
CompTIA Security+ SY0-401 Practice Test


CompTIA SY0-401 Security+ 100-Question Practice Exam

    Developed for www.GetCertify4Less.com

    (Author to remain anonymous)

This practice exam has been developed exclusively for GetCertify4Less.com. Answers and explanations are on the last pages.

    1. Which of the following answers refers to a dedicated device for managing secure connections

    established over an untrusted network, such as the Internet?

    A. Load balancer

    B. VPN concentrator

    C. Spam filter

    D. Web server

    2. Which of the following acronyms refers to a network or host based monitoring system designed to

    automatically alert administrators of known or suspected unauthorized activity?

    A. IDS

    B. AES

    C. TPM

    D. EFS

    3. A software tool used to monitor and examine contents of network traffic is known as: (Select all that

    apply)

    A. Port scanner

    B. Packet sniffer

    C. Vulnerability scanner

    D. Protocol analyzer

4. Which of the following acronyms refers to a network security solution combining the functionality of a

    firewall with additional safeguards such as URL filtering, content inspection, or malware inspection?

    A. MTU

    B. STP

    C. UTM

    D. XML

    5. Which of the following network security solutions inspects network traffic in real-time and has the

    capability to stop the ongoing attack?

    A. NIPS

    B. HIDS

    C. HIPS

    D. NIST

    6. Which of the following actions can be taken by passive IDS? (Select 2 answers)

    A. Reconfiguring firewall

    B. Closing down connection

    C. Logging

    D. Terminating process

    E. Sending an alert

    7. Which of the following answers refers to a set of rules that specify which users or system processes

    are granted access to objects as well as what operations are allowed on a given object?

    A. CRL

    B. NAT

    C. BCP

    D. ACL

8. Which type of Intrusion Detection System (IDS) relies on the previously established baseline of normal

    network activity in order to detect intrusions?

    A. Signature-based

    B. URL filter

    C. Anomaly-based

    D. ACL

    9. 802.1x is an IEEE standard defining:

    A. Token ring networks

    B. Port-based network access control

    C. VLAN tagging

    D. Wireless networking

    10. Which of the following security solutions provides a countermeasure against denial-of-service attack

    characterized by increasing number of half-open connections?

    A. Flood guard

    B. MAC filter

    C. Honeypot

    D. Port scanner

    11. Which of the following protocols protects against switching loops?

    A. UTP

    B. SSH

    C. STP

    D. HMAC

12. Which type of Intrusion Detection System (IDS) relies on known attack patterns to detect an

    intrusion?

    A. Load balancer

    B. Signature-based

    C. Protocol analyzer

    D. Anomaly-based

    13. A lightly protected subnet placed on the outside of the company's firewall consisting of publicly

    available servers is known as:

    A. VPN

    B. Access Point (AP)

    C. VLAN

    D. DMZ

    14. Which of the following acronyms refers to a solution allowing companies to cut costs related to

    managing of internal calls?

    A. PBX

    B. POTS

    C. P2P

    D. PSTN

    15. Which security measure is in place when a client is denied access to the network due to outdated

    antivirus software?

    A. NAC

    B. DMZ

    C. VLAN

    D. NAT

16. Which of the following solutions is used to hide the internal IP addresses by modifying IP address

    information in IP packet headers while in transit across a traffic routing device?

    A. NAC

    B. ACL

    C. NAT

    D. DMZ

    17. In which of the cloud computing infrastructure types clients, instead of buying all the hardware and

    software, purchase computing resources as an outsourced service from suppliers who own and maintain

    all the necessary equipment?

    A. IaaS

    B. SaaS

    C. P2P

    D. PaaS

    18. Which of the following cloud service types would provide the best solution for a web developer

    intending to create a web app?

    A. SaaS

    B. API

    C. PaaS

    D. IaaS

    19. A cloud computing infrastructure type where applications are hosted over a network (typically

    Internet) eliminating the need to install and run the software on the customer's own computers is

    called:

    A. Thick client

    B. SaaS

    C. Virtualization

    D. IaaS

20. Which of the following protocols is used in network management systems for monitoring network-attached devices?

    A. RTP

    B. SNMP

    C. IMAP

    D. RTP

    21. Which of the protocols listed below is used by the PING utility?

    A. TLS

    B. SNMP

    C. FCoE

    D. ICMP

    22. FTP runs by default on ports: (Select 2 answers)

    A. 25

    B. 23

    C. 20

    D. 21

    E. 22

    23. Which of the following protocols run(s) on port number 22? (Select all that apply)

    A. FTP

    B. SSH

    C. SMTP

    D. SCP

    E. SFTP

24. Port number 23 is used by:

    A. SMTP

    B. SSH

    C. Telnet

    D. TFTP

    25. Which of the following TCP ports is used by SMTP?

    A. 25

    B. 53

    C. 80

    D. 23

    26. Which of the following ports enable(s) retrieving email messages from a remote server? (Select all

    that apply)

    A. 80

    B. 139

    C. 110

    D. 443

    E. 143

    27. Which of the following answers lists the default port number for a Microsoft-proprietary remote

    connection protocol?

    A. 139

    B. 443

    C. 3389

    D. 53

28. Which of the following wireless encryption schemes offers the highest level of protection?

    A. WEP

    B. WPA2

    C. WAP

    D. WPA

    29. A network access control method whereby the 48-bit address assigned to each network card is used

    to determine access to the network is known as:

    A. EMI shielding

    B. Hardware lock

    C. MAC filter

    D. Quality of Service (QoS)

    30. Disabling SSID broadcast:

    A. Is one of the measures used for securing networks

    B. Makes a WLAN harder to discover

    C. Blocks access to WAP

    D. Prevents wireless clients from accessing the network

    31. AES-based encryption mode implemented in WPA2 is known as:

    A. CCMP

    B. TPM

    C. TKIP

    D. MTBF

32. Which of the following WAP configuration settings allows for adjusting the boundary range of the

    wireless signal?

    A. Beacon frame

    B. Power level controls

    C. Quality of Service (QoS)

    D. MAC filtering

    33. Which of the following answers refers to a solution allowing administrators to block Internet access

    for users until they perform required action?

    A. Access logs

    B. Mantrap

    C. Post-admission NAC

    D. Captive portal

    34. An antivirus software identifying non-malicious file as a virus due to faulty virus signature file is an

    example of:

    A. Fault tolerance

    B. False positive error

    C. Incident isolation

    D. False negative error

    35. Which of the following terms refers to a situation where no alarm is raised when an attack has taken

    place?

    A. False negative

    B. True positive

    C. False positive

    D. True negative

36. A policy outlining ways of collecting and managing personal data is known as:

    A. Acceptable use policy

    B. Audit policy

    C. Privacy policy

    D. Data loss prevention

    37. Which of the following acronyms refers to a set of rules enforced in a network that restrict the use

    to which the network may be put?

    A. OEM

    B. AUP

    C. UAT

    D. ARO

    38. One of the goals behind the mandatory vacations policy is to mitigate the occurrence of fraudulent

    activity within the company.

    A. True

    B. False

    39. Which of the following answers refers to a concept of having more than one person required to

    complete a given task?

    A. Acceptable use policy

    B. Privacy policy

    C. Multifactor authentication

    D. Separation of duties

    40. A security rule that prevents users from accessing information and resources that lie beyond the

    scope of their responsibilities is known as:

    A. Order of volatility

    B. Principle of least privilege

    C. Privacy policy

    D. Single sign-on

41. Which of the following acronyms refers to a risk assessment formula defining probable financial loss

    due to a risk over a one-year period?

    A. ARO

    B. ALE

    C. SLE

    D. UAT

    42. Single Loss Expectancy (SLE) = Asset Value (AV) x Exposure Factor (EF)

    The Exposure Factor (EF) used in the formula above refers to the impact of the risk over the asset, or

    percentage of asset lost when a specific threat is realized. Which of the following answers lists the

    correct EF value for an asset that is entirely lost?

    A. 0

    B. 100

    C. 1.0

    D. 0.1
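Worked example (added here as an illustration; it is not part of the original practice exam): the SLE and ALE formulas from questions 41 and 42 as a small Python module. The asset value, exposure factors and ARO figures are made-up inputs. The control_value function (ALE before the control, minus ALE after it, minus the control's annual cost) goes slightly beyond the two formulas quoted in the question, but it is the standard way these numbers are used to decide whether a control is worth buying.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One threat against one asset, in the quantitative risk model used by the exam."""
    asset_value: float       # AV: value of the asset, in currency units
    exposure_factor: float   # EF: fraction of AV lost per occurrence, 0.0 .. 1.0 (1.0 = total loss)
    aro: float               # ARO: expected number of occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            # A value such as 100 (question 42, option B) is a percentage, not an EF.
            raise ValueError("EF must be a fraction between 0.0 and 1.0")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def aro_from_interval(years_between_events: float) -> float:
    """ARO for an event expected once every N years (once in 4 years -> 0.25)."""
    return 1.0 / years_between_events


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Cost/benefit of a control: ALE(before) - ALE(after) - annual cost of the control.
    A positive result means the control is expected to save more than it costs per year."""
    return before.ale() - after.ale() - annual_control_cost


# Made-up scenario: a 50,000 web server that ransomware destroys entirely (EF = 1.0),
# expected once every two years; nightly off-site backups cut the loss to 20% of the
# asset value and cost 8,000 per year to run.
RANSOMWARE_NO_BACKUPS = Risk(asset_value=50_000, exposure_factor=1.0, aro=aro_from_interval(2))
RANSOMWARE_WITH_BACKUPS = Risk(asset_value=50_000, exposure_factor=0.2, aro=aro_from_interval(2))

if __name__ == "__main__":
    print("SLE without backups:", RANSOMWARE_NO_BACKUPS.sle())
    print("ALE without backups:", RANSOMWARE_NO_BACKUPS.ale())
    print("ALE with backups:   ", RANSOMWARE_WITH_BACKUPS.ale())
    print("Value of backups:   ", control_value(RANSOMWARE_NO_BACKUPS, RANSOMWARE_WITH_BACKUPS, 8_000))
```

A control is worth deploying when the ALE it removes exceeds its own annual cost; here the backups remove 20,000 of expected annual loss for 8,000, a net gain of 12,000 per year.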

    43. Contracting out a specialized technical component when the company's employees lack the

    necessary skills is an example of:

    A. Risk deterrence

    B. Risk avoidance

    C. Risk acceptance

    D. Risk transference

    44. Disabling certain system functions or shutting down the system when risks are identified is an

    example of:

    A. Risk acceptance

    B. Risk avoidance

    C. Risk transference

    D. Risk deterrence

45. What type of risk management strategy is in place when accessing the network involves a login

    banner warning designed to inform potential attacker of the likelihood of getting caught?

    A. Risk avoidance

    B. Risk acceptance

    C. Risk deterrence

    D. Risk transference

    46. Which of the following terms refers to one of the hardware-related disadvantages of the

    virtualization technology?

    A. Single point of failure

    B. Server clustering

    C. Privilege escalation

    D. Power and cooling costs

    47. An agreement between a service provider and the user(s) defining the nature, availability, quality,

    and scope of the service to be provided is known as:

    A. SLE

    B. BPA

    C. SLA

    D. DLP

    48. A document established between two or more parties to define their respective responsibilities in

    accomplishing a particular goal or mission is known as:

    A. BPA

    B. MOU

    C. SLE

    D. ISA

49. Which of the following answers refers to an agreement established between the organizations that

    own and operate connected IT systems to document the technical requirements of the interconnection?

    A. ISA

    B. ALE

    C. MOU

    D. BPA

    50. In forensic procedures, a sequence of steps in which different types of evidence should be collected

    is known as:

    A. Order of volatility

    B. Layered security

    C. Chain of custody

    D. Transitive access

    51. In forensic procedures, a chronological record outlining persons in possession of an evidence is

    referred to as:

    A. Proxy list

    B. Order of volatility

    C. Access log

    D. Chain of custody

    52. Taking hashes ensures that data retains its:

    A. Confidentiality

    B. Integrity

    C. Order of volatility

    D. Availability

53. A sticky note with a password kept on sight in user's cubicle would be a violation of which of the

    following policies?

    A. Data labeling policy

    B. Clean desk policy

    C. User account policy

    D. Password complexity

    54. Which of the following security controls is used to prevent tailgating?

    A. Hardware locks

    B. Mantraps

    C. Video surveillance

    D. EMI shielding

    55. Zero-day attack exploits:

    A. New accounts

    B. Patched software

    C. Vulnerability that is present in already released software but unknown to the software developer

    D. Well known vulnerability

    56. Which of the following solutions provide(s) availability? (Select all that apply)

    A. RAID 5

    B. RAID 0

    C. Encryption

    D. RAID 1

    E. Hot site

57. Hardware-based RAID Level 0: (Select 2 answers)

    A. Offers redundancy

    B. Requires at least three drives to implement

    C. Doesn't offer fault tolerance

    D. Requires at least two drives to implement

    E. Offers fault tolerance

    58. In a differential backup strategy, restoring data from backup requires only a working copy of the last

    full backup.

    A. True

    B. False
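Worked example (added here; not part of the original exam) for question 58: a small simulation of differential versus incremental backups over a constructed four-day file history, showing which backups a restore actually needs. File deletions are ignored to keep it short.

```python
from dataclasses import dataclass


@dataclass
class Backup:
    day: int
    kind: str          # "full", "differential" or "incremental"
    files: dict        # path -> content captured by this backup


def take_backups(daily_state, strategy):
    """Simulate one backup per day over a list of filesystem snapshots.
    daily_state[i] maps path -> content on day i; day 0 always gets a full backup.
    differential: copy everything changed since the last FULL backup.
    incremental:  copy everything changed since the last backup of ANY kind."""
    backups, state_at_full, state_at_last = [], None, None
    for day, state in enumerate(daily_state):
        if day == 0:
            backups.append(Backup(day, "full", dict(state)))
            state_at_full = state_at_last = state
            continue
        reference = state_at_full if strategy == "differential" else state_at_last
        changed = {p: c for p, c in state.items() if reference.get(p) != c}
        backups.append(Backup(day, strategy, changed))
        state_at_last = state
    return backups


def restore_plan(backups):
    """Which backups must be applied, in order, to rebuild the newest state."""
    last_full = max(i for i, b in enumerate(backups) if b.kind == "full")
    later = backups[last_full + 1:]
    if not later:
        return [backups[last_full]]
    if later[-1].kind == "differential":
        return [backups[last_full], later[-1]]      # full + newest differential only
    return [backups[last_full]] + later             # full + every incremental, in order


def restore(plan):
    """Apply the backups in order; later copies overwrite earlier ones."""
    state = {}
    for b in plan:
        state.update(b.files)
    return state


# Constructed four-day history (not from the original page).
HISTORY = [
    {"a.txt": "a1", "b.txt": "b1"},                 # day 0
    {"a.txt": "a2", "b.txt": "b1"},                 # day 1: a changed
    {"a.txt": "a2", "b.txt": "b2"},                 # day 2: b changed
    {"a.txt": "a3", "b.txt": "b2", "c.txt": "c1"},  # day 3: a changed, c added
]

if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        plan = restore_plan(take_backups(HISTORY, strategy))
        print(strategy, "needs", [(b.day, b.kind) for b in plan],
              "restores latest state:", restore(plan) == HISTORY[-1])
```

Restoring from the full backup alone leaves the day-0 contents in place, which is why the statement in question 58 is false: a differential restore needs the last full backup plus the most recent differential (two media, but each differential grows until the next full), while an incremental restore needs the last full backup plus every incremental taken since it (smaller backups, longer restore chain).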

    59. A United States federal government initiative aimed at enabling agencies to continue their essential

    functions across a broad spectrum of emergencies is known as:

    A. OVAL

    B. TACACS

    C. COOP

    D. OCSP

    60. Which of the following security controls provides confidentiality?

    A. CCTV

    B. Encryption

    C. Digital signatures

    D. Hashing

61. Steganography allows for:

    A. Checking data integrity

    B. Calculating hash values

    C. Hiding data within another piece of data

    D. Data encryption

    62. Which of the following security controls provide(s) integrity? (Select all that apply)

    A. Hashing

    B. Fault tolerance

    C. Digital signatures

    D. Non-repudiation

    E. Encryption

    63. What is the purpose of non-repudiation?

    A. Hiding one piece of data in another piece of data

    B. Ensuring that received data hasn't changed in transit

    C. Preventing someone from denying that they have taken specific action

    D. Transforming plaintext into ciphertext

    64. Which of the following answers refers to a general term used to describe software designed

    specifically to damage or disrupt the operation of a computer system?

    A. Adware

    B. Spyware

    C. Spam

    D. Malware

65. What is adware?

    A. Unsolicited or undesired electronic messages

    B. Malicious program that sends copies of itself to other computers on the network

    C. Software that displays advertisements

    D. Malicious software that collects information about users without their knowledge

    66. A computer program containing malicious segment that attaches itself to an application program or

    other executable component is called:

    A. Adware

    B. Virus

    C. Spam

    D. Flash cookie

    67. Malicious software collecting information about users without their knowledge/consent is called:

    A. Logic bomb

    B. Adware

    C. Computer worm

    D. Spyware

    68. Which of the following answers refers to malicious software performing unwanted and harmful

    actions in disguise of a legitimate and useful program?

    A. Trojan horse

    B. Spyware

    C. Logic bomb

    D. Adware

69. A collection of software tools used by a hacker in order to mask intrusion and obtain administrator-level access to a computer or computer network is known as:

    A. Backdoor

    B. Botnet

    C. Rootkit

    D. Armored virus

    70. Which of the following answers refers to an undocumented way of gaining access to a program,

    online service or an entire computer system?

    A. Tailgating

    B. Rootkit

    C. Trojan horse

    D. Backdoor

    71. Malicious code activated by a specific event is known as:

    A. Logic bomb

    B. Spyware

    C. Trojan horse

    D. Armored virus

    72. A group of computers running malicious software under control of a hacker is referred to as:

    A. Intranet

    B. Botnet

    C. Ethernet

    D. Subnet

73. Malware that restricts access to a computer system by encrypting files or locking the entire system

    down until the user performs requested action is known as:

    A. Grayware

    B. Adware

    C. Ransomware

    D. Spyware

    74. The process by which malicious software changes its underlying code to avoid detection is called:

    A. Fuzzing

    B. Polymorphism

    C. Pharming

    D. Spoofing

    75. A type of virus that takes advantage of various mechanisms specifically designed to make tracing,

    disassembling and reverse engineering its code more difficult is known as:

    A. Armored virus

    B. Rootkit

    C. Logic bomb

    D. Backdoor

    76. Which of the following is an example of active eavesdropping?

    A. Phishing

    B. DDoS

    C. Xmas attack

    D. MITM

77. Which of the following attacks uses multiple compromised computer systems against its target?

    (Select best answer)

    A. Spear phishing

    B. DoS

    C. Watering hole attack

    D. DDoS

    78. A replay attack occurs when an attacker intercepts user credentials and tries to use this information

    later for gaining unauthorized access to resources on a network.

    A. True

    B. False

    79. Which of the following authentication protocols offer(s) countermeasures against replay attacks?

    (Select all that apply)

    A. NTP

    B. PAP

    C. Kerberos

    D. CHAP

    80. An email sent from unknown source disguised as a source known to the message receiver is an

    example of:

    A. Spoofing

    B. Shoulder surfing

    C. Backdoor

    D. Birthday attack

81. Which of the following answers apply to smurf attack? (Select 3 answers)

    A. IP spoofing

    B. Privilege escalation

    C. DDoS

    D. Polymorphic malware

    E. Order of volatility

    F. Large amount of ICMP echo replies

    82. URL hijacking is also referred to as:

    A. Session hijacking

    B. Sandboxing

    C. Typo squatting

    D. Shoulder surfing

    83. What is tailgating?

    A. Looking over someone's shoulder in order to get information

    B. Scanning for unsecured wireless networks while driving in a car

    C. Manipulating a user into disclosing confidential information

    D. Gaining unauthorized access to restricted areas by following another person

    84. Which of the following terms refers to a rogue access point?

    A. Computer worm

    B. Backdoor

    C. Evil twin

    D. Trojan horse

85. The practice of sending unsolicited messages over Bluetooth is known as:

    A. Vishing

    B. Bluejacking

    C. Phishing

    D. Bluesnarfing

    86. Gaining unauthorized access to a Bluetooth device is referred to as:

    A. Xmas attack

    B. Bluesnarfing

    C. Bluejacking

    D. Pharming

    87. A monitored host or network specifically designed to detect unauthorized access attempts is known

    as:

    A. Botnet

    B. Rogue access point

    C. Honeypot

    D. Flood guard

    88. Penetration testing: (Select all that apply)

    A. Bypasses security controls

    B. Only identifies lack of security controls

    C. Actively tests security controls

    D. Exploits vulnerabilities

    E. Passively tests security controls

89. Finding vulnerability in an application by feeding it incorrect input is known as:

    A. Patching

    B. Exception handling

    C. Application hardening

    D. Fuzzing

    90. The term Trusted OS refers to an operating system:

    A. Admitted to a network through NAC

    B. Implementing patch management

    C. That has been authenticated on the network

    D. With enhanced security features

    91. Which of the following acronyms refers to a microchip embedded on the motherboard of a personal

    computer or laptop that can store keys, passwords and digital certificates?

    A. FRU

    B. EFS

    C. TPM

    D. HCL

    92. An authentication subsystem that enables a user to access multiple, connected system components

    (such as separate hosts on a network) after a single login at only one of the components is known as:

    A. SSO

    B. TLS

    C. SSL

    D. WAP

93. Which of the following is an example of a multi-factor authentication?

    A. Password and biometric scan

    B. User name and PIN

    C. Smart card and identification badge

    D. Iris and fingerprint scan

    94. Which of the following technologies simplifies configuration of new wireless networks by providing

    non-technical users with a capability to easily configure network security settings and add new devices

    to an existing network?

    A. WPA

    B. WPS

    C. WEP

    D. WAP

    95. Penetration test with the prior knowledge on how the system that is to be tested works is known as:

    A. White hat

    B. Sandbox

    C. White box

    D. Black box

    96. The practice of finding vulnerability in an application by feeding it incorrect input is referred to as:

    A. Patching

    B. Exception handling

    C. Application hardening

    D. Fuzzing

97. Which of the following answers refers to a stream cipher?

    A. DES

    B. AES

    C. RC4

    D. 3DES

    98. Which of the following solutions would be the fastest in validating digital certificates?

    A. IPX

    B. OCSP

    C. CRL

    D. OSPF

    99. Copies of lost private encryption keys can be retrieved from a key database by:

    A. Power users

    B. Recovery agents

    C. GPS tracking

    D. Backup operators

    100. What is the name of a storage solution used to retain copies of private encryption keys?

    A. Trusted OS

    B. Key escrow

    C. Proxy

    D. Recovery agent
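Worked example (added here; not part of the original exam) for questions 52, 60, 62, 63 and 97: an RC4 stream cipher (the stream cipher of question 97) encrypts a made-up payment message; a bit-flipping attack then changes the amount without knowing the key, which shows that encryption provides confidentiality but not integrity (questions 60 and 62); a SHA-256 hash detects the change (question 52); and an HMAC computed over the ciphertext stops the forgery from being accepted, because the attacker cannot recompute the tag without the MAC key (the integrity and authenticity half of question 62). The keys, message and field offset are constructed for the demonstration only.

```python
import hashlib
import hmac


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher (key scheduling + keystream generation). Encryption and decryption
    are the same operation. Included only to demonstrate the properties below; RC4 is broken
    and must not be used in new systems."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def fingerprint(data: bytes) -> str:
    """SHA-256 hash: detects any change to the data (question 52) but gives no confidentiality."""
    return hashlib.sha256(data).hexdigest()


def bitflip(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Bit-flipping attack on any stream cipher: since C = P xor keystream, an attacker who
    knows the plaintext bytes `known` at `offset` can turn them into `wanted` without the key."""
    if len(known) != len(wanted):
        raise ValueError("replacement must have the same length as the known plaintext")
    buf = bytearray(ciphertext)
    for k, (o, w) in enumerate(zip(known, wanted)):
        buf[offset + k] ^= o ^ w
    return bytes(buf)


def mac(key: bytes, ciphertext: bytes) -> bytes:
    """HMAC-SHA256 over the ciphertext (encrypt-then-MAC). Unlike a bare hash, the attacker
    cannot recompute it without the MAC key, so it provides integrity and authenticity."""
    return hmac.new(key, ciphertext, hashlib.sha256).digest()


def verify(key: bytes, ciphertext: bytes, tag: bytes) -> bool:
    """Constant-time comparison, so timing does not leak how many tag bytes matched."""
    return hmac.compare_digest(mac(key, ciphertext), tag)


# Made-up keys and message for the demonstration.
ENC_KEY, MAC_KEY = b"stream-key", b"mac-key"
MESSAGE = b"PAY=0100 TO=alice"


def demo() -> dict:
    ciphertext = rc4(ENC_KEY, MESSAGE)
    tag = mac(MAC_KEY, ciphertext)
    # The attacker knows the amount field sits at offset 4 and rewrites it blindly.
    forged = bitflip(ciphertext, 4, b"0100", b"9900")
    forged_plain = rc4(ENC_KEY, forged)
    return {
        "decrypts_to": forged_plain,                                  # b"PAY=9900 TO=alice"
        "hash_detects_change": fingerprint(MESSAGE) != fingerprint(forged_plain),
        "mac_ok_original": verify(MAC_KEY, ciphertext, tag),          # True
        "mac_ok_forged": verify(MAC_KEY, forged, tag),                # False: tampering detected
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A digital signature (question 63) plays the same role as the HMAC but uses the signer's private key, which is what adds non-repudiation: an HMAC key is shared between both parties, so either of them could have produced the tag.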

ANSWERS

    1. Answer: B. VPN concentrator

    Explanation: Virtual Private Network (VPN) is a logical, restricted-use network created with the use of

    encryption and tunneling protocols over physical, public network links. A dedicated device for managing

    VPN connections established over an untrusted network, such as the Internet, is called VPN

    concentrator.

    2. Answer: A. IDS

    Explanation: Intrusion Detection Systems (IDSs) rely on passive response which might include recording

    an event in logs or sending a notification alert. An IDS doesn't take any active steps in order to prevent

    an intrusion.

    3. Answers: B and D. Packet sniffer and Protocol analyzer

    Explanation: Protocol analyzer is a software tool used to monitor and examine contents of network

    traffic. Protocol analyzers are also referred to as packet sniffers.

    4. Answer: C. UTM

    Explanation: The term Unified Threat Management (UTM) refers to a network security solution

    (commonly in the form of a dedicated device called UTM appliance) which combines the functionality of

    a firewall with additional safeguards such as for example URL filtering, spam filtering, gateway antivirus

    protection, intrusion detection or prevention, content inspection, or malware inspection.

    5. Answer: A. NIPS

    Explanation: Network Intrusion Prevention system (NIPS) inspects network traffic in real-time and has

    the capability to stop the attack.

    6. Answers: C and E. Logging and Sending an alert

    Explanation: Intrusion Detection Systems (IDSs) rely on passive response which might include recording

    an event in logs or sending a notification alert. An IDS doesn't take any active steps in order to prevent

    an intrusion.

    7. Answer: D. ACL

Explanation: An Access Control List (ACL) contains a set of rules that specify which users or system

    processes are granted access to objects as well as what operations are allowed on a given object.

    8. Answer: C. Anomaly-based

    Explanation: Anomaly-based Intrusion Detection System (IDS) relies on the previously established

    baseline of normal network activity in order to detect intrusions. A Signature-based IDS relies on known

    attack patterns to detect an intrusion.

    9. Answer: B. Port-based network access control

Explanation: 802.1X is an Institute of Electrical and Electronics Engineers (IEEE) standard for port-based network access control. 802.1X provides mechanisms to authenticate devices connecting to a Local Area Network (LAN) or Wireless Local Area Network (WLAN): the switch port or access point (the authenticator) relays the connecting device's (the supplicant's) credentials, carried over EAP, to an authentication server such as RADIUS, and only opens the port to normal traffic after successful authentication. Due to a similar name, 802.1X is sometimes confused with 802.11x (a general term used in reference to the family of wireless networking standards).

    10. Answer: A. Flood guard

Explanation: Flooding is a type of Denial of Service (DoS) attack aimed at providing more input than a networked host can process properly, so that it becomes overwhelmed with false requests and as a result doesn't have the time and/or system resources to handle legitimate requests. The attack described in the question is a SYN flood: the attacker sends a large number of TCP SYN segments (often from spoofed source addresses) and never completes the three-way handshake, leaving the target with a growing table of half-open connections. Enabling flood guard (flood detection) on networking equipment, which limits the number of half-open connections per source or per interface, provides a countermeasure against this type of attack.

    11. Answer: C. STP

Explanation: Spanning Tree Protocol (STP) is used to prevent switching loops. A switching loop occurs when there is more than one active link between two network switches, or when two ports on the same switch become connected to each other; without STP, broadcast frames circulate indefinitely (a broadcast storm) and the switches' MAC address tables flap between ports. STP blocks the redundant links and keeps a single loop-free path through the network.

    12. Answer: B. Signature-based

    Explanation: Signature-based Intrusion Detection System (IDS) relies on known attack patterns to detect

    an intrusion. Anomaly-based IDS relies on the previously established baseline of normal network activity

    in order to detect intrusions. Load balancers are network devices designed for managing the optimal

    distribution of workloads across multiple computing resources. A protocol analyzer (also known as

    packet sniffer) is a software tool used to monitor and examine contents of network traffic.
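Worked example (added here; not part of the original exam) of the two detection approaches contrasted in answers 8 and 12, run over constructed web-server access-log lines. Signature matching looks for known attack patterns in each request; anomaly detection learns a per-client request-rate baseline from known-good traffic and flags clients that exceed it. Each method catches something the other misses, and the k parameter (standard deviations above the mean) is the knob that trades false positives against false negatives (questions 34 and 35). The IP addresses, paths and patterns are made up for the example.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original page). One request per line:
# <client-ip> <method> <path>
BASELINE_LOG = """\
10.0.0.5 GET /index.html
10.0.0.5 GET /contact
10.0.0.6 GET /about.html
10.0.0.6 GET /login
10.0.0.6 POST /login
10.0.0.7 GET /index.html
10.0.0.7 GET /pricing
10.0.0.8 GET /index.html
10.0.0.8 GET /docs
10.0.0.8 GET /docs/intro
10.0.0.9 GET /index.html
10.0.0.9 GET /contact
"""

# The window under inspection: two requests matching known attack patterns, plus one
# client (10.0.0.9) that suddenly makes 40 requests to harmless-looking pages.
OBSERVED_LOG = """\
10.0.0.5 GET /index.html
10.0.0.5 GET /contact
10.0.0.8 GET /../../etc/passwd
10.0.0.6 POST /login?user=admin'%20OR%20'1'='1
""" + "".join(f"10.0.0.9 GET /page{i}\n" for i in range(40))

# Signature-based detection: known attack patterns, matched against the URL-decoded path.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"(?i)'\s*or\s*'1'\s*=\s*'1"),
}


def parse(log_text: str):
    """Split log lines into (client, method, path) tuples."""
    entries = []
    for line in log_text.splitlines():
        if line.strip():
            client, method, path = line.split(maxsplit=2)
            entries.append((client, method, path))
    return entries


def signature_alerts(entries):
    """Return (client, signature-name, path) for every request matching a known pattern."""
    alerts = []
    for client, _, path in entries:
        decoded = unquote(path)          # decode %20 etc. so encoding does not evade the rule
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                alerts.append((client, name, path))
    return alerts


def anomaly_alerts(baseline, observed, k: float = 3.0):
    """Anomaly-based detection: learn requests-per-client from a known-good baseline and
    flag any client in the observed window whose request count exceeds mean + k * stdev."""
    base_counts = list(Counter(client for client, _, _ in baseline).values())
    threshold = statistics.mean(base_counts) + k * statistics.pstdev(base_counts)
    observed_counts = Counter(client for client, _, _ in observed)
    return {client: n for client, n in observed_counts.items() if n > threshold}


if __name__ == "__main__":
    observed = parse(OBSERVED_LOG)
    print("signature alerts:", signature_alerts(observed))
    print("anomaly alerts:  ", anomaly_alerts(parse(BASELINE_LOG), observed))
```

The signature rules never fire on 10.0.0.9, whose requests look individually normal, and the anomaly rule never fires on the single traversal or injection request, which is why the two approaches are normally deployed together.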

    13. Answer: D. DMZ

Explanation: In the context of computer security, the term Demilitarized Zone (DMZ) refers to a lightly protected subnet consisting of publicly available servers placed on the outside of the company's firewall. In practice the DMZ usually sits between an external and an internal firewall (or on a dedicated interface of a single firewall), so that a compromised public-facing server cannot reach the internal network directly.

    14. Answer: A. PBX

    Explanation: Private Branch Exchange (PBX) is an internal telephone exchange or switching system

    implemented in a particular business or office. PBX allows for handling of internal communications

    without the use of paid Public Switched Telephone Network (PSTN) service.

    15. Answer: A. NAC

    Explanation: Network Access Control (NAC) defines a set of rules enforced in a network that the clients

    attempting to access the network must comply with. With NAC, policies can be enforced before or after

    end-stations gain access to the network. NAC can be implemented as Pre-admission NAC, where a host

    must, for example, be virus free or have patches applied before it is allowed to connect to the network,

    and/or Post-admission NAC, where a host is being granted/denied permissions based on its actions after

    it has been provided with the access to the network.

    16. Answer: C. NAT

    Explanation: Network Address Translation (NAT) is a technology that provides an IP proxy between a

    private Local Area Network (LAN) and a public network such as the Internet. Computers on the private

    LAN can access the Internet through a NAT-capable router which handles the IP address translation. NAT

    hides the internal IP addresses by modifying IP address information in IP packet headers while in transit

    across a traffic routing device.

    17. Answer: A. IaaS

    Explanation: Infrastructure as a Service (IaaS) is one of the cloud computing infrastructure types where

    clients, instead of buying all the hardware and software, purchase computing resources as an

    outsourced service from suppliers who own and maintain all the necessary equipment. The clients

    usually pay for computational resources on a per-use basis. In IaaS, cost of the service depends on the

    amount of consumed resources.

    18. Answer: C. PaaS

Explanation: Platform as a Service (PaaS) is a category of cloud computing services providing cloud-based application development tools, in addition to services for testing, deploying, collaborating on, hosting, and maintaining applications.

19. Answer: B. SaaS

    Explanation: Software as a Service (SaaS) is a type of cloud computing infrastructure where applications

    are hosted over a network (typically Internet) eliminating the need to install and run the software on the

    customer's own computers and simplifying maintenance and support. Compared to conventional

    software deployment which requires licensing fee and often investment in additional hardware on the

    client side, SaaS can be delivered at a lower cost by providing remote access to applications and pricing

    based on monthly or annual subscription fee.

    20. Answer: B. SNMP

Explanation: Simple Network Management Protocol (SNMP) is a protocol used in network management systems to monitor network-attached devices. SNMP is typically integrated into most modern network infrastructure devices such as routers, bridges, switches, servers, printers, copiers, fax machines, and other network-attached devices.

An SNMP-managed network consists of three key components: a managed device, a network-management software module that resides on the managed device (the Agent), and a network management system (NMS) which executes applications that monitor and control managed devices and collect SNMP information from Agents. All SNMP-compliant devices include a virtual database called the Management Information Base (MIB) containing information about the configuration and state of the device that can be queried by the SNMP management station.

The manager receives notifications (Traps and InformRequests) on UDP port 162. The SNMP Agent receives requests on UDP port 161 and, before answering a request from the SNMP manager, verifies that the manager belongs to an SNMP community with access privileges to the Agent. An SNMP community is a group that consists of SNMP devices and one or more SNMP managers. The community has a name, and all members of a community have the same access privileges. An SNMP device or Agent may belong to more than one SNMP community, and it will not respond to requests from management stations that do not belong to one of its communities.

The relationship between the SNMP manager and the managed devices is defined by the so-called community string, which acts like a password. SNMPv1 and SNMPv2c offer only authentication based on community strings sent in cleartext, so anyone able to sniff the traffic can read them; the widely used defaults "public" (read-only) and "private" (read-write) should be changed, and UDP ports 161 and 162 should be blocked at the network perimeter. SNMPv3 adds user-based authentication, packet encryption, and message integrity (hashing) mechanisms that allow for checking whether data has changed in transit.
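Worked example (added here; not from the original page): a minimal BER encoder and decoder for the SNMPv1 message format described above. It builds a GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0) with the community string "public", then parses the raw UDP payload back to show that the version and community string are recoverable by anyone who can capture the packet, which is the cleartext weakness the explanation refers to. The community strings are made-up inputs and nothing is sent on the network; the decoder is the kind of check you would run over SNMP payloads pulled from a packet capture.

```python
# ASN.1/BER tags used by SNMP (universal tags plus the context-specific GetRequest tag).
SEQUENCE, INTEGER, OCTET_STRING, NULL, OID, GET_REQUEST = 0x30, 0x02, 0x04, 0x05, 0x06, 0xA0
DEFAULT_COMMUNITIES = {"public", "private"}   # vendor defaults that are commonly left in place


def _length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value


def encode_int(n: int) -> bytes:
    """Non-negative INTEGER; keeps a leading 0x00 when the high bit is set (two's complement)."""
    return tlv(INTEGER, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, later arcs base-128 with continuation bits."""
    arcs = [int(p) for p in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def snmpv1_get(community: str, oid: str, request_id: int = 1) -> bytes:
    """Build the UDP payload of an SNMPv1 GetRequest for one OID (version field 0 = SNMPv1)."""
    varbind = tlv(SEQUENCE, encode_oid(oid) + tlv(NULL, b""))
    pdu = tlv(GET_REQUEST, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, encode_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def community_from_payload(payload: bytes):
    """Return (version, community) from a raw SNMP UDP payload, e.g. one taken from a capture.
    Version 0 (SNMPv1) and 1 (SNMPv2c) carry the community string in cleartext; SNMPv3
    (version 3) does not use one, so None is returned for it."""
    tag, msg, _ = _read_tlv(payload, 0)
    if tag != SEQUENCE:
        raise ValueError("not a BER SEQUENCE, so not an SNMP message")
    _, version_bytes, pos = _read_tlv(msg, 0)
    version = int.from_bytes(version_bytes, "big")
    if version == 3:
        return version, None
    _, community, _ = _read_tlv(msg, pos)
    return version, community.decode("latin-1")


def weak_community(payload: bytes) -> bool:
    """True when the packet is v1/v2c and uses a well-known default community string."""
    version, community = community_from_payload(payload)
    return version in (0, 1) and community in DEFAULT_COMMUNITIES


if __name__ == "__main__":
    packet = snmpv1_get("public", "1.3.6.1.2.1.1.1.0")   # sysDescr.0
    print(packet.hex())
    print(community_from_payload(packet), "weak default:", weak_community(packet))
```

The hex dump shows the bytes "public" in the clear right after the version field; the same parser applied to an SNMPv3 payload returns no community string, since v3 authenticates with per-user keys instead.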

    21. Answer: D. ICMP

    Explanation: PING is a command-line utility used for checking the reachability of a remote host. It

    operates by sending Internet Control Message Protocol (ICMP) echo request packets to the destination

    host.

    22. Answers: C and D. 20 and 21

Explanation: File Transfer Protocol (FTP) is an unencrypted file exchange protocol. FTP employs TCP ports 20 and 21. The connection made over TCP port 21 (the control connection) remains open for the duration of the whole session and is used for session administration (commands, identification, and passwords); a separate data connection carries file contents and directory listings. In active mode the server opens the data connection from its TCP port 20 back to the client; in passive mode (the default for most clients today, and the one that works through client-side NAT and firewalls) the server listens on an ephemeral port and the client connects to it, so port 20 is not used. Because both credentials and data travel in cleartext, SFTP (over SSH) or FTPS (FTP over TLS) should be used instead.

    23. Answers: B, D, and E. SSH, SCP, and SFTP

    Explanation: Secure Shell (SSH) runs by default on the TCP port 22. Apart from providing the ability to

    log in remotely and execute commands on a remote host, SSH is also used for secure file transfer

    through the SSH-based protocols such as Secure Copy (SCP) or SSH File Transfer Protocol (SFTP).

    24. Answer: C. Telnet

Explanation: TCP port 23 is used by Telnet, a remote terminal protocol that sends credentials and the whole session in cleartext; SSH on TCP port 22 is its secure replacement, and Telnet should be disabled on any device that supports SSH.

    25. Answer: A. 25

    Explanation: TCP port 25 is used by the Simple Mail Transfer Protocol (SMTP). The purpose of SMTP is to

    facilitate the exchange of email messages between email servers.

    26. Answers: C and E. 110 and 143

    Explanation: TCP port number 110 is used by the Post Office Protocol v3 (POP3). TCP port 143 is used by

    the Internet Message Access Protocol (IMAP). POP and IMAP are protocols enabling retrieval of email

    messages from servers.

    27. Answer: C. 3389

    Explanation: Remote Desktop Protocol (RDP) is a Microsoft-proprietary remote connection protocol.

    RDP runs by default on TCP port 3389.

    28. Answer: B. WPA2

    Explanation: Wi-Fi Protected Access (WPA) and Wired Equivalent Privacy (WEP) are encryption

    standards designed for securing wireless networks. WEP is an older standard and due to its

    vulnerabilities is not recommended. WPA was designed as an interim replacement for WEP, and WPA2

    was introduced as the official standard offering the strongest security of the three.

29. Answer: C. MAC filter

Explanation: A network access control method based on the physical address (MAC address) of the Network Interface Card (NIC) is called MAC filtering or MAC address filtering. A 48-bit MAC address is a unique number assigned to every network adapter. Devices acting as network access points can have certain MAC addresses blacklisted or whitelisted and, based on the entry on either list, grant or deny access to the network.

30. Answer: B. Makes a WLAN harder to discover

Explanation: Service Set Identifier (SSID) is another term for the name of a Wireless Local Area Network (WLAN). Wireless networks advertise their presence by regularly broadcasting the SSID in a special packet called a beacon frame. In wireless networks with disabled security features, knowing the network SSID is enough to get access to the network. The SSID can be hidden by disabling the SSID broadcast on the Wireless Access Point (WAP), but a hidden SSID only makes a WLAN harder to discover and is not a true security measure. Wireless networks with a hidden SSID can still be discovered with the use of packet sniffing software. Security measures that help in preventing unauthorized access to a wireless network include strong encryption schemes such as WPA and WPA2.

31. Answer: A. CCMP

Explanation: Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) is an encryption mode implemented in the Wi-Fi Protected Access II (WPA2) security protocol. CCMP relies on the Advanced Encryption Standard (AES), providing much stronger security than the Wired Equivalent Privacy (WEP) protocol and the Temporal Key Integrity Protocol (TKIP) implemented in Wi-Fi Protected Access (WPA).

32. Answer: B. Power level controls

Explanation: Power level controls in Wireless Access Point (WAP) configuration settings allow for adjusting the boundary range of the wireless signal. From a security standpoint, this functionality keeps the signal coverage within the designated area and serves as a countermeasure against unauthorized network access attempts from outside.

33. Answer: D. Captive portal

Explanation: Captive portals allow administrators to block Internet access for users until they perform a required action. An example captive portal could be a web page requiring authentication and/or payment (e.g. at a public Wi-Fi hotspot) before a user is allowed to proceed and use the Internet access service.

34. Answer: B. False positive error

Explanation: Antivirus software identifying a non-malicious file as a virus due to a faulty virus signature file is an example of a false positive error.

35. Answer: A. False negative

Explanation: A situation where no alarm is raised when an attack has taken place is an example of a false negative error.

36. Answer: C. Privacy policy

Explanation: A policy outlining ways of collecting and managing personal data is known as a privacy policy.

37. Answer: B. AUP

Explanation: An Acceptable Use Policy (AUP) is a set of rules enforced in a network that restrict the use to which the network may be put.

38. Answer: A. True

Explanation: One of the goals behind the mandatory vacations policy is to mitigate the occurrence of fraudulent activity within the company.

39. Answer: D. Separation of duties

Explanation: The concept of having more than one person required to complete a given task is known as separation of duties. By delegating the tasks and associated privileges for a specific process among multiple users, this internal control type provides a countermeasure against fraud and errors.

40. Answer: B. Principle of least privilege

Explanation: A security rule that prevents users from accessing information and resources that lie beyond the scope of their responsibilities is known as the principle of least privilege.

41. Answer: B. ALE

Explanation: A risk assessment formula defining probable financial loss due to a risk over a one-year period is known as Annual Loss Expectancy (ALE).

42. Answer: C. 1.0

Explanation: The Exposure Factor (EF) for an example asset that is entirely lost due to the impact of the risk on the asset equals 1.

43. Answer: D. Risk transference

Explanation: Contracting out a specialized technical component when the company's employees lack the necessary skills is an example of risk transference.

44. Answer: B. Risk avoidance

Explanation: Disabling certain system functions or shutting down the system when risks are identified is an example of risk avoidance.

45. Answer: C. Risk deterrence

Explanation: A login banner warning designed to inform a potential attacker of the likelihood of getting caught falls into the category of risk deterrence measures.

46. Answer: A. Single point of failure

Explanation: Virtualization is a technology that allows multiple operating systems to work simultaneously on the same hardware. One of the disadvantages of virtualization relates to the fact that the hardware used for the purpose of virtualization becomes a single point of failure.

47. Answer: C. SLA

Explanation: A Service-Level Agreement (SLA) is an agreement between a service provider and the user(s) defining the nature, availability, quality, and scope of the service to be provided.

48. Answer: B. MOU

Explanation: A document established between two or more parties to define their respective responsibilities in accomplishing a particular goal or mission is known as a Memorandum of Understanding (MOU).

49. Answer: A. ISA

Explanation: The term Interconnection Security Agreement (ISA) refers to an agreement established between the organizations that own and operate connected IT systems to document the technical requirements of the interconnection.

50. Answer: A. Order of volatility

Explanation: In forensic procedures, the sequence of steps in which different types of evidence should be collected is known as the order of volatility.

51. Answer: D. Chain of custody

Explanation: In forensic procedures, a chronological record outlining the persons in possession of evidence is referred to as the chain of custody.

52. Answer: B. Integrity

Explanation: Taking hashes ensures that data retains its integrity. Hash functions allow for mapping large amounts of data content to a small string of characters. The result of a hash function provides the exact "content in a nutshell" (in the form of a string of characters) derived from the main content. In case there is any change to the data after the original hash was taken, the next time the hash function is applied the resulting hash value calculated after content modification will be different from the original hash. In computer forensics procedures, comparing hashes taken at different stages of the evidence handling process ensures that the evidence hasn't been tampered with and stays intact.
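As an added example (not part of the original practice exam), the hash comparison described above carried out in Python: a SHA-256 digest is recorded at each evidence-handling stage and every later stage is checked against the acquisition digest. The stage names and the evidence bytes are constructed for this illustration.

```python
"""Verify evidence integrity by comparing hashes taken at each handling stage."""
import hashlib
import hmac
from typing import List, Optional, Tuple

# A verification log is a list of (stage name, hex digest) pairs in the
# order the stages happened; the first entry is the acquisition baseline.
HashLog = List[Tuple[str, str]]


def sha256_hex(data: bytes) -> str:
    """Map content of any size to a fixed-length 64-character hex digest."""
    return hashlib.sha256(data).hexdigest()


def hash_at_stage(log: HashLog, stage: str, data: bytes) -> str:
    """Record the digest of the evidence as it exists at a given stage."""
    digest = sha256_hex(data)
    log.append((stage, digest))
    return digest


def first_mismatch(log: HashLog) -> Optional[str]:
    """Return the first stage whose digest differs from the acquisition
    digest, or None when every stage matches (evidence is intact)."""
    if not log:
        raise ValueError("log must contain at least the acquisition digest")
    baseline = log[0][1]
    for stage, digest in log[1:]:
        # compare_digest is a constant-time comparison; plain equality would
        # also work for hex strings, but this is the habit worth keeping.
        if not hmac.compare_digest(baseline, digest):
            return stage
    return None


# Constructed sample evidence (a tiny disk-image stand-in), not real data.
EVIDENCE = b"MBR\x00" + bytes(range(64)) + b"\x55\xaa"


def intact_handling() -> Optional[str]:
    """Evidence copied unchanged through transport and analysis."""
    log: HashLog = []
    for stage in ("acquisition", "transport", "analysis"):
        hash_at_stage(log, stage, EVIDENCE)
    return first_mismatch(log)  # None: all digests equal


def tampered_handling() -> Optional[str]:
    """A single bit altered before analysis changes the whole digest."""
    log: HashLog = []
    hash_at_stage(log, "acquisition", EVIDENCE)
    hash_at_stage(log, "transport", EVIDENCE)
    altered = bytearray(EVIDENCE)
    altered[10] ^= 0x01  # one-bit change
    hash_at_stage(log, "analysis", bytes(altered))
    return first_mismatch(log)  # "analysis"


if __name__ == "__main__":
    print("intact evidence, first mismatch:", intact_handling())
    print("tampered evidence, first mismatch:", tampered_handling())
```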

53. Answer: B. Clean desk policy

Explanation: A sticky note with a password kept in sight in a user's cubicle would be a violation of the clean desk policy.

54. Answer: B. Mantraps

Explanation: Mantraps are two-door entrance points connected to a guard station. A person entering the mantrap from the outside remains inside until he/she provides the authentication token required to unlock the inner door. Mantraps are used to prevent tailgating, which is the practice of gaining unauthorized access to restricted areas by following another person.

55. Answer: C. Vulnerability that is present in already released software but unknown to the software developer

Explanation: Zero-day attacks exploit vulnerabilities that are present in already released software but unknown to the software developer.

56. Answers: A, D, and E. RAID 5, RAID 1, and Hot site

Explanation: Availability provides assurance that resources can be used when needed. Redundant Array of Independent Disks (RAID) is a collection of different data storage schemes (referred to as RAID levels) that allow for combining multiple hard disks into a single logical unit in order to increase fault tolerance and performance. RAID levels increase availability by allowing the system to remain operational even when one of its components (hard drives) fails (this applies to all RAID levels except RAID 0, which doesn't provide any fault tolerance). A hot site is an alternate site where a company can move its operations in case of failure of the main site.

57. Answers: C and D. Doesn't offer fault tolerance and Requires at least two drives to implement

Explanation: Redundant Array of Independent Disks (RAID) is a collection of different data storage schemes (referred to as RAID levels) that allow for combining multiple hard disks into a single logical unit in order to increase fault tolerance and performance. RAID Level 0 breaks data into fragments called blocks, and each block of data is written to a separate disk drive. This greatly improves performance, as every physical disk drive handles only a part of the workload related to write and read operations. Each consecutive physical drive included in this type of array improves the speed of read/write operations by adding more hardware resources to handle a decreasing amount of workload per drive. The main disadvantage of RAID 0 is that it doesn't offer any fault tolerance. Each of the drives holds only part of the information, and in case of failure of any of the drives there is no way to rebuild the array, which in turn results in the loss of all data. Hardware-based RAID Level 0 requires a minimum of two disk drives to implement.

58. Answer: B. False

Explanation: In a differential backup strategy, restoring data from backup requires working copies of the most recent full backup and the last differential backup.
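An added example (not from the practice exam) that simulates the backup strategy on a constructed three-day file history, so the restore requirement stated above can be checked directly; it goes slightly beyond the explanation by also showing the incremental strategy, which needs the whole chain of backups rather than just the last one. File paths, contents, and the function names are all constructed for this illustration.

```python
"""Simulate full, differential and incremental backups of a small file tree
and show which backup sets each restore strategy needs."""
from typing import Dict, List

# A file tree is modelled as {path: content}; deletions are out of scope here.
FileTree = Dict[str, str]


def changed_since(current: FileTree, baseline: FileTree) -> FileTree:
    """Files whose content differs from (or is missing in) the baseline."""
    return {path: data for path, data in current.items()
            if baseline.get(path) != data}


def restore_differential(full: FileTree, last_differential: FileTree) -> FileTree:
    """Differential restore: the full backup plus only the latest differential."""
    return {**full, **last_differential}


def restore_incremental(full: FileTree, incrementals: List[FileTree]) -> FileTree:
    """Incremental restore: the full backup plus every incremental, in order."""
    state = dict(full)
    for inc in incrementals:
        state.update(inc)
    return state


# Constructed history: full backup on day 0, the database changes on day 1,
# the notes file changes on day 2 (and nothing else is touched that day).
DAY0: FileTree = {"/etc/hosts": "v0", "/srv/db.sqlite": "v0", "/home/u/notes.txt": "v0"}
DAY1: FileTree = {**DAY0, "/srv/db.sqlite": "v1"}
DAY2: FileTree = {**DAY1, "/home/u/notes.txt": "v2"}


def run_backups():
    """Produce the three backup sets an operator would have on day 2."""
    full = dict(DAY0)
    # Differential: each set holds everything changed since the FULL backup,
    # so the sets grow over time but the last one is self-sufficient.
    differentials = [changed_since(DAY1, full), changed_since(DAY2, full)]
    # Incremental: each set holds only what changed since the PREVIOUS backup,
    # so the sets stay small but every one of them is needed for a restore.
    incrementals = [changed_since(DAY1, DAY0), changed_since(DAY2, DAY1)]
    return full, differentials, incrementals


def compare_strategies() -> Dict[str, bool]:
    """Report which restore inputs reproduce the day-2 state exactly."""
    full, differentials, incrementals = run_backups()
    return {
        "full+last_differential": restore_differential(full, differentials[-1]) == DAY2,
        "full+all_incrementals": restore_incremental(full, incrementals) == DAY2,
        # Using only the last incremental silently loses day 1's database change.
        "full+last_incremental_only": restore_incremental(full, [incrementals[-1]]) == DAY2,
    }


if __name__ == "__main__":
    for strategy, ok in compare_strategies().items():
        print(f"{strategy:28s} restores day 2 exactly: {ok}")
```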

59. Answer: C. COOP

Explanation: Continuity of Operations Planning (COOP) is a United States federal government initiative aimed at enabling agencies to continue their essential functions across a broad spectrum of emergencies.

60. Answer: B. Encryption

Explanation: Confidentiality is achieved by encrypting data so that it becomes unreadable to anyone except the person with the decryption key.

61. Answer: C. Hiding data within another piece of data

Explanation: Steganography allows for hiding data within another piece of data.

62. Answers: A, C, and D. Hashing, Digital signatures, and Non-repudiation

Explanation: Hashing, digital signatures, and non-repudiation fall into the category of security controls aimed at providing integrity.

63. Answer: C. Preventing someone from denying that they have taken specific action

Explanation: The purpose of non-repudiation is to prevent someone from denying that they have taken a specific action.

64. Answer: D. Malware

Explanation: Unwanted programs designed specifically to damage or disrupt the operation of a computer system are referred to as malicious software, or malware.

65. Answer: C. Software that displays advertisements

Explanation: Adware is a type of software that displays advertisements on the user's system, often in the form of a pop-up window. Unsolicited or undesired electronic messages are known as spam. A malicious program that sends copies of itself to other computers on the network is called a computer worm. Malicious software that collects information about users without their knowledge is called spyware.

66. Answer: B. Virus

Explanation: The term computer virus refers to a program containing a malicious segment that attaches itself to an application program or other executable component.

67. Answer: D. Spyware

Explanation: Malicious software collecting information about users without their knowledge/consent is called spyware.

68. Answer: A. Trojan horse

Explanation: Software that performs unwanted and harmful actions in the disguise of a legitimate and useful program is referred to as a Trojan horse. This type of malware may act like a legitimate program and have all the expected functionality, but apart from that it will also contain a portion of malicious code appended to it that the user is unaware of.

69. Answer: C. Rootkit

Explanation: A collection of software tools used by a hacker in order to mask intrusion and obtain administrator-level access to a computer or computer network is known as a rootkit.

70. Answer: D. Backdoor

Explanation: The term backdoor refers to an undocumented way of gaining access to a program, online service, or an entire computer system.

71. Answer: A. Logic bomb

Explanation: Malicious code activated by a specific event is known as a logic bomb.

72. Answer: B. Botnet

Explanation: A group of computers running malicious software under the control of a hacker is referred to as a botnet.

73. Answer: C. Ransomware

Explanation: Malware that restricts access to a computer system by encrypting files or locking the entire system down until the user performs a requested action is known as ransomware.

74. Answer: B. Polymorphism

Explanation: The process by which malicious software changes its underlying code to avoid detection is called polymorphism.

75. Answer: A. Armored virus

Explanation: A type of virus that takes advantage of various mechanisms specifically designed to make tracing, disassembling, and reverse engineering its code more difficult is known as an armored virus.

76. Answer: D. MITM

Explanation: A Man-In-The-Middle (MITM) attack falls into the category of active eavesdropping.

77. Answer: D. DDoS

Explanation: As opposed to simple Denial of Service (DoS) attacks, which usually are performed from a single system, a Distributed Denial of Service (DDoS) attack uses multiple compromised computer systems to perform an attack against its target. The intermediary systems that are used as a platform for the attack are the secondary victims of the DDoS attack; they are often referred to as zombies, and collectively as a botnet. The goal of DoS and DDoS attacks is to flood the bandwidth or resources of a targeted system so that it becomes overwhelmed with false requests and, as a result, doesn't have the time or resources to handle legitimate requests.

78. Answer: A. True

Explanation: A replay attack occurs when an attacker intercepts user credentials and tries to use this information later for gaining unauthorized access to resources on a network.

79. Answers: C and D. Kerberos and CHAP

Explanation: A replay attack occurs when an attacker intercepts user credentials and tries to use this information later for gaining unauthorized access to resources on a network. Kerberos and Challenge Handshake Authentication Protocol (CHAP) are authentication protocols offering countermeasures against replay attacks. Kerberos supports a system of time-stamped tickets that grant access to resources and expire after a certain period of time. CHAP prevents replay attacks by periodically reauthenticating clients during a session.
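The CHAP mechanism behind that countermeasure, as an added example (not from the practice exam): the authenticator issues a random challenge, the client answers with MD5 over identifier, shared secret and challenge as RFC 1994 specifies, and a response recorded from an earlier exchange fails when the authenticator re-challenges, because each response is bound to one challenge value. The class and function names, and the shared secret, are constructed for this illustration.

```python
"""CHAP challenge/response (RFC 1994, MD5 variant) and why a recorded
response cannot be reused against a later challenge."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed shared secret; in CHAP the secret itself never crosses the wire.
SHARED_SECRET = b"example-chap-secret-not-real"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response = MD5(Identifier || Secret || Challenge), per RFC 1994."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues one-shot random challenges and checks responses."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.identifier = 0
        self.pending: Optional[bytes] = None  # challenge awaiting a response

    def challenge(self) -> Tuple[int, bytes]:
        """Issue a fresh challenge; done at link setup and periodically after."""
        self.identifier = (self.identifier + 1) & 0xFF
        self.pending = os.urandom(16)  # unpredictable, never reused
        return self.identifier, self.pending

    def verify(self, identifier: int, response: bytes) -> bool:
        """Accept only a response bound to the currently outstanding challenge."""
        if self.pending is None or identifier != self.identifier:
            return False
        expected = chap_response(identifier, self.secret, self.pending)
        self.pending = None  # a challenge is good for exactly one response
        return hmac.compare_digest(expected, response)


def session_with_reauth() -> Tuple[bool, bool]:
    """Legitimate login, then a periodic re-challenge answered with the
    response an eavesdropper recorded from the first exchange."""
    server = ChapAuthenticator(SHARED_SECRET)

    ident1, chal1 = server.challenge()
    response1 = chap_response(ident1, SHARED_SECRET, chal1)  # client side
    login_ok = server.verify(ident1, response1)

    recorded = response1  # what a passive observer on the link could capture

    ident2, _chal2 = server.challenge()  # periodic reauthentication
    replay_ok = server.verify(ident2, recorded)  # digest was bound to chal1
    return login_ok, replay_ok  # (True, False)


if __name__ == "__main__":
    print("login accepted, replay accepted:", session_with_reauth())
```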

80. Answer: A. Spoofing

Explanation: An email sent from an unknown source disguised as a source known to the message receiver is an example of spoofing.

81. Answers: A, C, and F. IP spoofing, DDoS, and Large amount of ICMP echo replies

Explanation: The smurf attack is a Distributed Denial of Service (DDoS) attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are sent to all hosts on a network through the network broadcast address. As a result, the targeted system gets flooded with a large number of ICMP echo replies.

82. Answer: C. Typo squatting

Explanation: URL hijacking is also known as typo squatting. The term refers to the practice of registering a misspelled domain name closely resembling another well-established and popular domain name, in the hope of getting Internet traffic from users who make errors while typing the web address in their browsers.

83. Answer: D. Gaining unauthorized access to restricted areas by following another person

Explanation: The practice of gaining unauthorized access to restricted areas by following another person is called tailgating. Looking over someone's shoulder in order to get information is known as shoulder surfing. The term war driving refers to scanning for unsecured wireless networks while driving in a car. Manipulating/deceiving users into disclosing confidential information is known as social engineering.

84. Answer: C. Evil twin

Explanation: Evil twin is another term for a rogue access point. A rogue access point will have the same network name as the legitimate access point and can be set up by a hacker in order to steal user credentials or for the purpose of traffic eavesdropping.

85. Answer: B. Bluejacking

Explanation: Sending unsolicited messages over Bluetooth is known as bluejacking.

86. Answer: B. Bluesnarfing

Explanation: Gaining unauthorized access to a Bluetooth device is referred to as bluesnarfing.

87. Answer: C. Honeypot

Explanation: A monitored host or network specifically designed to detect unauthorized access attempts is known as a honeypot. This type of system contains no valuable data and is used to divert the attacker's attention from the corporate network. Multiple honeypots set up on a network are known as a honeynet.

88. Answers: A, C, and D. Bypasses security controls, Actively tests security controls, and Exploits vulnerabilities

Explanation: Penetration testing bypasses security controls and actively tests security controls by exploiting vulnerabilities. Passive testing of security controls and identification of vulnerabilities, missing security controls, or common misconfigurations are the features of a vulnerability scan.

89. Answer: D. Fuzzing

Explanation: Finding a vulnerability in an application by feeding it incorrect input is known as fuzzing, or fuzz testing.

90. Answer: D. With enhanced security features

Explanation: The term Trusted OS refers to an operating system with enhanced security features. The most common access control model used in a Trusted OS is Mandatory Access Control (MAC). Examples of Trusted OS implementations include Security Enhanced Linux (SELinux) and FreeBSD with the TrustedBSD extensions.

91. Answer: C. TPM

Explanation: Trusted Platform Module (TPM) is a specification, published by the Trusted Computing Group (TCG), for a microcontroller that can store secured information, and also the general name for implementations of that specification. Trusted Platform Modules are hardware-based security microcontrollers that store keys, passwords, and digital certificates and protect this data from external software attacks and physical theft. TPMs are usually embedded on the motherboard of a personal computer or laptop, but they can also be used in other devices such as mobile phones or network equipment.

92. Answer: A. SSO

Explanation: An authentication subsystem that enables a user to access multiple, connected system components (such as separate hosts on a network) after a single login at only one of the components is known as Single Sign-On (SSO). A single sign-on subsystem typically requires a user to log in once at the beginning of a session, and then during the session grants further access to multiple, separately protected hosts, applications, or other system resources without further login action by the user.

93. Answer: A. Password and biometric scan

Explanation: Authentication is proving user identity to a system. The authentication process can be based on different categories of authentication factors, including unique physical traits of each individual such as fingerprints ("something you are"), physical tokens such as smart cards ("something you have"), or user names and passwords ("something you know"). Additional factors might include geolocation ("somewhere you are") or user-specific activity patterns such as, for example, keyboard typing style ("something you do"). Multi-factor authentication systems require implementation of authentication factors from two or more different categories.

94. Answer: B. WPS

Explanation: Wi-Fi Protected Setup (WPS) is a network security standard which simplifies the configuration of new wireless networks by providing non-technical users with the capability to easily configure network security settings and add new devices to an existing network. WPS has known vulnerabilities, and disabling this functionality is one of the recommended ways of securing the network.

95. Answer: C. White box

Explanation: A penetration test of a computer system conducted with prior knowledge of how the system works is known as white box testing.

96. Answer: D. Fuzzing

Explanation: The practice of finding a vulnerability in an application by feeding it incorrect input is referred to as fuzzing, or fuzz testing.

97. Answer: C. RC4

Explanation: Rivest Cipher 4 (RC4) is a symmetric stream cipher. Advanced Encryption Standard (AES), Data Encryption Standard (DES), and Triple DES (3DES) are all block ciphers. RC4 is used in the Wired Equivalent Privacy (WEP) standard for wireless encryption and in Secure Sockets Layer (SSL) for Internet traffic encryption.

98. Answer: B. OCSP

Explanation: Online Certificate Status Protocol (OCSP) allows for querying a Certificate Authority (CA) for the validity of a digital certificate. Another solution for checking whether a certificate has been revoked is the Certificate Revocation List (CRL). CRLs are updated regularly and sent out to interested parties. Compared to CRL, OCSP allows for querying the CA at any point in time and retrieving information without any delay.

99. Answer: B. Recovery agents

Explanation: Copies of lost private encryption keys can be retrieved from key escrow by recovery agents. A recovery agent is an individual with access to the key database and a permission level allowing him/her to extract keys from escrow.

100. Answer: B. Key escrow

Explanation: Key escrow is a storage solution used to retain copies of private encryption keys.