Felicia wants to deploy an encryption solution that will protect files in motion as they are copied between file shares as well as at rest, and also needs it to support granular, per‐user security. What type of solution should she select?
Partition encryption
File encryption
Full‐disk encryption
Record‐level encryption
B. File encryption meets all of the needs described. Full‐disk encryption is easier to deploy and manage but does not protect individual files in motion and does not effectively support multiuser scenarios. Partition‐level encryption has the same challenges, albeit at a partition rather than full‐disk level. Record‐level encryption is typically used in databases to protect individual records or entries.
100
Brent’s organization is profiling threat actors that may target their infrastructure and systems. Which of the following is most likely a motivation for a nation‐state actor?
Financial gain
Blackmail
Espionage
Ethical
C. Nation‐state actors are typically advanced persistent threats (APTs), and their motivations commonly include espionage, data exfiltration, disruption/chaos, and war. Financial gain is more commonly associated with organized crime, blackmail with insider threats, and ethical motivations with hacktivists.
100
Nancy wants to adopt a backup strategy that will meet her organization's desires about the amount of data that could be lost in a scenario where a restoration from backup was required and also wants to establish guidelines for how long a restoration should take. What two key objectives should she set?
An RPO and an RTO
An RFBT and an RPO
An RPO and an MTBF
An MTBF and an RFBT
A. Organizations set recovery point objectives (RPOs), which describe how much data is acceptable to lose in a data loss event, and recovery time objectives (RTOs), which describe the maximum amount of time that it should take to recover data. Together these two objectives help guide backup strategy and infrastructure design and implementation. MTBF (mean time before failure) describes the mean time before a device like a hard drive, power supply, or network switch will fail, typically described in hours of powered‐on operation. RFBT was made up for this question.
100
John wants to harden his organization's routers. If there are no currently known vulnerabilities or issues with the device, which of the following hardening options will provide the biggest benefit?
Moving their administrative interfaces to a protected VLAN
Disabling unnecessary services
Installing the most current patch level for the OS
Enabling SNMP‐based logging
A. While all of these are best practices, moving the device's administrative interface to a protected VLAN will provide the most significant improvement in security since there are no known issues or vulnerabilities at the moment. If there were, patching or disabling services would quickly move up the list.
100
The company that Scott works for has experienced a data breach, and the personal information of thousands of customers has been exposed. Which of the following impact categories is not a concern as described in this scenario?
Reputation
Financial
Availability loss
Data loss
C. This description does not include any risk to availability since there is no information about systems or services being down or offline. This scenario would likely result in reputational, financial, and data loss impacts for Scott's company.
200
Valerie wants to use a certificate to handle multiple subdomains for her website, including the sales.example.com and support.example.com subdomains. What type of certificate should she use?
A self‐signed certificate
A root of trust certificate
A CRL certificate
A wildcard certificate
D. Wildcard certificates are used to handle multiple subdomains with a single certificate. A self‐signed certificate will not be recognized by browsers and other services, creating confusion for customers. Root of trust certificates and CRL certificates are not types of certificates.
200
Ahmed is a sales manager with a major insurance company. He has received an email that is encouraging him to click on a link and fill out a survey. He is suspicious of the email, but it does mention a major insurance association, and that makes him think it might be legitimate. Which of the following best describes this attack?
Phishing
Social engineering
Spear phishing
Trojan horse
C. Spear phishing is targeted to a specific group, in this case insurance professionals. Although this is a form of phishing, the more specific answer is the one you will need to choose on questions like this. Phishing uses social engineering techniques to succeed but is once again a broader answer than spear phishing and thus is not the correct choice. Finally, a Trojan horse pretends to be a legitimate or desirable program or file, which this scenario doesn't describe.
200
John is running an IDS on his network. Users sometimes report that the IDS flags legitimate traffic as an attack. What describes this?
False positive
False negative
False trigger
False flag
A. When an intrusion detection system (IDS) or antivirus/antimalware mistakes legitimate traffic for an attack, this is called a false positive. A false negative is when the IDS mistakes an attack for legitimate traffic; it is the opposite of a false positive. Options C and D are both incorrect: although they may be grammatically correct, they are not terms used in the industry. In military operations, false flag operations attempt to transfer blame to another organization or adversary, thus a “false flag.”
200
Jackson is reviewing his organization's logs and discovers multiple new user accounts created after business hours using administrative credentials. What term describes searching for potential issues like this?
IoC creation
Threat hunting
Root cause analysis
Eradication
B. Threat hunting is the process of searching for threats, often using IoCs, threat intelligence, technological tools, and expertise to identify threats that might impact an organization. IoC creation involves documenting and defining an indicator of compromise. Root cause analysis looks for the underlying cause of an issue or event, and eradication is the complete removal of a threat or artifacts of malicious activity.
200
Sameer wants to assess whether the key risk indicators (KRIs) his team has suggested are appropriate for his organization. Which of the following is not a common characteristic of a useful KRI?
Actionable
Measurable
Relevant
Inexpensive
D. KRIs, or key risk indicators, need to be actionable so that the organization can use them to control or manage risk, they need to be measurable so that they can be assessed, and they must be relevant to the risks that they measure. They don't necessarily have to be inexpensive, as organizations may make choices about costs based on their risks and business models.
300
What information is analyzed during a gap analysis?
Control objectives and controls intended to meet the objectives
Physically separate networks and their potential connection points
Compensating controls and the controls they are replacing
Security procedures and the policies they are designed to support
A. Gap analysis considers control objectives and the controls that are intended to meet the objectives.
300
You are a security administrator for a medium‐sized bank. You have discovered a piece of software on your bank’s database server that is not supposed to be there. It appears that the software will begin deleting database files if a specific employee is terminated. What best describes this?
Worm
Logic bomb
Trojan horse
Rootkit
B. A logic bomb is malware that performs its malicious activity when some condition is met. A worm is malware that self‐propagates. A Trojan horse is malware attached to a legitimate program, and a rootkit is malware that gets root or administrative privileges.
300
Enrique is concerned about backup data being infected by malware. The company backs up key servers to digital storage on a backup server. Which of the following would be most effective in preventing the backup data being infected by malware?
Place the backup server on a separate VLAN.
Air gap the backup server.
Place the backup server on a different network segment.
Use a honeynet.
B. Air gapping refers to the server not being on a network. This means literally that there is “air” between the server and the network. This prevents malware from infecting the backup server. A separate virtual local area network (VLAN) or physical network segment can enhance security but is not as effective as air gapping. A honeynet is used to detect attacks against a network, but it doesn't provide effective defense against malware in this scenario.
300
Cynthia is concerned about attacks against an application programming interface (API) that her company provides for its customers. What should she recommend to ensure that the API is only used by customers who have paid for the service?
Require authentication.
Install and configure a firewall.
Filter by IP address.
Install and use an IPS.
A. The simplest way to ensure that APIs are only used by legitimate users is to require the use of authentication. API keys are one of the most frequently used methods for this. If an API key is lost or stolen, the key can be invalidated and reissued, and since API keys can be matched to usage, Cynthia's company can also bill customers based on their usage patterns if they want to. A firewall or IP restrictions may be able to help, but they can be fragile; customer IP addresses may change. An intrusion prevention system (IPS) can detect and prevent attacks, but an IPS would have a hard time telling legitimate usage apart from usage by those who are not customers.
300
Jill's organization wants to ensure that services and systems are back online and functioning normally within 4 hours of an event or incident. What term best describes this goal?
An RTO
An MTTR
An RPO
An MTBF
A. A recovery time objective (RTO) is set by organizations to describe how long restoring systems or services to normal function after a disruption can take. Mean time to repair (MTTR) is the average time it takes to repair a system or device. A recovery point objective (RPO) describes how much data can be lost in the event of an outage or issue, and the mean time between failures (MTBF) is a measure of the reliability of a system. It is the expected amount of time that will elapse between system failures.
400
Susan's team has recommended an application restart for a production, customer‐facing application as part of an urgent patch due to a security update. What technical implication is the most common concern when conducting an application restart?
Application configuration changes caused by the restart
Whether the patch will properly apply
Lack of security controls during the restart
The downtime during the restart
D. In most production environments downtime is the primary concern when considering an application restart. Many application architectures are designed to allow restarts of individual systems or services without creating an outage or downtime. Configuration changes should not be created by a restart, patches generally apply properly, and security controls should be in place throughout the process.
400
The company that Yarif works for uses a third‐party IT support company to manage their cloud‐hosted web application infrastructure. How can Yarif best address concerns about potential threat vectors via the managed service provider (MSP)?
Conduct regular vulnerability scans.
Use shared incident response exercises to prepare.
Ensure appropriate contractual coverage for issues.
Require the MSP to have an annual pentest.
C. Using appropriate contractual terms is usually the best available option for handling third‐party vendor risk. The terms can include things like security practices, such as pentesting, incident response exercises, and vulnerability scanning, and can also have sufficient penalties to ensure ongoing compliance from responsible companies.
400
What type of system is used to control and monitor power plant power generation systems?
IPG
SEED
SCADA
ICD
C. SCADA, or supervisory control and data acquisition systems, are commonly used to manage facilities like power plants. The remaining options were made up.
400
Greg wants to gain admission to a network that is protected by a network access control (NAC) system that recognizes the hardware address of systems. How can he bypass this protection?
Spoof a legitimate IP address.
Conduct a denial‐of‐service attack against the NAC system.
Use MAC cloning to clone a legitimate MAC address.
None of the above.
C. Greg can clone a legitimate Media Access Control (MAC) address if he can identify one on the network. Greg can do this by checking for a MAC label on some devices or by capturing traffic on the network if he can physically access it.
400
Eric's organization has created a policy document that describes how users can and cannot use the organization's network, systems, and services. What type of policy has he created?
Business continuity policy
An acceptable use policy
An incident response policy
This is a standard, not a policy.
B. Acceptable use policies (AUPs) describe how and what users can use organizational resources, systems, and services for. Business continuity policies describe how an organization approaches business continuity, and incident response policies focus on how organizations respond to incidents. A standard acts as the rules to achieve an intent, while policies describe the organization's intent. This policy describes intent, not specific implementations.
500
Using a tool like git is most frequently associated with what critical change management process?
Having a backout plan
Stakeholder analysis
Version control
Standard operating procedures (SOPs)
C. Organizations frequently use tools like git to build repositories that support their need for version control. Backout plans might note that you need to return to the prior version but will need to include how to do so. Stakeholder analysis and SOPs are not specifically supported by or improved by using git.
500
Jill’s organization has received an advisory about a flaw that could allow software running on a virtual machine to execute code on the system that is running the VM hypervisor. What type of vulnerability is this?
A resource reuse issue
A VM escape issue
A jailbreaking issue
A sideloading issue
B. This is an example of a virtual machine (VM) escape vulnerability. Jailbreaking and sideloading are terms used to describe mobile device–related means of violating security, and resource reuse is a VM concern if data is not properly removed before a resource is given to another VM.
500
Geoff wants to establish a contract with a company to have datacenter space that is equipped and ready to go so that he can bring his data to the location in the event of a disaster. What type of disaster recovery site is he looking for?
A hot site
A cold site
A warm site
An RTO site
C. Geoff is looking for a warm site, which has some or all of the infrastructure and systems he needs but does not have data. If a disaster occurs, Geoff can bring any equipment that he needs or wants to the site along with his organization's data to resume operations. A hot site is a fully functional environment with all the hardware, software, and data needed to operate an organization. They are expensive to maintain and run but are used by organizations that cannot take the risk of downtime. A cold site is a location that can be brought online but does not have systems; cold sites typically have access to power and bandwidth but need to be fully equipped to operate after a disaster since they are just rented space. An RTO is a recovery time objective, and it measures how long it should take to resume operations; it is not a type of disaster recovery site.
500
Melissa's organization has deployed a firewall that uses three interfaces to provide services. The first interface connects to the Internet, the second to a network where the organization's web servers reside, and the third to a secured network where the organization's workstations are connected. What type of firewall architecture has Melissa's organization deployed?
An ACL
A screened subnet
A binary firewall
A multihomed, multiroute NGFW
B. Screened subnet designs use a firewall with three interfaces, one for the Internet or an untrusted network, one for a protected but front‐facing network, and one for a shielded or protected network. ACLs (access control lists) use rules to control access. This design may use ACLs, but an ACL alone does not describe it. Binary firewalls were made up for this question, and while an NGFW may be multihomed, “multiroute” is not a term used to describe this design.
500
Angie is performing a penetration test and has gathered information using the Shodan search engine about her target. What type of reconnaissance has she performed?
Active
Commercial
Scanner‐based
Passive
D. Angie has conducted passive reconnaissance. She did not perform a scan or otherwise take direct active action to gather her information. Instead, she used the existing Shodan engine to gather information. While Shodan is a commercial product and does gather information using scans, databases like Shodan are considered passive reconnaissance, and the Security+ exam objectives recognize two types of reconnaissance: active and passive.