link and physical
Answer: A

385. What are the three entities of the SQL (Structured Query Language) security model?
A. actions, objects and tables
B. actions, objects and users
C. tables, objects and users
D. users, actions and tables
Answer: B

386. Which is of greatest importance when considering physical security?
A. reduce overall opportunity for an intrusion to occur
B. make alarm identification easy for security professionals
C. barricade all entry points against unauthorized entry
D. assess the impact of crime zoning and environmental considerations in the overall design
Answer: A

387. The flow of packets traveling through routers can be controlled by implementing what type of security mechanism?
A. ACLs (Access Control List)
B. fault tolerance tables
C. OSPF (Open Shortest Path First) policy
D. packet locks
Answer: A

388. Clients in Company A can view web sites that have been created for them, but CAN NOT navigate in them. Why might the clients not be able to navigate in the sites?
A. The sites have improper permissions assigned to them.
B. The server is in a DMZ (Demilitarized Zone).
C. The sites have IP (Internet Protocol) filtering enabled.
D. The server has heavy traffic.
Answer: A

389. The goal of TCP (Transmission Control Protocol) hijacking is:
A. taking over a legitimate TCP (Transmission Control Protocol) connection
B. predicting the TCP (Transmission Control Protocol) sequence number
C. identifying the TCP (Transmission Control Protocol) port for future exploitation
D. identifying source addresses for malicious use
Answer: A

390. TCP/IP (Transmission Control Protocol/Internet Protocol) hijacking resulted from exploitation of the fact that TCP/IP (Transmission Control Protocol/Internet Protocol):
A. has no authentication mechanism, thus allowing a cleartext password of 16 bytes
B. allows packets to be tunneled to an alternate network
C. has no authentication mechanism, and therefore allows connectionless packets from anyone
D. allows a packet to be spoofed and inserted into a stream, thereby enabling commands to be executed on the remote host
Answer: D

391. Intruders are detected accessing an internal network. The source IP (Internet Protocol) addresses originate from trusted networks. The most common type of attack in this scenario is:
A. social engineering
B. TCP/IP hijacking
C. smurfing
D. spoofing
Answer: D

392. Which of the following is used to authenticate and encrypt IP (Internet Protocol) traffic?
A. ESP (Encapsulating Security Payload)
B. S/MIME (Secure Multipurpose Internet Mail Extensions)
C. IPSec (Internet Protocol Security)
D. IPv2 (Internet Protocol version 2)
Answer: C

393. An administrator is configuring a server to make it less susceptible to an attacker obtaining the user account passwords. The administrator decides to have the encrypted passwords contained within a file that is readable only by root. What is a common name for this file?
A. passwd
B. shadow
C. hosts.allow
D. hosts.deny
Answer: B

394. Which of the following is the best IDS (Intrusion Detection System) to monitor the entire network?
A. a network based IDS (Intrusion Detection System)
B. a host based IDS (Intrusion Detection System)
C. a user based IDS (Intrusion Detection System)
D. a client based IDS (Intrusion Detection System)
Answer: A

395. One of the primary concerns of a centralized key management system is that:
A. keys must be stored and distributed securely
B. certificates must be made readily available
C. the key repository must be publicly accessible
D. the certificate contents must be kept confidential
Answer: A

396. What standard security protocol provides security and privacy in a WLAN (Wireless Local Area Network)?
A. SWP (Secure WLAN Protocol)
B. WEP (Wired Equivalent Privacy)
C. SSL (Secure Sockets Layer)
D. S/MIME (Secure Multipurpose Internet Mail Extensions)
Answer: B

397. What port scanning technique is used to see what ports are in a listening state and then performs a two way handshake?
A. TCP (Transmission Control Protocol) SYN (Synchronize) scan
B. TCP (Transmission Control Protocol) connect scan
C. TCP (Transmission Control Protocol) FIN scan
D. TCP (Transmission Control Protocol) NULL scan
Answer: A

398. Performing a security vulnerability assessment on systems that a company relies on demonstrates:
A. that the site CAN NOT be hacked
B. a commitment to protecting data and customers
C. insecurity on the part of the organization
D. a needless fear of attack
Answer: B

399. The best reason to perform a business impact analysis as part of the business continuity planning process is to:
A. test the veracity of data obtained from risk analysis
B. obtain formal agreement on maximum tolerable downtime
C. create the framework for designing tests to determine efficiency of business continuity plans
D. satisfy documentation requirements of insurance companies covering risks of systems and data important for business continuity
Answer: B

400. A FTP (File Transfer Protocol) bounce attack is generally used to:
A. exploit a buffer overflow vulnerability on the FTP (File Transfer Protocol) server
B. reboot the FTP (File Transfer Protocol) server
C. store and distribute malicious code
D. establish a connection between the FTP (File Transfer Protocol) server and another computer
Answer: D

401. E-mail servers have a configuration choice which allows the relaying of messages from one e-mail server to another. An e-mail server should be configured to prevent e-mail relay because:
A. untraceable, unwanted e-mail can be sent
B. an attacker can gain access and take over the server
C. confidential information in the server’s e-mail boxes can be read using the relay
D. the open relay can be used to gain control of nodes on additional networks
Answer: A

402. A security designer is planning the implementation of security mechanisms in a RBAC (Role Based Access Control) compliant system. The designer has determined that there are three types of resources in the system including files, printers, and mailboxes. The organization has four distinct departments with distinct functions including Sales, Marketing, Management, and Production. Each department needs access to different resources. Each user has a workstation. Which roles should be created to support the RBAC (Role Based Access Control) model?
A. file, printer, and mailbox roles
B. sales, marketing, management, and production roles
C. user and workstation roles
D. allow access and deny access roles
Answer: B

403. A network administrator is having difficulty establishing a L2TP (Layer Two Tunneling Protocol) VPN (Virtual Private Network) tunnel with IPSec (Internet Protocol Security) between a remote dial-up client and the firewall, through a perimeter router. The administrator has confirmed that the client's and firewall's IKE (Internet Key Exchange) policy and IPSec (Internet Protocol Security) policy are identical. The appropriate L2TP (Layer Two Tunneling Protocol) and IKE (Internet Key Exchange) transport layer ports have also been allowed on the perimeter router and firewall.
What additional step must be performed on the perimeter router and firewall to allow AH (Authentication Header) and ESP (Encapsulating Security Payload) tunnel-encapsulated IPSec (Internet Protocol Security) traffic to flow between the client and the firewall?
A. configure the perimeter router and firewall to allow inbound protocol number 51 for ESP (Encapsulating Security Payload) encapsulated IPSec (Internet Protocol Security) traffic
B. configure the perimeter router and firewall to allow inbound protocol number 49 for ESP (Encapsulating Security Payload) and AH (Authentication Header) encapsulated IPSec (Internet Protocol Security) traffic.
C. configure the perimeter router and firewall to allow inbound protocol numbers 50 and 51 for ESP (Encapsulating Security Payload) and AH (Authentication Header) encapsulated IPSec (Internet Protocol Security) traffic.
D. configure the perimeter router and firewall to allow inbound protocol numbers 52 and 53 for AH (Authentication Header) and ESP (Encapsulating Security Payload) encapsulated IPSec (Internet Protocol Security) traffic
Answer: C

404. One characteristic of biometrics is:
A. it does not require a password
B. it is 100% effective
C. false positives are rare
D. false negatives are rare
Answer: A

405. As a security administrator, what are the three categories of active responses relating to intrusion detection?
A. collect additional information, maintain the environment, and take action against the intruder
B. collect additional information, maintain the environment, and take action against the intruder
C. collect additional information, change the environment, and take action against the intruder
D. discard any additional information, change the environment, and take action against the intruder
Answer: C

406. Intrusion detection systems typically consist of two parts, a console and a:
A. sensor
B. router
C. processor
D. firewall
Answer: A

407. The owner of a file modifies the security settings of that file on the servers to limit access to specific individuals. Which method of security is being applied?
A. MAC (Mandatory Access Control)
B. DAC (Discretionary Access Control)
C. SAC (Subject Access Control)
D. RBAC (Role Based Access Control)
Answer: B

408. A block cipher is an example of which of the following encryption algorithms?
A. asymmetric key
B. public key
C. symmetric key
D. unkeyed
Answer: C

409. There are a number of ports in TCP/IP that can be scanned, exploited or attacked. How many ports are vulnerable to such operations?
A. 32
B. 1,024
C. 65,535
D. 16,777,216
Answer: C

410. Which of the following makes a token based authentication system very difficult to attack?
A. a token uses digital certificates
B. a token is something that is physically possessed
C. a token can only be used once
D. a token can only be used by the intended owner.
Answer: B

411. The main purpose of digital certificates is to securely bind a:
A. public key to the identity of the signer and recipient
B. private key to the identity of the signer and recipient
C. public key to the entity that holds the corresponding private key
D. private key to the entity that holds the corresponding public key
Answer: C

412. Which of the following is an asymmetric cryptographic algorithm?
A. AES
B. ElGamal
C. IDEA
D. DES
Answer: B


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
CompTIA Security+ Exam SY0-101


1. What port does TACACS use?

A. 21
B. 161
C. 53
D. 49

Answer: d

2. What port does SNMP use?

A. 21
B. 161
C. 53
D. 49

Answer: b


3. Which one does not use Smart Card Technology?

A. CD Player
B. Cell Phone
C. Satellite Cards
D. Handheld Computer

Answer: a


4. A document written by the CEO that outlines PKI use, management and deployment is a...

A. PKI policy
B. PKI procedure
C. PKI practice
D. best practices guideline

Answer: a


5. What functionality should be disallowed between a DNS server and untrusted node?

A. name resolutions
B. reverse ARP requests
C. system name resolutions
D. zone transfers

Answer: d


6. Which tunneling protocol only works on IP networks?

A. IPX
B. L2TP
C. PPTP
D. SSH

Answer: c


7. Which encryption scheme relies on both the sender and receiver to use different keys to encrypt and decrypt messages?

A. Symmetric
B. Blowfish
C. Skipjack
D. Asymmetric

Answer: d


8. An administrator of a web server notices many port scans to a server. To limit the exposure and vulnerabilities revealed by these port scans the administrator should:

A. Disable the ability to remotely scan the registry.
B. Leave all processes running for possible future use.
C. Close all programs or processes that use a UDP (User Datagram Protocol) or TCP (Transmission Control Protocol) port.
D. Uninstall or disable any programs or processes that are not needed for the proper use of the server.

Answer: d


9. The system administrator concerned about security has designated a special area in which to place the web server away from other servers on the network. This area is commonly known as the:

A. Honey pot
B. Hybrid subnet
C. DMZ (Demilitarized Zone)
D. VLAN (Virtual Local Area Network)

Answer: c


10. The integrity of a cryptographic system is considered compromised if which of the following conditions exist?

A. A 40-bit algorithm is used for a large financial transaction.
B. The public key is disclosed.
C. The private key is disclosed.
D. The validity of the data source is compromised.

Answer: c


11. Which of the following provides privacy, data integrity and authentication for handheld devices in a wireless network environment?

A. WEP (Wired Equivalent Privacy)
B. WAP (Wireless Application Protocol)
C. WSET (Wireless Secure Electronic Transaction)
D. WTLS (Wireless Transport Layer Security)

Answer: d


12. File encryption using symmetric cryptography satisfies what security requirement?

A. Confidentiality
B. Access control
C. Data integrity
D. Authentication

Answer: a


13. Missing audit log entries most seriously affect an organization’s ability to:

A. Recover destroyed data.
B. Legally prosecute an attacker.
C. Evaluate system vulnerabilities.
D. Create reliable system backups.

Answer: b


14. The primary DISADVANTAGE of symmetric cryptography is:

A. Speed
B. Key distribution
C. Weak algorithms
D. Memory management

Answer: b


15. Which access control method provides the most granular access to protected objects?

A. Capabilities
B. Access control lists
C. Permission bits
D. Profiles

Answer: b


16. SSL (Secure Sockets Layer) session keys are available in what two lengths?

A. 40-bit and 64-bit.
B. 40-bit and 128-bit.
C. 64-bit and 128-bit.
D. 128-bit and 1,024-bit.

Answer: b


17. Which one of the following would most likely lead to a CGI (Common Gateway Interface) security problem?

A. HTTP (Hypertext Transfer Protocol) protocol.
B. Compiler or interpreter that runs the CGI (Common Gateway Interface) script.
C. The web browser.
D. External data supplied by the user.

Answer: d


18. A network administrator wants to restrict internal access to other parts of the network. The network restrictions must be implemented with the least amount of administrative overhead and must be hardware based. What is the best solution?

A. Implement firewalls between subnets to restrict access.
B. Implement a VLAN (Virtual Local Area Network) to restrict network access.
C. Implement a proxy server to restrict access.
D. Implement a VPN (Virtual Private Network).

Answer: a


19. A server placed into service for the purpose of attracting a potential intruder’s attention is known as a:

A. Honey pot
B. Lame duck
C. Teaser
D. Pigeon

Answer: a


20. Which of the following options describes a challenge-response session?

A. A workstation or system that generates a random challenge string that the user enters when prompted along with the proper PIN (Personal Identification Number).
B. A workstation or system that generates a random login ID that the user enters when prompted along with the proper PIN (Personal Identification Number).
C. A special hardware device that is used to generate random text in a cryptography system.
D. The authentication mechanism in the workstation or system does not determine if the owner should be authenticated.

Answer: a


21. A network attack that misuses TCP’s (Transmission Control Protocol) three way handshake to overload servers and deny access to legitimate users is called a:

A. Man in the middle.
B. Smurf
C. Teardrop
D. SYN (Synchronize)

Answer: d


22. How can an e-mail administrator prevent malicious users from sending e-mails from non-existent domains?

A. Enable DNS (Domain Name Service) reverse lookup on the e-mail server.
B. Enable DNS (Domain Name Service) forward lookup on the e-mail server.
C. Enable DNS (Domain Name Service) recursive queries on the DNS (Domain Name Service) server.
D. Enable DNS (Domain Name Service) reoccurring queries on the DNS (Domain Name Service) server.

Answer: a


23. Security requirements for servers DO NOT typically include:

A. The absence of vulnerabilities used by known forms of attack against server hosts.
B. The ability to allow administrative activities to all users.
C. The ability to deny access to information on the server other than that intended to be available.
D. The ability to disable unnecessary network services that may be built into the operating system or server software.

Answer: b


24. The best way to harden an application that is developed in house is to:

A. Use an industry recommended hardening tool.
B. Ensure that security is given due considerations throughout the entire development process.
C. Try attacking the application to detect vulnerabilities, then develop patches to fix any vulnerabilities found.
D. Ensure that the auditing system is comprehensive enough to detect and log any possible intrusion, identifying existing vulnerabilities.

Answer: b


25. When a user digitally signs a document an asymmetric algorithm is used to encrypt:

A. Secret passkeys
B. File contents
C. Certificates
D. Hash results

Answer: d



26. A need to know security policy would grant access based on:

A. Least privilege
B. Less privilege
C. Loss of privilege
D. Single privilege

Answer: a


27. What is the best method of defence against IP (Internet Protocol) spoofing attacks?

A. Deploying intrusion detection systems.
B. Creating a DMZ (Demilitarized Zone).
C. Applying ingress filtering to routers.
D. There is not a good defense against IP (Internet Protocol) spoofing.

Answer: c
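Question 27's answer, ingress filtering, is easy to name and worth seeing as an actual rule. The block below is an added example, not part of the original question set: a BCP 38-style anti-spoofing check written in Python over constructed packet records. The interface names, the site prefixes 192.0.2.0/24 and 198.51.100.0/24, and the sample packets are assumptions made for the illustration.

```python
"""Ingress (BCP 38 style) anti-spoofing filter applied to constructed packet records."""
import ipaddress

# Hypothetical site layout, assumed for this example: these prefixes live behind the
# router's inside interface and must never appear as a *source* on packets that
# arrive from the Internet.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Source ranges that are never valid on the public Internet (RFC 1918, loopback,
# link-local, "this" network); a packet from outside carrying one is spoofed or misrouted.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def ingress_verdict(iface: str, src: str) -> str:
    """Return 'permit' or 'drop' for a packet seen on interface `iface` with source `src`."""
    addr = ipaddress.ip_address(src)
    if iface == "outside":
        if any(addr in net for net in INTERNAL_PREFIXES):
            return "drop"   # our own addresses cannot legitimately arrive from the Internet
        if any(addr in net for net in BOGON_PREFIXES):
            return "drop"   # private/bogon source on the public side
        return "permit"
    if iface == "inside":
        # Egress side of the same idea: only our own prefixes may leave the site.
        return "permit" if any(addr in net for net in INTERNAL_PREFIXES) else "drop"
    return "drop"           # unknown interface: fail closed


def filter_packets(records):
    """records: iterable of (iface, src, dst); returns [(iface, src, dst, verdict), ...]."""
    return [(iface, src, dst, ingress_verdict(iface, src)) for iface, src, dst in records]


# Constructed sample traffic for the demonstration (not captured data).
SAMPLE_PACKETS = [
    ("outside", "203.0.113.7", "192.0.2.10"),   # ordinary Internet client
    ("outside", "192.0.2.55", "192.0.2.10"),    # spoofs one of our internal addresses
    ("outside", "10.1.2.3", "192.0.2.10"),      # RFC 1918 source arriving from the Internet
    ("inside", "192.0.2.10", "203.0.113.7"),    # legitimate outbound reply
    ("inside", "8.8.8.8", "203.0.113.7"),       # internal host spoofing an outside source
]

if __name__ == "__main__":
    for row in filter_packets(SAMPLE_PACKETS):
        print(*row)
```

The same check is what an upstream ISP applies on customer-facing interfaces; the inside rule is the egress half that stops your own hosts from taking part in a reflected attack. It does not stop spoofing of addresses that are plausible for the ingress interface, which is why question 72's encryption and question 87's PKI are still needed end to end.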


28. What is the best method of reducing vulnerability from dumpster diving?

A. Hiring additional security staff.
B. Destroying paper and other media.
C. Installing surveillance equipment.
D. Emptying the trash can frequently.

Answer: b


29. A common algorithm used to verify the integrity of data from a remote user through the creation of a 128-bit hash from a data input is:

A. IPSec (Internal Protocol Security)
B. RSA (Rivest Shamir Adelman)
C. Blowfish
D. MD5 (Message Digest 5)

Answer: d



30. A major difference between a worm and a Trojan horse program is:

A. Worms are spread via e-mail while Trojan horses are not.
B. Worms are self replicating while Trojan horses are not.
C. Worms are a form of malicious code while Trojan horses are not.
D. There is no difference.

Answer: b


31. When a change to user security policy is made, the policy maker should provide appropriate documentation to:

A. The security administrator.
B. Auditors
C. Users
D. All staff.

Answer: d


32. Message authentication codes are used to provide which service?

A. Integrity
B. Fault recovery
C. Key recovery
D. Acknowledgement

Answer: a
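Questions 32 and 59 both turn on integrity. As an added example that is not from the original page, here is the service a message authentication code actually provides, using HMAC-SHA256 from the Python standard library: only a holder of the shared key can produce a tag that verifies, and any change to the message invalidates it. The key, the sample message and the bit flip are constructed for the demonstration.

```python
"""Keyed message authentication: HMAC-SHA256 tag generation and verification."""
import hashlib
import hmac
import secrets


def make_tag(key: bytes, message: bytes) -> bytes:
    """Compute the HMAC-SHA256 tag over `message` under the shared `key`."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time; a single flipped bit fails."""
    return hmac.compare_digest(make_tag(key, message), tag)


def tamper(message: bytes, index: int) -> bytes:
    """Flip the low bit of one byte, simulating modification in transit."""
    data = bytearray(message)
    data[index] ^= 0x01
    return bytes(data)


def demo(key: bytes = None):
    """Returns (genuine_ok, tampered_ok, wrong_key_ok) for a constructed message."""
    # Shared secret, assumed to have been distributed out of band (see question 14).
    key = key or secrets.token_bytes(32)
    msg = b"transfer 100.00 to account 4242"     # constructed sample message
    tag = make_tag(key, msg)
    genuine = verify_tag(key, msg, tag)
    # Index 9 is the '1' of "100.00"; flipping its low bit turns it into "000.00".
    tampered = verify_tag(key, tamper(msg, 9), tag)
    # Someone without the key cannot forge a tag for the untouched message either.
    wrong_key = verify_tag(secrets.token_bytes(32), msg, tag)
    return genuine, tampered, wrong_key
```

Note what a MAC does not give you: because both ends hold the same key, either side could have produced the tag, so it proves integrity and origin only between the two key holders. Non-repudiation towards a third party needs a digital signature (questions 25 and 44).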


33. When hardening a machine against external attacks, what process should be followed when disabling services?

A. Disable services such as DHCP (Dynamic Host Configuration Protocol) client and print servers from servers that do not use/serve those functions.
B. Disable one unnecessary service after another, while reviewing the effects of the previous action.
C. Research the services and their dependencies before disabling any default services.
D. Disable services not directly related to financial operations.

Answer: c


34. Incorrectly detecting authorized access as an intrusion or attack is called a false:

A. Negative
B. Intrusion
C. Positive
D. Alarm

Answer: c



35. What fingerprinting technique relies on the fact that operating systems differ in the amount of information that is quoted when ICMP (Internet Control Message Protocol) errors are encountered?

A. TCP (Transmission Control Protocol) options.
B. ICMP (Internet Control Message Protocol) error message quenching.
C. Fragmentation handling.
D. ICMP (Internet Control Message Protocol) message quoting.

Answer: d


36. Which protocol is typically used for encrypting traffic between a web browser and web server?

A. IPSec (Internet Protocol Security)
B. HTTP (Hypertext Transfer Protocol)
C. SSL (Secure Sockets Layer)
D. VPN (Virtual Private Network)

Answer: c


37. The system administrator has just used a program that highlighted the susceptibility of several servers on the network to various exploits. The program also suggested fixes. What type of program was used?

A. Intrusion detection
B. Port scanner
C. Vulnerability scanner
D. Trojan scanner

Answer: c


38. Which of the following is a popular VPN (Virtual Private Network) protocol operating at OSI (Open Systems Interconnect) model Layer 3?

A. PPP (Point-to-Point Protocol)
B. SSL (Secure Sockets Layer)
C. L2TP (Layer Two Tunneling Protocol)
D. IPSec (Internet Protocol Security)

Answer: d


39. Which of the following is the best description of “separation of duties”?

A. Assigning different parts of tasks to different employees.
B. Employees are granted only the privileges necessary to perform their tasks.
C. Each employee is granted specific information that is required to carry out the job function.
D. Screening employees before assigning them to a position.

Answer: a



40. A DRP (Disaster Recovery Plan) typically includes which of the following:

A. Penetration testing.
B. Risk assessment.
C. DoS (Denial of Service) attack.
D. ACLs (Access Control List).

Answer: b


41. One of the factors that influence the lifespan of a public key certificate and its associated keys is the:

A. Value of the information it is used to protect.
B. Cost and management fees.
C. Length of the asymmetric hash.
D. Data available openly on the cryptographic system.

Answer: a


42. The action of determining which operating system is installed on a system simply by analyzing its response to certain network traffic is called:

A. OS (Operating System) scanning.
B. Reverse engineering.
C. Fingerprinting
D. Host hijacking.

Answer: c


43. The most effective way an administrator can protect users from social engineering is:

A. Education
B. Implement personal firewalls.
C. Enable logging on at user’s desktops.
D. Monitor the network with an IDS (Intrusion Detection System)

Answer: a


44. During the digital signature process, asymmetric cryptography satisfied what security requirement?

A. Confidentiality
B. Access control
C. Data integrity
D. Authentication

Answer: d



45. The best method to use for protecting a password stored on the server used for user authentication is to:

A. Store the server password in clear text.
B. Hash the server password.
C. Encrypt the server password with asymmetric keys.
D. Encrypt the server password with a public key.

Answer: b
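Question 45's answer, hash rather than encrypt, in practice means a salted, iterated hash so that a stolen password file cannot be reversed or attacked with a precomputed table. This added example, not the page's own code, shows PBKDF2-HMAC-SHA256 storage and verification using only the Python standard library; the record format `algorithm$iterations$salt$hash` and the default iteration count are assumptions for the illustration.

```python
"""Storing server-side passwords as salted, iterated hashes instead of clear text."""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; assumed here, tune per deployment


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>."""
    salt = salt or secrets.token_bytes(16)   # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False                         # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def same_password_different_records(password: str, iterations: int = ITERATIONS) -> bool:
    """Two users with the same password must not produce the same stored hash."""
    return hash_password(password, iterations=iterations) != hash_password(password, iterations=iterations)
```

Because the salt and iteration count travel with the record, the work factor can be raised later and old records re-hashed at next login. A plain unsalted hash (the literal reading of "hash the server password") would still let an attacker with the file test one guess against every account at once.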


46. What is the most common method used by attackers to identify the presence of an 802.11b network?

A. War driving
B. Direct inward dialing
C. War dialing
D. Packet driving

Answer: a


47. An inherent flaw of DAC (Discretionary Access Control) relating to security is:

A. DAC (Discretionary Access Control) relies only on the identity of the user or process, leaving room for a Trojan horse.
B. DAC (Discretionary Access Control) relies on certificates, allowing attackers to use those certificates.
C. DAC (Discretionary Access Control) does not rely on the identity of a user, allowing anyone to use an account.
D. DAC (Discretionary Access Control) has no known security flaws.

Answer: a


48. A password security policy can help a system administrator to decrease the probability that a password can be guessed by reducing the password’s:

A. Length
B. Lifetime
C. Encryption level
D. Alphabet set

Answer: b


49. What is the advantage of a multi-homed firewall?

A. It is relatively inexpensive to implement.
B. The firewall rules are easier to manage.
C. If the firewall is compromised, only the systems in the DMZ (Demilitarized Zone) are exposed.
D. An attacker must circumvent two firewalls.

Answer: c


50. Privileged accounts are most vulnerable immediately after a:

A. Successful remote login.
B. Privileged user is terminated.
C. Default installation is performed.
D. Full system backup is performed.

Answer: b


51. Which of the following is NOT a characteristic of DEN (Directory Enabled Networking)?

A. It is mapped into the directory defined as part of the LDAP (Lightweight Directory Access Protocol).
B. It is inferior to SNMP (Simple Network Management Protocol).
C. It is an object oriented information model.
D. It is an industry standard indicating how to construct and store information about a network’s users, applications and data.

Answer: b


52. Poor programming techniques and lack of code review can lead to which of the following type of attack?

A. CGI (Common Gateway Interface) script
B. Birthday
C. Buffer overflow
D. Dictionary

Answer: c


53. Technical security measures and countermeasures are primarily intended to prevent:

A. Unauthorized access, unauthorized modification, and denial of authorized access.
B. Interoperability of the framework, unauthorized modification, and denial of authorized access.
C. Potential discovery of access, interoperability of the framework, and denial of authorized access.
D. Interoperability of the framework, unauthorized modification, and unauthorized access.

Answer: a


54. The WAP (Wireless Application Protocol) programming model is based on the following three elements:

A. Client, original server, WEP (Wired Equivalent Privacy)
B. Code design, code review, documentation
C. Client, original server, wireless interface card
D. Client, gateway, original server

Answer: d



55. An organization is implementing Kerberos as its primary authentication protocol. Which of the following must be deployed for Kerberos to function properly?

A. Dynamic IP (Internet Protocol) routing protocols for routers and servers.
B. Separate network segments for the realms.
C. Token authentication devices.
D. Time synchronization services for clients and servers.

Answer: d



56. Which of the following correctly identifies some of the contents of an user’s X.509 certificate?

A. User’s public key, object identifiers, and the location of the user’s electronic identity.
B. User’s public key, the CA (Certificate Authority) distinguished name, and the type of symmetric algorithm used for encryption.
C. User’s public key, the certificate’s serial number, and the certificate’s validity dates.
D. User’s public key, the serial number of the CA (Certificate Authority) certificate, and the CRL (Certificate Revocation List) entry point.

Answer: c


57. Which of the following steps in the SSL (Secure Sockets Layer) protocol allows for client and server authentication, MAC (Message Authentication Code) and encryption algorithm negotiation, and selection of cryptographic keys?

A. SSL (Secure Sockets Layer) alert protocol.
B. SSL (Secure Sockets Layer) change cipher spec protocol.
C. SSL (Secure Sockets Layer) record protocol.
D. SSL (Secure Sockets Layer) handshake protocol.

Answer: d


58. Which of the following is expected network behaviour?

A. Traffic coming from or going to unexpected locations.
B. Non-standard or malformed packets/protocol violations.
C. Repeated, failed connection attempts.
D. Changes in network performance such as variations in traffic load.

Answer: d


59. Assuring the recipient that a message has not been altered in transit is an example of which of the following:

A. Integrity
B. Static assurance
C. Dynamic assurance
D. Cyclical check sequence

Answer: a



60. Appropriate documentation of a security incident is important for each of the following reasons EXCEPT:

A. The documentation serves as a lessons learned which may help avoid further exploitation of the same vulnerability.
B. The documentation will serve as an aid to updating policy and procedure.
C. The documentation will indicate who should be fired for the incident.
D. The documentation will serve as a tool to assess the impact and damage of the incident.

Answer: c


61. The process by which remote users can make a secure connection to internal resources after establishing an Internet connection could correctly be referred to as:

A. Channeling
B. Tunneling
C. Throughput
D. Forwarding

Answer: b


62. With regards to the use of Instant Messaging, which of the following type of attack strategies is effectively combated with user awareness training?

A. Social engineering
B. Stealth
C. Ambush
D. Multi-pronged

Answer: a


63. For system logging to be an effective security measure, an administrator must:

A. Review the logs on a regular basis.
B. Implement circular logging.
C. Configure the system to shutdown when the logs are full.
D. Configure SNMP (Simple Network Management Protocol) traps for logging events.

Answer: a


64. A security administrator tasked with confining sensitive data traffic to a specific subnet would do so by manipulating privilege policy based tables in the networks:

A. Server
B. Router
C. VPN (Virtual Private Network)
D. Switch

Answer: b


65. What is the most effective social engineering defence strategy?

A. Marking of documents
B. Escorting of guests
C. Badge security system
D. Training and awareness

Answer: d


66. Regarding security, biometrics are used for:

A. Accountability
B. Certification
C. Authorization
D. Authentication

Answer: d


67. What type of attack CANNOT be detected by an IDS (Intrusion Detection System)?

A. DoS (Denial of Service)
B. Exploits of bugs or hidden features
C. Spoofed e-mail
D. Port scan

Answer: c


68. An attacker can determine what network services are enabled on a target system by:

A. Installing a rootkit on the target system.
B. Checking the services file.
C. Enabling logging on the target system.
D. Running a port scan against the target system.

Answer: d


69. A malformed MIME (Multipurpose Internet Mail Extensions) header can:

A. Create a back door that will allow an attacker free access to a company’s private network.
B. Create a virus that infects a user’s computer.
C. Cause an unauthorized disclosure of private information.
D. Cause an e-mail server to crash.

Answer: d



70. Analyzing log files after an attack has started is an example of:

A. Active detection
B. Overt detection
C. Covert detection
D. Passive detection

Answer: d


71. One of the most effective ways for an administrator to determine what security holes reside on a network is to:

A. Perform a vulnerability assessment.
B. Run a port scan.
C. Run a sniffer.
D. Install and monitor an IDS (Intrusion Detection System).

Answer: a


72. What is the best defence against man in the middle attacks?

A. A firewall
B. Strong encryption
C. Strong authentication
D. Strong passwords

Answer: b


73. Which systems should be included in a disaster recovery plan?

A. All systems.
B. Those identified by the board of directors, president or owner.
C. Financial systems and human resources systems.
D. Systems identified in a formal risk analysis process.

Answer: d


74. Currently, the most costly method of authentication is the use of:

A. Passwords
B. Tokens
C. Biometrics
D. Shared secrets

Answer: c


75. A PKI (Public Key Infrastructure) document that serves as the vehicle on which to base common interoperability standards and common assurance criteria on an industry wide basis is a certificate:

A. Policy
B. Practice
C. Procedure
D. Process

Answer: a


76. An effective method of preventing computer viruses from spreading is to:

A. Require root/administrator access to run programs.
B. Enable scanning of e-mail attachments.
C. Prevent the execution of .vbs files.
D. Install a host based IDS (Intrusion Detection System)

Answer: b


77. What is NOT an acceptable use for smart card technology?

A. Mobile telephones
B. Satellite television access cards
C. A PKI (Public Key Infrastructure) token card shared by multiple users
D. Credit cards

Answer: c


78. A network attack method that uses ICMP (Internet Control Message Protocol) and improperly formatted MTUs (Maximum Transmission Unit) to crash a target computer is known as a:

A. Man in the middle attack
B. Smurf attack
C. Ping of death attack
D. TCP SYN (Transmission Control Protocol / Synchronized) attack

Answer: c


79. Which of the following is likely to be found after enabling anonymous FTP (File Transfer Protocol) read/write access?

A. An upload and download directory for each user.
B. Detailed logging information for each user.
C. Storage and distribution of unlicensed software.
D. Fewer server connections and less network bandwidth utilization.

Answer: c



80. An example of a physical access barrier would be:

A. Video surveillance
B. Personnel traffic pattern management
C. Security guard
D. Motion detector

Answer: c


81. IDEA (International Data Encryption Algorithm), Blowfish, RC5 (Rivest Cipher 5) and CAST-128 are encryption algorithms of which type?

A. Symmetric
B. Asymmetric
C. Hashing
D. Elliptic curve

Answer: a


82. When an ActiveX control is executed, it executes with the privileges of the:

A. Current user account
B. Administrator account
C. Guest account
D. System account

Answer: a


83. An administrator is concerned with viruses in e-mail attachments being distributed and inadvertently installed on users' workstations. If the administrator sets up an attachment filter, what types of attachments should be filtered from e-mails to minimize the danger of viruses?

A. Text file
B. Image files
C. Sound files
D. Executable files

Answer: d


84. What authentication problem is addressed by single sign on?

A. Authorization through multiple servers.
B. Multiple domains.
C. Multi-factor authentication.
D. Multiple usernames and passwords.

Answer: d


85. An extranet would be best defined as an area or zone:

A. Set aside for business to store extra servers for internal use.
B. Accessible to the general public for accessing the business’ web site.
C. That allows a business to securely transact with other businesses.
D. Added after the original network was built for additional storage.

Answer: c


86. Access controls based on security labels associated with each data item and each user are known as:

A. MACs (Mandatory Access Control)
B. RBACs (Role Based Access Control)
C. LBACs (List Based Access Control)
D. DACs (Discretionary Access Control)

Answer: a


87. Which of the following is considered the best technical solution for reducing the threat of a man in the middle attack?

A. Virtual LAN (Local Area Network)
B. GRE (Generic Route Encapsulation) tunnel IPIP (Internet Protocol- within-Internet Protocol Encapsulation Protocol)
C. PKI (Public Key Infrastructure)
D. Enforcement of badge system

Answer: c


88. Security controls may become vulnerabilities in a system unless they are:

A. Designed and implemented by the system vendor.
B. Adequately tested.
C. Implemented at the application layer in the system.
D. Designed to use multiple factors of authentication.

Answer: b



89. The standard encryption algorithm based on Rijndael is known as:

A. AES (Advanced Encryption Standard)
B. 3DES (Triple Data Encryption Standard)
C. DES (Data Encryption Standard)
D. Skipjack

Answer: a



90. IEEE (Institute of Electrical and Electronics Engineers) 802.11b is capable of providing data rates of up to:

A. 10 Mbps (Megabits per second)
B. 10.5 Mbps (Megabits per second)
C. 11 Mbps (Megabits per second)
D. 12 Mbps (Megabits per second)

Answer: c


91. Security training should emphasise that the weakest links in the security of an organization are typically:

A. Firewalls
B. Policies
C. Viruses
D. People

Answer: d


92. What are the four major components of ISAKMP (Internet Security Association and Key Management Protocol)?

A. Authentication of peers, threat management, communication management, and cryptographic key establishment.
B. Authentication of peers, threat management, communication management, and cryptographic key establishment and management.
C. Authentication of peers, threat management, security association creation and management, and cryptographic key establishment and management.
D. Authentication of peers, threat management, security association creation and management, and cryptographic key management.

Answer: c


93. What would NOT improve the physical security of workstations?

A. Lockable cases, keyboards, and removable media drives.
B. Key or password protected configuration and setup.
C. Password required to boot.
D. Strong passwords.

Answer: d


94. Dave is increasing the security of his Web site by adding SSL (Secure Sockets Layer). Which type of encryption does SSL use?

A. Asymmetric
B. Symmetric
C. Public Key
D. Secret

Answer: c



95. Which of the following is an example of an asymmetric algorithm?

A. CAST (Carlisle Adams Stafford Tavares)
B. RC5 (Rivest Cipher 5)
C. RSA (Rivest Shamir Adelman)
D. SHA-1 (Secure Hashing Algorithm 1)

Answer: c


96. Which of the following is a technical solution that supports high availability?

A. UDP (User Datagram Protocol)
B. Anti-virus solution
C. RAID (Redundant Array of Independent Disks)
D. Firewall

Answer: c


97. The defacto IT (Information Technology) security evaluation criteria for the international community is called?

A. Common Criteria
B. Global Criteria
C. TCSEC (Trusted Computer System Evaluation Criteria)
D. ITSEC (Information Technology Security Evaluation Criteria)

Answer: a


98. You are the first person to arrive at a crime scene. An investigator and crime scene technician arrive afterwards to take over the investigation. Which of the following tasks will the crime scene technician be responsible for performing?

A. Ensure that any documentation and evidence they possessed is handled over to the investigator.
B. Reestablish a perimeter as new evidence presents itself.
C. Establish a chain of command.
D. Tag, bag, and inventory evidence.

Answer: d


99. You are the first to arrive at a crime scene in which a hacker is accessing unauthorized data on a file server from across the network. To secure the scene, which of the following actions should you perform?

A. Prevent members of the organization from entering the server room.
B. Prevent members of the incident response team from entering the server room.
C. Shut down the server to prevent the user from accessing further data.
D. Detach the network cable from the server to prevent the user from accessing further data.

Answer: a,d


100. What type of authentication may be needed when a stored key and memorized password are not strong enough and additional layers of security is needed?

A. Mutual
B. Multi-factor
C. Biometric
D. Certificate

Answer: b



101. Many intrusion detection systems look for known patterns or _____ to aid in detecting attacks.

A. Viruses
B. Signatures
C. Hackers
D. Malware

Answer: b


102. As the Security Analyst for your companies network, you want to implement Single Signon technology. What benefit can you expect to get when implementing Single Signon?

A. You will need to log on twice at all times.
B. You can allow for system wide permissions with it.
C. You can install multiple applications.
D. You can browse multiple directories.

Answer: b


103. You have decided to implement biometrics as part of your security system. Before purchasing a locking system that uses biometrics to control access to secure areas, you need to decide what will be used to authenticate users. Which of the following options relies solely on biometric authentication?

A. Username and password.
B. Fingerprints, retinal scans, PIN numbers, and facial characteristics.
C. Voice patterns, fingerprints, and retinal scans.
D. Strong passwords, PIN numbers, and digital imaging.

Answer: c


104. DAC (Discretionary Access Control) system operate which following statement:

A. Files that don't have an owner cannot be modified.
B. The administrator of the system is an owner of each object.
C. The operating system is an owner of each object.
D. Each object has an owner, which has full control over the object.

Answer: d



105. Forensic procedures must be followed exactly to ensure the integrity of data obtained in an investigation. When making copies of data from a machine that is being examined, which of the following tasks should be done to ensure it is an exact duplicate?

A. Perform a cyclic redundancy check using a checksum or hashing algorithm.
B. Change the attributes of data to make it read only.
C. Open files on the original media and compare them to the copied data.
D. Do nothing. Imaging software always makes an accurate image.

Answer: a
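Questions 29 and 105 are the same idea at two scales: a hash is a fixed-size fingerprint of the input, and a forensic image is verified by hashing the original and the copy and comparing. The block below is an added example, not the original page's code. It hashes a file-like object in chunks (so a multi-gigabyte image need not fit in memory) and checks a constructed stand-in for a disk against a good copy and against a copy with one damaged byte. SHA-256 is used rather than MD5 from question 29; MD5's 128-bit output is still seen in older tooling, but its known collisions mean modern practice records SHA-256 alongside or instead of it.

```python
"""Verifying a forensic copy: hash the original and the image, then compare digests."""
import hashlib
import io


def stream_digest(stream, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash a file-like object in chunks so large images don't need to fit in memory."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_image(original, image, algorithm: str = "sha256") -> dict:
    """Return both digests and whether the image is a bit-for-bit duplicate."""
    o = stream_digest(original, algorithm)
    i = stream_digest(image, algorithm)
    return {"algorithm": algorithm, "original": o, "image": i, "match": o == i}


# Constructed stand-in for a small disk: 3 MiB of patterned bytes, not a real device.
ORIGINAL_BYTES = bytes(range(256)) * (3 * 4096)


def demo():
    """Returns (good_copy_matches, damaged_copy_matches)."""
    good = verify_image(io.BytesIO(ORIGINAL_BYTES), io.BytesIO(ORIGINAL_BYTES))
    # A copy differing in a single byte deep inside the image (simulated write error).
    damaged = bytearray(ORIGINAL_BYTES)
    damaged[2_000_000] ^= 0xFF
    bad = verify_image(io.BytesIO(ORIGINAL_BYTES), io.BytesIO(bytes(damaged)))
    return good["match"], bad["match"]
```

In a real acquisition the source is attached through a write blocker, hashed before imaging, imaged, and then both source and image are hashed again; all three digests go into the chain-of-custody record so the copy can be re-verified at any later date.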



106. A collection of information that includes login, file access, other various activities, and actual or attempted legitimate and unauthorized violations is a(n):

A. Audit
B. ACL (Access Control List)
C. Audit trail
D. Syslog

Answer: c


107. A program that can infect other programs by modifying them to include a version of itself is a:

A. Replicator
B. Virus
C. Trojan horse
D. Logic bomb

Answer: b


108. When a session is initiated between a Transmission Control Protocol (TCP) client and server in a network, a very small buffer space exists to handle the usually rapid "hand-shaking" exchange of messages that sets up the session. What kind of attack exploits this functionality?

A. Buffer Overflow
B. SYN Attack
C. Smurf
D. Birthday Attack

Answer: b
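Questions 21 and 108 describe the SYN flood: the attacker sends the first message of the three-way handshake and never completes it, so the server's table of half-open connections fills. The block below is an added example, not part of the original question set, showing what the attack looks like from the defender's side: it parses a constructed flag-level connection log, tracks each client flow through SYN, SYN-ACK and ACK, and reports sources with many handshakes left half-open. The log format and the sample lines are assumptions made for the demonstration.

```python
"""Spotting a SYN flood: count half-open handshakes per source in a connection log."""
import re
from collections import defaultdict

# Constructed log lines (not a real capture). Assumed format for this example:
#   "<time> <src_ip>:<src_port> > <dst_ip>:<dst_port> <flags>"   flags: S, SA or A
SAMPLE_LOG = """\
10:00:01.001 203.0.113.9:40001 > 192.0.2.10:80 S
10:00:01.002 192.0.2.10:80 > 203.0.113.9:40001 SA
10:00:01.003 203.0.113.9:40001 > 192.0.2.10:80 A
10:00:02.000 198.51.100.77:1025 > 192.0.2.10:80 S
10:00:02.001 198.51.100.77:1026 > 192.0.2.10:80 S
10:00:02.002 198.51.100.77:1027 > 192.0.2.10:80 S
10:00:02.003 198.51.100.77:1028 > 192.0.2.10:80 S
10:00:02.004 198.51.100.77:1029 > 192.0.2.10:80 S
10:00:02.005 198.51.100.77:1030 > 192.0.2.10:80 S
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) > (\S+):(\d+) (\S+)$")


def half_open_by_source(log_text: str) -> dict:
    """Track each client flow; it stays half-open until the client's final ACK arrives."""
    # (client_ip, client_port, server_ip, server_port) -> "syn" | "synack" | "open"
    state = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # ignore lines we don't understand
        _, src, sport, dst, dport, flags = m.groups()
        if flags == "S":                               # client opens: first leg
            state[(src, sport, dst, dport)] = "syn"
        elif flags == "SA":                            # server answers: swap the ends
            key = (dst, dport, src, sport)
            if state.get(key) == "syn":
                state[key] = "synack"
        elif flags == "A":                             # client completes: third leg
            key = (src, sport, dst, dport)
            if state.get(key) == "synack":
                state[key] = "open"
    counts = defaultdict(int)
    for (client, _, _, _), s in state.items():
        if s != "open":
            counts[client] += 1
    return dict(counts)


def flood_suspects(log_text: str, threshold: int = 5) -> list:
    """Sources with at least `threshold` half-open handshakes, worst offender first."""
    counts = half_open_by_source(log_text)
    return sorted((ip for ip, n in counts.items() if n >= threshold), key=lambda ip: -counts[ip])
```

Two caveats a practitioner would add: the sources in a real flood are usually spoofed (question 27's ingress filtering is the upstream fix), and modern kernels answer with SYN cookies so the half-open table no longer fills, which changes what the log shows but not the per-source counting above.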


109. You are promoting user awareness in forensics, so users will know what to do when incidents occur with their computers. Which of the following tasks should you instruct users to perform when an incident occurs? (Choose all that apply)

A. Shut down the computer.
B. Contact the incident response team.
C. Document what they see on the screen.
D. Log off the network.

Answer: b, c



110. Asymmetric cryptography ensures that:

A. Encryption and authentication can take place without sharing private keys.
B. Encryption of the secret key is performed with the fastest algorithm available.
C. Encryption occurs only when both parties have been authenticated.
D. Encryption factoring is limited to the session key.

Answer: a
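Questions 25, 44 and 110 together describe the signing mechanism: the signer hashes the document, transforms the hash with the private key, and anyone holding the public key can undo that transform and compare against their own hash of the document, so authentication and integrity follow without the private key ever being shared. The block below is an added example, not the original page's code, that carries this through with bare RSA in the Python standard library. To keep it deterministic and self-contained it uses two Mersenne primes as fixed, publicly known keys; that, and the absence of signature padding, make it a toy for reading the mechanism, not a usable signing scheme. Real deployments use random primes of equal size, PSS or PKCS#1 v1.5 padding, and a vetted library.

```python
"""What a digital signature signs: the hash, under the signer's private key (toy RSA)."""
import hashlib

# Fixed, publicly known primes so the example is reproducible. Mersenne primes of very
# unequal size are NOT acceptable for real keys; they are an assumption for illustration.
P = 2**521 - 1
Q = 2**127 - 1
N = P * Q                              # public modulus, ~648 bits, well above a SHA-256 digest
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (modular inverse, Python 3.8+)

PUBLIC_KEY = (N, E)                    # may be handed to anyone (question 411 / 56)
PRIVATE_KEY = (N, D)                   # never leaves the signer (question 10)


def digest_int(message: bytes) -> int:
    """Hash first: the signature covers a fixed-size digest, not the document itself."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """'Encrypt' the hash with the private key (question 25)."""
    n, d = private_key
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Recover the hash with the public key and compare to a fresh hash (question 44)."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message)


def demo():
    """Returns (genuine_ok, altered_document_ok, altered_signature_ok)."""
    doc = b"Purchase order 1187: 40 units at 12.50"   # constructed sample document
    sig = sign(doc)
    return (verify(doc, sig),
            verify(doc + b" (amended)", sig),         # document changed after signing
            verify(doc, sig + 1))                     # signature tampered with
```

Note the division of labour: the hash gives integrity, the private-key operation gives origin, and because only the signer holds the private key the result is also non-repudiable, which is the property a MAC (question 32) cannot provide.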


111. When securing a FTP (File Transfer Protocol) server, what can be done to ensure that only authorized users can access the server?

A. Allow blind authentication.
B. Disable anonymous authentication.
C. Redirect FTP (File Transfer Protocol) to another port.
D. Only give the address to users that need access.

Answer: b


112. As the Security Analyst for your companies network, you want to implement AES. What algorithm will it use?

A. Rijndael
B. Nagle
C. Spanning Tree
D. PKI

Answer: a


113. What are access decisions based on in a MAC (Mandatory Access Control) environment?

A. Access control lists
B. Ownership
C. Group membership
D. Sensitivity labels

Answer: d


114. IMAP4 requires port ____ to be open.

A. 80
B. 389
C. 22
D. 21
E. 23
F. 25
G. 110
H. 143
I. 443

Answer: h


115. Of the following services, which one determines what a user can change or view?

A. Data integrity
B. Data confidentiality
C. Data authentication
D. Access control

Answer: d


116. What technology was originally designed to decrease broadcast traffic but is also beneficial in reducing the likelihood of having information compromised by sniffers?

A. VPN (Virtual Private Network)
B. DMZ (Demilitarized Zone)
C. VLAN (Virtual Local Area Network)
D. RADIUS (Remote Authentication Dial-in User Service)

Answer: c


117. An autonomous agent that copies itself into one or more host programs, then propagates when the host is run, is best described as a:

A. Trojan horse
B. Back door
C. Logic bomb
D. Virus

Answer: d


118. Honey pots are useful in preventing attackers from gaining access to critical systems. True or false?

A. True
B. False
C. It depends on the style of attack used.

Answer: a


119. Active detection IDS systems may perform which of the following when an unauthorized connection attempt is discovered?

(Choose all that apply)

A. Inform the attacker that he is connecting to a protected network.
B. Shut down the server or service.
C. Provide the attacker the usernames and passwords for administrative accounts.
D. Break off suspicious connections.

Answer: b, d



120. Which of the following results in a domain name server resolving a domain name to a different IP address and thus misdirecting Internet traffic?

A. DoS (Denial of Service)
B. Spoofing
C. Brute force attack
D. Reverse DNS (Domain Name Service)

Answer: b


121. You have identified a number of risks to which your company’s assets are exposed, and want to implement policies, procedures, and various security measures. In doing so, what will be your objective?

A. Eliminate every threat that may affect the business.
B. Manage the risks so that the problems resulting from them will be minimized.
C. Implement as many security measures as possible to address every risk that an asset may be exposed to.
D. Ignore as many risks as possible to keep costs down.

Answer: b


122. What is one advantage of the NTFS file system over the FAT16 and FAT32 file systems?

A. Integral support for streaming audio files.
B. Integral support for UNIX compatibility.
C. Integral support for dual-booting with Red Hat Linux.
D. Integral support for file and folder level permissions.

Answer: d


123. What kind of attacks are hashed passwords vulnerable to?

A. Man in the middle.
B. Dictionary or brute force.
C. Reverse engineering.
D. DoS (Denial of Service)

Answer: b


124. By definition, how many keys are needed to lock and unlock data using symmetric-key encryption?

A. 3+
B. 2
C. 1
D. 0

Answer: c


125. Users who configure their passwords using simple and meaningful things such as pet names or birthdays are subject to having their account used by an intruder after what type of attack?

A. Dictionary attack
B. Brute Force attack
C. Spoofing attack
D. Random guess attack
E. Man in the middle attack
F. Change list attack
G. Role Based Access Control attack
H. Replay attack
I. Mickey Mouse attack

Answer: a
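Questions 123 and 125 both turn on the same point: a stored hash does not protect a password that appears in a word list. The following is an added example, not from the original question set. It runs a dictionary attack against a constructed "leaked" table of unsalted MD5 hashes and against the same passwords stored with per-user salts and an iterated hash (PBKDF2-HMAC-SHA256, with the round count reduced for the demo, an assumption), and counts the hash computations each attack needs. Users, salts and the word list are made up.

```python
import hashlib
import hmac

# Added example, not from the original page. The leaked hash table, salts and
# word list below are constructed; the PBKDF2 round count is reduced so the
# demo runs in well under a second.
WORDLIST = ["password", "letmein", "fluffy", "19840523", "Tr0ub4dor&3"]
ROUNDS = 2000   # assumption for the demo; production deployments use far more


def weak_hash(password):
    """Unsalted MD5, as many legacy systems stored passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password, salt, rounds=ROUNDS):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


# Constructed "leaked" credential stores for three users.
LEAKED_UNSALTED = {
    "alice": weak_hash("fluffy"),                 # pet name
    "bob":   weak_hash("fluffy"),                 # same pet name, identical hash
    "carol": weak_hash("c0rrect-h0rse-battery"),  # not in the word list
}
LEAKED_SALTED = {
    "alice": (b"salt-alice", strong_hash("fluffy", b"salt-alice")),
    "bob":   (b"salt-bob",   strong_hash("fluffy", b"salt-bob")),
    "carol": (b"salt-carol", strong_hash("c0rrect-h0rse-battery", b"salt-carol")),
}


def dictionary_attack_unsalted(hashes, wordlist):
    """Hash each word once and look every user up in the table.
    Returns (cracked users, number of hash computations)."""
    table = {weak_hash(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in hashes.items() if h in table}
    return cracked, len(wordlist)


def dictionary_attack_salted(records, wordlist):
    """The salt makes every (user, word) pair a separate slow computation."""
    cracked, work = {}, 0
    for user, (salt, stored) in records.items():
        for word in wordlist:
            work += 1
            if hmac.compare_digest(strong_hash(word, salt), stored):
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    print(dictionary_attack_unsalted(LEAKED_UNSALTED, WORDLIST))
    print(dictionary_attack_salted(LEAKED_SALTED, WORDLIST))
```

Both attacks crack the two users who chose a word-list password; carol survives only because her password is not in the list. The difference is cost: the unsalted table is broken with five hashes total, and alice and bob are visibly the same password before any cracking starts, while the salted store needs one slow PBKDF2 run per user per guess.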


126. After installing a new operating system, what configuration changes should be implemented?

A. Create application user accounts.
B. Rename the guest account.
C. Rename the administrator account, disable the guest accounts.
D. Create a secure administrator account.

Answer: c


127. What are two common methods when using a public key infrastructure for maintaining access to servers in a network?

A. ACL and PGP.
B. PIM and CRL.
C. CRL and OCSP.
D. RSA and MD2

Answer: c


128. A primary drawback to using shared storage clustering for high availability and disaster recovery is:

A. The creation of a single point of vulnerability.
B. The increased network latency between the host computers and the RAID (Redundant Array of Independent Disks) subsystem.
C. The asynchronous writes which must be used to flush the server cache.
D. The higher storage capacity required by the RAID (Redundant Array of Independent Disks) subsystem.

Answer: a


129. What two functions does IPSec perform? (Choose two)

A. Provides the Secure Shell (SSH) for data confidentiality.
B. Provides the Password Authentication Protocol (PAP) for user authentication.
C. Provides the Authentication Header (AH) for data integrity.
D. Provides the Internet Protocol (IP) for data integrity.
E. Provides the Nonrepudiation Header (NH) for identity integrity.
F. Provides the Encapsulation Security Payload (ESP) for data confidentiality.

Answer: c, f



130. In the context of wireless networks, WEP (Wired Equivalent Privacy) was designed to:

A. Provide the same level of security as a wired LAN (Local Area Network).
B. Provide a collision preventive method of media access.
C. Provide a wider access area than that of wired LANs (Local Area Network).
D. Allow radio frequencies to penetrate walls.

Answer: a


131. In a decentralized privilege management environment, user accounts and passwords are stored on:

A. One central authentication server.
B. Each individual server.
C. No more than two servers.
D. One server configured for decentralized management.

Answer: b


132. Which of the following describes the concept of data integrity?

A. A means of determining what resources a user can use and view.
B. A method of security that ensures all data is sequenced and numbered.
C. A means of minimizing vulnerabilities of assets and resources.
D. A mechanism applied to indicate a data’s level of security.

Answer: b


133. When examining the server’s list of protocols that are bound and active on each network interface card, the network administrator notices a relatively large number of protocols. Which action should be taken to ensure network security?

A. Unnecessary protocols do not pose a significant risk to the system and should be left intact for compatibility reasons.
B. There are no unneeded protocols on most systems because protocols are chosen during the installation.
C. Unnecessary protocols should be disabled on all server and client machines on a network as they pose great risk.
D. Using port-filtering ACLs (Access Control Lists) at firewalls and routers is sufficient to stop malicious attacks on unused protocols.

Answer: c


134. At what stage of an assessment would an auditor test systems for weaknesses and attempt to defeat existing encryption, passwords and access lists?

A. Penetration
B. Control
C. Audit planning
D. Discovery

Answer: a



135. You are the first person to respond to the scene of an incident involving a computer being hacked. After determining the scope of the crime scene and securing it, you attempt to preserve evidence at the scene. Which of the following tasks will you perform to preserve evidence? (Choose all that apply)

A. Photograph any information displayed on the monitors of computers involved in the incident.
B. Document any observation or messages displayed by the computer.
C. Shut down the computer to prevent further attacks that may modify data.
D. Gather up manuals, nonfunctioning devices, and other materials and equipment in the area so they are ready for transport.

Answer: a, b


136. Advanced Encryption Standard (AES) is an encryption algorithm for securing sensitive but unclassified material by U.S. Government agencies. What type of encryption is it from the list below?

A. WTLS
B. Symmetric
C. Multifactor
D. Asymmetric

Answer: b


137. The term “due care” best relates to:

A. Policies and procedures intended to reduce the likelihood of damage or injury.
B. Scheduled activity in a comprehensive preventative maintenance program.
C. Techniques and methods for secure shipment of equipment and supplies.
D. User responsibilities involved when sharing passwords in a secure environment.

Answer: a


138. You are compiling estimates on how much money the company could lose if a risk occurred one time in the future. Which of the following would these amounts represent?

A. ARO
B. SLE
C. ALE
D. Asset identification

Answer: b



139. Which of the following backup methods copies only modified files since the last full backup?

A. Full
B. Differential
C. Incremental
D. Archive

Answer: b
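The distinction in question 139 is easiest to see by simulating a few days of backups. The following is an added example, not from the original question set: it models the archive bit the way Windows-style backup software does (a full or incremental backup clears it, a differential does not), runs a constructed change schedule under both schemes, and reports what each day copies and which sets a restore needs. File names and the schedule are made up.

```python
# Added example, not from the original page: a simulated week of backups that
# drives the archive bit the way Windows-style backup software does. File names
# and the change schedule are constructed.
INITIAL_FILES = ["a", "b", "c"]
CHANGES = {1: ["a"], 2: ["b"], 3: ["a", "c"]}   # day -> files modified that day


def run_schedule(initial_files, changes, scheme, last_day):
    """Day 0 is the full backup; days 1..last_day run the chosen scheme.
    Returns a list of (day, files copied). A file's archive bit is set when it
    is modified; a full or incremental backup clears it, a differential does not."""
    archive = {name: True for name in initial_files}
    backup_sets = []
    for day in range(last_day + 1):
        for name in changes.get(day, []):
            archive[name] = True
        if day == 0:
            copied = sorted(archive)                                   # full: everything
        else:
            copied = sorted(n for n, dirty in archive.items() if dirty)
        if day == 0 or scheme == "incremental":
            for name in copied:
                archive[name] = False
        backup_sets.append((day, copied))
    return backup_sets


def restore_chain(backup_sets, scheme):
    """Backup sets needed to rebuild the state as of the last day."""
    days = [day for day, _ in backup_sets]
    if scheme == "differential":
        return [days[0], days[-1]]          # full + latest differential
    return days                             # full + every incremental, in order


def files_copied(backup_sets):
    """Files written by the daily backups, excluding the full."""
    return sum(len(files) for _, files in backup_sets[1:])


if __name__ == "__main__":
    for scheme in ("differential", "incremental"):
        sets = run_schedule(INITIAL_FILES, CHANGES, scheme, 3)
        print(scheme, sets, "restore needs days", restore_chain(sets, scheme),
              "daily copies total", files_copied(sets))
```

The differential run copies more each day (a, then a and b, then a, b and c) because nothing clears the archive bit between fulls, but a restore needs only two sets. The incremental run copies less in total and needs every set since the full, so the loss of any one tape breaks the chain.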



140. Notable security organizations often recommend that only essential services be provided by a particular host, and that any unnecessary services be disabled. Which of the following does NOT represent a reason supporting this recommendation?

A. Each additional service increases the risk of compromising the host, the services that run on the host, and potential clients of these services.
B. Different services may require different hardware, software, or a different discipline of administration.
C. When fewer services and applications are running on a specific host, fewer log entries and fewer interactions between different services are expected, which simplifies the analysis and maintenance of the system from a security point of view.
D. If a service is not using a well known port, firewalls will not be able to disable access to this port, and an administrator will not be able to restrict access to this service.

Answer: d


141. One way to limit hostile sniffing on a LAN (Local Area Network) is by installing:

A. An ethernet switch.
B. An ethernet hub.
C. A CSU/DSU (Channel Service Unit/Data Service Unit).
D. A firewall.

Answer: a


142. Documenting change levels and revision information is most useful for:

A. Theft tracking
B. Security audits
C. Disaster recovery
D. License enforcement

Answer: c


143. Giving each user or group of users only the access they need to do their job is an example of which security principle?

A. Least privilege
B. Defense in depth
C. Separation of duties
D. Access control

Answer: a


144. You are researching the ARO and need to find specific data that can be used for risk assessment. Which of the following will you use to find information?

A. Insurance companies
B. Stockbrokers
C. Manuals included with software and equipment.
D. None of the above. There is no way to accurately predict the ARO.

Answer: a



145. User A needs to send a private e-mail to User B. User A does not want anyone to have the ability to read the e-mail except for User B, thus retaining privacy. Which tenet of information security is User A concerned about?

A. Authentication
B. Integrity
C. Confidentiality
D. Non-repudiation

Answer: c


146. What kind of attack is a type of security breach to a computer system that does not usually result in the theft of information or other security loss, but in the loss of legitimate use of that system?

A. CRL
B. DOS
C. ACL
D. MD2

Answer: b


147. A DMZ (Demilitarized Zone) typically contains:

A. A customer account database
B. Staff workstations
C. An FTP (File Transfer Protocol) server
D. A SQL (Structured Query Language) based database server

Answer: c


148. Computer forensics experts collect and analyze data using which of the following guidelines so as to minimize data loss?

A. Evidence
B. Chain of custody
C. Chain of command
D. Incident response

Answer: b


149. Which two of the following are categories of symmetric-key cipher used for encryption? (choose 2)

A. Stream-cipher
B. Block
C. Public
D. Secret

Answer: a, b
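Questions 124 and 149 describe the symmetric case in the abstract; the following added example (not from the original question set) shows the stream-cipher structure concretely: a keystream is XORed with the plaintext, the same key decrypts, and reusing a key and nonce for two messages leaks their XOR to anyone who captures both ciphertexts. The keystream generator here is a toy built from SHA-256 over key, nonce and counter, an assumption made only to keep the example self-contained; real systems use AES-CTR or ChaCha20 from a vetted library. Key, nonce and messages are constructed.

```python
import hashlib

# Added example, not from the original page. The keystream generator is a toy
# (SHA-256 over key||nonce||counter) built only to show the stream/XOR structure;
# use AES-CTR or ChaCha20 from a vetted library in real code. Key, nonce and
# messages are constructed.


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


stream_decrypt = stream_encrypt   # XOR is its own inverse: one key, both directions


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If both ciphertexts used the same key and nonce, the keystream cancels:
    c1 XOR c2 == p1 XOR p2, with no key needed."""
    return xor_bytes(c1, c2)


def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Knowing (or guessing) one plaintext then yields the other outright."""
    return xor_bytes(two_time_pad_leak(c1, c2), known_p1)


if __name__ == "__main__":
    key, nonce = b"0123456789abcdef", b"nonce-01"
    p1, p2 = b"transfer 100 to bob", b"transfer 900 to eve"
    c1, c2 = stream_encrypt(key, nonce, p1), stream_encrypt(key, nonce, p2)
    print(recover_other_plaintext(c1, c2, p1))   # b'transfer 900 to eve'
```

A block cipher in a proper mode does not have this exact failure, but the lesson generalises: the symmetric key is the only secret, so the nonce or IV that goes with it must never repeat under that key.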


150. Users of Instant Messaging clients are especially prone to what?

A. Theft of root user credentials.
B. Disconnection from the file server.
C. Hostile code delivered by file transfer.
D. Slow Internet connections.
E. Loss of email privileges.
F. Blue Screen of Death errors.

Answer: c



151. The primary purpose of NAT (Network Address Translation) is to:

A. Translate IP (Internet Protocol) addresses into user friendly names.
B. Hide internal hosts from the public network.
C. Use on public IP (Internet Protocol) address on the internal network as a name server.
D. Hide the public network from internal hosts.

Answer: b


152. In order to establish a secure connection between headquarters and a branch office over a public network, the router at each location should be configured to use IPSec (Internet Protocol Security) in ______ mode.

A. Secure
B. Tunnel
C. Transport
D. Data link

Answer: b


153. Following a disaster, while returning to the original site from an alternate site, the first process to resume at the original site would be the:

A. Least critical process
B. Most critical process.
C. Process most expensive to maintain at an alternate site.
D. Process that has a maximum visibility in the organization.

Answer: b


154. As the Security Analyst for your company's network, you become aware that your systems may be under attack. The attack is a DOS attack in which the exploit sends more traffic to a node than anticipated. What kind of attack is this?

A. Ping of death
B. Buffer Overflow
C. Logic Bomb
D. Smurf

Answer: d



155. A company uses WEP (Wired Equivalent Privacy) for wireless security. Who may authenticate to the company’s access point?

A. Only the administrator.
B. Anyone can authenticate.
C. Only users within the company.
D. Only users with the correct WEP (Wired Equivalent Privacy) key.

Answer: d


156. Packet sniffing can be used to obtain username and password information in clear text from which one of the following?

A. SSH (Secure Shell)
B. SSL (Secure Sockets Layer)
C. FTP (File Transfer Protocol)
D. HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer)

Answer: c
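To make question 156 concrete, the following added example (not from the original question set) parses a constructed text rendering of a packet capture, one line per segment with timestamp, source, destination and payload, and pulls out every FTP login by pairing each USER command with the PASS that follows it on the same client flow. The addresses, hostnames and credentials are made up; the line format is an assumption chosen for the demo rather than any tool's native output.

```python
import re

# Added example, not from the original page: a constructed text rendering of a
# capture (timestamp, source > destination, payload) and a parser that pulls
# FTP logins out of it. Addresses and credentials are made up.
CAPTURE = """\
10:01:02 203.0.113.5:21 > 192.168.1.20:51422  220 ftp.example.test FTP server ready
10:01:03 192.168.1.20:51422 > 203.0.113.5:21  USER alice
10:01:03 203.0.113.5:21 > 192.168.1.20:51422  331 Password required for alice
10:01:04 192.168.1.20:51422 > 203.0.113.5:21  PASS hunter2
10:01:04 203.0.113.5:21 > 192.168.1.20:51422  230 User alice logged in
10:01:09 192.168.1.21:51600 > 203.0.113.5:21  USER bob
10:01:10 192.168.1.21:51600 > 203.0.113.5:21  PASS s3cret!
10:02:00 192.168.1.22:44001 > 203.0.113.5:22  SSH-2.0-OpenSSH_8.9
"""

LINE = re.compile(r"^(\S+) (\S+) > (\S+)\s+(.*)$")


def extract_ftp_credentials(capture, ftp_port=21):
    """Pair each USER with the PASS that follows it on the same client flow.
    Returns a list of (username, password, client_ip, server endpoint)."""
    pending = {}          # client endpoint -> username awaiting its PASS
    found = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        _ts, src, dst, payload = m.groups()
        if not dst.endswith(f":{ftp_port}"):
            continue      # only client -> server control-channel traffic
        verb, _, arg = payload.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            pending[src] = arg
        elif verb == "PASS" and src in pending:
            found.append((pending.pop(src), arg, src.rsplit(":", 1)[0], dst))
    return found


if __name__ == "__main__":
    for user, password, client, server in extract_ftp_credentials(CAPTURE):
        print(f"{client} -> {server}: {user} / {password}")
```

The SSH flow on port 22 in the same capture exposes only its version banner; everything after the key exchange is encrypted, so the same parser pointed at port 22 finds nothing, which is the whole argument for replacing FTP with SFTP or FTPS.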


157. A _____ occurs when a string of data is sent to a buffer that is larger than the buffer was designed to handle.

A. Brute Force attack
B. Buffer overflow
C. Man in the middle attack
D. Blue Screen of Death
E. SYN flood
F. Spoofing attack

Answer: b


158. What is the greatest benefit to be gained through the use of S/MIME (Secure/Multipurpose Internet Mail Extensions)? The ability to:

A. Encrypt and digitally sign e-mail messages.
B. Send anonymous e-mails.
C. Send e-mails with a return receipt.
D. Expedite the delivery of e-mail.

Answer: a


159. John wants to encrypt a sensitive message before sending it to one of his managers. Which type of encryption is often used for e-mail?

A. S/MIME
B. BIND
C. DES
D. SSL

Answer: a



160. A well-defined business continuity plan must consist of risk analysis, business impact analysis, strategic planning and mitigation, training and awareness, maintenance and audit, and:

A. Security labeling and classification.
B. Budgeting and acceptance.
C. Documentation and security labeling.
D. Integration and validation.

Answer: b


161. Access controls that are created and administered by the data owner are considered:

A. MACs (Mandatory Access Control)
B. RBACs (Role Based Access Control)
C. LBACs (List Based Access Control)
D. DACs (Discretionary Access Control)

Answer: d


162. What design feature of Instant Messaging makes it extremely insecure compared to other messaging systems?

A. It is a peer-to-peer network that offers most organizations virtually no control over it.
B. Most IM clients are actually Trojan Horses.
C. It is a centrally managed system that can be closely monitored.
D. It uses the insecure Internet as a transmission medium.

Answer: a


163. Controlling access to information systems and associated networks is necessary for the preservation of their:

A. Authenticity, confidentiality, integrity and availability.
B. Integrity and availability.
C. Confidentiality, integrity and availability.
D. Authenticity, confidentiality and availability.

Answer: c


164. You are assessing risks and determining which asset protection policies to create first. Another member of the IT staff has provided you with a list of assets which have importance weighted on a scale of 1 to 10. Internet connectivity has an importance of 8, data has an importance of 9, personnel have an importance of 7, and software has an importance of 5. Based on the weights, what is the order in which you will generate new policies?

A. Internet policy, data security, personnel safety policy, software policy.
B. Data security policy, Internet policy, software policy, personnel safety policy.
C. Software policy, personnel safety policy, Internet policy, data security policy.
D. Data security policy, Internet policy, personnel safety policy, software policy.

Answer: d



165. When a user clicks to browse a secure page, the SSL (Secure Sockets Layer) enabled server will first:

A. Use its digital certificate to establish its identity to the browser.
B. Validate the user by checking the CRL (Certificate Revocation List).
C. Request the user to produce the CRL (Certificate Revocation List).
D. Display the requested page on the browser, then provide its IP (Internet Protocol) address for verification

Answer: a


166. A recent audit shows that a user logged into a server with their user account and executed a program. The user then performed activities only available to an administrator. This is an example of what type of attack?

A. Trojan horse
B. Privilege escalation
C. Subseven back door
D. Security policy removal

Answer: b


167. Data integrity is best achieved using a(n)

A. Asymmetric cipher
B. Digital certificate
C. Message digest
D. Symmetric cipher

Answer: c


168. When evidence is acquired, a log is started that records who had possession of the evidence for a specific amount of time. This is to avoid allegations that the evidence may have been tampered with when it was unaccounted for, and to keep track of the tasks performed in acquiring evidence from a piece of equipment or materials. What is the term used to describe this process?

A. Chain of command.
B. Chain of custody.
C. Chain of jurisdiction.
D. Chain of evidence.

Answer: b


169. A piece of malicious code that can replicate itself, has no productive purpose, and exists only to damage computer systems or create further vulnerabilities is called a:

A. Logic Bomb
B. Worm
C. Trojan Horse
D. SYN flood
E. Virus

Answer: e



170. While connected from home to an ISP (Internet Service Provider), a network administrator performs a port scan against a corporate server and encounters four open TCP (Transmission Control Protocol) ports: 25, 110, 143 and 389. Corporate users in the organization must be able to connect from home, send and receive messages on the Internet, read e-mail by means of the IMAPv4 (Internet Message Access Protocol version 4) protocol, and search a directory services database for user e-mail addresses and digital certificates. All the e-mail related services, as well as the directory server, run on the scanned server. Which of the above ports can be filtered out to decrease unnecessary exposure without affecting functionality?

A. 25
B. 110
C. 143
D. 389

Answer: b


171. Which statement is most accurate about viruses and hoaxes?

A. Hoaxes can create as much damage as a real virus.
B. Hoaxes are harmless pranks and should be ignored.
C. Hoaxes can help educate users about a virus.
D. Hoaxes carry a malicious payload and can be destructive.

Answer: a


172. Which of the following media types is most immune to RF (Radio Frequency) eavesdropping?

A. Coaxial cable
B. Fiber optic cable
C. Twisted pair wire
D. Unbounded

Answer: b


173. You have been alerted to the possibility of someone using an application to capture and manipulate packets as they are passing through your network. What type of threat does this represent?

A. DDoS
B. Back Door
C. Spoofing
D. Man in the Middle

Answer: d


174. A problem with air conditioning is causing fluctuations in temperature in the server room. The temperature is rising to 90 degrees when the air conditioner stops working, and then drops to 60 degrees when it starts working again. The problem keeps occurring over the next two days. What problem may result from these fluctuations? (Select the best answer)

A. Electrostatic discharge
B. Power outages
C. Chip creep
D. Poor air quality

Answer: c


175. A honey pot is _____.

A. A false system or network to attract attacks away from your real network.
B. A place to store passwords.
C. A safe haven for your backup media.
D. Something that exists only in theory.

Answer: a




176. Access control decisions are based on responsibilities that an individual user or process has in an organization. This best describes:

A. MAC (Mandatory Access Control)
B. RBAC (Role Based Access Control)
C. DAC (Discretionary Access Control)
D. None of the above.

Answer: b


177. An administrator notices that an e-mail server is currently relaying e-mail (including spam) for any e-mail server requesting relaying. Upon further investigation the administrator notices the existence of /etc/mail/relay domains. What modifications should the administrator make to the relay domains file to prevent relaying for non-explicitly named domains?

A. Move the .* entry to the bottom of the relay domains file and restart the e-mail process.
B. Move the .* entry to the top of the relay domains file and restart the e-mail process.
C. Delete the .* entry in the relay domains file and restart the e-mail process.
D. Delete the relay domains file from the /etc/mail folder and restart the e-mail process.

Answer: c


178. You are explaining SSL to a junior administrator and come up to the topic of handshaking. How many steps are employed between the client and server in the SSL handshake process?

A. Five
B. Six
C. Seven
D. Eight

Answer: b


179. A company consists of a main building with two smaller branch offices at opposite ends of the city. The main building and branch offices are connected with fast links so that all employees have good connectivity to the network. Each of the buildings has security measures that require visitors to sign in, and all employees are required to wear identification badges at all times. You want to protect servers and other vital equipment so that the company has the best level of security at the lowest possible cost. Which of the following will you do to achieve this objective?

A. Centralize servers and other vital components in a single room of the main building, and add security measures to this room so that they are well protected.
B. Centralize most servers and other vital components in a single room of the main building, and place servers at each of the branch offices. Add security measures to areas where the servers and other components are located.
C. Decentralize servers and other vital components, and add security measures to areas where the servers and other components are located.
D. Centralize servers and other vital components in a single room in the main building. Because the building prevents unauthorized access to visitors and other persons, there is no need to implement physical security in the server room.

Answer: a



180. The start of the LDAP (Lightweight Directory Access Protocol) directory is called the:

A. Head
B. Root
C. Top
D. Tree

Answer: b


181. Providing false information about the source of an attack is known as:

A. Aliasing
B. Spoofing
C. Flooding
D. Redirecting

Answer: b


182. When visiting an office adjacent to the server room, you discover the lock to the window is broken. Because it is not your office you tell the occupant of the office to contact the maintenance person and have it fixed. After leaving, you fail to follow up on whether the window was actually repaired. What effect will this have on the likelihood of a threat associated with the vulnerability actually occurring?

A. If the window is repaired, the likelihood of the threat occurring will increase.
B. If the window is repaired, the likelihood of the threat occurring will remain constant.
C. If the window is not repaired, the likelihood of the threat occurring will decrease.
D. If the window is not repaired, the likelihood of the threat occurring will increase.

Answer: d


183. While performing a routine site audit of your wireless network, you discover an unauthorized Access Point placed on your network under the desk of an employee in the Accounting department. When questioned, she denies any knowledge of it, but informs you that her new boyfriend has visited her several times, including taking her to lunch one time.

What type of attack have you just become a victim of?

A. SYN Flood.
B. Distributed Denial of Service.
C. Man in the Middle attack.
D. TCP Flood.
E. IP Spoofing.
F. Social Engineering
G. Replay attack
H. Phone tag
I. Halloween attack

Answer: f


184. What transport protocol and port number does SSH (Secure Shell) use?

A. TCP (Transmission Control Protocol) port 22
B. UDP (User Datagram Protocol) port 69
C. TCP (Transmission Control Protocol) port 179
D. UDP (User Datagram Protocol) port 17

Answer: a



185. How many bits long is the message digest produced by the MD5 hashing algorithm?

A. 32
B. 64
C. 128
D. 256

Answer: c
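Questions 167 and 185 both concern message digests: what a digest guarantees, and how long one is. The following added example (not from the original question set) shows a SHA-256 digest catching a single flipped bit, then shows that an attacker who can rewrite the message can also rewrite an unkeyed digest, which is why integrity in transit needs a keyed MAC (or a signature over the digest). It also reports digest lengths per algorithm, since the bit count depends on the algorithm rather than on hashing as such. The message, the pre-shared key and the tampering are constructed.

```python
import hashlib
import hmac

# Added example, not from the original page. Message, key and the tampering are
# constructed to show what a bare digest detects and what it does not.
KEY = b"shared-secret-between-sender-and-receiver"   # assumption: pre-shared key


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(digest(data), expected)


def flip_bits(data: bytes, index: int, mask: int) -> bytes:
    """Simulate corruption or tampering of one byte."""
    buf = bytearray(data)
    buf[index] ^= mask
    return bytes(buf)


def attacker_rewrites(new_data: bytes):
    """An attacker who can alter both message and digest simply recomputes the digest."""
    return new_data, digest(new_data)


def mac(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: only holders of the key can produce a tag that verifies."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(data: bytes, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac(data, key), tag)


def digest_bits(algorithm: str) -> int:
    """Digest length in bits is a property of the algorithm (MD5 128, SHA-1 160, ...)."""
    return hashlib.new(algorithm).digest_size * 8


if __name__ == "__main__":
    msg = b"PAY 100 TO ALICE"
    d = digest(msg)
    altered = flip_bits(msg, 4, 0x08)          # '1' (0x31) -> '9' (0x39)
    print(altered, verify_digest(altered, d))  # b'PAY 900 TO ALICE' False
    forged, fd = attacker_rewrites(altered)
    print(verify_digest(forged, fd))           # True: bare digest offers no tamper resistance
    print(verify_mac(altered, KEY, mac(msg, KEY)))   # False: keyed tag does
    for name in ("md5", "sha1", "sha256"):
        print(name, digest_bits(name))
```

A bare digest therefore detects accidental corruption and is a sound integrity check only when it is delivered out of band or bound to the message by a key or a signature; the MAC variant fails the altered message and any tag made with the wrong key.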


186. An application that appears to perform a useful function but instead contains some sort of malicious code is called a _____.

A. Worm
B. SYN flood
C. Virus
D. Trojan Horse
E. Logic Bomb

Answer: d


187. If a private key becomes compromised before its certificate’s normal expiration, X.509 defines a method requiring each CA (Certificate Authority) to periodically issue a signed data structure called a certificate:

A. Enrollment list
B. Expiration list
C. Revocation list
D. Validation list

Answer: c


188. In order for a user to obtain a certificate from a trusted CA (Certificate Authority), the user must present proof of identity and a:

A. Private key
B. Public key
C. Password
D. Kerberos key

Answer: b


189. You are running cabling for a network through a boiler room where the furnace and some other heavy machinery reside. You are concerned about interference from these sources. Which of the following types of cabling provides the best protection from interference in this area?

A. STP
B. UTP
C. Coaxial
D. Fiber-optic

Answer: d



190. The protection of data against unauthorized access or disclosure is an example of what?

A. Confidentiality
B. Integrity
C. Signing
D. Hashing

Answer: a


191. A high profile company has been receiving a high volume of attacks on their web site. The network administrator wants to be able to collect information on the attacker(s) so legal action can be taken.

What should be implemented?

A. A DMZ (Demilitarized Zone)
B. A honey pot
C. A firewall
D. A new subnet

Answer: b


192. The best protection against the abuse of remote maintenance of PBX (Private Branch Exchange) system is to:

A. Keep maintenance features turned off until needed
B. Insist on strong authentication before allowing remote maintenance
C. Keep PBX (Private Branch Exchange) in locked enclosure and restrict access to only a few people.
D. Check to see if the maintenance caller is on the list of approved maintenance personnel

Answer: b






    

Copyright © 2004-2005 "MCSE Braindumps". All rights reserved.


=============================================================
Microsoft Security+ Certification Training Kit Questions

1. Although there is a need for information security, and there is a small chance of getting hacked, there is not normally any damage done and the cost to the company that is hacked is relatively minor.

A. True
B. False

Answer: B

Most computers that are connected to the Internet have been scanned, and many have been attacked. Recent studies show that computer hackers cost U.S. businesses almost 6 cents of every dollar of revenue.

2. You work for a company that sells tea and tea supplies. The total annual sales for the company are $5 million. The sales of tea total $2 million and the sales of tea supplies total $3 million. The tea has a very interesting taste that cannot be duplicated. Which of the following should be considered when placing a value on the tea formula, and why?

A. How the tea is produced
B. What the total annual sales of the tea is
C. Where the tea formula is stored
D. How many people in the company have access to the tea formula

Answer: B

In this case, the value of the asset can be based on the total sales of the tea. The sales of tea supplies would not be included in the worth of the tea formula.

3. You are responsible for creating a mitigation plan for threats to your company's information security. Which of the following should your mitigation plan identify as threats from fabricated and natural disasters? (Select all that apply.)

A. Incomplete backups
B. Power outages
C. Your building flooding
D. A virus infecting the servers at your company
E. A fire in your building

Answer: B, C, E

Although all of these are threats that should be considered in your mitigation plan, the ones that can be identified as fabricated or natural are power outages, flooding, and fire. Each of these could be man-made or could occur naturally.

4. When determining the risk posed by a threat, external threats are more dangerous than internal threats.

A. True
B. False

Answer: B

Threats from internal sources can be just as damaging to your C-I-A triad as threats from external sources, so the risk is the same.

5. Your company has a high-speed Internet connection that can be used to access the Internet and allows people on the Internet to access your company's Web site. Each user also has a modem that he or she can use for Internet access in case the high-speed connection fails. Users can select the Web browser they want to use and are allowed to manage their own computers. Which of the following are intrusion points for the hacker?

A. The high-speed connection
B. The Web browser on each of the client's computers
C. The modem that each user has
D. The Web server for your company's Web site
E. All of the above

Answer: E

All of these are intrusion points that can be used to gain access to your company's information.

6. When accessing Web sites, an intruder might exploit a Web server using the HTTP protocol.

A. True
B. False

Answer: A

HTTP is a protocol used to access a Web server. An intruder might be able to exploit the Web server using the HTTP protocol.

7. It is always better to have several access points to the Internet so that if a hacker takes one down your company still has access.

A. True
B. False

Answer: B

The fewer the connections to the Internet, the fewer intrusion points a hacker can use to gain access to your company's information.

8. Your company has a high-speed Internet connection that can be used to access the Internet and allows people on the Internet to access your company's Web site. Each user also has a modem that he or she can use for Internet access in case the high-speed connection fails. Users can select the Web browser they want to use and are allowed to manage their own computers. Which of the following are things you could do to defend against intrusion?

A. Increase the number of Web browsers that can be used to make it more difficult for a hacker to identify and exploit the Web browser application.
B. Limit the number of Web browsers that can be used to one or two so that you can better manage application updates.
C. Have each user access the Internet using his or her modem so that hackers will be confused by the number of physical connections your company has to the Internet.
D. Minimize the number of physical connection points to the Internet by removing the modem connections.

Answer: B, D

One way is to limit the types of applications that are used. This makes keeping up with current security patches and service packs easier. Another way to defend against intrusion is to minimize the number of intrusion points available to a hacker.

9. Auditing is used to secure the network and systems on your network.

A. True
B. False

Answer: B

Auditing does not secure the network and systems, but does record information that can be used to secure a network or system. By auditing, you record certain activity. This record can then be used to identify attack types and secure against them.

10. Your company wants to make sure that anyone with an administrator account for the network requires a more stringent form of user authentication than regular users. Name three methods that can be used.

A. Biometric authentication
B. Smart card authentication
C. Certificate-based authentication
D. Stronger password
E. Shorter password lifetime

Answer: A, B, C

11. You discover that an intruder has compromised your company's C-I-A triad. Of the choices listed below, which is the most appropriate action you should take in response to this threat, and why?

A. Attempt to identify the person that compromised the system.
B. Preserve the log files for a forensics expert.
C. Empty the log files so that you can try to capture specific data if another attack occurs.
D. Leave any log files with the company's receptionist so that the forensics expert can find them.

Answer: B

If your C-I-A triad is compromised, then your job is to secure potential evidence and not destroy any of the evidence. A forensics expert should be called in to attempt to identify the person who breached security and ensure that the chain of custody for the evidence is not broken.

12. What protocol and field store the address of the destination computer?

A. The source address of the Ethernet II frame
B. The destination address of the Ethernet II frame
C. The source address of the IP datagram
D. The destination address of the IP datagram

Answer: D
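
Question 12 separates the link-layer destination from the network-layer destination. The parser below is an added example, not part of the original question set: it unpacks a constructed Ethernet II frame carrying an IPv4 datagram and returns the destination MAC (the next hop on the local segment) separately from the destination IP (the computer the datagram is ultimately addressed to), which is the field a filter or IDS rule should key on. The frame bytes use documentation addresses and are constructed inline.

```python
"""Parse the destination fields of an Ethernet II frame carrying an IPv4 datagram.

Added example, not from the original question set. The frame is constructed
inline with documentation addresses (192.0.2.0/24, 198.51.100.0/24, 00:00:5e:00:53:xx).
"""
import struct

ETHERTYPE_IPV4 = 0x0800


def parse_ethernet_ipv4(frame: bytes) -> dict:
    """Return the link-layer and network-layer addressing fields of a frame.

    The Ethernet II header carries the next-hop (link-layer) destination MAC;
    the IPv4 header carries the address of the final destination computer.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet II header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not an IPv4 frame: ethertype 0x{ethertype:04x}")

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("frame too short for an IPv4 header")
    # IPv4 fixed header: version/IHL, DSCP/ECN, total length, identification,
    # flags/fragment offset, TTL, protocol, header checksum, source, destination.
    (ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("IP version is not 4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(ip) or total_len > len(ip):
        raise ValueError("inconsistent IPv4 header lengths")
    return {
        "dst_mac": ":".join(f"{b:02x}" for b in dst_mac),   # next hop on this segment
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
        "dst_ip": ".".join(str(b) for b in dst_ip),          # final destination computer
        "src_ip": ".".join(str(b) for b in src_ip),
        "ip_total_length": total_len,                        # datagram: header + payload
        "ttl": ttl,
        "protocol": proto,
        "payload": ip[ihl:total_len],
    }


def build_sample_frame() -> bytes:
    """Constructed sample: 192.0.2.10 -> 198.51.100.7, protocol 6 (TCP), 4-byte dummy payload."""
    payload = b"\xde\xad\xbe\xef"
    total_len = 20 + len(payload)
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
        bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]),
    )
    eth_header = struct.pack(
        "!6s6sH",
        bytes.fromhex("00005e005301"),   # dst MAC: the gateway, not the final host
        bytes.fromhex("025a1b2c3d4e"),   # src MAC: locally administered, constructed
        ETHERTYPE_IPV4,
    )
    return eth_header + ip_header + payload


if __name__ == "__main__":
    for name, value in parse_ethernet_ipv4(build_sample_frame()).items():
        print(f"{name:16} {value}")
```

On a routed network the destination MAC is only ever the next router, while the destination IP survives every hop; a rule written against the MAC would match traffic for any host behind that router.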

13. Which header contains a field that specifies the total size of a frame?

A. Transport layer header
B. Internet layer header
C. Network Interface layer header
D. All of the above

Answer: C

14. Select the answer that best describes cryptography.

A. Cryptography is encrypting messages with a secure hash function to provide information security.
B. Cryptography is decrypting messages with a secure hash function to provide information security.
C. Cryptography is encrypting and decrypting data to provide information security.
D. Cryptography is providing information confidentiality using a shared secret, also known as an asymmetric key pair.

Answer: C

15. Which of the following best describes a key?

A. A procedure for solving a mathematical problem in a fixed number of steps
B. A set of instructions that govern ciphering or deciphering messages
C. A one-way mathematical function that creates a fixed-sized representation of data
D. An algebraic equation for solving a mathematical problem in a fixed number of steps

Answer: B

16. What is a procedure for solving a mathematical problem in a fixed number of steps?

A. A secure hash function
B. A symmetric key
C. An asymmetric key
D. An algorithm

Answer: D

17. Which is the best mechanism for providing confidentiality?

A. Secure hash function
B. Symmetric key
C. Asymmetric key
D. Algorithm

Answer: B

18. You need to send an e-mail message to someone and ensure that the integrity is verifiable when it arrives. Which would best provide that capability?

A. Using a secure hash function to create a message digest
B. Using an asymmetric public key to create a digital signature
C. Using a symmetric key to create a digital signature
D. Using an algorithm to create a message digest

Answer: A

19. You need to provide a method to allow the receiver of an e-mail to be able to authenticate that a message came from a specific person. Which would best provide that capability?

A. Using a secure hash function to create a message digest
B. Using an asymmetric key pair to create and validate a message digest
C. Using a symmetric key to create and validate a message digest
D. Using an algorithm to create a message digest

Answer: B

20. You need to provide a mechanism that can establish nonrepudiation when sending e-mail to a business partner. Which would best provide that capability?

A. Using a secure hash function to create and validate a digital signature
B. Using an asymmetric key pair to create and validate a digital signature
C. Using a symmetric key to create and validate a digital signature
D. Using an algorithm to create and validate a digital signature

Answer: B
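
Questions 18 through 20 distinguish integrity (a digest), authentication (something only a key holder could have produced) and non-repudiation (something only the sender, and not the receiver, could have produced). The code below is an added example, not from the original question set, that exercises all three on one constructed message. The RSA key is a toy built from two fixed Mersenne primes and is used without padding purely to show the asymmetry; real code generates keys and uses a vetted scheme such as RSA-PSS or Ed25519 from a library.

```python
"""Digest, keyed digest and signature on the same message.

Added example, not part of the original question set. The message and the
shared key are constructed; the RSA key is a toy built from two fixed
Mersenne primes and used without padding, purely to show the asymmetry.
"""
import hashlib
import hmac

# --- Q18: a message digest shows whether the message was modified ---


def digest(msg: bytes) -> bytes:
    return hashlib.sha256(msg).digest()


def integrity_ok(msg: bytes, received_digest: bytes) -> bool:
    """Anyone can recompute this, so it says nothing about who sent the message."""
    return hmac.compare_digest(digest(msg), received_digest)


# --- Q19: a keyed digest authenticates, but only among holders of the key ---


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_ok(key: bytes, msg: bytes, tag: bytes) -> bool:
    """The receiver holds the same key and could have produced the tag: no non-repudiation."""
    return hmac.compare_digest(mac(key, msg), tag)


# --- Q20: a signature can only come from the holder of the private key ---
P = 2 ** 61 - 1                       # toy Mersenne primes, fixed for reproducibility
Q = 2 ** 89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (Python 3.8+)


def _digest_as_int(msg: bytes) -> int:
    """First 128 bits of SHA-256, so the value stays below the toy modulus."""
    return int.from_bytes(digest(msg)[:16], "big")


def sign(msg: bytes, private_exponent: int = D) -> int:
    return pow(_digest_as_int(msg), private_exponent, N)


def verify(msg: bytes, signature: int, public_exponent: int = E) -> bool:
    return pow(signature, public_exponent, N) == _digest_as_int(msg)


if __name__ == "__main__":
    m = b"Transfer 100 units to account 42"          # constructed
    forged = b"Transfer 900 units to account 42"
    d = digest(m)
    print("digest    original / altered / altered+recomputed:",
          integrity_ok(m, d), integrity_ok(forged, d), integrity_ok(forged, digest(forged)))
    k = b"shared-secret-between-A-and-B"              # constructed
    t = mac(k, m)
    print("mac       original / altered:", mac_ok(k, m, t), mac_ok(k, forged, t))
    s = sign(m)
    print("signature original / altered:", verify(m, s), verify(forged, s))
```

The third line of output is the one that matters for question 18 versus 19: an attacker who alters the message and recomputes the plain digest passes the integrity check, but cannot recompute the MAC or the signature without the key.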

21. Which best describes a PKI (Public Key Infrastructure)?

A. A digital representation of information that identifies you as a relevant entity by a TTP
B. An entity that is recognized as an authority trusted by one or more users or processes to issue and manage a certificate
C. Uses asymmetric key pairs and combines software, encryption technologies, and services to provide a means of protecting the security of communications and business transactions
D. A list of certificates issued by a CA that are no longer valid

Answer: C

22. Which best describes a certificate?

A. A digital representation of information that identifies you as a relevant entity by a TTP (trusted third party)
B. An entity that is recognized as an authority trusted by one or more users or processes to issue and manage a certificate
C. Uses asymmetric key pairs and combines software, encryption technologies, and services to provide a means of protecting the security of communications and business transactions
D. A list of certificates issued by a CA that are no longer valid

Answer: A

23. Which best describes a CA (Certification Authority)?

A. A digital representation of information that identifies you as a relevant entity by a TTP
B. An entity that is recognized as an authority trusted by one or more users or processes to issue and manage a certificate
C. Uses asymmetric key pairs and combines software, encryption technologies, and services to provide a means of protecting the security of communications and business transactions
D. A list of certificates issued by a CA that are no longer valid

Answer: B

24. What are some reasons a certificate might be placed on a CRL? Select all correct answers.

A. The certificate owner lost the private key.
B. The certificate owner is going on a business trip and wants the certificate expiration refreshed so it does not expire.
C. The certificate owner left the company.
D. The certificate owner changed names.
E. The certificate owner lost the public key.

Answer: A, C, D

25. You are the security specialist for your company and you have just installed a third CA. Each CA supports three different geographical locations. You are attempting to access a server that was issued a certificate by the new CA, but your certificate is not being accepted. Which is the best way to solve the problem?

A. Have the new CA issue you a certificate
B. Have the new CA and each of the old CAs issue a certificate to each other
C. Reinstall the software on the new CA
D. Make the new CA a bridge CA

Answer: B

26. Which statements are true of a mesh architecture? Select all that apply.

A. Connects mesh and hierarchical architectures together.
B. There is a top-level CA known as a root CA.
C. Multiple peer CAs issue certificates to each other.
D. Does not issue certificates to end users.

Answer: C

27. Which statements are true of a hierarchical architecture?

A. Connects mesh and hierarchical architectures together.
B. There is a top-level CA known as a root CA.
C. Multiple peer CAs issue certificates to each other.
D. Does not issue certificates to end users.

Answer: B

28. Which statements are true of a bridge CA? Select all that apply.

A. Connects mesh and hierarchical architectures together.
B. There is a top-level CA known as a root CA.
C. Multiple peer CAs issue certificates to each other.
D. Does not issue certificates to end users.

Answer: A, D

29. What security steps are typically implemented on mobile devices that aren't usually necessary on workstations and servers? Select all that apply.

A. Antitheft devices
B. Additional identifying marks or colors
C. Data encryption
D. Anti-Virus software
E. Software firewall

Answer: A, B, C

30. What tools can you use to monitor your network infrastructure devices?

A. SNMP management devices
B. Intrusion detection systems
C. Anti-Virus software
D. Firewall
E. Honeypots
F. E-Mail

Answer: A, B, E

31. A technique used to identify modems connected to telephone lines is known as

A. Callback Control Protocol
B. War dialing
C. War driving
D. Phreaking

Answer: B

32. During port-based access control interaction, an authenticator

A. Enforces authentication before it allows user access to the services
B. Requests access to the services
C. Checks the supplicant's credentials
D. Allows data exchange between two ports

Answer: A

33. Which protocols support VPN tunneling?

A. PPP
B. PPTP
C. TCP
D. SLIP

Answer: B

34. A RADIUS server can only provide authentication for one remote access server.

A. True
B. False

Answer: B

A RADIUS server provides centralized authentication for any number of remote access servers.

35. Select all of the following that are advantages of TACACS+:

A. Provides a standard method for managing dissimilar networks
B. Provides distributed user validation for users attempting to gain access to a router or access server
C. Provides centralized validation for users attempting to gain access to a router or access server
D. Runs over UDP for more efficient communications

Answer: A, C

36. The L2TP protocol uses which port?

A. 443
B. 1024
C. 1701
D. 29

Answer: C

37. Which do SSH protect against?

A. NFS mounting
B. Packet spoofing
C. Password sniffing
D. Internet attacks
E. Virus infection

Answer: B, C

38. What is the maximum transport speed supported by the 802.11b standard?

A. 8 Mbps
B. 2 Mbps
C. 11 Mbps
D. 10 Mbps

Answer: C

39. What is the encryption method employed by WEP (Wired Equivalent Privacy)?

A. RC4
B. RC5
C. MD5
D. SHA-1

Answer: A

40. What is the maximum bit encryption supported by WEP (Wired Equivalent Privacy)?

A. 64-bit
B. 128-bit
C. 256-bit
D. 1024-bit

Answer: B

41. How can you increase the privacy of e-mail?

A. Implement encryption
B. Use strong password authentication
C. Use biometric authentication
D. Implement digital signatures

Answer: A, D

42. How do you secure communications between a Web browser and a Web server?

A. Use SSL
B. Use DES
C. Use SSH
D. Use TLS

Answer: A, D

43. What type of authentication does Kerberos provide?

A. One-way authentication
B. Mutual authentication
C. Direct authentication
D. Indirect authentication

Answer: B

44. With CHAP authentication, what information does a client return in response to a challenge? (Select all that apply)

A. Session ID
B. Random string of data
C. User name
D. Encrypted challenge
E. Password

Answer: A, C, D

The CHAP response carries the identifier of the challenge it answers, the user name, and the MD5 hash of the identifier, the shared secret and the challenge value. The secret (password) itself is never transmitted; only a hash that depends on it is, which is the point of a challenge-response protocol.
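
The exchange behind question 44, written out as an added example that is not part of the original question set. Both sides of RFC 1994 CHAP (the MD5 variant) are simulated in one process; the user name, the shared secret and the challenge values are constructed. Note what crosses the wire: the identifier, the hash and the name, never the secret.

```python
"""CHAP challenge/response as specified in RFC 1994 (MD5 algorithm).

Added example, not from the original question set. Both sides are simulated
in one process; the user name, secret and challenges are constructed values.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Challenge:
    identifier: int     # one octet; changes with every challenge sent
    value: bytes        # random and unpredictable, so a captured response cannot be replayed


@dataclass
class Response:
    identifier: int     # echoed so the authenticator can match the outstanding challenge
    value: bytes        # MD5(identifier || secret || challenge)
    name: str           # user name, sent in the clear


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5 over the identifier octet, the shared secret and the challenge value."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Server side. Already holds each peer's secret; the secret never crosses the wire."""

    def __init__(self, secrets: Dict[str, bytes]):
        self._secrets = secrets
        self._next_id = 0
        self._outstanding: Dict[int, bytes] = {}

    def challenge(self) -> Challenge:
        self._next_id = (self._next_id + 1) & 0xFF
        value = os.urandom(16)
        self._outstanding[self._next_id] = value
        return Challenge(self._next_id, value)

    def verify(self, resp: Response) -> bool:
        # Pop, not get: a challenge answers exactly once, which kills replay.
        challenge: Optional[bytes] = self._outstanding.pop(resp.identifier, None)
        secret = self._secrets.get(resp.name)
        if challenge is None or secret is None:
            return False
        expected = chap_hash(resp.identifier, secret, challenge)
        return hmac.compare_digest(expected, resp.value)


class Peer:
    """Client side: proves knowledge of the secret without sending it."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self._secret = secret

    def respond(self, ch: Challenge) -> Response:
        return Response(ch.identifier, chap_hash(ch.identifier, self._secret, ch.value), self.name)


def run_exchange(server: Authenticator, client: Peer) -> bool:
    """One Challenge -> Response -> Success/Failure round trip."""
    return server.verify(client.respond(server.challenge()))


if __name__ == "__main__":
    secret = b"correct horse battery staple"                 # constructed
    server = Authenticator({"alice": secret})
    print("valid secret :", run_exchange(server, Peer("alice", secret)))
    print("wrong secret :", run_exchange(server, Peer("alice", b"guess")))
    ch = server.challenge()
    resp = Peer("alice", secret).respond(ch)
    print("first use    :", server.verify(resp))
    print("replayed     :", server.verify(resp))
```

The authenticator must store the secret in a recoverable form to compute the same hash, which is CHAP's well-known cost: a compromised server database yields usable secrets, and an observer who captures challenge/response pairs can run an offline dictionary attack against them.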

45. Select the answer that best describes token authentication:

A. Something you have
B. Something you know
C. Something you are
D. None of the above

Answer: A

46. Select the answer that best describes user name and password authentication:

A. Something you have
B. Something you know
C. Something you are
D. None of the above

Answer: B

47. Select the answer that best describes biometric authentication:

A. Something you have
B. Something you know
C. Something you are
D. None of the above

Answer: C

48. With discretionary access control (DAC), there is no mechanism for creating and enforcing rules regarding access control. Access is configured at the discretion of the owner of the object.

A. True
B. False

Answer: A

49. Which description best fits role-based access control (RBAC)?

A. Access control is configured at the discretion of the object's owner.
B. Access to an object is restricted based on the sensitivity of the object and is granted through authorization.
C. Access is granted based on the user's role.
D. None of the above

Answer: C

50. Which description best fits discretionary access control (DAC)?

A. Access control is configured at the discretion of the object's owner.
B. Access to an object is restricted based on the sensitivity of the object and is granted through authorization.
C. Access is granted based on the user's role.
D. None of the above

Answer: A

51. Which description best fits mandatory access control (MAC)?

A. Access control is configured at the discretion of the object's owner.
B. Access to an object is restricted based on the sensitivity of the object and is granted through authorization.
C. Access is granted based on the user's role.
D. None of the above

Answer: B
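
Questions 49 through 51 in code, as an added example that is not part of the original question set: one decision function per model, with constructed users, objects, labels and roles. DAC lets the owner edit the ACL; MAC compares system-assigned labels using the Bell-LaPadula rules (no read up, no write down); RBAC resolves a user to roles and roles to permissions.

```python
"""DAC, MAC and RBAC as three small decision functions.

Added example, not part of the original question set. The users, objects,
labels and roles below are constructed to exercise each model.
"""
from typing import Dict, Set, Tuple


# ---- DAC: the object's owner decides, by editing the object's ACL ----
class DacObject:
    def __init__(self, owner: str):
        self.owner = owner
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write"}}

    def grant(self, by: str, to: str, perms: Set[str]) -> None:
        """Only the owner may change the ACL; nothing stops the owner granting anyone."""
        if by != self.owner:
            raise PermissionError("only the owner may change the ACL")
        self.acl.setdefault(to, set()).update(perms)


def dac_allowed(obj: DacObject, user: str, perm: str) -> bool:
    return perm in obj.acl.get(user, set())


# ---- MAC: labels are assigned by the system, not the owner ----
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_allowed(clearance: str, classification: str, perm: str) -> bool:
    """Bell-LaPadula confidentiality rules on the sensitivity labels."""
    subject, obj = LEVELS[clearance], LEVELS[classification]
    if perm == "read":
        return subject >= obj       # simple security property: no read up
    if perm == "write":
        return subject <= obj       # *-property: no write down
    return False


# ---- RBAC: users get roles, roles get permissions ----
ROLE_PERMS: Dict[str, Set[Tuple[str, str]]] = {
    "helpdesk": {("ticket", "read"), ("ticket", "write")},
    "auditor": {("ticket", "read"), ("log", "read")},
}
USER_ROLES: Dict[str, Set[str]] = {"bob": {"helpdesk"}, "carol": {"auditor"}}


def rbac_allowed(user: str, obj_type: str, perm: str) -> bool:
    return any((obj_type, perm) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


if __name__ == "__main__":
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", {"read"})
    print("DAC  bob read  :", dac_allowed(doc, "bob", "read"))
    print("DAC  bob write :", dac_allowed(doc, "bob", "write"))
    print("MAC  secret reads confidential :", mac_allowed("secret", "confidential", "read"))
    print("MAC  secret writes confidential:", mac_allowed("secret", "confidential", "write"))
    print("RBAC carol reads log :", rbac_allowed("carol", "log", "read"))
    print("RBAC bob reads log   :", rbac_allowed("bob", "log", "read"))
```

The MAC write rule surprises people: a secret-cleared subject may not write into a confidential object, because that is exactly how classified data would leak downward.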

52. How can you stop certain protocols from traversing your routers?

A. Access control lists (ACLs)
B. Firewall
C. Use a switch instead
D. Use an intrusion detection system

Answer: A

53. What can you do to make it more difficult for an attacker to sniff your network?

A. Disable the promiscuous mode
B. Use an intrusion detection system
C. Use network switches
D. Use encryption

Answer: A, C, D

Permanently disabling promiscuous mode on the network card makes a packet sniffer useless on a compromised system. If you cannot disable it permanently, you may be able to disable it temporarily; the attacker would then need both the sophistication and the required access to re-enable it. Other measures include encrypting traffic between connections, using network switching so that each port sees only its own traffic, and physically securing the connection points to your network.

54. Which of the following attributes of cellular networking products make them a greater security risk than IEEE 802.11b wireless products?

A. Lower cost
B. Greater transmission range
C. Less susceptibility to interference from walls and barriers
D. Use of higher frequencies

Answer: B

55. Which of the following statements about users and groups is true?

A. A user can only be a member of one group.
B. A user's effective permissions can be inherited from multiple groups.
C. Creating groups enables the network administrator to create fewer user accounts.
D. Groups cannot have conflicting privileges.

Answer: B

56. How does centralized administration reduce the workload of the network administrator?

A. By reducing the number of resources to which users have to be granted privileges.
B. By reducing the number of groups that need to be created.
C. By reducing the number of users accounts that need to be created.
D. By reducing the number of privileges that have to be granted to each user.

Answer: C

57. When you grant a user account the minimal required permission, what rule are you applying?

A. Least privilege
B. Segregation of duties
C. Rule-based access control
D. None of the above

Answer: A

58. Which of the following magnetic tape formats has the greatest storage capacity?

A. DAT
B. LTO
C. DLT
D. QIC

Answer: B

59. What is the term used to describe a hard disk that you can remove from the computer without shutting the system down?

A. Hot pluggable
B. Cluster system
C. RAID
D. Drive Mirror

Answer: A


60. Which of the following removable media is typically used to carry users' digital certificates?

A. Flashcards
B. Smart cards
C. CD-Rs
D. Floppy disks

Answer: B

61. Name a hardware technology that enables a computer to continue operating despite the failure of a hard disk.

A. RAID
B. Tape Backup
C. Clustering
D. None of the above

Answer: A

62. Utilities such as electric power are typically not included as part of a business continuity plan because their reliability rate is so high.

A. True
B. False

Answer: B

Utilities should be included in a business continuity plan if a business absolutely requires them to operate.

63. Which of the following statements is true about a business continuity management (BCM) effort?

A. BCM is a company process that must involve all departments and all levels.
B. BCM is an IT consideration that is devoted to keeping the company's computer network operational in the event of a disaster.
C. Each department manager in a company should create an individual business continuity plan for that department.
D. BCM is a government project that dictates preparatory requirements to individual businesses.

Answer: A

64. What type of policy would typically prohibit playing of computer games on organizational computers?

A. Acceptable use policy
B. Anti-Virus policy
C. Internet usage policy
D. None of the above

Answer: A

65. Select all the attacks that are based on using malicious code:

A. Trojan horse
B. Social engineering
C. Virus
D. Novice
E. Worm

Answer: A, C, E

A Trojan horse, a virus, and a worm are all examples of malicious code. Social engineering is an attack type, but it relies on a person gaining access to your information through trickery of some sort. A novice is a hacker wannabe who lacks the skills of a hacker.
======================================================================
Security + SYO-101A

1. Following a disaster, while returning to the original site from an alternate site, the first process to resume at the original site would be the:

A. least critical process
B. most critical process
C. process most expensive to maintain at an alternate site
D. process that has maximum visibility in the organization

Answer: A

2. Documenting change levels and revision information is most useful for:

A. theft tracking
B. security audits
C. disaster recovery
D. license enforcement

Answer: C

3. A recent audit shows that a user logged into a server with their user account and executed a program. The user then performed activities only available to an administrator. This is an example of what type of an attack?

A. Trojan horse
B. privilege escalation
C. subseven back door
D. security policy removal

Answer: B

4. Notable security organizations often recommend that only essential services be provided by a particular host and that any unnecessary services be disabled. Which of the following does NOT represent a reason supporting this recommendation?

A. Each additional service increases the risk of compromising the host, the services that run on the host, and potential clients of these services.
B. Different services may require different hardware, software, or a different discipline of administration.
C. When fewer services and applications are running on a specific host, fewer log entries and fewer interactions between different services are expected, which simplifies the analysis and maintenance of the system from a security point of view.
D. If a service is not using a well-known port, firewalls will not be able to block access to these ports and an administrator will not be able to restrict access to this service.

Answer: D

5. Which of the following is a technical solution that supports high availability?

A. UDP (User Datagram Protocol).
B. anti-virus solution.
C. RAID (Redundant Array of Independent Disks).
D. firewall.

Answer: C

6. In order for a user to obtain a certificate from a trusted CA (Certificate Authority), the user must present proof of identity and a:

A. private key.
B. public key.
C. password.
D. Kerberos key.

Answer: B

7. In the context of wireless networks, WEP (Wired Equivalent Privacy) was designed to:

A. provide the same level of security as a wired LAN (Local Area Network).
B. provide a collision preventive method of media access.
C. provide a wider access area than that of wired LANs (Local Area Network).
D. allow radio frequencies to penetrate walls.

Answer: A

8. A primary drawback to using shared storage clustering for high availability and disaster recovery is:

A. the creation of a single point of vulnerability.
B. the increased network latency between the host computers and the RAID (Redundant Array of Independent Disks) subsystem.
C. the asynchronous writes which must be used to flush the server cache.
D. the higher storage capacity required by the RAID (Redundant Array of Independent Disks) subsystem.

Answer: A

9. What are access decisions based on in a MAC (Mandatory Access Control) environment?

A. access control lists.
B. ownership.
C. group membership.
D. sensitivity labels.

Answer: D

10. Packet sniffing can be used to obtain username and password information in clear text from which one of the following?

A. SSH (Secure Shell).
B. SSL (Secure Sockets Layer).
C. FTP (File Transfer Protocol).
D. HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer).

Answer: C

11. When securing a FTP (File Transfer Protocol) server, what can be done to ensure that only authorized users can access the server?

A. allow blind authentication.
B. disable anonymous authentication.
C. redirect FTP (File Transfer Protocol) to another port.
D. only give the address to users that need access.

Answer: B

12. Asymmetric cryptography ensures that:
A. encryption and authentication can take place without sharing private keys.
B. encryption of the secret key is performed with the fastest algorithm available.
C. encryption occurs only when both parties have been authenticated.
D. encryption factoring is limited to the session key.

Answer: A

13. Which of the following media types is most immune to RF (Radio Frequency) eavesdropping?
A. coaxial cable.
B. fiber optic cable.
C. twisted pair wire.
D. unbounded.

Answer: B

14. Access controls that are created and administered by the data owner are considered.
A. MAC (Mandatory Access Control).
B. RBAC (Role Based Access Control).
C. LBAC (List Based Access Control).
D. DAC (Discretionary Access Control).

Answer: D

15. An administrator notices that an e-mail server is currently relaying e-mail (including spam) for any e-mail server requesting relaying. Upon further investigation the administrator notices the existence of /etc/mail/relay-domains. What modification should the administrator make to the relay-domains file to prevent relaying for domains that are not explicitly named?

A. move the .* entry to the bottom of the relay-domains file and restart the e-mail process.
B. move the .* entry to the top of the relay-domains file and restart the e-mail process.
C. delete the .* entry in the relay-domains file and restart the e-mail process.
D. delete the relay-domains file from the /etc/mail folder and restart the e-mail process.

Answer: C

16. Providing false information about the source of an attack is known as:
A. aliasing.
B. spoofing.
C. flooding.
D. redirecting.

Answer: B

17. The term “due care” best relates to:

A. policies and procedures intended to reduce the likelihood of damage or injury.
B. scheduled activity in a comprehensive preventative maintenance program.
C. techniques and methods for secure shipment of equipment and supplies.
D. user responsibilities involved when sharing passwords in a secure environment.

Answer: A

18. A high profile company has been receiving a high volume of attacks on their public web site. The network administrator wants to be able to collect information on the attacker(s) so legal action can be taken. What should be implemented?

A. a DMZ (Demilitarized Zone).
B. a honey pot.
C. a firewall.
D. a new subnet.

Answer: B

19. Many intrusion detection systems look for known patterns or____ to aid in detecting attacks.

A. viruses.
B. signatures.
C. hackers.
D. malware.

Answer: B

20. After installing a new operating system, what configuration changes should be implemented?

A. create application user accounts.
B. rename the guest account.
C. rename the administrator account, disable the guest accounts.
D. create a secure administrator account.

Answer: C

21. In order to establish a secure connection between headquarters and a branch office over a public network, the router at each location should be configured to use IPSec (Internet Protocol Security) in ____ mode.

A. secure.
B. tunnel.
C. transport.
D. data link.

Answer: B

22. What type of authentication may be needed when a stored key and a memorized password are not strong enough and additional layers of security are needed?

A. mutual.
B. multi-factor.
C. biometric.
D. certificate.

Answer: B

23. What technology was originally designed to decrease broadcast traffic but is also beneficial in reducing the likelihood of having information compromised by sniffers?
A. VPN (Virtual Private Network).
B. DMZ (Demilitarized Zone).
C. VLAN (Virtual Local Area Network).
D. RADIUS (Remote Authentication Dial-in User Service).

Answer: C

24. A DMZ (Demilitarized Zone) typically contains:

A. a customer account database.
B. staff workstations.
C. a FTP (File Transfer Protocol) server.
D. a SQL (Structured Query Language) based database server.

Answer: C

25. What kind of attack are hashed passwords vulnerable to?

A. man in the middle.
B. dictionary or brute force.
C. reverse engineering.
D. DoS (Denial of Service).

Answer: B
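
Question 25 in practice, as an added example that is not part of the original question set: an offline dictionary attack against an unsalted MD5 password hash, next to a per-user salted, iterated PBKDF2 record that defeats precomputed tables and makes every guess cost the full iteration count. The wordlist, passwords and salts are constructed; the iteration count is kept low so the example runs quickly and should be much higher in production.

```python
"""Dictionary attack on an unsalted hash, next to a salted, iterated record.

Added example, not part of the original question set. The wordlist, passwords
and salts are constructed; ITERATIONS is kept low so the example runs quickly
and should be much higher in production.
"""
import hashlib
import hmac
import os
from typing import Optional

WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "baseball"]  # constructed
ITERATIONS = 50_000


def unsalted_md5(password: str) -> str:
    """How passwords were commonly stored: one fast hash, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(target_hex: str, wordlist=WORDLIST) -> Optional[str]:
    """Hash each candidate once; the resulting table cracks every user with that password."""
    table = {unsalted_md5(w): w for w in wordlist}      # precomputed once, reused forever
    return table.get(target_hex)


def pbkdf2_record(password: str, salt: Optional[bytes] = None) -> str:
    """Store algorithm, iteration count and salt alongside the derived key."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_check(password: str, record: str) -> bool:
    _alg, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(record: str, wordlist=WORDLIST) -> Optional[str]:
    """No table helps: the salt differs per user, so every guess costs ITERATIONS hashes per record."""
    for w in wordlist:
        if pbkdf2_check(w, record):
            return w
    return None


if __name__ == "__main__":
    stolen = unsalted_md5("letmein")
    print("unsalted md5 cracked to:", crack_unsalted(stolen))
    r1 = pbkdf2_record("letmein")
    r2 = pbkdf2_record("letmein")
    print("same password, two records differ:", r1 != r2)
    print("pbkdf2 cracked to:", crack_pbkdf2(r1), "at", ITERATIONS, "iterations per guess")
```

A weak password still falls to the second attack; salting and stretching only remove the shortcut of a shared precomputed table and multiply the cost of every guess, which is why the password policy and the storage format have to be fixed together.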

26. Controlling access to information systems and associated networks is necessary for the preservation of their:

A. authenticity, confidentiality,and availability.
B. integrity, availability and reliability.
C. confidentiality, integrity and availability.
D. authenticity, confidentiality and availability.

Answer: C

27. A collection of information that includes login, file access, other various activities, and actual or attempted legitimate and unauthorized security violations is a(n):

A. audit.
B. ACL (Access Control List).
C. audit trail.
D. syslog.

Answer: C

28. What transport protocol and port number does SSH (Secure Shell) use?
A. TCP (Transmission Control Protocol) port 22.
B. UDP (User Datagram Protocol) port 69.
C. TCP (Transmission Control Protocol) port 179.
D. UDP (User Datagram Protocol) port 17.

Answer: A

29. What statement is most true about viruses and hoaxes?
A. Hoaxes can create as much damage as a real virus.
B. Hoaxes are harmless pranks and should be ignored.
C. Hoaxes can help educate users about a virus.
D. Hoaxes carry a malicious payload and can be destructive.

Answer: A

30. What is the greatest benefit to be gained through the use of S/MIME (Secure Multipurpose Internet Mail Extensions)? The ability to:
A. encrypt and digitally sign e-mail messages.
B. send anonymous e-mails.
C. send e-mails with a return receipt.
D. expedite the delivery of e-mail.

Answer: A

31. Access control decisions are based on responsibilities that an individual user or process has in an organization. This best describes:

A. MAC (Mandatory Access Control).
B. RBAC (Role Based Access Control).
C. DAC (Discretionary Access Control).
D. none of the above.

Answer: B

32. Which of the following results in a domain name server resolving the domain name to a different and wrong IP (Internet Protocol) address and thus misdirecting Internet traffic?

A. DoS (Denial of Service).
B. spoofing.
C. brute force attack.
D. reverse DNS (Domain Name Service).
E. None of the above.

Answer: B

33. When examining the server's list of protocols that are bound and active on each network interface card, the network administrator notices a relatively large number of protocols. Which action should be taken to ensure network security?

A. Unnecessary protocols do not pose a significant risk to the system and should be left intact for compatibility reasons.
B. There are no unneeded protocols on most systems because protocols are chosen during the installation.
C. Unnecessary protocols should be disabled on all server and client machines on a network as they pose a great risk.
D. Using port filtering ACLs (Access Control Lists) at firewalls and routers is sufficient to stop malicious attacks on unused protocols.

Answer: C

34. If a private key becomes compromised before its certificate’s normal expiration date, X.509 defines a method requiring each CA (Certificate Authority) to periodically issue a signed data structure called a certificate:

A. enrollment list.
B. expiration list.
C. revocation list.
D. validation list.

Answer: C

35. DAC (Discretionary Access Control) systems operate following which guideline statement.

A. files that don't have an owner cannot be modified.
B. the administrator of the system is an owner of each object.
C. the operating system is an owner of each object.
D. each object has an owner, which has full control over the object.

Answer: D

36. An autonomous agent that copies itself into one or more host programs, then propagates when the host is run, is best described as a:

A. Trojan horse.
B. backdoor.
C. logic bomb.
D. virus.

Answer: D

37. The de facto IT (Information Technology) security evaluation criteria for the international community is called?

A. Common Criteria.
B. Global Criteria.
C. TCSEC (Trusted Computer System Evaluation Criteria).
D. ITSEC (Information Technology Security Evaluation Criteria).

Answer: A

38. The best protection against the abuse of remote maintenance of a PBX (Private Branch Exchange) system is to:

A. keep maintenance features turned off until needed.
B. insist on strong authentication before allowing remote maintenance.
C. keep PBX (Private Branch Exchange) in locked enclosure and restrict access to only a few people.
D. check to see if the maintenance caller is on the list of approved maintenance personnel.

Answer: B

39. At what stage of an assessment would an auditor test systems for weaknesses and attempt to defeat existing encryption, passwords and access lists?

A. penetration.
B. control.
C. audit planning.
D. discovery.

Answer: A

40. Computer forensics experts collect and analyze data using which of the following guidelines so as to minimize data loss?

A. evidence.
B. chain of custody.
C. chain of command.
D. incident response.

Answer: B

41. Data integrity is best achieved using a(n):

A. asymmetric cipher.
B. digital certificate.
C. message digest.
D. symmetric cipher.

Answer: C

42. A program that can infect other programs by modifying them to include a version of itself is a:

A. replicator.
B. virus.
C. Trojan horse.
D. logic bomb.

Answer: B

43. Which of the following is an example of an asymmetric algorithm?

A. CAST (Carlisle Adams Stafford Tavares).
B. RC5 (Rivest Cipher 5).
C. RSA (Rivest Shamir Adleman).
D. SHA-1 (Secure Hash Algorithm 1).

Answer: C

44. When a user clicks to browse a secure page, the SSL (Secure Sockets Layer) enabled server will first:

A. use its digital certificate to establish its identity to the browser.
B. validate the user by checking the CRL (Certificate Revocation List).
C. request the user to produce the CRL (Certificate Revocation List).
D. display the requested page on the browser, then provide its IP (Internet Protocol) address for verification.

Answer: A

45. User A needs to send a private e-mail to User B. User A does not want anyone to have the ability to read the e-mail except for User B, thus retaining privacy. Which tenet of information security is User A concerned about?

A. authentication.
B. integrity.
C. confidentiality.
D. non-repudiation.

Answer: C

46. A company uses WEP (Wired Equivalent Privacy) for wireless security. Who may authenticate to the company’s access point?

A. only the administrator.
B. anyone can authenticate.
C. only users within the company.
D. only users with the correct WEP (Wired Equivalent Privacy) key.

Answer: D

47. Giving each user or group of users only the access they need to do their job is an example of which security principle:

A. least privilege
B. defense in depth
C. separation of duties
D. access control

Answer: A

48. The primary purpose of NAT (Network Address Translation) is to:

A. translate IP (Internet Protocol) addresses into user friendly names.
B. hide internal hosts from the public network.
C. use one public IP (Internet Protocol) address on the internal network as a name server.
D. hide the public network from internal hosts.

Answer: B

49. The start of the LDAP (Lightweight Directory Access Protocol) directory is called the:

A. head
B. root
C. top
D. tree

Answer: B

50. The protection of data, against unauthorized access or disclosure is an example of what?

A. confidentiality
B. integrity
C. signing
D. hashing

Answer: A

51. Which of the following backup methods copies only modified files since the last full backup?

A. full.
B. differential.
C. incremental.
D. archive.

Answer: B
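
Question 51 simulated, as an added example that is not part of the original question set: a volume with an archive bit per file, a full backup on day 0, and three days of constructed modifications, backed up either differentially or incrementally. The difference is which backup types clear the archive bit, and the restore chain each strategy needs follows from that.

```python
"""Differential vs incremental backups, simulated with the archive bit.

Added example, not from the original question set. The file set and the daily
modifications are constructed inline; a full backup is taken on day 0.
"""
from typing import Dict, List, Set, Tuple


class Volume:
    def __init__(self, names: List[str]):
        # Right after a full backup every archive bit is clear.
        self.archive: Dict[str, bool] = {n: False for n in names}

    def modify(self, *names: str) -> None:
        for n in names:
            self.archive[n] = True          # the OS sets the bit on every write

    def backup(self, kind: str) -> Set[str]:
        """Return the files a backup of this kind copies, and update the bits as it would."""
        if kind == "full":
            selected = set(self.archive)
        elif kind in ("differential", "incremental"):
            selected = {n for n, bit in self.archive.items() if bit}
        else:
            raise ValueError(kind)
        if kind != "differential":
            # Full and incremental clear the bit; differential leaves it set,
            # which is why each differential copies everything since the last full.
            for n in selected:
                self.archive[n] = False
        return selected


# constructed history: day -> files written that day
CHANGES: Dict[int, Tuple[str, ...]] = {1: ("a.doc",), 2: ("b.xls",), 3: ("a.doc", "c.txt")}


def simulate(kind: str, changes=CHANGES) -> List[Set[str]]:
    """Backup set copied on each day for the given strategy."""
    vol = Volume(["a.doc", "b.xls", "c.txt", "d.pdf"])
    sets = []
    for day in sorted(changes):
        vol.modify(*changes[day])
        sets.append(vol.backup(kind))
    return sets


def restore_chain(kind: str, changes=CHANGES) -> List[str]:
    """Which backup sets a restore after the last day needs, in order."""
    days = sorted(changes)
    if kind == "differential":
        return ["full day 0", f"differential day {days[-1]}"]
    return ["full day 0"] + [f"incremental day {d}" for d in days]


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        print(kind, [sorted(s) for s in simulate(kind)], "->", restore_chain(kind))
```

Differential sets grow every day but a restore needs only two media; incremental sets stay small but a restore needs every one of them, so losing or corrupting one tape in the chain loses everything after it.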

52. While connected from home to an ISP (Internet Service Provider), a network administrator performs a port scan against a corporate server and finds four open TCP (Transmission Control Protocol) ports: 25, 110, 143, and 389. Corporate users in the organization must be able to connect from home, send and receive messages on the Internet, read e-mail by means of the IMAPv4 (Internet Message Access Protocol version 4) protocol, and search a directory services database for user e-mail addresses and digital certificates. All the e-mail related services, as well as the directory server, run on the scanned server. Which of the above ports can be filtered out to decrease unnecessary exposure without affecting functionality?

A. 25.
B. 110.
C. 143.
D. 389.

Answer: B

53. In a decentralized privilege management environment, user accounts and passwords are stored on:

A. One central authentication server.
B. each individual server.
C. no more than two servers.
D. One server configured for decentralized management.

Answer: B

54. A well defined business continuity plan must consist of risk analysis, business impact analysis, strategic planning and mitigation, training and awareness, maintenance and audit and:

A. security labeling and classification.
B. budgeting and acceptance.
C. documentation and security labeling.
D. integration and validation.

Answer: D

55. One way to limit hostile sniffing on a LAN (Local Area Network) is by installing:

A. an Ethernet switch.
B. an Ethernet hub.
C. a CSU/DSU (Channel Service Unit/Data Service Unit).
D. a firewall.

Answer: A

56. The WAP (Wireless Application Protocol) programming model is based on the following three elements:

A. client, original server, WEP (Wired Equivalent Privacy).
B. code design, code review, documentation.
C. client, original server, wireless interface card.
D. client, gateway, original server.

Answer: D

57. The first step in establishing a disaster recovery plan is to:

A. get budgetary approval for the plan.
B. agree on the objectives of the plan.
C. list possible alternative sites to be used in a disaster event.
D. prioritize processes requiring immediate attention in a disaster event.

Answer: B

58. When securing a DNS (Domain Name Service) server, and shutting down all unnecessary ports, which port should NOT be shut down?

A. 21
B. 23
C. 53
D. 55

Answer: C

59. What is the main advantage SSL (Secure Sockets Layer) has over HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer)?

A. SSL (Secure Sockets Layer) offers full application security for HTTP (Hypertext Transfer Protocol) while HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) does not.
B. SSL (Secure Sockets Layer) supports additional application layer protocols such as FTP (File Transfer Protocol) and NNTP (Network News Transport Protocol) while HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) does not.
C. SSL (Secure Sockets Layer) and HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) are transparent to the application.
D. SSL (Secure Sockets Layer) supports user authentication and HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) does not.

Answer: B

60. A sound security policy will define:

A. what is considered an organization’s assets.
B. what attacks are planned against the organization.
C. how an organization compares to others in security audits.
D. weaknesses in competitor’s systems.

Answer: A

61. What functionality should be disallowed between a DNS (Domain Name Service) server and untrusted node?

A. name resolution.
B. reverse ARP (Address Resolution Protocol) requests.
C. system name resolution.
D. zone transfers.

Answer: D

62. What is the most effective social engineering defensive strategy?

A. marking of documents.
B. escorting of guests.
C. badge security system.
D. training and awareness.

Answer: D

63. An IDS (Intrusion Detection System) is sending alerts that attacks are occurring which are not actually taking place. What is the IDS (Intrusion Detection System) registering?

A. false positives.
B. false negatives.
C. true negatives.
D. true positives.

Answer: A

64. When an employee is dismissed, the security administrator should:

A. allow the employee to backup computer files then disable network access.
B. change all network passwords.
C. disable the employee’s network access.
D. set rules to forward the employee’s e-mail to a home address.

Answer: C

65. How are honey pots used to collect information? Honey pots collect:

A. IP (Internet Protocol) addresses and identity of internal users.
B. data on the identity, access, and compromise methods used by the intruder.
C. data regarding and the identity of servers within the network.
D. IP (Internet Protocol) addresses and data of firewalls used within the network.

Answer: B

66. How must a firewall be configured to only allow employees within the company to download files from a FTP (File Transfer Protocol) server?

A. open port 119 to all inbound connections.
B. open port 119 to all outbound connections.
C. open port 20/21 to all inbound connections.
D. open port 20/21 to all outbound connections.

Answer: D

67. Administrators currently use telnet to remotely manage several servers. Security policy dictates that passwords and administrative activities must not be communicated in clear text. Which of the following is the best alternative to using telnet?

A. DES (Data Encryption Standard).
B. S-Telnet.
C. SSH (Secure Shell).
D. PKI (Public Key Infrastructure).

Answer: C

68. Which of the following provides privacy, data integrity and authentication for handheld devices in a wireless network environment?

A. WEP (Wired Equivalent Privacy).
B. WAP (Wireless Application Protocol).
C. WSET (Wireless Secure Electronic Transaction).
D. WTLS (Wireless Transport Layer Security).

Answer: D

69. Analyzing log files after an attack has started is an example of:

A. active detection.
B. overt detection.
C. covert detection.
D. passive detection.

Answer: D

70. How many characters should the minimum length of a password be to deter dictionary password cracks?

A. 6.
B. 8.
C. 10.
D. 12.

Answer: B

71. An acceptable use policy signed by an employee can be interpreted as an employee’s written______ for allowing an employer to search an employee’s workstation.

A. refusal.
B. policy.
C. guideline.
D. consent.

Answer: D

72. What protocol can be used to create a VPN (Virtual Private Network)?

A. PPP (Point-to-Point Protocol).
B. PPTP (Point-to-Point Tunneling Protocol).
C. SLIP (Serial Line Internet Protocol).
D. ESLIP (Encrypted Serial Line Internet Protocol).

Answer: B

73. An attack whereby two different messages using the same hash function produce a common message digest is also known as a:

A. man in the middle attack.
B. cipher text only attack.
C. birthday attack.
D. brute force attack.

Answer: C

74. A common algorithm used to verify the integrity of data from a remote user through the creation of a 128-bit hash from a data input is:

A. IPSec (Internet Protocol Security).
B. RSA (Rivest Shamir Adleman).
C. Blowfish.
D. MD5 (Message Digest).

Answer: D

75. In a RBAC (Role Based Access Control) context, which statement best describes the relation between users, roles and operations?

A. multiple users, single role and single operation.
B. multiple users, single role and multiple operations.
C. single user, single role and single operation.
D. multiple users, multiple roles and multiple operations.

Answer: D

76. An administrator is setting permissions on a file object in a network operating system which uses DAC (Discretionary Access Control). The ACL (Access Control List) of the file follows:

Owner: Read, Write, Execute; User A: Read, Write, -; User B: -, -, - (None); Sales: Read, -, -; Marketing: -, Write, -; Other: Read, Write, -;

User "A" is the only owner of the file. User "B" is a member of the Sales group. What effective permissions does User "B" have on the file with the above access list?

A. User B has no permissions on the file.
B. User B has read permissions on the file.
C. User B has read and write permissions on the file.
D. User B has read, write and execute permissions on the file.

Answer: A

77. A user who has accessed an information system with a valid user ID and password combination is considered a(n):

A. manager
B. user
C. authenticated user
D. security officer

Answer: C

78. The use of embedded root certificates within web browsers is an example of which of the following trust models?

A. bridge.
B. mesh.
C. hierarchy.
D. trust list.

Answer: D

79. What is the most common method used by attackers to identify the presence of an 802.11b network?

A. war driving.
B. direct inward dialing.
C. war dialing.
D. packet driving.

Answer: A

80. The best way to harden an application that is developed in house is to:

A. use an industry recommended hardening tool.
B. ensure that security is given due considerations throughout the entire development process.
C. try attacking the application to detect vulnerabilities, then develop patches to fix any vulnerabilities found.
D. ensure that the auditing system is comprehensive enough to detect and log any possible intrusion, identifying existing vulnerabilities.

Answer: B

81. A security consideration that is introduced by a VPN (Virtual Private Network) is:

A. an intruder can intercept VPN (Virtual Private Network) traffic and create a man in the middle attack.
B. captured data is easily decrypted because there are a finite number of encryption keys.
C. tunneled data CAN NOT be authenticated, authorized or accounted for.
D. a firewall CAN NOT inspect encrypted traffic.

Answer: D

82. Which of the following would NOT be considered a method for managing the administration of accessibility?

A. DAC (Discretionary Access Control) list.
B. SAC (Subjective Access Control) list.
C. MAC (Mandatory Access Control) list.
D. RBAC (Role Based Access Control) list.

Answer: B

83. Which of the following is required to use S/MIME (Secure Multipurpose Internet Mail Extensions)?

A. digital certificate.
B. server side certificate.
C. SSL (Secure Sockets Layer) certificate.
D. public certificate.

Answer: A

84. Non-repudiation is generally used to:

A. protect the system from transmitting various viruses, worms and Trojan horses to other computers on the same network.
B. protect the system from DoS (Denial of Service) attacks.
C. prevent the sender or the receiver from denying that the communication between them has occurred.
D. ensure the confidentiality and integrity of the communication.

Answer: C

85. Which of the following hash functions generates a 160-bit output?

A. MD4 (Message Digest 4).
B. MD5 (Message Digest5).
C. DES (Data Encryption Standard).
D. SHA-1 (Secure Hashing Algorithm 1).

Answer: D

86. Why are unique user IDs critical in the review of audit trails?

A. They CAN NOT be easily altered.
B. They establish individual accountability.
C. They show which files were changed.
D. They trigger corrective controls.

Answer: B

87. A DRP (Disaster Recovery Plan) typically includes which of the following:

A. penetration testing.
B. risk assessment.
C. DoS (Denial of Service) attack.
D. ACL (Access Control List).

Answer: B

88. An attacker can determine what network services are enabled on a target system by:

A. installing a rootkit on the target system.
B. checking the services file.
C. enabling logging on the target system.
D. running a port scan against the target system.

Answer: D

89. A police department has three types of employees: booking officers, investigators, and judges. Each group of employees is allowed different rights to files based on their need. The judges do not need access to the fingerprint database, the investigators need read access and the booking officers need read/write access. The booking officer would need no access to warrants, while an investigator would need read access and a judge would need read/write access. This is an example of:

A. DAC (Discretionary Access Control) level access control.
B. RBAC (Role Based Access Control) level access control.
C. MAC (Mandatory Access Control) level access control.
D. ACL (Access Control List) level access control.

Answer: B

90. Which of the following access control models introduces user security clearance and data classification?

A. RBAC (Role Based Access Control).
B. NDAC (Non-Discretionary Access Control).
C. MAC (Mandatory Access Control).
D. DAC (Discretionary Access Control).

Answer: C

91. A wireless network with three access points, two of which are used as repeaters, exists at a company. What step should be taken to secure the wireless network?

A. Ensure that employees use complex passwords.
B. Ensure that employees are only using issued wireless cards in their systems.
C. Ensure that WEP (Wired Equivalent Privacy) is being used.
D. Ensure that everyone is using adhoc mode.

Answer: C

92. Digital certificates can contain which of the following items:

A. the CA’s (Certificate Authority) private key.
B. the certificate holder’s private key.
C. the certificate’s revocation information.
D. the certificate’s validity period.

Answer: D

93. Which encryption key is used to verify a digital signature?

A. the signer’s public key.
B. the signer’s private key.
C. the recipient's public key.
D. the recipient's private key.

Answer: A

94. NetBus and Back Orifice are each considered an example of a(n):

A. virus.
B. illicit server.
C. spoofing tool.
D. allowable server.

Answer: B

95. The theft of network passwords without the use of software tools is an example of:

A. Trojan programs.
B. social engineering.
C. sniffing.
D. hacking.

Answer: B

96. An alternate site configured with necessary system hardware, supporting infrastructure and an on site staff able to respond to an activation of a contingency plan 24 hours a day, 7 days a week is a:

A. cold site.
B. warm site.
C. mirrored site.
D. hot site.

Answer: D

97. Security controls may become vulnerabilities in a system unless they are:

A. designed and implemented by the system vendor.
B. adequately tested.
C. implemented at the application layer in the system.
D. designed to use multiple factors of authentication.

Answer: B

98. Which of the following is likely to be found after enabling anonymous FTP (File Transfer Protocol) read/write access?

A. an upload and download directory for each user.
B. detailed logging information for each user.
C. storage and distribution of unlicensed software.
D. fewer server connections and less network bandwidth utilization.

Answer: C

99. LDAP (Lightweight Directory Access Protocol) directories are arranged as:

A. linked lists.
B. trees.
C. stacks.
D. queues.

Answer: B

100. An inherent flaw of DAC (Discretionary Access Control) relating to security is:

A. DAC (Discretionary Access Control) relies only on the identity of the user or process, leaving room for a Trojan horse.
B. DAC (Discretionary Access Control) relies on certificates, allowing attackers to use those certificates.
C. DAC (Discretionary Access Control) does not rely on the identity of a user, allowing anyone to use an account.
D. DAC (Discretionary Access Control) has no known security flaws.

Answer: A

Security+ SYO-101B


101. Which of the following is the greatest problem associated with Instant Messaging?

A. widely deployed and difficult to control.
B. created without security in mind.
C. easily spoofed.
D. created with file sharing enabled.

Answer: B

102. An organization is implementing Kerberos as its primary authentication protocol. Which of the following must be deployed for Kerberos to function properly?

A. dynamic IP (Internet Protocol) routing protocols for routers and servers.
B. separate network segments for the realms.
C. token authentication devices.
D. time synchronization services for clients and servers.

Answer: D

103. Searching through trash is used by an attacker to acquire data such as network diagrams, IP (Internet Protocol) address lists and:

A. boot sectors.
B. process lists.
C. old passwords.
D. virtual memory.

Answer: C

104. Discouraging employees from misusing company e-mail is best handled by:

A. enforcing ACL (Access Control List).
B. creating a network security policy.
C. implementing strong authentication.
D. encrypting company e-mail messages.

Answer: B

105. The Diffie-Hellman algorithm allows:

A. access to digital certificate stores from a certificate authority.
B. a secret key exchange over an insecure medium without any prior secrets.
C. authentication without the use of hashing algorithms.
D. multiple protocols to be used in key exchange negotiations.

Answer: B

106. Which of the following type of attack CAN NOT be deterred solely through technical means?

A. dictionary.
B. man in the middle.
C. DoS (Denial of Service).
D. social engineering.

Answer: D

107. Which of the following is the best description of “separation of duties”?

A. assigning different parts of tasks to different employees.
B. employees are granted only the privileges necessary to perform their tasks.
C. each employee is granted specific information that is required to carry out a job function.
D. screening employees before assigning them to a position.

Answer: A

108. How must a firewall be configured to make sure that a company can communicate with other companies using SMTP (Simple Mail Transfer Protocol) e-mail?

A. Open TCP (Transmission Control Protocol) port 110 to all inbound and outbound connections.
B. Open UDP (User Datagram Protocol) port 110 to all inbound connections.
C. Open UDP (User Datagram Protocol) port 25 to all inbound connections.
D. Open TCP (Transmission Control Protocol) port 25 to all inbound and outbound connections.

Answer: D

109. An organization’s primary purpose in conducting risk analysis in dealing with computer security is:

A. to identify vulnerabilities to the computer systems within the organization.
B. to quantify the impact of potential threats in relation to the cost of lost business functionality.
C. to identify how much it will cost to implement countermeasures.
D. to delegate responsibility.

Answer: B

110. A user wants to send an e-mail and ensure that the message is not tampered with while in transit. Which feature of modern cryptographic systems will facilitate this?

A. confidentiality.
B. authentication.
C. integrity.
D. non-repudiation.

Answer: C

111. WTLS (Wireless Transport Layer Security) provides security services between a mobile device and a:

A. WAP (Wireless Application Protocol) gateway.
B. web server.
C. wireless client.
D. wireless network interface card.

Answer: A

112. What are three measures which aid in the prevention of a social engineering attack?

A. education, limit available information and security policy.
B. education, firewalls and security policy.
C. security policy, firewalls and incident response.
D. security policy, system logging and incident response.

Answer: A

113. A server placed into service for the purpose of attracting a potential intruder’s attention is known as a:

A. honey pot.
B. lame duck.
C. teaser.
D. pigeon.

Answer: A

114. Which of the following would be most effective in preventing network traffic sniffing?

A. deploy an IDS (Intrusion Detection System).
B. disable promiscuous mode.
C. use hubs instead of routers.
D. use switches instead of hubs.

Answer: D

115. What ports does FTP (File Transfer Protocol) use?

A. 20 and 21.
B. 25 and 110.
C. 80 and 443.
D. 161 and 162.

Answer: A

116. A decoy system that is designed to divert an attacker from accessing critical systems while collecting information about the attacker’s activity, and encouraging the attacker to stay on the system long enough for administrators to respond is known as:

A. DMZ (Demilitarized Zone).
B. honey pot.
C. intrusion detector.
D. screened host.

Answer: B

117. An e-mail relay server is mainly used to:

A. block all spam, which allows the e-mail system to function more efficiently without the additional load of spam.
B. prevent viruses from entering the network.
C. defend the primary e-mail server and limit the effects of any attack.
D. eliminate e-mail vulnerabilities since all e-mail is passed through the relay first.

Answer: C

118. What network mapping tool uses ICMP (Internet Control Message Protocol)?

A. port scanner.
B. map scanner.
C. ping scanner.
D. share scanner.

Answer: C

119. Which two protocols are VPN (Virtual Private Network) tunneling protocols?

A. PPP (Point-to-Point Protocol) and SLIP (Serial Line Internet Protocol).
B. PPP (Point-to-Point Protocol) and PPTP (Point-to-Point Tunneling Protocol).
C. L2TP (Layer Two Tunneling Protocol) and PPTP (Point-to-Point Tunneling Protocol).
D. SMTP (Simple Mail Transfer Protocol) and L2TP (Layer Two Tunneling Protocol).

Answer: C

120. File encryption using symmetric cryptography satisfies what security requirement?

A. confidentiality.
B. access control.
C. data integrity.
D. authentication.

Answer: A

121. An e-mail is received alerting the network administrator to the presence of a virus on the system if a specific executable file exists. What should be the first course of action?

A. Investigate the e-mail as a possible hoax with a reputable anti-virus vendor.
B. Immediately search for and delete the file if discovered.
C. Broadcast a message to the entire organization to alert users to the presence of a virus.
D. Locate and download a patch to repair the file.

Answer: A

122. Part of a fire protection plan for a computer room should include:

A. procedures for an emergency shutdown of equipment.
B. a sprinkler system that exceeds local code requirements.
C. the exclusive use of non-flammable materials within the room.
D. fireproof doors that can be easily opened if an alarm is sounded.

Answer: A

123. Which of the following is an HTTP (Hypertext Transfer Protocol) extension or mechanism used to retain connection data, user information, history of sites visited, and can be used by attackers for spoofing an on-line identity?

A. HTTPS (Hypertext Transfer Protocol over SSL).
B. cookies.
C. HTTP (Hypertext Transfer Protocol)/1.0 caching.
D. vCard v3.0.

Answer: B

124. ActiveX controls __________ to prove where they originated.

A. are encrypted.
B. are stored on the web server.
C. use SSL (Secure Sockets Layer).
D. are digitally signed.

Answer: D

125. A virus that hides itself by intercepting disk access requests is:

A. multipartite.
B. stealth.
C. interceptor.
D. polymorphic.

Answer: B

126. When a potential hacker looks through trash, the most useful items or information that might be found include all except:

A. an IP (Internet Protocol) address.
B. system configuration or network map.
C. old passwords.
D. system access requests.

Answer: D

127. A user logs onto a workstation using a smart card containing a private key. The user is verified when the public key is successfully factored with the private key. What security service is being provided?

A. authentication.
B. confidentiality.
C. integrity.
D. non-repudiation.

Answer: A

128. In cryptographic operations, digital signatures can be used for which of the following systems?

A. encryption.
B. asymmetric key.
C. symmetric and encryption.
D. public and decryption.

Answer: B

129. Which of the following programs is able to distribute itself without using a host file?

A. virus.
B. Trojan horse.
C. logic bomb.
D. worm.

Answer: D

130. Malicious code is installed on a server that will e-mail system keystrokes stored in a text file to the author and delete system logs every five days or whenever a backup is performed. What type of program is this?

A. virus.
B. back door.
C. logic bomb.
D. worm.

Answer: C

131. What is a common type of attack on web servers?

A. birthday.
B. buffer overflow.
C. spam.
D. brute force.

Answer: B

132. Digital signatures can be used for which of the following?

A. availability.
B. encryption.
C. decryption.
D. non-repudiation.

Answer: D

133. Malicious port scanning is a method of attack to determine which of the following?

A. computer name
B. the fingerprint of the operating system
C. the physical cabling topology of a network
D. user IDs and passwords

Answer: B

134. What should be done to secure a DHCP (Dynamic Host Configuration Protocol) service?

A. block ports 67 and 68 at the firewall.
B. block port 53 at the firewall.
C. block ports 25 and 26 at the firewall.
D. block port 110 at the firewall.

Answer: A

135. During the digital signature process, asymmetric cryptography satisfies what security requirement?

A. confidentiality.
B. access control.
C. data integrity.
D. authentication.

Answer: D

136. Which security method is in place when the administrator of a network enables access lists on the routers to disable all ports that are not used?

A. MAC (Mandatory Access Control).
B. DAC (Discretionary Access Control).
C. RBAC (Role Based Access Control).
D. SAC (Subjective Access Control).

Answer: A

137. What is the first step before a wireless solution is implemented?

A. ensure adhoc mode is enabled on the access points.
B. ensure that all users have strong passwords.
C. purchase only Wi-Fi (Wireless Fidelity) equipment.
D. perform a thorough site survey.

Answer: D

138. A system administrator discovers suspicious activity that might indicate a computer crime. The administrator should first:

A. refer to incident response plan.
B. change ownership of any related files to prevent tampering.
C. move any related programs and files to non-erasable media.
D. set the system time to ensure any logged information is accurate.

Answer: A

139. The information that governs and associates users and groups to certain rights to use, read, write, modify, or execute objects on the system is called a(n):

A. public key ring.
B. ACL (Access Control List).
C. digital signature.
D. CRL (Certificate Revocation Lists).

Answer: B

140. Which of the following is expected network behavior?

A. traffic coming from or going to unexpected locations.
B. non-standard or malformed packets/protocol violations.
C. repeated, failed connection attempts.
D. changes in network performance such as variations in traffic load.

Answer: D

141. Security training should emphasize that the weakest links in the security of an organization are typically:

A. firewalls.
B. policies.
C. viruses.
D. people.

Answer: D

142. For system logging to be an effective security measure, an administrator must:

A. review the logs on a regular basis.
B. implement circular logging.
C. configure the system to shut down when the logs are full.
D. configure SNMP (Simple Network Management Protocol) traps for logging events.

Answer: A

143. A perimeter router is configured with a restrictive ACL (Access Control List). Which transport layer protocols and ports must be allowed in order to support L2TP (Layer Two Tunneling Protocol) and PPTP (Point-to-Point Tunneling Protocol) connections respectively, through the perimeter router?

A. TCP (Transmission Control Protocol) port 635 and UDP (User Datagram Protocol) port 654
B. TCP (Transmission Control Protocol) port 749 and UDP (User Datagram Protocol) port 781
C. UDP (User Datagram Protocol) port 1701 and TCP (Transmission Control Protocol) port 1723
D. TCP (Transmission Control Protocol) port 1812 and UDP (User Datagram Protocol) port 1813

Answer: C

144. Which of the following keys is contained in a digital certificate?

A. public key.
B. private key.
C. hashing key.
D. session key.

Answer: A

145. Which of the following options describes a challenge-response session?

A. a workstation or system that generates a random challenge string that the user enters when prompted along with the proper PIN (Personal Identification Number).
B. a workstation or system that generates a random login ID that the user enters when prompted along with the proper PIN (Personal Identification Number).
C. a special hardware device that is used to generate random text in a cryptography system.
D. the authentication mechanism in the workstation or system does not determine if the owner should be authenticated.

Answer: A

146. Message authentication codes are used to provide which service?

A. integrity.
B. fault recovery.
C. key recovery.
D. acknowledgement.

Answer: A

147. Single servers are frequently the targets of attacks because they contain:

A. application launch scripts.
B. security policy settings.
C. credentials for many systems and users.
D. master encryption keys.

Answer: C

148. Sensitive data traffic can be confined to workstations on a specific subnet using privilege policy based tables in the:

A. router.
B. server.
C. modem.
D. VPN (Virtual Private Network).

Answer: A

149. Which one of the following would most likely lead to a CGI (Common Gateway Interface) security problem?

A. HTTP (Hypertext Transfer Protocol) protocol.
B. compiler or interpreter that runs the CGI (Common Gateway Interface) script.
C. the web browser.
D. external data supplied by the user.

Answer: D

150. An attacker manipulates what field of an IP (Internet Protocol) packet in an IP (Internet Protocol) spoofing attack?

A. version field.
B. source address field.
C. source port field.
D. destination address field.

Answer: B

151. What is the best method of defense against IP (Internet Protocol) spoofing attacks?

A. deploying intrusion detection systems.
B. creating a DMZ (Demilitarized Zone).
C. applying ingress filtering to routers.
D. There is not a good defense against IP (Internet Protocol) spoofing.

Answer: C

152. What access control principle requires that every user or process is given the most restricted privileges?

A. control permissions.
B. least privilege.
C. hierarchical permissions.
D. access mode.

Answer: B

153. Incorrectly detecting authorized access as an intrusion or attack is called a false:

A. negative.
B. intrusion.
C. positive.
D. alarm.

Answer: C

154. A VPN (Virtual Private Network) using IPSec (Internet Protocol Security) in the tunnel mode will provide encryption for the:

A. one time pad used in handshaking.
B. payload and message header.
C. hashing algorithm and all e-mail messages.
D. message payload only.

Answer: B

155. When implementing Kerberos authentication, which of the following factors must be accounted for?

A. Kerberos can be susceptible to man in the middle attacks to gain unauthorized access.
B. Kerberos tickets can be spoofed using replay attacks to network resources.
C. Kerberos requires a centrally managed database of all user and resource passwords.
D. Kerberos uses clear text passwords.

Answer: C

156. Which of the following protocols is most similar to SSLv3 (Secure Sockets Layer version 3)?

A. TLS (Transport Layer Security).
B. MPLS (Multi-Protocol Label Switching).
C. SASL (Simple Authentication and Security Layer).
D. MLS (Multi-Layer Switching).

Answer: A

157. How should a primary DNS (Domain Name Service) server be configured to provide the best security against DoS (Denial of Service) and hackers?

A. disable the DNS (Domain Name Service) cache function.
B. disable application services other than DNS (Domain Name Service).
C. disable the DNS (Domain Name Service) reverse lookup function.
D. allow only encrypted zone transfer to a secondary DNS (Domain Name Service) server.

Answer: B

158. What type of security process will allow others to verify the originator of an e-mail message?

A. authentication.
B. integrity.
C. non-repudiation.
D. confidentiality.

Answer: C

159. Which of the following statements is true about Network based IDS (Intrusion Detection System)?

A. Network based IDS (Intrusion Detection System) are never passive devices that listen on a network wire without interfering with the normal operation of a network.
B. Network based IDS (Intrusion Detection System) are usually passive devices that listen on a network wire while interfering with the normal operation of a network.
C. Network based IDS (Intrusion Detection System) are usually intrusive devices that listen on a network wire while interfering with the normal operation of a network.
D. Network based IDS (Intrusion Detection System) are usually passive devices that listen on a network wire without interfering with the normal operation of a network.

Answer: D

160. What physical access control most adequately protects against physical piggybacking?

A. man trap.
B. security guard.
C. CCTV (Closed-Circuit Television).
D. biometrics.

Answer: A

161. Management wants to track personnel who visit unauthorized web sites. What type of detection will this be?

A. abusive detection.
B. misuse detection.
C. anomaly detection.
D. site filtering.

Answer: B

162. An administrator of a web server notices many port scans to a server. To limit exposure and vulnerability exposed by these port scans, the administrator should:

A. disable the ability to remotely scan the registry.
B. leave all processes running for possible future use.
C. close all programs or processes that use a UDP (User Datagram Protocol) or TCP (Transmission Control Protocol) port.
D. uninstall or disable any programs or processes that are not needed for the proper use of the server.

Answer: D

163. Which protocol is typically used for encrypting traffic between a web browser and web server?

A. IPSec (Internet Protocol Security).
B. HTTP (Hypertext Transfer Protocol).
C. SSL (Secure Sockets Layer).
D. VPN (Virtual Private Network).

Answer: C

164. Which of the following best describes TCP/IP (Transmission Control Protocol/Internet Protocol) session hijacking?

A. The TCP/IP (Transmission Control Protocol/Internet Protocol) session state is altered in a way that intercepts legitimate packets and allows a third party host to insert acceptable packets.
B. The TCP/IP (Transmission Control Protocol/Internet Protocol) session state is altered allowing third party hosts to create new IP (Internet Protocol) addresses.
C. The TCP/IP (Transmission Control Protocol/Internet Protocol) session state remains unaltered allowing third party hosts to insert packets acting as the server.
D. The TCP/IP (Transmission Control Protocol/Internet Protocol) session state remains unaltered allowing third party hosts to insert packets acting as the client.

Answer: A

165. A malformed MIME (Multipurpose Internet Mail Extensions) header can:

A. create a back door that will allow an attacker free access to a company private network.
B. create a virus that infects a user’s computer.
C. cause an unauthorized disclosure of private information.
D. cause an e-mail server to crash.

Answer: D

166. When a change to user security policy is made, the policy maker should provide appropriate documentation to:

A. the security administrator.
B. auditors.
C. users.
D. all staff.

Answer: D

167. What technical impact may occur due to the receipt of large quantities of spam?

A. DoS (Denial of Service).
B. processor underutilization.
C. reduction in hard drive space requirements.
D. increased network throughput.

Answer: A

168. A public key ___________ is a pervasive system whose services are implemented and delivered using public key technologies that include CAs (Certificate Authority), digital certificates, non-repudiation, and key history management.

A. cryptography scheme.
B. distribution authority.
C. exchange.
D. infrastructure.

Answer: D

169. Forging an IP (Internet Protocol) address to impersonate another machine is best defined as:

A. TCP/IP (Transmission Control Protocol/Internet Protocol) hijacking.
B. IP (Internet Protocol) spoofing.
C. man in the middle.
D. replay.

Answer: B

170. When setting password rules, which of the following would LOWER the level of security of a network?

A. Passwords must be greater than six characters and contain at least one non-alphabetic character.
B. All passwords are set to expire at regular intervals and users are required to choose new passwords that have not been used before.
C. Complex passwords that users CAN NOT remotely change are randomly generated by the administrator and given to users.
D. After a set number of failed attempts the server will lock out any user account forcing the user to call the administrator to re-enable the account.

Answer: C

171. Which of the following can be used to track a user’s browsing habits on the Internet and may contain usernames and passwords?

A. digital certificates.
B. cookies.
C. ActiveX controls.
D. web server cache.

Answer: B

172. Currently, the most costly method of authentication is the use of:

A. passwords.
B. tokens.
C. biometrics.
D. shared secrets.

Answer: C

173. One of the factors that influence the lifespan of a public key certificate and its associated keys is the:

A. value of the information it is used to protect
B. cost and management fees
C. length of the asymmetric hash
D. data-available openly on the cryptographic system

Answer: A

174. FTP (File Transfer Protocol) is accessed through what ports?

A. 80 and 443.
B. 20 and 21.
C. 21 and 23.
D. 20 and 80.

Answer: B

175. The best method to use for protecting a password stored on the server used for user authentication is to:

A. store the server password in clear text.
B. hash the server password.
C. encrypt the server password with asymmetric keys.
D. encrypt the server password with a public key.

Answer: B

176. In a typical file encryption process, the asymmetric algorithm is used to?

A. encrypt symmetric keys.
B. encrypt file contents.
C. encrypt certificates.
D. encrypt hash results.

Answer: A

177. Which of the following protocols is used by web servers to encrypt data?

A. TCP/IP (Transmission Control Protocol/Internet Protocol)
B. ActiveX
C. IPSec (Internet Protocol Security)
D. SSL (Secure Sockets Layer)

Answer: D

178. A piece of code that appears to do something useful while performing a harmful and unexpected function like stealing passwords is a:

A. virus.
B. logic bomb.
C. worm.
D. Trojan horse.

Answer: D

179. The integrity of a cryptographic system is considered compromised if which of the following conditions exist?

A. a 40-bit algorithm is used for a large financial transaction
B. the public key is disclosed
C. the private key is disclosed
D. the validity of the data source is compromised

Answer: C

180. During the digital signature process, hashing provides a means to verify what security requirement?

A. non-repudiation.
B. access control.
C. data integrity.
D. authentication.

Answer: C

181. Which of the following often requires the most effort when securing a server due to lack of available documentation?

A. hardening the OS (Operating System)
B. configuring the network
C. creating a proper security policy
D. installing the latest hot fixes and patches

Answer: A

182. One of the most effective ways for an administrator to determine what security holes reside on a network is to:

A. perform a vulnerability assessment.
B. run a port scan.
C. run a sniffer.
D. install and monitor an IDS (Intrusion Detection System).

Answer: A

183. As it relates to digital certificates, SSLv3.0 (Secure Sockets Layer version 3.0) added which of the following key functionalities? The ability to:

A. act as a CA (Certificate Authority).
B. force client side authentication via digital certificates.
C. use x.400 certificates.
D. protect transmissions with 1024-bit symmetric encryption.

Answer: B

184. In responding to incidents such as security breaches, one of the most important steps taken is:

A. encryption.
B. authentication.
C. containment.
D. intrusion.

Answer: C

185. Missing audit log entries most seriously affect an organization’s ability to:

A. recover destroyed data.
B. legally prosecute an attacker.
C. evaluate system vulnerabilities.
D. create reliable system backups.

Answer: B

186. SSL (Secure Sockets Layer) is used for secure communications with:

A. file and print servers.
B. RADIUS (Remote Authentication Dial-in User Service) servers.
C. AAA (Authentication, Authorization, and Administration) servers.
D. web servers.

Answer: D

187. Non-repudiation is based on what type of key infrastructure?

A. symmetric.
B. distributed trust.
C. asymmetric.
D. user-centric.

Answer: C

188. The first step in effectively implementing a firewall is:

A. blocking unwanted incoming traffic.
B. blocking unwanted outgoing traffic.
C. developing a firewall policy.
D. protecting against DDoS (Distributed Denial of Service) attacks.

Answer: C

189. Which of the following provides the strongest authentication?

A. token
B. username and password
C. biometrics
D. one time password

Answer: C

190. A security administrator tasked with confining sensitive data traffic to a specific subnet would do so by manipulating privilege policy based tables in the networks:

A. server
B. router
C. VPN (Virtual Private Network)
D. switch

Answer: B

191. What is the best method to secure a web browser?

A. do not upgrade, as new versions tend to have more security flaws.
B. disable any unused features of the web browser.
C. connect to the Internet using only a VPN (Virtual Private Network) connection.
D. implement a filtering policy for illegal, unknown and undesirable sites.

Answer: B

192. The most common form of authentication is the use of:

A. certificates.
B. tokens.
C. passwords.
D. biometrics.

Answer: C

193. What are the three main components of a Kerberos server?

A. authentication server, security database and a privilege server.
B. SAM (Sequential Access Method), security database and an authentication server.
C. application database, security database and system manager.
D. authentication server, security database and system manager.

Answer: A

194. Which of the following methods may be used to exploit the clear text nature of an instant messaging session?

A. packet sniffing.
B. port scanning.
C. crypt analysis.
D. reverse engineering.

Answer: A

195. A user receives an e-mail from a colleague in another company. The e-mail message warns of a virus that may have been accidentally sent in the past, and warns the user to delete a specific file if it appears on the user’s computer. The user checks and has the file. What is the best next step for the user?

A. Delete the file immediately.
B. Delete the file immediately and copy the e-mail to all distribution lists.
C. Report the contents of the message to the network administrator.
D. Ignore the message. This is a virus hoax and no action is required.

Answer: C

196. A need to know security policy would grant access based on:

A. least privilege.
B. less privilege.
C. loss of privilege.
D. single privilege.

Answer: A

197. IDEA (International Data Encryption Algorithm), Blowfish, RC5 (Rivest Cipher 5) and CAST-128 are encryption algorithms of which type?

A. symmetric.
B. asymmetric.
C. hashing.
D. elliptic curve.

Answer: A

198. A CRL (Certificate Revocation List) query that receives a response in near real time:

A. indicates that high availability equipment is used.
B. implies that a fault tolerant database is being used.
C. does not guarantee that fresh data is being returned.
D. indicates that the CA (Certificate Authority) is providing near real time updates.

Answer: C

199. Which of the following is a VPN (Virtual Private Network) tunneling protocol?

A. AH (Authentication Header).
B. SSH (Secure Shell).
C. IPSec (Internet Protocol Security).
D. DES (Data Encryption Standard).

Answer: C

200. Appropriate documentation of a security incident is important for each of the following reasons EXCEPT:

A. The documentation serves as a lessons learned which may help avoid further exploitation of the same vulnerability.
B. The documentation will serve as an aid to updating policy and procedure.
C. The documentation will indicate who should be fired for the incident.
D. The documentation will serve as a tool to assess the impact and damage for the incident.

Answer: C

Security+ SYO-101C


201. A network attack method that uses ICMP (Internet Control Message Protocol) and improperly formatted MTUs (Maximum Transmission Unit) to crash a target computer is known as:

A. man in the middle attack.
B. smurf attack.
C. ping of death attack.
D. TCP SYN (Transmission Control Protocol / Synchronized) attack.

Answer: C

202. The standard encryption algorithm based on Rijndael is known as:

A. AES (Advanced Encryption Standard).
B. 3DES (Triple Data Encryption Standard).
C. DES (Data Encryption Standard).
D. Skipjack.

Answer: A

203. A DoS (Denial of Service) attack which takes advantage of TCP’s (Transmission Control Protocol) three way handshake for new connections is known as:

A. SYN (Synchronize) flood.
B. ping of death attack.
C. land attack.
D. buffer overflow attack.

Answer: A

204. The Bell-LaPadula access control model consists of four elements. These elements are:

A. subjects, objects, access modes and security levels.
B. subjects, objects, roles and groups.
C. read only, read/write, write only and read/write/delete.
D. groups, roles, access modes and security levels.

Answer: A

205. What is generally the most overlooked element of security management?

A. security awareness.
B. intrusion detection.
C. risk assessment.
D. vulnerability control.

Answer: A

206. What is the advantage of a multi-homed firewall?

A. It is relatively inexpensive to implement.
B. The firewall rules are easier to manage.
C. If the firewall is compromised, only the systems in the DMZ (Demilitarized Zone) are exposed.
D. An attacker must circumvent two firewalls.

Answer: A

207. Which of the following is an example of an asymmetric encryption algorithm?

A. RC4 (Rivest Cipher 4)
B. IDEA (International Data Encryption Algorithm)
C. MD5 (Message Digest-5)
D. RSA (Rivest Shamir Adleman)

Answer: D

208. Which of the following needs to be included in a SLA (Service Level Agreement) to ensure the availability of server based resources rather than guaranteed server performance levels?

A. network
B. hosting
C. application
D. security

Answer: B

209. Which access control method provides the most granular access to protected objects?

A. capabilities
B. access control lists
C. permission bits
D. profiles

Answer: B

210. The process by which remote users can make a secure connection to internal resources after establishing an Internet connection could correctly be referred to as:

A. channeling
B. tunneling
C. throughput
D. forwarding

Answer: B

211. When an ActiveX control is executed, it executes with the privileges of the:

A. current user account.
B. administrator account.
C. guest account.
D. system account.

Answer: A

212. Which of the following would best protect the confidentiality and integrity of an e-mail message?

A. SHA-1 (Secure Hash Algorithm 1).
B. IPSec (Internet Protocol Security).
C. digital signature.
D. S/MIME (Secure Multipurpose Internet Mail Extensions).

Answer: D

213. When does CHAP (Challenge Handshake Authentication Protocol) perform the handshake process?

A. when establishing a connection and at any time after the connection is established.
B. only when establishing a connection and disconnecting.
C. only when establishing a connection.
D. only when disconnecting.

Answer: A

214. What should a firewall employ to ensure that each packet is part of an established TCP (Transmission Control Protocol) session?

A. packet filter.
B. stateless inspection.
C. stateful like inspection.
D. circuit level gateway.

Answer: C

215. Which of the following is most commonly used by an intruder to gain unauthorized access to a system?

A. brute force attack.
B. key logging.
C. Trojan horse.
D. social engineering.

Answer: D

216. A minor configuration change which can help secure DNS (Domain Name Service) information is:

A. block all unnecessary traffic by using port filtering.
B. prevent unauthorized zone transfers.
C. require password changes every 30 days.
D. change the default password.

Answer: B

217. What determines if a user is presented with a dialog box prior to downloading an ActiveX component?

A. the user’s browser setting.
B. the meta tag.
C. the condition of the sandbox.
D. the negotiation between the client and the server.

Answer: A

218. LDAP (Lightweight Directory Access Protocol) requires what ports by default?

A. 389 and 636
B. 389 and 139
C. 636 and 137
D. 137 and 139

Answer: A

219. Which security method should be implemented to allow secure access to a web page, regardless of the browser type or vendor?

A. certificates with SSL (Secure Sockets Layer).
B. integrated web with NOS (Network Operating System) security.
C. SSL (Secure Sockets Layer) only.
D. secure access to a web page is not possible.

Answer: A

220. What is a common DISADVANTAGE of employing an IDS (Intrusion Detection System)?

A. false positives.
B. throughput decreases.
C. compatibility.
D. administration.

Answer: A

221. System administrators and hackers use what technique to review network traffic to determine what services are running?

A. sniffer.
B. IDS (Intrusion Detection System).
C. firewall.
D. router.

Answer: A

222. Servers or workstations running programs and utilities for recording probes and attacks against them are referred to as:

A. firewalls.
B. host based IDS (Intrusion Detection System).
C. proxies.
D. active targets.

Answer: B

223. To reduce vulnerabilities on a web server, an administrator should adopt which preventative measure?

A. use packet sniffing software on all inbound communications.
B. apply the most recent manufacturer updates and patches to the server.
C. enable auditing on the web server and periodically review the audit logs.
D. block all DNS (Domain Naming Service) requests coming into the server.

Answer: B

224. What is the greatest advantage to using RADIUS (Remote Authentication Dial-in User Service) for a multi-site VPN (Virtual Private Network) supporting a large population of remote users?

A. RADIUS (Remote Authentication Dial-in User Service) provides for a centralized user database.
B. RADIUS (Remote Authentication Dial-in User Service) provides for a decentralized user database.
C. No user database is required with RADIUS (Remote Authentication Dial-in User Service).
D. User database is replicated and stored locally on all remote systems.

Answer: A

225. What is NOT an acceptable use for smart card technology?

A. mobile telephones.
B. satellite television access cards.
C. a PKI (Public Key Infrastructure) token card shared by multiple users.
D. credit cards.

Answer: C

226. Which of the following is the best protection against an intercepted password?

A. VPN (Virtual Private Network).
B. PPTP (Point-to-Point Tunneling Protocol).
C. one time password.
D. complex password requirement.

Answer: C

227. Which of the following statements most clearly outlines a major security vulnerability associated with Instant Messaging?

A. Instant Messaging does not support any form of message encryption.
B. Instant Messaging negatively impacts user productivity.
C. Instant Messaging uses TCP (Transmission Control Protocol) port 25 for message exchange.
D. Instant Messaging allows file attachments which could potentially contain viruses.

Answer: D

228. Using distinct key pairs to separate confidentiality services from integrity services to support non-repudiation describes which one of the following models?

A. discrete key pair.
B. dual key pair.
C. key escrow.
D. foreign key.

Answer: B

229. Which IETF (Internet Engineering Task Force) protocol uses AH (Authentication Header) and ESP (Encapsulating Security Payload) to provide security in a networked environment?

A. SSL (Secure Sockets Layer).
B. IPSec (Internet Protocol Security).
C. S-HTTP (Secure Hypertext Transfer Protocol).
D. SSH (Secure Shell).

Answer: B

230. A honey pot is best described as a:

A. encryptor.
B. DMZ (Demilitarized Zone).
C. firewall.
D. decoy.

Answer: D

231. A program appearing to be useful that contains additional hidden code that allows unauthorized individuals to exploit or destroy data is commonly known as:

A. virus.
B. Trojan horse.
C. worm.
D. back door.

Answer: B

232. Which of the following is typically included in a CRL (Certificate Revocation List)?

A. certificates that have had a limited validity period and have expired.
B. certificates that are pending renewal.
C. certificates that are considered invalid because they do not contain a valid CA (Certificate Authority) signature.
D. certificates that have been disabled before their scheduled expiration.

Answer: D

233. A CPS (Certificate Practice Statement) is a legal document that describes a CA’s (Certificate Authority):

A. class level issuing process.
B. copyright notice.
C. procedures.
D. asymmetric encryption schema.

Answer: C

234. A severed T1 line is most likely to be considered in ________ planning.

A. data recovery.
B. off site storage.
C. media destruction.
D. incident response.

Answer: D

235. The primary DISADVANTAGE of symmetric cryptography is:

A. speed.
B. key distribution.
C. weak algorithms.
D. memory management.

Answer: B

236. How are clocks used in a Kerberos authentication system?

A. The clocks are synchronized to ensure proper connections.
B. The clocks are synchronized to ensure tickets expire correctly.
C. The clocks are used to generate the seed value for the encryption keys.
D. The clocks are used to benchmark and set the optimal encryption algorithm.

Answer: B

237. An IT (Information Technology) security audit is generally focused on reviewing existing:

A. resources and goals
B. policies and procedures
C. mission statements
D. ethics codes

Answer: B

238. The action of determining which operating system is installed on a system simply by analyzing its response to certain network traffic is called:

A. OS (Operating System) scanning.
B. reverse engineering.
C. Fingerprinting.
D. host hijacking.

Answer: C

239. The most effective way an administrator can protect users from social engineering is:

A. education.
B. implement personal firewalls.
C. enable logging on at users’ desktops.
D. monitor the network with an IDS (Intrusion Detection System).

Answer: A

240. Instant Messaging is most vulnerable to:

A. DoS (Denial of Service).
B. fraud.
C. stability.
D. sniffing.

Answer: D

241. What type of security mechanism can be applied to modems to better authenticate remote users?

A. firewalls
B. encryption
C. SSH (Secure Shell)
D. callback

Answer: D

242. Despite regular system backups a significant risk still exists if:

A. recovery procedures are not tested
B. all users do not log off while the backup is made
C. backup media is moved to an off-site location
D. an administrator notices a failure during the backup process

Answer: A

243. What are three characteristics of a computer virus?

A. find mechanism, initiation mechanism and propagate
B. learning mechanism, contamination mechanism and exploit
C. search mechanism, connection mechanism and integrate
D. replication mechanism, activation mechanism and objective

Answer: D

244. Technical security measures and countermeasures are primarily intended to prevent:

A. unauthorized access, unauthorized modification, and denial of authorized access.
B. interoperability of the framework, unauthorized modification, and denial of authorized access.
C. potential discovery of access, interoperability of the framework, and denial of authorized access.
D. interoperability of the framework, unauthorized modification, and unauthorized access.

Answer: A

245. Impersonating a dissatisfied customer of a company and requesting a password change on the customer’s account is a form of:

A. hostile code.
B. social engineering.
C. IP (Internet Protocol) spoofing.
D. man in the middle attack.

Answer: B

246. The basic strategy that should be used when configuring the rules for a secure firewall is:

A. permit all.
B. deny all.
C. default permit.
D. default deny.

Answer: D

247. An employer gives an employee a laptop computer to use remotely. The user installs personal applications on the laptop and overwrites some system files. How might this have been prevented with minimal impact on corporate productivity?

A. Users should not be given laptop computers in order to prevent this type of occurrence.
B. The user should have received instructions as to what is allowed to be installed.
C. The hard disk should have been made read-only.
D. Biometrics should have been used to authenticate the user before allowing software installation.

Answer: B

248. A fundamental risk management assumption is that computers can NEVER be completely:

A. secure until all vendor patches are installed.
B. secure unless they have a variable password.
C. secure.
D. secure unless they have only one user.

Answer: C

249. DDoS (Distributed Denial of Service) is most commonly accomplished by:

A. internal host computers simultaneously failing.
B. overwhelming and shutting down multiple services on a server.
C. multiple servers or routers monopolizing and overwhelming the bandwidth of a particular server or router.
D. an individual e-mail address list being used to distribute a virus.

Answer: C

250. IEEE (Institute of Electrical and Electronics Engineers) 802.11b is capable of providing data rates of up to:

A. 10Mbps (Megabits per second).
B. 10.5Mbps (Megabits per second).
C. 11 Mbps (Megabits per second).
D. 12 Mbps (Megabits per second).

Answer: C

251. A team organized for the purpose of handling security crises is called a(n):

A. computer information team.
B. security resources team.
C. active detection team.
D. incident response team.

Answer: D

252. Which security architecture utilizes authentication header and/or encapsulating security payload protocols?

A. IPSec (Internet Protocol Security).
B. SSL (Secure Sockets Layer).
C. TLS (Transport Layer Security).
D. PPTP (Point-to-Point Tunneling Protocol).

Answer: A

253. Tunneling is best described as the act of encapsulating:

A. encrypted/secure IP packets inside of ordinary/non-secure IP packets.
B. ordinary/non-secure IP packets inside of encrypted/secure IP packets.
C. encrypted/secure IP packets inside of encrypted/non-secure IP packets.
D. ordinary/secure IP packets inside of ordinary/non-secure IP packets.

Answer: B

254. What is a good practice in deploying a CA (Certificate Authority)?

A. enroll users for policy based certificates.
B. create a CPS (Certificate Practice Statement).
C. register the CA (Certificate Authority) with a subordinate CA (Certificate Authority).
D. create a mirror CA (Certificate Authority) for fault tolerance.

Answer: B

255. What is the most common goal of operating system logging?

A. to determine the amount of time employees spend using various applications.
B. to keep a record of system usage.
C. to provide details of what systems have been compromised.
D. to provide details of which systems are interconnected.

Answer: B

256. Poor programming techniques and lack of code review can lead to which of the following type of attack?

A. CGI (Common Gateway Interface) script.
B. birthday.
C. buffer overflow.
D. dictionary.

Answer: C

257. When a patch is released for a server the administrator should:

A. immediately download and install the patch.
B. test the patch on a non-production server then install the patch to production.
C. not install the patch unless there is a current need.
D. install the patch and then backup the production server.

Answer: B

258. An attacker attempting to penetrate a company’s network through its remote access system would most likely gain access through what method?

A. war dialer.
B. Trojan horse.
C. DoS (Denial of Service).
D. worm.

Answer: A

259. A company’s web server is configured for the following services: HTTP (Hypertext Transfer Protocol), SSL (Secure Sockets Layer), FTP (File Transfer Protocol), SMTP (Simple Mail Transfer Protocol). The web server is placed into a DMZ (Demilitarized Zone). What are the standard ports on the firewall that must be opened to allow traffic to and from the server?

A. 119, 23, 21, 80.
B. 443, 119, 21, 1250.
C. 80, 443, 21, 25.
D. 80, 443, 110, 21.

Answer: C

260. Which systems should be included in a disaster recovery plan?

A. all systems.
B. those identified by the board of directors, president or owner.
C. financial systems and human resources systems.
D. systems identified in a formal risk analysis process.

Answer: D

261. A PKI (Public Key Infrastructure) document that serves as the vehicle on which to base common interoperability standards and common assurance criteria on an industry wide basis is a certificate:

A. policy.
B. practice.
C. procedure.
D. process.

Answer: A

262. When hardening a machine against external attacks, what process should be followed when disabling services?

A. disable services such as DHCP (Dynamic Host Configuration Protocol) client and print servers from servers that do not use/serve those functions.
B. disable one unnecessary service after another, while reviewing the effects of the previous action.
C. research the services and their dependencies before disabling any default services.
D. disable services not directly related to financial operations.

Answer: C

263. Which of the following will let a security administrator allow only HTTP (Hypertext Transfer Protocol) traffic for outbound Internet connections and set permissions to allow only certain users to browse the web?

A. packet filtering firewall.
B. protocol analyzer.
C. proxy server.
D. stateful firewall.

Answer: C

264. Which of the following is NOT a characteristic of DEN (Directory Enabled Networking)?

A. It is mapped into the directory defined as part of the LDAP (Lightweight Directory Access Protocol).
B. It is inferior to SNMP (Simple Network Management Protocol).
C. It is an object oriented information model.
D. It is an industry standard indicating how to construct and store information about a network’s users, applications and data.

Answer: B

265. The system administrator concerned about security has designated a special area in which to place the web server away from other servers on the network. This area is commonly known as the:

A. honey pot
B. hybrid subnet
C. DMZ (Demilitarized Zone).
D. VLAN (Virtual Local Area Network)

Answer: C

266. Which of the following IP (Internet Protocol) address schemes will require NAT (Network Address Translation) to connect to the Internet?

A. 204.180.0.0/24
B. 172.16.0.0/24
C. 192.172.0.0/24
D. 172.48.0.0/24

Answer: B

267. What is the primary DISADVANTAGE of a third party relay?

A. Spammers can utilize the relay.
B. The relay limits access to specific users.
C. The relay restricts the types of e-mail that may be sent.
D. The relay restricts spammers from gaining access.

Answer: A

268. A network administrator wants to connect a network to the Internet but does not want to compromise internal network IP (Internet Protocol) addresses. What should the network administrator implement?

A. a honey pot
B. a NAT (Network Address Translation)
C. a VPN (Virtual Private Network)
D. a screened network

Answer: B

269. Which of the following is NOT a field of an X.509 v3 certificate?

A. private key
B. issuer
C. serial number
D. subject

Answer: A


270. What is the default transport layer protocol and port number that SSL (Secure Sockets Layer) uses?

A. UDP (User Datagram Protocol) transport layer protocol and port 80
B. TCP (Transmission Control Protocol) transport layer protocol and port 80
C. TCP (Transmission Control Protocol) transport layer protocol and port 443
D. UDP (User Datagram Protocol) transport layer protocol and port 69

Answer: C

271. The greater the keyspace and complexity of a password, the longer a ________ attack may take to crack the password.

A. dictionary
B. brute force
C. inference
D. frontal

Answer: B
272. Security requirements for servers DO NOT typically include:

A. the absence of vulnerabilities used by known forms of attack against server hosts
B. the ability to allow administrative activities to all users
C. the ability to deny access to information on the server other than that intended to be available
D. the ability to disable unnecessary network services that may be built into the operating system or server software

Answer: B

273. When a cryptographic system’s keys are no longer needed, the keys should be:

A. destroyed or stored in a secure manner
B. deleted from the system’s storage mechanism
C. recycled
D. submitted to a key repository

Answer: A
274. Creation of an information inventory is most valuable when:

A. localizing license based attacks
B. trying to reconstruct damaged systems
C. determining virus penetration within an enterprise
D. terminating employees for security policy violations

Answer: B

275. A network administrator wants to restrict internal access to other parts of the network. The network restrictions must be implemented with the least amount of administrative overhead and must be hardware based. What is the best solution?

A. implement firewalls between subnets to restrict access
B. implement a VLAN (Virtual Local Area Network) to restrict network access
C. implement a proxy server to restrict access
D. implement a VPN (Virtual Private Network)

Answer: B



276. Which of the following is the best reason for a CA (Certificate Authority) to revoke a certificate?

A. The user’s certificate has been idle for two months.
B. The user has relocated to another address.
C. The user’s private key has been compromised.
D. The user’s public key has been compromised.

Answer: C


277. Which of the following correctly identifies some of the contents of an end user’s X.509 certificate?
A. user’s public key, object identifiers, and the location of the user’s electronic identity
B. user’s public key, the CA (Certificate Authority) distinguished name, and the type of symmetric algorithm used for encryption
C. user’s public key, the certificate’s serial number, and the certificate’s validity dates
D. user’s public key, the serial number of the CA (Certificate Authority) certificate, and the CRL (Certificate Revocation List) entry point
Answer: C


278. Which of the following is a protocol generally used for secure web transactions?

A. S/MIME (Secure Multipurpose Internet Mail Extensions)
B. XML (Extensible Markup Language)
C. SSL (Secure Sockets Layer)
D. SMTP (Simple Mail Transfer Protocol)
Answer: C

279. Which of the following statements identifies a characteristic of a symmetric algorithm?

A. performs a fast transformation of data relative to other cryptographic methods
B. regardless of the size of the user’s input data, the size of the output data is fixed.
C. is relatively slow in transforming data when compared to other cryptographic methods
D. includes a one way function where it is computationally infeasible for another entity to determine the input data from the output data
Answer: A

280. Assuring the recipient that a message has not been altered in transit is an example of which of the following:

A. integrity
B. static assurance
C. dynamic assurance
D. cyclical check sequence

Answer: A


281. Being able to verify that a message received has not been modified in transit is defined as:
A. authorization
B. non-repudiation
C. integrity
D. cryptographic mapping

Answer: C


282. Which of the following terms represents a MAC (Mandatory Access Control) model?

A. Lattice
B. Bell-LaPadula
C. Biba
D. Clark-Wilson

Answer: A


283. The most common method of social engineering is:

A. looking through users’ trash for information
B. calling users and asking for information
C. e-mailing users and asking for information
D. e-mail

Answer: B


284. In the context of the Internet, what is tunneling? Tunneling is:

A. using the Internet as part of a private secure network
B. the ability to burrow through three levels of firewalls
C. the ability to pass information over the internet within the shortest amount of time
D. creating a tunnel which can capture data

Answer: A

285. An effective method of preventing computer viruses from spreading is to:

A. require root/administrator access to run programs
B. enable scanning of e-mail attachments
C. prevent the execution of .vbs files
D. install a host based IDS (Intrusion Detection System)

Answer: B

286. The term cold site refers to:
A. a low temperature facility for long term storage of critical data
B. a location to begin operations during disaster recovery
C. a facility seldom used for high performance equipment
D. a location that is transparent to potential attackers

Answer: B

287. Sensitive material is currently displayed on a user’s monitor. What is the best course of action for the user before leaving the area?

A. The user should leave the area. The monitor is at a personal desk so there is no risk.
B. turn off the monitor
C. wait for the screen saver to start
D. refer to the company's policy on securing sensitive data

Answer: D


288. The system administrator of the company has terminated employment unexpectedly. When the administrator’s user ID is deleted, the system suddenly begins deleting files.
This is an example of what type of malicious code?

A. logic bomb
B. virus
C. Trojan horse
D. worm

Answer: A

289. With regards to the use of Instant Messaging, which of the following type of attack strategies is effectively combated with user awareness training?

A. social engineering
B. stealth
C. ambush
D. multi-pronged

Answer: A


290. What would NOT improve the physical security of workstations?

A. lockable cases, keyboards, and removable media drives
B. key or password protected configuration and setup
C. password required to boot
D. strong passwords

Answer: D


291. What authentication problem is addressed by single sign on?

A. authorization through multiple servers
B. multiple domains
C. multi-factor authentication
D. multiple usernames and passwords

Answer: D

292. Access controls based on security labels associated with each data item and each user are known as:

A. MACs (Mandatory Access Control)
B. RBACs (Role Based Access Control)
C. LBACs (List Based Access Control)
D. DACs (Discretionary Access Control)

Answer: A

293. A network administrator has just replaced a hub with a switch. When using software to sniff packets from the networks, the administrator notices conversations the administrator’s computer is having with servers on the network, but can no longer see conversations taking place between other network clients and servers. Given that the switch is functioning properly, what is the most likely cause of this?

A. With the exception of broadcasts, switches do not forward traffic out all ports.
B. The switch is setup with a VLAN (Virtual Local Area Network) utilizing all ports.
C. The software used to sniff packets is not configured properly.
D. The sniffer’s ethernet card is malfunctioning.

Answer: A

294. Which type of password generator is based on challenge-response mechanisms?

A. asynchronous
B. synchronous
C. cryptographic keys
D. smart cards

Answer: A


295. Which of the following is a characteristic of MAC (Mandatory Access Control) systems? MACs (Mandatory Access Control):

A. uses levels of security to classify users and data
B. allows owners of documents to determine who has access to specific documents
C. uses access control lists which specify a list of authorized users
D. uses access control lists which specify a list of unauthorized users

Answer: A


296. Which of the following is considered the best technical solution for reducing the threat of a man in the middle attack?

A. Implement virtual LAN (Local Area Network)
B. Implement a GRE (Generic Routing Encapsulation) tunnel or IPIP (IP-within-IP) encapsulation
C. Implement PKI (Public Key Infrastructure)
D. Implement enforcement of badge system

Answer: C

297. Companies without an acceptable use policy (AUP) may give their employees an
expectation of:

A. intrusions
B. audits
C. privacy
D. prosecution

Answer: C

298. An administrator is concerned with viruses in e-mail attachments being distributed and inadvertently installed on users’ workstations. If the administrator set up an attachment filter, what types of attachments should be filtered from e-mails to minimize the danger of viruses?

A. text files
B. image files
C. sound files
D. executable files

Answer: D


299. It is most difficult to eavesdrop on which of the following types of network cabling?

A. fiber optic cable
B. coaxial cable
C. UTP (Unshielded Twisted Pair)
D. STP (Shielded Twisted Pair)

Answer: A


300. Implementation of access control devices and technologies must fully reflect an organization’s security position as contained in its:

A. ACLs (Access Control List)
B. access control matrixes
C. information security policies
D. internal control procedures

Answer: C

Security+ SY0-101

301. Which of the following are tunneling protocols?

A. IPSec (Internet Protocol Security), L2TP (Layer Two Tunneling Protocol), and SSL (Secure Sockets Layer)
B. IPSec (Internet Protocol Security), L2TP (Layer Two Tunneling Protocol), and PPP (Point-to-Point Protocol)
C. L2TP (Layer Two Tunneling Protocol), PPTP (Point-to-Point Tunneling Protocol), and SSL (Secure Sockets Layer)
D. PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer Two Tunneling Protocol), and IPSec (Internet Protocol Security)

Answer: D

302. What are TCP (Transmission Control Protocol) wrappers used for?
A. preventing IP (Internet Protocol) spoofing
B. controlling access to selected services
C. encrypting TCP (Transmission Control Protocol) traffic
D. sniffing TCP (Transmission Control Protocol) traffic to troubleshoot

Answer: B

303. Loki, NetCat, Master's Paradise and NetBus are all considered what type of attack?

A. brute force
B. spoofing
C. back door
D. man in the middle

Answer: C

304. Which protocol is used to negotiate and provide authenticated keying material for security associations in a protected manner?

A. ISAKMP (Internet Security Association and Key Management Protocol)
B. ESP (Encapsulating Security Payload)
C. SSH (Secure Shell)
D. SKEME (Secure Key Exchange Mechanism)

Answer: A

305. An administrator wants to set up a system for an internal network that will examine all packets for known attack signatures. What type of system will be set up?

A. vulnerability scanner
B. packet filter
C. host based IDS (Intrusion Detection System)
D. network based IDS (Intrusion Detection System)

Answer: D


306. Which of the following steps in the SSL (Secure Sockets Layer) protocol allows for client and server authentication, MAC (Message Authentication Code) and encryption algorithm negotiation, and selection of cryptographic keys?

A. SSL (Secure Sockets Layer) alert protocol
B. SSL (Secure Sockets Layer) change cipher spec protocol
C. SSL (Secure Sockets Layer) record protocol
D. SSL (Secure Sockets Layer) handshake protocol

Answer: D

307. What type of attack CAN NOT be detected by an IDS (Intrusion Detection System)?

A. DoS (Denial of Service)
B. exploits of bugs or hidden features
C. spoofed e-mail
D. port scan

Answer: C

308. A password management system designed to provide availability for a large number of users includes which of the following?

A. self service password resets
B. locally saved passwords
C. multiple access methods
D. synchronized passwords

Answer: A

309. What must be done to maximize the effectiveness of system logging?
A.encrypt log files
B. rotate log files
C. print and copy log files
D. review and monitor log files

Answer: D
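Question 309 makes the point that logs are only useful if someone actually reviews them. The block below is an added example, not part of the original question bank: it runs a simple review over a handful of constructed OpenSSH-style auth log lines (the host name, addresses and users are made up), counts failed logins per source address, and flags a source that exceeds a threshold, including the case where a success follows a burst of failures, which is the pattern a brute-force attack leaves behind. The regular expressions match the standard "Failed password" / "Accepted" message formats of OpenSSH; the threshold value is an assumption for the example.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample lines in syslog/OpenSSH format (not from a real host).
SAMPLE_AUTH_LOG = """\
Feb 11 09:01:02 bastion sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Feb 11 09:01:04 bastion sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Feb 11 09:01:06 bastion sshd[2233]: Failed password for root from 198.51.100.23 port 51030 ssh2
Feb 11 09:01:09 bastion sshd[2235]: Failed password for root from 198.51.100.23 port 51041 ssh2
Feb 11 09:01:11 bastion sshd[2237]: Failed password for oracle from 198.51.100.23 port 51055 ssh2
Feb 11 09:01:13 bastion sshd[2239]: Accepted publickey for deploy from 203.0.113.8 port 40122 ssh2
Feb 11 09:02:40 bastion sshd[2244]: Failed password for alice from 203.0.113.8 port 40130 ssh2
Feb 11 09:02:45 bastion sshd[2244]: Accepted password for alice from 203.0.113.8 port 40130 ssh2
Feb 11 09:03:00 bastion sshd[2250]: Accepted password for root from 198.51.100.23 port 51070 ssh2
"""

# OpenSSH message formats: failures name the user (prefixed with "invalid user"
# when the account does not exist) and the source address; successes name the method.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")


def parse(log_text: str) -> List[Tuple[str, str, str]]:
    """Turn log lines into (kind, user, source) events, in file order."""
    events = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            events.append(("fail", m.group(1), m.group(2)))
            continue
        m = ACCEPTED.search(line)
        if m:
            events.append(("ok", m.group(2), m.group(3)))
    return events


def review(log_text: str, threshold: int = 3) -> Dict[str, dict]:
    """Flag sources with at least `threshold` failures (assumed value), and note
    whether that source later logged in successfully: a burst of failures followed
    by a success is the signature of a guessed password."""
    running: Counter = Counter()
    users = defaultdict(set)
    findings: Dict[str, dict] = {}
    for kind, user, src in parse(log_text):
        if kind == "fail":
            running[src] += 1
            users[src].add(user)
            if running[src] >= threshold:
                entry = findings.setdefault(
                    src, {"failures": 0, "users": set(), "success_after_burst": False})
                entry["failures"] = running[src]
                entry["users"] = users[src]
        elif kind == "ok" and src in findings:
            findings[src]["success_after_burst"] = True
            findings[src]["succeeded_as"] = user
    return findings


if __name__ == "__main__":
    for src, info in review(SAMPLE_AUTH_LOG).items():
        print(src, info)
```

On the constructed sample only 198.51.100.23 is flagged: five failures across three accounts and then an accepted root password, which is the line a reviewer must not miss. The single failed attempt from 203.0.113.8 stays below the threshold and is not reported.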

310. Regarding security, biometrics are used for

A. accountability
B. certification
C. authorization
D. authentication

Answer: D

311. What fingerprinting technique relies on the fact that operating systems differ in the amount of information that is quoted when ICMP (Internet Control Message Protocol) errors are encountered?

A. TCP (Transmission Control Protocol) options
B. ICMP (Internet Control Message Protocol) error message quenching
C. Fragmentation handling
D. ICMP (Internet Control Message Protocol) message quoting

Answer: D

312. Which of the following is a popular VPN (Virtual Private Network) protocol operating at OSI (Open Systems Interconnect) model Layer 3?

A. PPP (Point-to-Point Protocol)
B. SSL (Secure Sockets Layer)
C. L2TP (Layer Two Tunneling Protocol)
D. IPSec (Internet Protocol Security)

Answer: D

313. Turnstiles, double entry doors and security guards are all prevention measures for what type of social engineering?

A. piggybacking
B. looking over a co-worker’s shoulder to retrieve information
C. looking through a co-worker’s trash to retrieve information
D. impersonation
Answer: A

314. What is the major reason that social engineering attacks succeed?

A. strong passwords are not required
B. lack of security awareness
C. multiple logins are allowed
D. audit logs are not monitored frequently

Answer: B

315. Which authentication protocol should be employed to encrypt passwords?

A. PPTP (Point-to-Point Tunneling Protocol)
B. SMTP (Simple Mail Transfer Protocol)
C. Kerberos
D. CHAP (Challenge Handshake Authentication Protocol)

Answer: D

316. NAT (Network Address Translation) can be accomplished with which of the following?

A. static and dynamic NAT (Network Address Translation) and PAT (Port Address Translation)
B. static and hide NAT (Network Address Translation)
C. static and hide NAT (Network Address Translation) and PAT (Port Address Translation)
D. static, hide, and dynamic NAT (Network Address Translation)
Answer: C

317. In order for an SSL (Secure Sockets Layer) connection to be established between a web client and server automatically, the web client and server should have a(n):

A. shared password
B. certificate signed by a trusted root CA (Certificate Authority)
C. address on the same subnet
D. common operating system

Answer: B

318. A mobile sales force requires remote connectivity in order to access shared files and e-mail on the corporate network. All employees in the sales department have laptops equipped with ethernet adapters. Some also have modems. What is the best remote access solution to allow all sales employees to access the corporate network?

A. ISDN (Integrated Services Digital Network)
B. dial-up
C. SSL (Secure Sockets Layer)
D. VPN (Virtual Private Network)

Answer: D

319. An example of a physical access barrier would be

A. video surveillance
B. personnel traffic pattern management
C. security guard
D. motion detector

Answer: C

320. What media provides the best protection against electromagnetic interference?

A. coaxial cable
B. UTP (Unshielded Twisted Pair)
C. STP (Shielded Twisted Pair)
D. fiber optic cable

Answer: D

321. Which of the following four critical functions of a VPN (Virtual Private Network) restricts users from using resources in a corporate network?

A. access control
B. authentication
C. confidentiality
D. data integrity

Answer: A


322. Of the following, what is the primary attribute associated with e-mail hoaxes?

A. E-mail hoaxes create unnecessary e-mail traffic and panic in non-technical users.
B. E-mail hoaxes take up large amounts of server disk space.
C. E-mail hoaxes can cause buffer overflows on the e-mail server.
D. E-mail hoaxes can encourage malicious users.

Answer: A



323. Most certificates used for authentication are based on what standard?

A. ISO 19278
B. X.500
C. RFC 1205
D. X.509 v3

Answer: D


324. In order for User A to send User B an e-mail message that only User B can read, User A must encrypt the e-mail with which of the following keys?

A. User B’s public key
B. User B’s private key
C. User A’s public key
D. User A’s private key

Answer: A

325. What does the message recipient use with the hash value to verify a digital signature?

A. signer’s private key
B. receiver’s private key
C. signer’s public key
D. receiver’s public key
Answer: C

326. While surfing the Internet a user encounters a pop-up window that prompts the user to download a browser plug-in. The pop-up window is a certificate which validates the identity of the plug-in developer. Which of the following best describes this type of certificate?

A. software publisher certificate
B. web certificate
C. CA (Certificate Authority) certificate
D. server certificate

Answer: A


327. The public key infrastructure model where certificates are issued and revoked via a
CA (Certificate Authority) is what type of model?

A. managed
B. distributed
C. centralized
D. standard

Answer: C

328. Company intranets, newsletters, posters, login banners and e-mails would be good tools to utilize in a security:

A. investigation
B. awareness program
C. policy review
D. control test
Answer: B

329. What is a network administrator protecting against by applying ingress/egress filtering to traffic as follows:

Any packet coming into the network must not have a source address of the internal network.
Any packet coming into the network must have a destination address from the internal network.
Any packet leaving the network must have a source address from the internal network.
Any packet leaving the network must not have a destination address from the internal network.
Any packet coming into the network or leaving the network must not have a source or destination address of a private address or an address listed in RFC 1918 reserved space.

A. SYN (Synchronize) flooding
B. spoofing
C. DoS (Denial of Service) attacks
D. dictionary attacks

Answer: B
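The five rules in question 329 are the classic anti-spoofing filter set (the same idea as RFC 2827 / BCP 38 ingress filtering). The block below is an added example, not from the question bank: it encodes those rules as a small packet filter and runs it over constructed sample packets. The internal prefix 203.0.113.0/24 and the sample addresses are assumptions taken from the documentation ranges; the RFC 1918 ranges are the real ones.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical internal network for this example; the question does not name one.
INTERNAL = ipaddress.ip_network("203.0.113.0/24")
# RFC 1918 private space, which must never appear on the perimeter in either direction.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str   # "in" = arriving from the Internet, "out" = leaving towards it


def is_private(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def filter_packet(pkt: Packet) -> Tuple[bool, str]:
    """Apply the five ingress/egress rules from question 329; returns (permit, reason)."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # Rule 5: no private / RFC 1918 addresses in either direction
    if is_private(src) or is_private(dst):
        return False, "private (RFC 1918) address at the perimeter"

    if pkt.direction == "in":
        # Rule 1: an inbound packet must not claim one of our own addresses as source
        if src in INTERNAL:
            return False, "inbound packet spoofs an internal source address"
        # Rule 2: an inbound packet must be destined for us, not transit traffic
        if dst not in INTERNAL:
            return False, "inbound packet not destined for the internal network"
    elif pkt.direction == "out":
        # Rule 3: an outbound packet must carry one of our source addresses
        # (this is what stops our hosts being used for spoofed-source attacks)
        if src not in INTERNAL:
            return False, "outbound packet with a spoofed (non-internal) source"
        # Rule 4: an outbound packet must not be destined for the internal network
        if dst in INTERNAL:
            return False, "outbound packet destined for the internal network"
    else:
        return False, "unknown direction"

    return True, "permit"


# Constructed sample traffic (documentation ranges only)
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "203.0.113.10", "in"),    # legitimate inbound
    Packet("203.0.113.5", "203.0.113.10", "in"),     # inbound with internal source: spoofed
    Packet("198.51.100.7", "198.51.100.9", "in"),    # inbound transit traffic: not ours
    Packet("203.0.113.10", "198.51.100.7", "out"),   # legitimate outbound
    Packet("198.51.100.7", "198.51.100.9", "out"),   # outbound with foreign source: spoofed
    Packet("10.1.2.3", "203.0.113.10", "in"),        # RFC 1918 source arriving from the Internet
]


def run_filter(packets: List[Packet] = SAMPLE_PACKETS) -> List[Tuple[bool, str]]:
    return [filter_packet(p) for p in packets]


if __name__ == "__main__":
    for pkt, (permit, reason) in zip(SAMPLE_PACKETS, run_filter()):
        verdict = "PERMIT" if permit else "DENY"
        print(f"{pkt.direction:>3} {pkt.src:>15} -> {pkt.dst:<15} {verdict:6} {reason}")
```

On a real perimeter these rules live in the router or firewall ACL, not in Python; the point of the example is that each rule is a simple membership test on the source or destination address against the internal prefix, which is why the filter defeats spoofing but says nothing about the packet's payload.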

330. When hosting a web server with CGI (Common Gateway Interface) scripts, the directories for public view should have:

A. execute permissions
B. read and write permissions
C. read, write, and execute permissions
D. full control permissions

Answer: A

331. When UserA applies to the CA (Certificate Authority) requesting a certificate to allow the start of communication with User B, User A must supply the CA (Certificate Authority) with

A. User A’s public key only
B. User B’s public key only
C. User A’s and User B’s public keys
D. User A’s and User B’s public and private keys

Answer: A

332. Which of the following most accurately describes a DMZ (Demilitarized Zone)?

A. an application program with a state that authenticates the user and allows the user to be categorized based on privilege
B. a network between a protected network and an external network in order to provide an additional layer of security
C. the entire area between the network of origin and the destination network
D. an application that allows the user to remove any offensive of an attacker


Answer: B

333. Privileged accounts are most vulnerable immediately after a:

A. successful remote login
B. privileged user is terminated
C. default installation is performed
D. full system backup is performed

Answer: C

334. A protocol specified in IEEE (Institute of Electrical and Electronics Engineers) 802.11b intended to provide a WLAN (Wireless Local Area Network) with the level of security associated with a wired LAN (Local Area Network) is:

A. WEP (Wired Equivalent Privacy)
B. ISSE (Information Systems Security Engineering)
C. ISDN (Integrated Services Digital Network)
D. VPN (Virtual Private Network)

Answer: A

335. SSL (Secure Sockets Layer) operates between which two layers of the OSI (Open Systems Interconnection) model?

A. application and transport
B. transport and network
C. network and data link
D. data link and physical

Answer: A


336. A network attack that misuses TCP's (Transmission Control Protocol) three way handshake to overload servers and deny access to legitimate users is called a:

A. man in the middle
B. smurf
C. teardrop
D. SYN

Answer: D

337. What are the three entities of the SQL (Structured Query Language) security model?

A. actions, objects and tables
B. actions, objects and users
C. tables, objects and users
D. users, actions and tables

Answer: B

338. Which is of greatest importance when considering physical security?

A. reduce overall opportunity for an intrusion to occur
B. make alarm identification easy for security professionals
C. barricade all entry points against unauthorized entry
D. assess the impact of crime zoning and environmental considerations in the overall design
Answer: A

339. The flow of packets traveling through routers can be controlled by implementing what type of security mechanism?

A. ACLs (Access Control List)
B. fault tolerance tables
C. OSPF (Open Shortest Path First) policy
D. packet locks

Answer: A

340. Clients in Company A can view web sites that have been created for them, but CAN NOT navigate in them. Why might the clients not be able to navigate in the sites?

A. The sites have improper permissions assigned to them.
B. The server is in a DMZ (Demilitarized Zone).
C. The sites have IP (Internet Protocol) filtering enabled.
D. The server has heavy traffic.

Answer: A

341. The goal of TCP (Transmission Control Protocol) hijacking is:

A. taking over a legitimate TCP (Transmission Control Protocol) connection
B. predicting the TCP (Transmission Control Protocol) sequence number
C. identifying the TCP (Transmission Control Protocol) port for future exploitation
D. identifying source addresses for malicious use

Answer: A

342. The system administrator has just used a program that highlighted the susceptibility of several servers on the network to various exploits. The program also suggested fixes. What type of program was used?

A. intrusion detection
B. port scanner
C. vulnerability scanner
D. Trojan scanner

Answer: C

343. A password security policy can help a system administrator to decrease the probability that a password can be guessed by reducing the password’s:

A. length
B. lifetime
C. encryption level
D. alphabet set
Answer: B

344. How can an e-mail administrator prevent malicious users from sending e-mails from non-existent domains?

A. enable DNS (Domain Name Service) reverse lookup on the e-mail server
B. enable DNS (Domain Name Service) forward lookup on the e-mail server
C. enable DNS (Domain Name Service) recursive queries on the DNS (Domain Name Service) server
D. enable DNS (Domain Name Service) recurring queries on the DNS (Domain Name Service) server

Answer: A

345. TCP/IP (Transmission Control Protocol/Internet Protocol) hijacking results from exploitation of the fact that TCP/IP (Transmission Control Protocol/Internet Protocol):

A. has no authentication mechanism, thus allowing a cleartext password of 16 bytes
B. allows packets to be tunneled to an alternate network
C. has no authentication mechanism, and therefore allows connectionless packets from anyone
D. allows a packet to be spoofed and inserted into a stream, thereby enabling commands to be executed on the remote host

Answer: D

346. Intruders are detected accessing an internal network. The source IP (Internet Protocol) addresses originate from trusted networks. The most common type of attack in this scenario is:

A. social engineering
B. TCP/IP hijacking
C. smurfing
D. spoofing

Answer: D

347. Which of the following is used to authenticate and encrypt IP (Internet Protocol) traffic?

A. ESP (Encapsulating Security Payload)
B. S/MIME (Secure Multipurpose Internet Mail Extensions)
C. IPSec (Internet Protocol Security)
D. IPv2 (Internet Protocol version 2)

Answer: C

348. An administrator is configuring a server to make it less susceptible to an attacker obtaining the user account passwords. The administrator decides to have the encrypted passwords contained within a file that is readable only by root. What is a common name for this file?

A. passwd
B. shadow
C. hosts.allow
D. hosts.deny

Answer: B
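Question 348 is about moving password hashes out of the world-readable passwd file into a root-only shadow file. The block below is an added example, not from the question bank: it audits a pair of constructed passwd/shadow files (the user names and hash strings are fake, shaped like real crypt(3) output) for the mistakes a practitioner checks for after that move: a hash left behind in passwd, an empty shadow password, and hashes produced by weak algorithms (MD5-crypt `$1$` or traditional 13-character DES crypt). The set of "weak" prefixes is a judgement call for this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample files (not from a real host); hash strings are fakes in the right shape.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$1$saltsalt$eC7Xp4qx2m5k8fQn1vB0Z/:1001:1001:Legacy app:/home/legacy:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/bash
guest:x:1003:1003:Guest:/home/guest:/bin/bash
oldsvc:x:1004:1004:Old service:/home/oldsvc:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$F4kEhAsH0vAlUeF0rRo0t:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$saltsalt$AnOtHeRf4kEhAsHf0rAlIcE:19000:0:99999:7:::
guest::19000:0:99999:7:::
oldsvc:ab3Xk9pQrLmNo:19000:0:99999:7:::
"""

LOCKED = ("*", "!", "!!")                 # conventional "no password login" markers
WEAK_PREFIXES = {"$1$": "MD5-crypt"}      # assumption for this example: treat MD5-crypt as weak


def parse_colon_file(text: str) -> dict:
    """Map user name -> list of fields for a passwd- or shadow-style file."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def classify_hash(value: str) -> Optional[str]:
    """Return None for a locked or acceptable hash, or a reason string if it is weak."""
    if value.startswith(LOCKED):
        return None
    if value.startswith("$"):
        prefix = "$" + value.split("$")[1] + "$"     # "$6$", "$1$", "$y$", ...
        if prefix in WEAK_PREFIXES:
            return f"weak hash algorithm {prefix} ({WEAK_PREFIXES[prefix]})"
        return None
    # No $id$ prefix: traditional 13-character DES crypt (2 salt chars + 11)
    if re.fullmatch(r"[./0-9A-Za-z]{13}", value):
        return "weak hash algorithm (traditional DES crypt)"
    return "unrecognised hash format"


def audit(passwd_text: str, shadow_text: str) -> List[Tuple[str, str]]:
    """Return sorted (user, issue) pairs for the problems described in the lead-in."""
    findings = []
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    for user, fields in passwd.items():
        pw = fields[1]
        if pw == "":
            findings.append((user, "empty password in passwd"))
            continue
        if pw != "x":
            # The whole point of /etc/shadow: hashes must not sit in world-readable passwd
            findings.append((user, "password hash stored in world-readable passwd"))
            weak = classify_hash(pw)
            if weak:
                findings.append((user, weak))
            continue
        if user not in shadow:
            findings.append((user, "no shadow entry"))
            continue
        spw = shadow[user][1]
        if spw == "":
            findings.append((user, "empty password in shadow (login without a password)"))
            continue
        weak = classify_hash(spw)
        if weak:
            findings.append((user, weak))
    return sorted(findings)


if __name__ == "__main__":
    for user, issue in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user:8} {issue}")
```

Against the constructed files the audit reports the `legacy` account twice (hash in passwd, and an MD5-crypt hash at that), `guest` for an empty shadow field, and `oldsvc` for a DES hash; `root`, `alice` (SHA-512 crypt) and the locked `daemon` account pass.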

349. Which of the following is the best IDS (Intrusion Detection System) to monitor the-entire network?

A. a network based IDS (Intrusion Detection System)
B. a host based IDS (Intrusion Detection System)
C. a user based IDS (Intrusion Detection System)
D. a client based IDS (Intrusion Detection System)

Answer: A

350. SSL (Secure Sockets Layer) session keys are available in what two lengths?

A. 40-bit and 64-bit
B. 40-bit and 128-bit
C. 64-bit and 128-bit
D. 128-bit and 1,024-bit

Answer: B

351. One of the primary concerns of a centralized key management system is that?

A. keys must be stored and distributed securely
B. certificates must be made readily available
C. the key repository must be publicly accessible
D. the certificate contents must be kept confidential

Answer: A

352. An extranet would be best defined as an area or zone:

A. set aside for a business to store extra servers for internal use
B. accessible to the general public for accessing the business’ web site
C. that allows a business to securely transact with other businesses
D. added after the original network was built for additional storage

Answer: C

353. What standard security protocol provides security and privacy in a WLAN (Wireless Local Area Network)?

A. SWP (Secure WLAN Protocol)
B. WEP (Wired Equivalent Privacy)
C. SSL (Secure Sockets Layer)
D. S/MIME (Secure Multipurpose Internet Mail Extensions)

Answer: B

354. What port scanning technique is used to see what ports are in a listening state and then performs a two way handshake?

A. TCP (Transmission Control Protocol) SYN (Synchronize) scan
B. TCP (Transmission Control Protocol) connect scan
C. TCP (Transmission Control Protocol) FIN scan
D. TCP (Transmission Control Protocol) NULL scan

Answer: A

355. Performing a security vulnerability assessment on systems that a company relies on demonstrates:

A. that the site CAN NOT be hacked
B. a commitment to protecting data and customers
C. insecurity on the part of the organization
D. a needless fear of attack

Answer: B

356. The best reason to perform a business impact analysis as part of the business continuity planning process is to:

A. test the veracity of data obtained from risk analysis
B. obtain formal agreement on maximum tolerable downtime
C. create the framework for designing tests to determine efficiency of business continuity plans
D. satisfy documentation requirements of insurance companies covering risks of systems and data important for business continuity
Answer: B

357. A FTP (File Transfer Protocol) bounce attack is generally used to:

A. exploit a buffer overflow vulnerability on the FTP (File Transfer Protocol) server
B. reboot the FTP (File Transfer Protocol) server
C. store and distribute malicious code
D. establish a connection between the FTP (File Transfer Protocol) server and another computer

Answer: D

358. E-mail servers have a configuration choice which allows the relaying of messages from one e-mail server to another. An e-mail server should be configured to prevent e-mail relay because:

A. untraceable, unwanted e-mail can be sent
B. an attacker can gain access and take over the server
C. confidential information in the server’s e-mail boxes can be read using the relay
D. the open relay can be used to gain control of nodes on additional networks

Answer: A

359. S/MIME (Secure Multipurpose Internet Mail Extensions) is used to:

A. encrypt user names and profiles to ensure privacy
B. encrypt messages and files
C. encrypt network sessions acting as a VPN (Virtual Private Network) client
D. automatically encrypt all outbound messages

Answer: B


360. A security designer is planning the implementation of security mechanisms in a RBAC (Role Based Access Control) compliant system. The designer has determined that there are three types of resources in the system including files, printers, and mailboxes. The organization has four distinct departments with distinct functions including Sales, Marketing, Management, and Production. Each department needs access to different resources. Each user has a workstation. Which roles should be created to support the RBAC (Role Based Access Control) model?

A. file, printer, and mailbox roles
B. sales, marketing, management, and production roles
C. user and workstation roles
D. allow access and deny access roles

Answer: B

361. A network administrator is having difficulty establishing a L2TP (Layer Two Tunneling Protocol) VPN (Virtual Private Network) tunnel with IPSec (Internet Protocol Security) between a remote dial-up client and the firewall, through a perimeter router. The administrator has confirmed that the client's and firewall's IKE (Internet Key Exchange) policy and IPSec (Internet Protocol Security) policy are identical. The appropriate L2TP (Layer Two Tunneling Protocol) and IKE (Internet Key Exchange) transport layer ports have also been allowed on the perimeter router and firewall.

What additional step must be performed on the perimeter router and firewall to allow AH (Authentication Header) and ESP (Encapsulating Security Payload) tunnel-encapsulated IPSec (Internet Protocol Security) traffic to flow between the client and the firewall?


A. configure the perimeter router and firewall to allow inbound protocol number 51 for ESP (Encapsulating Security Payload) encapsulated IPSec (Internet Protocol Security) traffic
B. configure the perimeter router and firewall to allow inbound protocol number 49 for ESP (Encapsulating Security Payload) and AH (Authentication Header) encapsulated IPSec (Internet Protocol Security) traffic.

C. configure the perimeter router and firewall to allow inbound protocol numbers 50 and 51 for ESP (Encapsulating Security Payload) and AH (Authentication Header) encapsulated IPSec (Internet Protocol Security) traffic.

D. configure the perimeter router and firewall to allow inbound protocol numbers 52 and 53 for AH (Authentication Header) and ESP (Encapsulating SecurityPayload) encapsulated IPSec (Internet Protocol Security) traffic

Answer: C

362. What is the best method of reducing vulnerability from dumpster diving?

A. hire additional staff
B. destroy papers and other media
C. install surveillance
D. empty trash can frequently

Answer: B


363. One characteristic of biometrics is:

A. it does not require a password
B. it is 100% effective
C. false positives are rare
D. false negatives are rare

Answer: A


364. As a security administrator, what are the three categories of active responses relating to intrusion detection?

A. collect additional information, maintain the environment, and take action against the intruder

B. collect additional information, maintain the environment, and take action against the intruder

C. collect additional information, change the environment, and take action against the intruder

D. discard any additional information, change the environment, and take action against the intruder

Answer: C

365. Intrusion detection systems typically consist of two parts, a console and a:

A. sensor
B. router
C. processor
D. firewall

Answer: A

366. The owner of a file modifies the security settings of that file on the servers to
limit access to specific individuals. Which method of security is being applied?

A. MAC (Mandatory Access Control)
B. DAC (Discretionary Access Control)
C. SAC (Subject Access Control)
D. RBAC (Role Based Access Control)

Answer: B

367. A block cipher is an example of which of the following encryption algorithms?

A. asymmetric key
B. public key
C. symmetric key
D. unkeyed

Answer: C

368. What is the best defense against man in the middle?

A. a firewall
B. strong encryption
C. strong authentication
D. strong passwords

Answer: B

369. There are a number of ports in TCP/IP that can be scanned, exploited or
attacked. How many ports are vulnerable to such operations?

A. 32
B. 1,024
C. 65,535
D. 16,777,216

Answer: C

370. Which of the following makes a token based authentication system very difficult
to attack?

A. a token uses a digital certificate
B. a token is something that is physically possessed
C. a token can only be used once
D. a token can only be used by the intended owner.

Answer: B

371. What are the 4 major components of ISAKMP?
(Internet Security Association and Key Management Protocol)

A. authentication of peers, threat management, communication management, and cryptographic key establishment.
B. authentication of peers, threat management, communication management, and cryptographic key establishment.
C. authentication of peers, threat management, security association creation and management, cryptographic key establishment and management.
D. authentication of peers, threat management, security association creation, and cryptographic key establishment.

Answer: C

372. A major difference between a worm and a Trojan horse is :

A. worms are spread via e-mail and Trojans are not
B. worms are self replicating and Trojans are not
C. worms are a form malicious code and Trojans are not
D. there is no difference

Answer: B

373. When a user digitally signs a document an asymmetric algorithm is used to encrypt:

A. secret passkeys
B. file contents
C. certificates
D. hash results

Answer: D
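Questions 324, 325 and 373 describe the two uses of an asymmetric key pair: the signer transforms the hash of the document with the private key and the recipient undoes it with the signer's public key (325, 373), while a message meant for one reader is encrypted with that reader's public key (324). The block below is an added example, not from the question bank, that shows both operations with textbook RSA built on Python's standard library only. Everything about the parameters is an assumption chosen so the code runs offline: the modulus is the product of two small known primes and is far too short for real use, the hash is truncated to fit under the modulus instead of being padded (a real scheme uses PKCS#1 v1.5 or PSS), and the "session key" is just an integer.

```python
import hashlib
from math import gcd

# Toy key pair for illustration only: two well-known Mersenne primes.  A real RSA
# modulus is 2048 bits or more; this one is about 92 bits and must never be used.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q                    # public modulus
E = 65537                    # public exponent
PHI = (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1      # E must be invertible modulo phi(N)
D = pow(E, -1, PHI)          # private exponent (Python 3.8+ modular inverse)


def digest_int(message: bytes) -> int:
    """Hash the message and represent the 'hash results' as an integer below N.
    Truncating the digest stands in for proper signature padding in this toy."""
    h = hashlib.sha256(message).digest()
    return int.from_bytes(h[:11], "big")     # 88 bits, always < N (~2**92)


def sign(message: bytes, private_exp: int = D) -> int:
    """Signer: apply the private key to the hash, not to the whole document (question 373)."""
    return pow(digest_int(message), private_exp, N)


def verify(message: bytes, signature: int, public_exp: int = E) -> bool:
    """Recipient: recover the hash with the signer's public key (question 325)
    and compare it with a hash computed over the received message."""
    return pow(signature, public_exp, N) == digest_int(message)


def encrypt_for_recipient(session_key: int, public_exp: int = E) -> int:
    """Sender: encrypt with the recipient's public key (question 324); only the
    matching private key can undo this.  session_key must be < N."""
    return pow(session_key, public_exp, N)


def decrypt_with_private(ciphertext: int, private_exp: int = D) -> int:
    """Recipient: undo the encryption with their own private key."""
    return pow(ciphertext, private_exp, N)


if __name__ == "__main__":
    msg = b"Transfer 100 EUR to account 42"
    sig = sign(msg)
    print("valid signature:   ", verify(msg, sig))
    print("tampered message:  ", verify(b"Transfer 1000 EUR to account 42", sig))
    key = 0x4e1a9f0b77c23d5e88aa          # constructed 80-bit symmetric session key
    print("key round-trips:   ", decrypt_with_private(encrypt_for_recipient(key)) == key)
```

Two things the numbers make visible: signing operates on the fixed-size hash rather than the document, so the cost does not grow with the document, and changing a single character of the message changes the hash, so the stored signature no longer matches. The same key pair serves both directions only because this is a toy; in practice signing and encryption keys are kept separate.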


374. The main purpose of digital certificates is to securely bind a:

A. public key to the identity of the signer and recipient
B. private key to the identity of the signer and recipient
C. public key to the entity that holds the corresponding private key
D. private key to the entity that holds the corresponding public key

Answer: C


375. What protocol should be used to prevent intruders from using access points on a wireless network?

A. ESP (Encapsulating Security Payload)
B. WEP (Wired Equivalent Privacy)
C. TLS (Transport Layer Security)
D. SSL (Secure Sockets Layer)

Answer: B


376. What are two common methods when using a public key infrastructure for maintaining access to servers in a network?

A. ACL and PGP.
B. PIM and CRL.
C. CRL and OCSP.
D. RSA and MD2

Answer: C

377. Missing audit log entries most seriously affect an organization's ability to:

A. Recover destroyed data.
B. Legally prosecute an attacker.
C. Evaluate system vulnerabilities.
D. Create reliable system backups.

Answer: B

378. File encryption using symmetric cryptography satisfies what security requirement?

A. Confidentiality
B. Access control
C. Data integrity
D. Authentication

Answer: D


379. Dave is increasing the security of his Web site by adding SSL (Secure Sockets Layer).
Which type of encryption does SSL use?

A. Asymmetric
B. Symmetric
C. Public Key
D. Secret

Answer: B


380. During the digital signature process, asymmetric cryptography satisfied what security requirement?

A. Confidentiality
B. Access control
C. Data integrity
D. Authentication

Answer: D

381. Which of the following is NOT a characteristic of DEN (Directory Enabled Networking)?

A. It is mapped into the directory defined as part of the LDAP (Lightweight Directory Access Protocol).
B. It is inferior to SNMP (Simple Network Management Protocol).
C. It is an object oriented information model.
D. It is an industry standard indicating how to construct and store information about a network's users, applications and data.

Answer: B

382. What would NOT improve the physical security of workstations?

A. Lockable cases, keyboards, and removable media drives.
B. Key or password protected configuration and setup.
C. Password required to boot.
D. Strong passwords.

Answer: D

383. Which of the following is a popular VPN (Virtual Private Network) protocol operating at OSI (Open Systems Interconnect) model Layer 3?

A. PPP (Point-to-Point Protocol)
B. SSL (Secure Sockets Layer)
C. L2TP (Layer Two Tunneling Protocol)
D. IPSec (Internet Protocol Security)

Answer: D


384. Which of the following describes the concept of data integrity?

A. A means of determining what resources a user can use and view.
B. A method of security that ensures all data is sequenced, and numbered.
C. A means of minimizing vulnerabilities of assets and resources.
D. A mechanism applied to indicate a data's level of security.

Answer: B


385. The best protection against the abuse of remote maintenance of a PBX (Private Branch Exchange) system is to:

A. Keep maintenance features turned off until needed
B. Insist on strong authentication before allowing remote maintenance
C. Keep PBX (Private Branch Exchange) in locked enclosure and restrict access to only a few people.
D. Check to see if the maintenance caller is on the list of approved maintenance personnel

Answer: B


386. You are the first person to arrive at a crime scene. An investigator and crime scene technician arrive afterwards to take over the investigation.
Which of the following tasks will the crime scene technician be responsible for performing?

A. Ensure that any documentation and evidence they possessed is handed over to the investigator.
B. Re-establish a perimeter as new evidence presents itself.
C. Establish a chain of command.
D. Tag, bag, and inventory evidence.

Answer: D



387. Forensic procedures must be followed exactly to ensure the integrity of data obtained in an investigation.
When making copies of data from a machine that is being examined, which of the following tasks should be done to ensure it is an exact duplicate?

A. Perform a cyclic redundancy check using a checksum or hashing algorithm.
B. Change the attributes of data to make it read only.
C. Open files on the original media and compare them to the copied data.
D. Do nothing. Imaging software always makes an accurate image.

Answer: A

388. Privileged accounts are most vulnerable immediately after a:

A. Successful remote login.
B. Privileged user is terminated.
C. Default installation is performed.
D. Full system backup is performed.

Answer: C


389. Which tunneling protocol only works on IP networks?

A. IPX
B. L2TP
C. PPTP
D. SSH

Answer: C


390. One of the factors that influence the lifespan of a public key certificate and its associated keys is the:

A. Value of the information it is used to protect.
B. Cost and management fees.
C. Length of the asymmetric hash.
D. Data available openly on the cryptographic system.

Answer: A

391. Users who configure their passwords using simple and meaningful things such as pet names or birthdays are subject to having their account used by an intruder after what type of attack?

A. Dictionary attack
B. Brute Force attack
C. Spoofing attack
D. Random guess attack
E. Man in the middle attack
F. Change list attack
G. Role Based Access Control attack
H. Replay attack
I. Mickey Mouse attack

Answer: A

392. What port does TACACS use?

A. 21
B. 161
C. 53
D. 49

Answer: D

393. What is the advantage of a multi-homed firewall?

A. It is relatively inexpensive to implement.
B. The firewall rules are easier to manage.
C. If the firewall is compromised, only the systems in the DMZ (Demilitarized Zone) are exposed.
D. An attacker must circumvent two firewalls.

Answer: A


394. What type of attack CANNOT be detected by an IDS (Intrusion Detection System)?

A. DoS (Denial of Service)
B. Exploits of bugs or hidden features
C. Spoofed e-mail
D. Port scan

Answer: C


395. By definition, how many keys are needed to lock and unlock data using symmetric-key encryption?

A. 3+
B. 2
C. 1
D. 0

Answer: C


396. Data integrity is best achieved using a(n)

A. Asymmetric cipher
B. Digital certificate
C. Message digest
D. Symmetric cipher


Answer: C


397. Which of the following correctly identifies some of the contents of a user's X.509 certificate?

A. User's public key, object identifiers, and the location of the user's electronic identity.
B. User's public key, the CA (Certificate Authority) distinguished name, and the type of symmetric algorithm used for encryption.
C. User's public key, the certificate's serial number, and the certificate's validity dates.
D. User's public key, the serial number of the CA (Certificate Authority) certificate, and the CRL (Certificate Revocation List) entry point.


Answer: C

398. SSL uses which port?

A. UDP 443
B. TCP 80
C. TCP 443
D. UDP and TCP 445

Answer: C

399. Which of the following is an asymmetric cryptographic algorithm?

A. AES
B. ElGamal
C. IDEA
D. DES

Answer: B


400. The Bell-LaPadula access control model consists of four elements. These elements are

A. subjects, objects, roles and groups.
B. read only, read/write, write only and read/write/delete.
C. subjects, objects, access modes and security levels.
D. groups, roles, access modes and security levels.

Answer: C



Security+ Demo Questions


1. Message authentication codes are used to provide which service?

A. Integrity
B. Fault recovery
C. Key recovery
D. Acknowledgement


Answer: A


2. When a change to user security policy is made, the policy maker should provide appropriate documentation to:

A. The security administrator.
B. Auditors
C. Users
D. All staff.


Answer: D


3. A major difference between a worm and a Trojan horse program is:

A. Worms are spread via e-mail while Trojan horses are not.
B. Worms are self replicating while Trojan horses are not.
C. Worms are a form of malicious code while Trojan horses are not.
D. There is no difference.


Answer: B


4. A common algorithm used to verify the integrity of data from a remote user through the creation of a 128-bit hash from a data input is:

A. IPSec (Internet Protocol Security)
B. RSA (Rivest Shamir Adleman)
C. Blowfish
D. MD5 (Message Digest 5)


Answer: D


5. What is the best method of reducing vulnerability from dumpster diving?

A. Hiring additional security staff.
B. Destroying paper and other media.
C. Installing surveillance equipment.
D. Emptying the trash can frequently.


Answer: B


6. What is the best method of defence against IP (Internet Protocol) spoofing attacks?

A. Deploying intrusion detection systems.
B. Creating a DMZ (Demilitarized Zone).
C. Applying ingress filtering to routers.
D. There is no good defense against IP (Internet Protocol) spoofing.


Answer: C


7. A need to know security policy would grant access based on:

A. Least privilege
B. Less privilege
C. Loss of privilege
D. Single privilege


Answer: A


8. When a user digitally signs a document an asymmetric algorithm is used to encrypt:

A. Secret passkeys
B. File contents
C. Certificates
D. Hash results


Answer: D


9. The best way to harden an application that is developed in house is to:

A. Use an industry recommended hardening tool.
B. Ensure that security is given due considerations throughout the entire development process.
C. Try attacking the application to detect vulnerabilities, then develop patches to fix any vulnerabilities found.
D. Ensure that the auditing system is comprehensive enough to detect and log any possible intrusion, identifying existing vulnerabilities.


Answer: B


10. Security requirements for servers DO NOT typically include:

A. The absence of vulnerabilities used by known forms of attack against server hosts.
B. The ability to allow administrative activities to all users.
C. The ability to deny access to information on the server other than that intended to be available.
D. The ability to disable unnecessary network services that may be built into the operating system or server software.


Answer: B


11. How can an e-mail administrator prevent malicious users from sending e-mails from non-existent domains?

A. Enable DNS (Domain Name Service) reverse lookup on the e-mail server.
B. Enable DNS (Domain Name Service) forward lookup on the e-mail server.
C. Enable DNS (Domain Name Service) recursive queries on the DNS (Domain Name Service) server.
D. Enable DNS (Domain Name Service) reoccurring queries on the DNS (Domain Name Service) server.


Answer: A


12. A network attack that misuses TCP's (Transmission Control Protocol) three way handshake to overload servers and deny access to legitimate users is called a:

A. Man in the middle.
B. Smurf
C. Teardrop
D. SYN (Synchronize)


Answer: D


13. Which of the following options describes a challenge-response session?

A. A workstation or system that generates a random challenge string that the user enters when prompted along with the proper PIN (Personal Identification Number).
B. A workstation or system that generates a random login ID that the user enters when prompted along with the proper PIN (Personal Identification Number).
C. A special hardware device that is used to generate random text in a cryptography system.
D. The authentication mechanism in the workstation or system does not determine if the owner should be authenticated.


Answer: A


14. A server placed into service for the purpose of attracting a potential intruder's attention is known as a:

A. Honey pot
B. Lame duck
C. Teaser
D. Pigeon


Answer: A


15. A network administrator wants to restrict internal access to other parts of the network. The network restrictions must be implemented with the least amount of administrative overhead and must be hardware based.
What is the best solution?

A. Implement firewalls between subnets to restrict access.
B. Implement a VLAN (Virtual Local Area Network) to restrict network access.
C. Implement a proxy server to restrict access.
D. Implement a VPN (Virtual Private Network).


Answer: B


16. Which one of the following would most likely lead to a CGI (Common Gateway Interface) security problem?

A. HTTP (Hypertext Transfer Protocol) protocol.
B. Compiler or interpreter that runs the CGI (Common Gateway Interface) script.
C. The web browser.
D. External data supplied by the user.


Answer: D


17. SSL (Secure Sockets Layer) session keys are available in what two lengths?

A. 40-bit and 64-bit.
B. 40-bit and 128-bit.
C. 64-bit and 128-bit.
D. 128-bit and 1,024-bit.


Answer: B


18. Which access control method provides the most granular access to protected objects?

A. Capabilities
B. Access control lists
C. Permission bits
D. Profiles


Answer: B


19. The primary DISADVANTAGE of symmetric cryptography is:

A. Speed
B. Key distribution
C. Weak algorithms
D. Memory management


Answer: B


20. Missing audit log entries most seriously affect an organization's ability to:

A. Recover destroyed data.
B. Legally prosecute an attacker.
C. Evaluate system vulnerabilities.
D. Create reliable system backups.


Answer: B


21. File encryption using symmetric cryptography satisfies what security requirement?

A. Confidentiality
B. Access control
C. Data integrity
D. Authentication


Answer: D


22. Which of the following provides privacy, data integrity and authentication for handheld devices in a wireless network environment?

A. WEP (Wired Equivalent Privacy)
B. WAP (Wireless Application Protocol)
C. WSET (Wireless Secure Electronic Transaction)
D. WTLS (Wireless Transport Layer Security)


Answer: D


23. The integrity of a cryptographic system is considered compromised if which of the following conditions exist?

A. A 40-bit algorithm is used for a large financial transaction.
B. The public key is disclosed.
C. The private key is disclosed.
D. The validity of the data source is compromised.


Answer: C


24. The system administrator concerned about security has designated a special area in which to place the web server away from other servers on the network.
This area is commonly known as the:

A. Honey pot
B. Hybrid subnet
C. DMZ (Demilitarized Zone)
D. VLAN (Virtual Local Area Network)


Answer: C


25. An administrator of a web server notices many port scans to a server. To limit the exposure and vulnerabilities revealed by these port scans, the administrator should:

A. Disable the ability to remotely scan the registry.
B. Leave all processes running for possible future use.
C. Close all programs or processes that use a UDP (User Datagram Protocol) or TCP (Transmission Control Protocol) port.
D. Uninstall or disable any programs or processes that are not needed for the proper use of the server.


Answer: D


26. Which encryption scheme relies on both the sender and receiver to use different keys to encrypt and decrypt messages?

A. Symmetric
B. Blowfish
C. Skipjack
D. Asymmetric


Answer: D


27. Which tunneling protocol only works on IP networks?

A. IPX
B. L2TP
C. PPTP
D. SSH


Answer: C


28. What functionality should be disallowed between a DNS server and untrusted node?

A. name resolutions
B. reverse ARP requests
C. system name resolutions
D. zone transfers


Answer: D


29. A document written by the CEO that outlines PKI use, management and deployment is a: _______.

A. PKI policy
B. PKI procedure
C. PKI practice
D. best practices guideline


Answer: A


30. Which one does not use Smart Card Technology?

A. CD Player
B. Cell Phone
C. Satellite Cards
D. Handheld Computer


Answer: A


31. What port does SNMP use?

A. 21
B. 161
C. 53
D. 49


Answer: B


32. What port does TACACS use?

A. 21
B. 161
C. 53
D. 49


Answer: D


33. What type of authentication may be needed when a stored key and memorized password are not strong enough and additional layers of security are needed?

A. Mutual
B. Multi-factor
C. Biometric
D. Certificate


Answer: B


34. You are the first to arrive at a crime scene in which a hacker is accessing unauthorized data on a file server from across the network.
To secure the scene, which of the following actions should you perform?

A. Prevent members of the organization from entering the server room.
B. Prevent members of the incident response team from entering the server room.
C. Shut down the server to prevent the user from accessing further data.
D. Detach the network cable from the server to prevent the user from accessing further data.


Answer: A,D


35. You are the first person to arrive at a crime scene. An investigator and crime scene technician arrive afterwards to take over the investigation.
Which of the following tasks will the crime scene technician be responsible for performing?

A. Ensure that any documentation and evidence they possessed is handed over to the investigator.
B. Re-establish a perimeter as new evidence presents itself.
C. Establish a chain of command.
D. Tag, bag, and inventory evidence.


Answer: D


36. A ___________ occurs when a string of data is sent to a buffer that is larger than the buffer was designed to handle.

A. Brute Force attack
B. Buffer overflow
C. Man in the middle attack
D. Blue Screen of Death
E. SYN flood
F. Spoofing attack


Answer: B


37. Packet sniffing can be used to obtain username and password information in clear text from which one of the following?

A. SSH (Secure Shell)
B. SSL (Secure Sockets Layer)
C. FTP (File Transfer Protocol)
D. HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer)


Answer: C


38. A company uses WEP (Wired Equivalent Privacy) for wireless security.
Who may authenticate to the company's access point?

A. Only the administrator.
B. Anyone can authenticate.
C. Only users within the company.
D. Only users with the correct WEP (Wired Equivalent Privacy) key.


Answer: D


39. As the Security Analyst for your company's network, you become aware that your systems may be under attack. This kind of attack is a DOS attack and the exploit sends more traffic
to a node than anticipated. What kind of attack is this?

A. Ping of death
B. Buffer Overflow
C. Logic Bomb
D. Smurf


Answer: D


40. Following a disaster, while returning to the original site from an alternate site, the first process to resume at the original site would be the:

A. Least critical process
B. Most critical process.
C. Process most expensive to maintain at an alternate site.
D. Process that has a maximum visibility in the organization.


Answer: A


41. In order to establish a secure connection between headquarters and a branch office over a public network, the router at each location should be configured to use IPSec (Internet Protocol Security) in .......... mode.

A. Secure
B. Tunnel
C. Transport
D. Data link


Answer: B


42. The primary purpose of NAT (Network Address Translation) is to:

A. Translate IP (Internet Protocol) addresses into user friendly names.
B. Hide internal hosts from the public network.
C. Use one public IP (Internet Protocol) address on the internal network as a name server.
D. Hide the public network from internal hosts.


Answer: B


43. Users of Instant Messaging clients are especially prone to what?

A. Theft of root user credentials.
B. Disconnection from the file server.
C. Hostile code delivered by file transfer.
D. Slow Internet connections.


Answer: C


44. Which two of the following are symmetric-key algorithms used for encryption?

A. Stream-cipher
B. Block
C. Public
D. Secret


Answer: A,B


45. Computer forensics experts collect and analyze data using which of the following guidelines so as to minimize data loss?

A. Evidence
B. Chain of custody
C. Chain of command
D. Incident response


Answer: B


46. A DMZ (Demilitarized Zone) typically contains:

A. A customer account database
B. Staff workstations
C. A FTP (File Transfer Protocol) server
D. A SQL (Structured Query Language) based database server


Answer: C


47. What kind of attack is a type of security breach to a computer system that does not usually result in the theft of information or other security loss but the lack of legitimate use of that system?

A. CRL
B. DOS
C. ACL
D. MD2


Answer: B


48. User A needs to send a private e-mail to User B. User A does not want anyone to have the ability to read the e-mail except for User B, thus retaining privacy.
Which tenet of information security is User A concerned about?

A. Authentication
B. Integrity
C. Confidentiality
D. Non-repudiation


Answer: C


49. You are researching the ARO and need to find specific data that can be used for risk assessment.
Which of the following will you use to find information?

A. Insurance companies
B. Stockbrokers
C. Manuals included with software and equipment.
D. None of the above. There is no way to accurately predict the ARO.


Answer: A


50. Giving each user or group of users only the access they need to do their job is an example of which security principal?

A. Least privilege
B. Defense in depth
C. Separation of duties
D. Access control


Answer: A

51. Documenting change levels and revision information is most useful for:

A. Theft tracking
B. Security audits
C. Disaster recovery
D. License enforcement


Answer: C


52. One way to limit hostile sniffing on a LAN (Local Area Network) is by installing:

A. An ethernet switch.
B. An ethernet hub.
C. A CSU/DSU (Channel Service Unit/Data Service Unit).
D. A firewall.


Answer: A


53. Notable security organizations often recommend only essential services be provided by a particular host, and any unnecessary services be disabled.
Which of the following does NOT represent a reason supporting this recommendation?

A. Each additional service increases the risk of compromising the host, the services that run on the host, and potential clients of these services.
B. Different services may require different hardware, software, or a different discipline of administration.
C. When fewer services and applications are running on a specific host, fewer log entries and fewer interactions between different services are expected, which simplifies the analysis and maintenance of the system from a security point of view.
D. If a service is not using a well known port, firewalls will not be able to disable access to this port, and an administrator will not be able to restrict access to this service.


Answer: D


54. Which of the following backup methods copies only modified files since the last full backup?

A. Full
B. Differential
C. Incremental
D. Archive


Answer: B


55. You are compiling estimates on how much money the company could lose if a risk occurred one time in the future.
Which of the following would these amounts represent?

A. ARO
B. SLE
C. ALE
D. Asset identification


Answer: B


56. The term "due care" best relates to:

A. Policies and procedures intended to reduce the likelihood of damage or injury.
B. Scheduled activity in a comprehensive preventative maintenance program.
C. Techniques and methods for secure shipment of equipment and supplies.
D. User responsibilities involved when sharing passwords in a secure environment.


Answer: A


57. Advanced Encryption Standard (AES) is an encryption algorithm for securing sensitive but unclassified material by U.S. Government agencies.
What type of encryption is it from the list below?

A. WTLS
B. Symmetric
C. Multifactor
D. Asymmetric


Answer: B


58. You are the first person to respond to the scene of an incident involving a computer being hacked. After determining the scope of the crime scene and securing it, you attempt to preserve evidence at the scene.
Which of the following tasks will you perform to preserve evidence? (Choose all that apply)

A. Photograph any information displayed on the monitors of computers involved in the incident.
B. Document any observation or messages displayed by the computer.
C. Shut down the computer to prevent further attacks that may modify data.
D. Gather up manuals, nonfunctioning devices, and other materials and equipment in the area so they are ready for transport.


Answer: A,B


59. At what stage of an assessment would an auditor test systems for weaknesses and attempt to defeat existing encryption, passwords and access lists?

A. Penetration
B. Control
C. Audit planning
D. Discovery


Answer: A


60. When examining the server's list of protocols that are bound and active on each network interface card, the network administrator notices a relatively large number of protocols.
Which actions should be taken to ensure network security?

A. Unnecessary protocols do not pose a significant risk to the system and should be left intact for compatibility reasons.
B. There are no unneeded protocols on most systems because protocols are chosen during the installation.
C. Unnecessary protocols should be disabled on all server and client machines on a network as they pose great risk.
D. Using port filtering ACLs (Access Control List) at firewalls and routers is sufficient to stop malicious attacks on unused protocols.


Answer: C


61. Which of the following describes the concept of data integrity?

A. A means of determining what resources a user can use and view.
B. A method of security that ensures all data is sequenced, and numbered.
C. A means of minimizing vulnerabilities of assets and resources.
D. A mechanism applied to indicate a data's level of security.


Answer: B


62. In a decentralized privilege management environment, user accounts and passwords are stored on:

A. One central authentication server.
B. Each individual server.
C. No more than two servers.
D. One server configured for decentralized management.


Answer: B


63. In context of wireless networks, WEP (Wired Equivalent Privacy) was designed to:

A. Provide the same level of security as a wired LAN (Local Area Network).
B. Provide a collision preventive method of media access.
C. Provide a wider access area than that of wired LANs (Local Area Network).
D. Allow radio frequencies to penetrate walls.


Answer: A


64. What two functions does IPSec perform? (Choose two)

A. Provides the Secure Shell (SSH) for data confidentiality.
B. Provides the Password Authentication Protocol (PAP) for user authentication.
C. Provides the Authentication Header (AH) for data integrity.
D. Provides the Internet Protocol (IP) for data integrity.
E. Provides the Nonrepudiation Header (NH) for identity integrity.
F. Provides the Encapsulation Security Payload (ESP) for data confidentiality.


Answer: C,F


65. A primary drawback to using shared storage clustering for high availability and disaster recovery is:

A. The creation of a single point of vulnerability.
B. The increased network latency between the host computers and the RAID (Redundant Array of Independent Disk) subsystem.
C. The asynchronous writes which must be used to flush the server cache.
D. The highest storage capacity required by the RAID (Redundant Array of Independent Disks) subsystem.


Answer: A


66. What are two common methods when using a public key infrastructure for maintaining access to servers in a network?

A. ACL and PGP.
B. PIM and CRL.
C. CRL and OCSP.
D. RSA and MD2


Answer: C


67. After installing a new operating system, what configuration changes should be implemented?

A. Create application user accounts.
B. Rename the guest account.
C. Rename the administrator account, disable the guest accounts.
D. Create a secure administrator account.


Answer: C


68. Users who configure their passwords using simple and meaningful things such as pet names or birthdays are subject to having their account used by an intruder after what type of attack?

A. Dictionary attack
B. Brute Force attack
C. Spoofing attack
D. Random guess attack


Answer: A


69. By definition, how many keys are needed to lock and unlock data using symmetric-key encryption?

A. 3+
B. 2
C. 1
D. 0


Answer: C


70. What kind of attack are hashed passwords vulnerable to?

A. Man in the middle.
B. Dictionary or brute force.
C. Reverse engineering.
D. DoS (Denial of Service)


Answer: B


71. What is one advantage of the NTFS file system over the FAT16 and FAT32 file systems?

A. Integral support for streaming audio files.
B. Integral support for UNIX compatibility.
C. Integral support for dual-booting with Red Hat Linux.
D. Integral support for file and folder level permissions.


Answer: D


72. You have identified a number of risks to which your company's assets are exposed, and want to implement policies, procedures, and various security measures.
In doing so, what will be your objective?

A. Eliminate every threat that may affect the business.
B. Manage the risks so that the problems resulting from them will be minimized.
C. Implement as many security measures as possible to address every risk that an asset may be exposed to.
D. Ignore as many risks as possible to keep costs down.


Answer: B


73. Which of the following results in a domain name server resolving the domain name to a different address and thus misdirecting Internet traffic?

A. DoS (Denial of Service)
B. Spoofing
C. Brute force attack
D. Reverse DNS (Domain Name Service)


Answer: B


74. Active detection IDS systems may perform which of the following when an unauthorized connection attempt is discovered? (Choose all that apply)

A. Inform the attacker that he is connecting to a protected network.
B. Shut down the server or service.
C. Provide the attacker the usernames and passwords for administrative accounts.
D. Break off suspicious connections.


Answer: B,D


75. Honey pots are useful in preventing attackers from gaining access:

A. to critical systems
B. all systems
C. It depends on the style of attack used
D. it depends upon the PKI


Answer: A


76. An autonomous agent that copies itself into one or more host programs, then propagates when the host is run, is best described as a:

A. Trojan horse
B. Back door
C. Logic bomb
D. Virus


Answer: D


77. What technology was originally designed to decrease broadcast traffic but is also beneficial in reducing the likelihood of having information compromised by sniffers?

A. VPN (Virtual Private Network)
B. DMZ (Demilitarized Zone)
C. VLAN (Virtual Local Area Network)
D. RADIUS (Remote Authentication Dial-in User Service)


Answer: C


78. Of the following services, which one determines what a user can change or view?

A. Data integrity
B. Data confidentiality
C. Data authentication
D. Access control


Answer: D


79. IMAP4 requires port ___________ to be open.

A. 80
B. 53
C. 22
D. 21
E. 23
F. 25
G. 110
H. 143
I. 443


Answer: H


80. What are access decisions based on in a MAC (Mandatory Access Control) environment?

A. Access control lists
B. Ownership
C. Group membership
D. Sensitivity labels


Answer: D


81. As the Security Analyst for your company's network, you want to implement AES. What algorithm will it use?

A. Rijndael
B. Nagle
C. Spanning Tree
D. PKI


Answer: A


82. When securing a FTP (File Transfer Protocol) server, what can be done to ensure that only authorized users can access the server?

A. Allow blind authentication.
B. Disable anonymous authentication.
C. Redirect FTP (File Transfer Protocol) to another port.
D. Only give the address to users that need access.


Answer: B


83. Asymmetric cryptography ensures that:

A. Encryption and authentication can take place without sharing private keys.
B. Encryption of the secret key is performed with the fastest algorithm available.
C. Encryption occurs only when both parties have been authenticated.
D. Encryption factoring is limited to the session key.


Answer: A


84. You are promoting user awareness in forensics, so users will know what to do when incidents occur with their computers.
Which of the following tasks should you instruct users to perform when an incident occurs? (Choose all that apply)

A. Shut down the computer.
B. Contact the incident response team.
C. Document what they see on the screen.
D. Log off the network.


Answer: B,C


85. When a session is initiated between the Transmission Control Protocol (TCP) client and server in a network, a very small buffer space exists to handle the usually rapid "hand-shaking" exchange of messages that sets up the session.
What kind of attack exploits this functionality?

A. Buffer Overflow
B. SYN Attack
C. Smurf
D. Birthday Attack


Answer: B


86. A program that can infect other programs by modifying them to include a version of itself is a:

A. Replicator
B. Virus
C. Trojan horse
D. Logic bomb


Answer: B


87. A collection of information that includes login, file access, other various activities, and actual or attempted legitimate and unauthorized violations is a(n):

A. Audit
B. ACL (Access Control List)
C. Audit trail
D. Syslog


Answer: C


88. Forensic procedures must be followed exactly to ensure the integrity of data obtained in an investigation.
When making copies of data from a machine that is being examined, which of the following tasks should be done to ensure it is an exact duplicate?

A. Perform a cyclic redundancy check using a checksum or hashing algorithm.
B. Change the attributes of data to make it read only.
C. Open files on the original media and compare them to the copied data.
D. Do nothing. Imaging software always makes an accurate image.


Answer: A


89. A DAC (Discretionary Access Control) system operates under which of the following statements:

A. Files that don't have an owner CANNOT be modified.
B. The administrator of the system is an owner of each object.
C. The operating system is an owner of each object.
D. Each object has an owner, which has full control over the object.


Answer: D


90. You have decided to implement biometrics as part of your security system. Before purchasing a locking system that uses biometrics to control access to secure areas, you need to decide what will be used to authenticate users.
Which of the following options relies solely on biometric authentication?

A. Username and password.
B. Fingerprints, retinal scans, PIN numbers, and facial characteristics.
C. Voice patterns, fingerprints, and retinal scans.
D. Strong passwords, PIN numbers, and digital imaging.


Answer: C


91. As the Security Analyst for your company's network, you want to implement Single Signon technology.
What benefit can you expect to get when implementing Single Signon?

A. You will need to log on twice at all times.
B. You can allow for system wide permissions with it.
C. You can install multiple applications.
D. You can browse multiple directories.


Answer: D


92. Many intrusion detection systems look for known patterns or ______ to aid in detecting attacks.

A. Viruses
B. Signatures
C. Hackers
D. Malware


Answer: B


93. What type of authentication may be needed when a stored key and memorized password are not strong enough and additional layers of security are needed?

A. Mutual
B. Multi-factor
C. Biometric
D. Certificate


Answer: B


94. You are the first to arrive at a crime scene in which a hacker is accessing unauthorized data on a file server from across the network.
To secure the scene, which of the following actions should you perform?

A. Prevent members of the organization from entering the server room.
B. Prevent members of the incident response team from entering the server room.
C. Shut down the server to prevent the user from accessing further data.
D. Detach the network cable from the server to prevent the user from accessing further data.


Answer: A,D


95. You are the first person to arrive at a crime scene. An investigator and crime scene technician arrive afterwards to take over the investigation.
Which of the following tasks will the crime scene technician be responsible for performing?

A. Ensure that any documentation and evidence they possessed is handed over to the investigator.
B. Re-establish a perimeter as new evidence presents itself.
C. Establish a chain of command.
D. Tag, bag, and inventory evidence.


Answer: D


96. The de facto IT (Information Technology) security evaluation criteria for the international community is called?

A. Common Criteria
B. Global Criteria
C. TCSEC (Trusted Computer System Evaluation Criteria)
D. ITSEC (Information Technology Security Evaluation Criteria)


Answer: A


97. Which of the following is a technical solution that supports high availability?

A. UDP (User Datagram Protocol)
B. Anti-virus solution
C. RAID (Redundant Array of Independent Disks)
D. Firewall


Answer: C


98. Which of the following is an example of an asymmetric algorithm?

A. CAST (Carlisle Adams Stafford Tavares)
B. RC5 (Rivest Cipher 5)
C. RSA (Rivest Shamir Adleman)
D. SHA-1 (Secure Hashing Algorithm 1)


Answer: C


99. Dave is increasing the security of his Web site by adding SSL (Secure Sockets Layer).
Which type of encryption does SSL use?

A. Asymmetric
B. Symmetric
C. Public Key
D. Secret


Answer: B


100. What would NOT improve the physical security of workstations?

A. Lockable cases, keyboards, and removable media drives.
B. Key or password protected configuration and setup.
C. Password required to boot.
D. Strong passwords.


Answer: D

101. What are the four major components of ISAKMP (Internet Security Association and Key Management Protocol)?

A. Authentication of peers, threat management, communication management, and cryptographic key establishment.
B. Authentication of peers, threat management, communication management, and cryptographic key establishment and management.
C. Authentication of peers, threat management, security association creation and management cryptographic key establishment and management.
D. Authentication of peers, threat management, security association creation and management and cryptographic key management.


Answer: C


102. Security training should emphasise that the weakest links in the security of an organization are typically:

A. Firewalls
B. Policies
C. Viruses
D. Users


Answer: D


103. IEEE (Institute of Electrical and Electronics Engineers) 802.11b is capable of providing data rates of:

A. 10 Mbps (Megabits per second)
B. 10.5 Mbps (Megabits per second)
C. 11 Mbps (Megabits per second)
D. 12 Mbps (Megabits per second)


Answer: C


104. The standard encryption algorithm based on Rijndael is known as:

A. AES (Advanced Encryption Standard)
B. 3DES (Triple Data Encryption Standard)
C. DES (Data Encryption Standard)
D. Skipjack


Answer: A


105. Security controls may become vulnerabilities in a system unless they are:

A. Designed and implemented by the system vendor.
B. Adequately tested.
C. Implemented at the application layer in the system.
D. Designed to use multiple factors of authentication.


Answer: B


106. Which of the following is considered the best technical solution for reducing the threat of a man in the middle attack?

A. Virtual LAN (Local Area Network)
B. GRE (Generic Routing Encapsulation) tunnel IPIP (Internet Protocol-within-Internet Protocol Encapsulation Protocol)
C. PKI (Public Key Infrastructure)
D. Enforcement of badge system


Answer: C


107. Access controls based on security labels associated with each data item and each user are known as:

A. MACs (Mandatory Access Control)
B. RBACs (Role Based Access Control)
C. LBACs (List Based Access Control)
D. DACs (Discretionary Access Control)


Answer: A


108. An extranet would be best defined as an area or zone:

A. Set aside for business to store extra servers for internal use.
B. Accessible to the general public for accessing the business' web site.
C. That allows a business to securely transact with other businesses.
D. Added after the original network was built for additional storage.


Answer: C


109. What authentication problem is addressed by single sign on?

A. Authorization through multiple servers.
B. Multiple domains.
C. Multi-factor authentication.
D. Multiple usernames and passwords.


Answer: D


110. An administrator is concerned with viruses in e-mail attachments being distributed and inadvertently installed on users' workstations.
If the administrator sets up an attachment filter, what types of attachments should be filtered from e-mails to minimize the danger of viruses?

A. Text file
B. Image files
C. Sound files
D. Executable files


Answer: D


111. When an ActiveX control is executed, it executes with the privileges of the:

A. Current user account
B. Administrator account
C. Guest account
D. System account


Answer: A


112. IDEA (International Data Encryption Algorithm), Blowfish, RC5 (Rivest Cipher 5) and CAST-128 are encryption algorithms of which type?

A. Symmetric
B. Asymmetric
C. Hashing
D. Elliptic curve


Answer: A


113. An example of a physical access barrier would be:

A. Video surveillance
B. Personnel traffic pattern management
C. Security guard
D. Motion detector


Answer: C


114. Which of the following is likely to be found after enabling anonymous FTP (File Transfer Protocol) read/write access?

A. An upload and download directory for each user.
B. Detailed logging information for each user.
C. Storage and distribution of unlicensed software.
D. Fewer server connections and less network bandwidth utilization.


Answer: C


115. A network attack method that uses ICMP (Internet Control Message Protocol) and improperly formatted MTUs (Maximum Transmission Unit) to crash a target computer is known as a:

A. Man in the middle attack
B. Smurf attack
C. Ping of death attack
D. TCP SYN (Transmission Control Protocol / Synchronized) attack


Answer: C


116. What is NOT an acceptable use for smart card technology?

A. Mobile telephones
B. Satellite television access cards
C. A PKI (Public Key Infrastructure) token card shared by multiple users
D. Credit cards


Answer: C


117. An effective method of preventing computer viruses from spreading is to:

A. Require root/administrator access to run programs.
B. Enable scanning of e-mail attachments.
C. Prevent the execution of .vbs files.
D. Install a host based IDS (Intrusion Detection System)


Answer: B


118. A PKI (Public Key Infrastructure) document that serves as the vehicle on which to base common interoperability standards and common assurance criteria on an industry wide basis is a certificate:

A. Policy
B. Practice
C. Procedure
D. Process


Answer: A


119. Currently, the most costly method of authentication is the use of:

A. Passwords
B. Tokens
C. Biometrics
D. Shared secrets


Answer: C


120. Which systems should be included in a disaster recovery plan?

A. All systems.
B. Those identified by the board of directors, president or owner.
C. Financial systems and human resources systems.
D. Systems identified in a formal risk analysis process.


Answer: D


121. What is the best defense against man in the middle attacks?

A. A firewall
B. Strong encryption
C. Strong authentication
D. Strong passwords


Answer: B


122. One of the most effective ways for an administrator to determine what security holes reside on a network is to:

A. Perform a vulnerability assessment.
B. Run a port scan.
C. Run a sniffer.
D. Install and monitor an IDS (Intrusion Detection System)


Answer: A


123. Analyzing log files after an attack has started is an example of:

A. Active detection
B. Overt detection
C. Covert detection
D. Passive detection


Answer: D


124. A malformed MIME (Multipurpose Internet Mail Extensions) header can:

A. Create a back door that will allow an attacker free access to a company's private network.
B. Create a virus that infects a user's computer.
C. Cause an unauthorized disclosure of private information.
D. Cause an e-mail server to crash.


Answer: D


125. An attacker can determine what network services are enabled on a target system by:

A. Installing a rootkit on the target system.
B. Checking the services file.
C. Enabling logging on the target system.
D. Running a port scan against the target system.


Answer: D


126. What type of attack CANNOT be detected by an IDS (Intrusion Detection System)?

A. DoS (Denial of Service)
B. Exploits of bugs or hidden features
C. Spoofed e-mail
D. Port scan


Answer: C


127. Regarding security, biometrics are used for:

A. Accountability
B. Certification
C. Authorization
D. Authentication


Answer: D


128. What is the most effective social engineering defense strategy?

A. Marking of documents
B. Escorting of guests
C. Badge security system
D. Training and awareness


Answer: D


129. A security administrator tasked with confining sensitive data traffic to a specific subnet would do so by manipulating privilege policy based tables in the network's:

A. Server
B. Router
C. VPN (Virtual Private Network)
D. Switch


Answer: B


130. For system logging to be an effective security measure, an administrator must:

A. Review the logs on a regular basis.
B. Implement circular logging.
C. Configure the system to shutdown when the logs are full.
D. Configure SNMP (Simple Network Management Protocol) traps for logging events.


Answer: A


131. With regards to the use of Instant Messaging, which of the following type of attack strategies is effectively combated with user awareness training?

A. Social engineering
B. Stealth
C. Ambush
D. Multi-pronged


Answer: A


132. The process by which remote users can make a secure connection to internal resources after establishing an Internet connection could correctly be referred to as:

A. Channeling
B. Tunneling
C. Throughput
D. Forwarding


Answer: B


133. Appropriate documentation of a security incident is important for each of the following reasons EXCEPT:

A. The documentation serves as a lessons learned which may help avoid further exploitation of the same vulnerability.
B. The documentation will serve as an aid to updating policy and procedure.
C. The documentation will indicate who should be fired for the incident.
D. The documentation will serve as a tool to assess the impact and damage for the incident.


Answer: C


134. Assuring the recipient that a message has not been altered in transit is an example of which of the following:

A. Integrity
B. Static assurance
C. Dynamic assurance
D. Cyclical check sequence


Answer: A


135. Which of the following is expected network behavior?

A. Traffic coming from or going to unexpected locations.
B. Non-standard or malformed packets/protocol violations.
C. Repeated, failed connection attempts.
D. Changes in network performance such as variations in traffic load.


Answer: D


136. Which of the following steps in the SSL (Secure Sockets Layer) protocol allows for client and server authentication, MAC (Message Authentication Code) and encryption algorithm negotiation, and selection of cryptographic keys?

A. SSL (Secure Sockets Layer) alert protocol.
B. SSL (Secure Sockets Layer) change cipher spec protocol.
C. SSL (Secure Sockets Layer) record protocol.
D. SSL (Secure Sockets Layer) handshake protocol.


Answer: D


137. Which of the following correctly identifies some of the contents of a user's X.509 certificate?

A. User's public key, object identifiers, and the location of the user's electronic identity.
B. User's public key, the CA (Certificate Authority) distinguished name, and the type of symmetric algorithm used for encryption.
C. User's public key, the certificate's serial number, and the certificate's validity dates.
D. User's public key, the serial number of the CA (Certificate Authority) certificate, and the CRL (Certificate Revocation List) entry point.


Answer: C


138. An organization is implementing Kerberos as its primary authentication protocol.
Which of the following must be deployed for Kerberos to function properly?

A. Dynamic IP (Internet Protocol) routing protocols for routers and servers.
B. Separate network segments for the realms.
C. Token authentication devices.
D. Time synchronization services for clients and servers.


Answer: D


139. The WAP (Wireless Application Protocol) programming model is based on the following three elements:

A. Client, original server, WEP (Wired Equivalent Privacy)
B. Code design, code review, documentation
C. Client, original server, wireless interface card
D. Client, gateway, original server


Answer: D


140. Technical security measures and countermeasures are primarily intended to prevent:

A. Unauthorized access, unauthorized modification, and denial of authorized access.
B. Interoperability of the framework, unauthorized modification, and denial of authorized access.
C. Potential discovery of access, interoperability of the framework, and denial of authorized access.
D. Interoperability of the framework, unauthorized modification, and unauthorized access.


Answer: A


141. Poor programming techniques and lack of code review can lead to which of the following type of attack?

A. CGI (Common Gateway Interface) script
B. Birthday
C. Buffer overflow
D. Dictionary


Answer: C


142. Which of the following is NOT a characteristic of DEN (Directory Enabled Networking)?

A. It is mapped into the directory defined as part of the LDAP (Lightweight Directory Access Protocol).
B. It is inferior to SNMP (Simple Network Management Protocol).
C. It is an object oriented information model.
D. It is an industry standard indicating how to construct and store information about a network's users, applications and data.


Answer: B


143. Privileged accounts are most vulnerable immediately after a:

A. Successful remote login.
B. Privileged user is terminated.
C. Default installation is performed.
D. Full system backup is performed.


Answer: C


144. What is the advantage of a multi-homed firewall?

A. It is relatively inexpensive to implement.
B. The firewall rules are easier to manage.
C. If the firewall is compromised, only the systems in the DMZ (Demilitarized Zone) are exposed.
D. An attacker must circumvent two firewalls.


Answer: A


145. A password security policy can help a system administrator to decrease the probability that a password can be guessed by reducing the password's:

A. Length
B. Lifetime
C. Encryption level
D. Alphabet set


Answer: B


146. An inherent flaw of DAC (Discretionary Access Control) relating to security is:

A. DAC (Discretionary Access Control) relies only on the identity of the user or process, leaving room for a Trojan horse.
B. DAC (Discretionary Access Control) relies on certificates, allowing attackers to use those certificates.
C. DAC (Discretionary Access Control) does not rely on the identity of a user, allowing anyone to use an account.
D. DAC (Discretionary Access Control) has no known security flaws.


Answer: A


147. What is the most common method used by attackers to identify the presence of an 802.11b network?

A. War driving
B. Direct inward dialing
C. War dialing
D. Packet driving


Answer: A


148. The best method to use for protecting a password stored on the server used for user authentication is to:

A. Store the server password in clear text.
B. Hash the server password.
C. Encrypt the server password with asymmetric keys.
D. Encrypt the server password with a public key.


Answer: B


149. During the digital signature process, asymmetric cryptography satisfies what security requirement?

A. Confidentiality
B. Access control
C. Data integrity
D. Authentication


Answer: D


150. The most effective way an administrator can protect users from social engineering is:

A. Education
B. Implement personal firewalls.
C. Enable logging on at user's desktops.
D. Monitor the network with an IDS (Intrusion Detection System)


Answer: A


151. The action of determining which operating system is installed on a system simply by analyzing its response to certain network traffic is called:

A. OS (Operating System) scanning.
B. Reverse engineering.
C. Fingerprinting.
D. Host hijacking.


Answer: C


152. One of the factors that influence the lifespan of a public key certificate and its associated keys is the:

A. Value of the information it is used to protect.
B. Cost and management fees.
C. Length of the asymmetric hash.
D. Data available openly on the cryptographic system.


Answer: A


153. A DRP (Disaster Recovery Plan) typically includes which of the following:

A. Penetration testing.
B. Risk assessment.
C. DoS (Denial of Service) attack.
D. ACLs (Access Control List).


Answer: B


154. Which of the following is the best description of "separation of duties"?

A. Assigning different parts of tasks to different employees.
B. Employees are granted only the privileges necessary to perform their tasks.
C. Each employee is granted specific information that is required to carry out the job function.
D. Screening employees before assigning them to a position.


Answer: A


155. Which of the following is a popular VPN (Virtual Private Network) protocol operating at OSI (Open Systems Interconnect) model Layer 3?

A. PPP (Point-to-Point Protocol)
B. SSL (Secure Sockets Layer)
C. L2TP (Layer Two Tunneling Protocol)
D. IPSec (Internet Protocol Security)


Answer: D


156. The system administrator has just used a program that highlighted the susceptibility of several servers on the network to various exploits. The program also suggested fixes.
What type of program was used?

A. Intrusion detection
B. Port scanner
C. Vulnerability scanner
D. Trojan scanner


Answer: C


157. Which protocol is typically used for encrypting traffic between a web browser and web server?

A. IPSec (Internet Protocol Security)
B. HTTP (Hypertext Transfer Protocol)
C. SSL (Secure Sockets Layer)
D. VPN (Virtual Private Network)


Answer: C


158. What fingerprinting technique relies on the fact that operating systems differ in the amount of information that is quoted when ICMP (Internet Control Message Protocol) errors are encountered?

A. TCP (Transmission Control Protocol) options.
B. ICMP (Internet Control Message Protocol) error message quenching.
C. Fragmentation handling.
D. ICMP (Internet Control Message Protocol) message quoting.


Answer: D


159. Incorrectly detecting authorized access as an intrusion or attack is called a false:

A. Negative
B. Intrusion
C. Positive
D. Alarm


Answer: C


160. When hardening a machine against external attacks, what process should be followed when disabling services?

A. Disable services such as DHCP (Dynamic Host Configuration Protocol) client and print servers from servers that do not use/serve those functions.
B. Disable one unnecessary service after another, while reviewing the effects of the previous action.
C. Research the services and their dependencies before disabling any default services.
D. Disable services not directly related to financial operations.


Answer: C


161. The best protection against the abuse of remote maintenance of a PBX (Private Branch Exchange) system is to:

A. Keep maintenance features turned off until needed
B. Insist on strong authentication before allowing remote maintenance
C. Keep PBX (Private Branch Exchange) in locked enclosure and restrict access to only a few people.
D. Check to see if the maintenance caller is on the list of approved maintenance personnel


Answer: A


162. A high profile company has been receiving a high volume of attacks on their web site. The network administrator wants to be able to collect information on the attacker(s) so legal action can be taken.
What should be implemented?

A. A DMZ (Demilitarized Zone)
B. A honey pot
C. A firewall
D. A new subnet


Answer: B


163. The protection of data against unauthorized access or disclosure is an example of what?

A. Confidentiality
B. Integrity
C. Signing
D. Hashing


Answer: A


164. You are running cabling for a network through a boiler room where the furnace and some other heavy machinery reside. You are concerned about interference from these sources.
Which of the following types of cabling provides the best protection from interference in this area?

A. STP
B. UTP
C. Coaxial
D. Fiber-optic


Answer: D


165. In order for a user to obtain a certificate from a trusted CA (Certificate Authority), the user must present proof of identity and a:

A. Private key
B. Public key
C. Password
D. Kerberos key


Answer: B


166. If a private key becomes compromised before its certificate's normal expiration, X.509 defines a method requiring each CA (Certificate Authority) to periodically issue a signed data structure called a certificate:

A. Enrollment list
B. Expiration list
C. Revocation list
D. Validation list


Answer: C


167. An application that appears to perform a useful function but instead contains some sort of malicious code is called a:

A. Worm
B. SYN flood
C. Virus
D. Trojan Horse
E. Logic Bomb


Answer: D


168. How many bits are employed when using hash encryption?

A. 32
B. 64
C. 128
D. 256


Answer: C


169. What transport protocol and port number does SSH (Secure Shell) use?

A. TCP (Transmission Control Protocol) port 22
B. UDP (User Datagram Protocol) port 69
C. TCP (Transmission Control Protocol) port 179
D. UDP (User Datagram Protocol) port 17


Answer: A


170. While performing a routine site audit of your wireless network, you discover an unauthorized Access Point placed on your network under the desk of the Accounting department secretary. When questioned, she denies any knowledge of it, but informs you that her new boyfriend has been to visit her several times, including taking her to lunch one time.
What type of attack have you just become a victim of?

A. SYN Flood.
B. Distributed Denial of Service.
C. Man in the Middle attack.
D. TCP Flood.
E. IP Spoofing.
F. Social Engineering


Answer: F


171. When visiting an office adjacent to the server room, you discover the lock to the window is broken. Because it is not your office you tell the resident of the office to contact the maintenance person and have it fixed. After leaving, you fail to follow up on whether the window was actually repaired.
What effect will this have on the likelihood of a threat associated with the vulnerability actually occurring?

A. If the window is repaired, the likelihood of the threat occurring will increase.
B. If the window is repaired, the likelihood of the threat occurring will remain constant.
C. If the window is not repaired, the likelihood of the threat occurring will decrease.
D. If the window is not repaired, the likelihood of the threat occurring will increase.


Answer: D


172. Providing false information about the source of an attack is known as:

A. Aliasing
B. Spoofing
C. Flooding
D. Redirecting


Answer: B


173. The start of the LDAP (Lightweight Directory Access Protocol) directory is called the:

A. Head
B. Root
C. Top
D. Tree


Answer: B


174. A company consists of a main building with two smaller branch offices at opposite ends of the city. The main building and branch offices are connected with fast links so that all employees have good connectivity to the network.
Each of the buildings has security measures that require visitors to sign in, and all employees are required to wear identification badges at all times. You want to protect servers and other vital equipment so that the company has the best level of security at the lowest possible cost.
Which of the following will you do to achieve this objective?

A. Centralize servers and other vital components in a single room of the main building, and add security measures to this room so that they are well protected.
B. Centralize most servers and other vital components in a single room of the main building, and place servers at each of the branch offices. Add security measures to areas where the servers and other components are located.
C. Decentralize servers and other vital components, and add security measures to areas where the servers and other components are located.
D. Centralize servers and other vital components in a single room in the main building. Because the building prevents unauthorized access to visitors and other persons, there is no need to implement physical security in the server room.


Answer: A


175. You are explaining SSL to a junior administrator and come up to the topic of handshaking.
How many steps are employed between the client and server in the SSL handshake process?

A. Five
B. Six
C. Seven
D. Eight


Answer: B


176. An administrator notices that an e-mail server is currently relaying e-mail (including spam) for any e-mail server requesting relaying. Upon further investigation the administrator notices the existence of /etc/mail/relay domains.
What modifications should the administrator make to the relay domains file to prevent relaying for non-explicitly named domains?

A. Move the .* entry to the bottom of the relay domains file and restart the e-mail process.
B. Move the .* entry to the top of the relay domains file and restart the e-mail process.
C. Delete the .* entry in the relay domains file and restart the e-mail process.
D. Delete the relay domains file from the /etc/mail folder and restart the e-mail process.


Answer: C


177. Access control decisions are based on responsibilities that an individual user or process has in an organization.
This best describes:

A. MAC (Mandatory Access Control)
B. RBAC (Role Based Access Control)
C. DAC (Discretionary Access Control)
D. None of the above.


Answer: B


178. A honey pot is defined as ________.

A. A decoy system or network to attract attacks away from your real network.
B. A place to store passwords.
C. A safe haven for your backup media.
D. Something that exists only in theory.


Answer: A


179. A problem with air conditioning is causing fluctuations in temperature in the server room. The temperature is rising to 90 degrees when the air conditioner stops working, and then drops to 60 degrees when it starts working again.
The problem keeps occurring over the next two days.
What problem may result from these fluctuations? (Select the best answer)

A. Electrostatic discharge
B. Power outages
C. Chip creep
D. Poor air quality


Answer: C


180. You have been alerted to the possibility of someone using an application to capture and manipulate packets as they are passing through your network.
What type of threat does this represent?

A. DDoS
B. Back Door
C. Spoofing
D. Man in the Middle


Answer: D


181. Which of the following media types is most immune to RF (Radio Frequency) eavesdropping?

A. Coaxial cable
B. Fiber optic cable
C. Twisted pair wire
D. Unbounded


Answer: B


182. What statement is most true about viruses and hoaxes?

A. Hoaxes can create as much damage as a real virus.
B. Hoaxes are harmless pranks and should be ignored.
C. Hoaxes can help educate users about a virus.
D. Hoaxes carry a malicious payload and can be destructive.


Answer: A


183. While connected from home to an ISP (Internet Service Provider), a network administrator performs a port scan against a corporate server and encounters four open TCP (Transmission Control Protocol) ports: 25, 110, 143 and 389. Corporate users in the organization must be able to connect from home, send and receive messages on the Internet, read e-mail by means of the IMAPv4 (Internet Message Access Protocol version 4) protocol, and search a directory services database for user e-mail addresses and digital certificates.
All the e-mail related services, as well as the directory server, run on the scanned server.

Which of the above ports can be filtered out to decrease unnecessary exposure without affecting functionality?

A. 25
B. 110
C. 143
D. 389


Answer: B


184. A piece of malicious code that can replicate itself, has no productive purpose, and exists only to damage computer systems or create further vulnerabilities is called a:

A. Logic Bomb
B. Worm
C. Trojan Horse
D. SYN flood
E. Virus


Answer: E


185. When evidence is acquired, a log is started that records who had possession of the evidence for a specific amount of time. This is to avoid allegations that the evidence may have been tampered with when it was unaccounted for, and to keep track of the tasks performed in acquiring evidence from a piece of equipment or materials.
What is the term used to describe this process?

A. Chain of command.
B. Chain of custody.
C. Chain of jurisdiction.
D. Chain of evidence.


Answer: B


186. Data integrity is best achieved using a(n):

A. Asymmetric cipher
B. Digital certificate
C. Message digest
D. Symmetric cipher


Answer: C


187. A recent audit shows that a user logged into a server with their user account and executed a program. The user then performed activities only available to an administrator.
This is an example of which type of attack?

A. Trojan horse
B. Privilege escalation
C. Subseven back door
D. Security policy removal


Answer: B


188. When a user clicks to browse a secure page, the SSL (Secure Sockets Layer) enabled server will first:

A. Use its digital certificate to establish its identity to the browser.
B. Validate the user by checking the CRL (Certificate Revocation List).
C. Request the user to produce the CRL (Certificate Revocation List).
D. Display the requested page on the browser, then provide its IP (Internet Protocol) address for verification.


Answer: A


189. You are assessing risks and determining which asset protection policies to create first. Another member of the IT staff has provided you with a list of assets which have importance weighted on a scale of 1 to 10. Internet connectivity has an importance of 8, data has an importance of 9, personnel have an importance of 7, and software has an importance of 5.
Based on the weights, what is the order in which you will generate new policies?

A. Internet policy, data security, personnel safety policy, software policy.
B. Data security policy, Internet policy, software policy, personnel safety policy.
C. Software policy, personnel safety policy, Internet policy, data security policy.
D. Data security policy, Internet policy, personnel safety policy, software policy.


Answer: D


190. Controlling access to information systems and associated networks is necessary for the preservation of their:

A. Authenticity, confidentiality, integrity and availability.
B. Integrity and availability.
C. Confidentiality, integrity and availability.
D. Authenticity, confidentiality and availability.


Answer: C


191. What design feature of Instant Messaging makes it extremely insecure compared to other messaging systems?

A. It is a peer-to-peer network that offers most organizations virtually no control over it.
B. Most IM clients are actually Trojan Horses.
C. It is a centrally managed system that can be closely monitored.
D. It uses the insecure Internet as a transmission medium.


Answer: A


192. Access controls that are created and administered by the data owner are considered:

A. MACs (Mandatory Access Control)
B. RBACs (Role Based Access Control)
C. LBACs (List Based Access Control)
D. DACs (Discretionary Access Control)


Answer: D


193. A well defined business continuity plan must consist of risk analysis, business impact analysis, strategic planning and mitigation, training and awareness, maintenance and audit and:

A. Security labeling and classification.
B. Budgeting and acceptance.
C. Documentation and security labeling.
D. Integration and validation.


Answer: D


194. John wants to encrypt a sensitive message before sending it to one of his managers.
Which type of encryption is often used for e-mail?

A. S/MIME
B. BIND
C. DES
D. SSL


Answer: A


195. What is the greatest benefit to be gained through the use of S/MIME (Secure Multipurpose Internet Mail Extensions)? The ability to:

A. Encrypt and digitally sign e-mail messages.
B. Send anonymous e-mails.
C. Send e-mails with a return receipt.
D. Expedite the delivery of e-mail.


Answer: A
==================================================