CC Exams Practice Exams 1

The document consists of a series of questions and answers related to cybersecurity concepts, including types of security controls, authentication methods, and incident response strategies. It highlights correct and incorrect responses to various scenarios, emphasizing the importance of technical controls, segregation of duties, and proper incident response actions. Additionally, it discusses the roles of different technologies and methodologies in securing networks and systems.

Uploaded by Atta Gh

Question 1

A security engineer installs fingerprint scanners on all of the organization's laptops in order to control laptop authentication. Employees must scan their fingerprints in order to log in to their work laptops. What type of security control is this an example of?

Administrative (Incorrect)
Physical (Incorrect)
Technical (Correct)
Directive (Incorrect)

Explanation

"Technical" is correct. Technical controls are hardware or software components that protect computing and network resources such as computers, servers, mobile devices, computer networks, or data stored within a system. In this case the biometric authentication system is controlling access to the organization's laptops.

Question 2

Which of the following attacks causes a victim's browser to execute malicious scripts?

Buffer overflow (Incorrect)
Cross site scripting (Correct)
Backdoor (Incorrect)
Timing attack (Incorrect)

Explanation

"Cross site scripting" is correct. Cross site scripting is an attack where the attacker injects a malicious script into a website trusted by the victim. The script is then executed by the victim's browser, causing the malicious activity.

"Buffer overflow" is incorrect. A buffer overflow is an attack where the attacker exceeds the capacity of an application's memory buffer, causing an erroneous operation.

"Timing attack" is incorrect. A timing attack is any attack that takes advantage of a program's dependence on a sequence of events. Timing attacks may or may not involve browsers, so this is not the best answer.

"Backdoor" is incorrect. A backdoor is a feature of many kinds of attacks whereby an unauthorized user can bypass access or security controls to gain access.


Question 3

A security operations analyst has confirmed that an active security incident is under way. Which of the following is the best next step to take?

Inform law enforcement. (Incorrect)
Activate the incident response plan. (Correct)
Activate the disaster recovery plan. (Incorrect)
Notify the head of HR. (Incorrect)

Explanation

"Activate the incident response plan" is correct. Activating the incident response plan is the best next step to take in this scenario.

"Inform law enforcement" is incorrect. Informing law enforcement is not the best next step to take. Law enforcement may need to be notified depending on the nature of the incident, but this is not the best answer given the question.

"Activate the disaster recovery plan" is incorrect. Disaster recovery plans are used to rescue the organization by putting specific business functions back into place after an incident. Activating the DRP is not the best next step given the information in the question.

"Notify the head of HR" is incorrect. Notifying the head of HR would not be the best next step to take. Notifying HR may be warranted depending on the incident in question, but this is not the best answer given the scenario.

Question 4 • Access Controls Concepts

Which of the following can be used as a countermeasure against fraud because it causes two employees to collude to accomplish a fraudulent act?

Asymmetric cryptography (Incorrect)
Segregation of duties (Correct)
Principle of least privilege (Incorrect)
Two-factor authentication (Incorrect)

Explanation

"Segregation of duties" is correct. Segregation (or separation) of duties requires job functions to be assigned so that one employee cannot commit fraud by themselves, since the critical job function is split between two or more employees. As a result, the employees must collude with each other to commit fraud.

"Asymmetric cryptography" is incorrect. Asymmetric cryptography requires two keys, one private and one public, but that feature is not a countermeasure against fraud.

"Principle of least privilege" is incorrect. The principle of least privilege is the concept that a user should have access to the resources they need to do their job but no more than that.

"Two-factor authentication" is incorrect. Two-factor authentication is an access control method that requires two access control factors (Type 1, 2, or 3) used in combination.

Question 5 • Access Controls Concepts

Which method of authentication provides the strongest security?

Type 1 (Incorrect)
Type 3 (Incorrect)
Type 2 (Incorrect)
Dual-factor (Correct)

Explanation

"Dual-factor" is correct. In general, two factors used in combination are almost always better than any single factor used by itself.

"Type 1", "Type 2", and "Type 3" are incorrect. Each of these is a single factor, and in general two factors used in combination are almost always better than any single factor used by itself.


Question 6 • Network Security

Which of the following is not a category of social engineering?

Quid Pro Quo (Incorrect)
Mantrap (Correct)
Pretexting (Incorrect)
Baiting (Incorrect)

Explanation

"Mantrap" is correct. While the word mantrap might sound like social engineering, the term actually refers to a special kind of vestibule used to protect a secure area. It has two doors and requires a visitor to go through the first door and close it before going through the second door to gain entry to the secure area.

"Pretexting" is incorrect. Pretexting is a category of social engineering that uses a fake scenario to deceive the victim.

"Quid Pro Quo" is incorrect. Quid pro quo is a category of social engineering that uses an exchange of information or goods, such as a purchase, to deceive the victim.

"Baiting" is incorrect. Baiting is a category of social engineering that lures the victim into a trap.

Question 7 • Network Security

Which technology would an organization use to control which devices could connect to their network?

SIEM (Incorrect)
DMZ (Incorrect)
IDS (Incorrect)
NAC (Correct)

Explanation

"NAC" is correct. NAC, or Network Access Control, allows organizations to control which devices are permitted to connect to their network based on policy.

"IDS" is incorrect. An intrusion detection system may be used to detect a new or rogue device but does not control whether the device can connect.

"SIEM" is incorrect. A Security Event and Incident Management system provides real-time analysis, monitoring, and alerting but is not normally used to control access to the network.

"DMZ" is incorrect. A demilitarized zone (DMZ) is a portion of the network that separates the organization's internal resources from untrusted ones. It is not used for network access control.

Question 8 • Security Principles

Which of the following is an example of a technical control?

Security Awareness Training (Incorrect)
Vulnerability Management Procedure (Incorrect)
Surveillance Camera (Incorrect)
Antivirus (Correct)

Explanation

"Antivirus" is correct. Antivirus is an example of a technical control.

"Surveillance Camera" is incorrect. A surveillance camera is an example of a physical control.

"Vulnerability Management Procedure" is incorrect. A vulnerability management procedure is an example of an administrative control.

"Security Awareness Training" is incorrect. Security awareness training is an example of an administrative control.

Question 9 • Business Continuity (BC) and Disaster Recovery (DR) and Incident Response Concepts

A security engineer determines that a computer on the organization's network has been infected with malware. The IRP has been enacted and the engineer is working on containing the malware. Which of the following is the best course of action for containment?

Disconnect the infected computer from the network using the organization's EDR tooling. (Correct)
Update perimeter firewall rules. (Incorrect)
Disable the user's account. (Incorrect)
Call 911. (Incorrect)

Explanation

"Disconnect the infected computer from the network using the organization's EDR tooling" is correct. Disconnecting the infected computer from the network using the organization's endpoint detection and response (EDR) tooling is the best containment strategy in this scenario for an infected computer.

"Update perimeter firewall rules" is incorrect. While updating perimeter firewall rules might be a containment strategy for containing an incident to a certain network in question, that is not the best option given this scenario.

"Call 911" is incorrect. Calling 911 is not a containment strategy. Informing law enforcement may be part of the organization's incident response plan; however, this is not the best option for containment in this scenario.

"Disable the user's account" is incorrect. While disabling the user's

Question 10 • Access Controls Concepts

Which of the following is not considered a privileged account?

Local administrator (Incorrect)
Clerk (Correct)
Domain administrator (Incorrect)
Superuser (Incorrect)

Explanation

"Clerk" is correct. Of the choices, only the clerk would have privileges that are not elevated, as the clerk would not need to make impactful changes to the environment such as changing configurations or other users' accounts.

"Domain administrator" is incorrect. A domain administrator can add or delete user accounts or change permissions, making it a privileged account.

"Local administrator" is incorrect. A local admin can change configuration settings that are otherwise unavailable to regular users.

"Superuser" is incorrect. A superuser on OSs like Linux can have virtually unlimited functions such as changing configuration settings, file settings, permissions, and user access rights.

Question 11 • Security Principles

Which of the following is an example of an administrative control?

CCTV (Incorrect)
Bollard (Incorrect)
Security Awareness Training (Correct)
Biometric authentication used to log in to a computer (Incorrect)

Explanation

"Security Awareness Training" is correct. Security awareness training is an example of an administrative control.

"CCTV" is incorrect. CCTV is an example of a physical control.

"Biometric authentication used to log in to a computer" is incorrect. Biometric authentication used to log in to a computer is an example of a technical control.

"Bollard" is incorrect. A bollard is an example of a physical control.

Question 12 • Security Principles

Which of the following is an example of a physical control?

Bollard (Correct)
Firewall (Incorrect)
MFA (Incorrect)
HR Policy (Incorrect)

Explanation

"Bollard" is correct. Physical controls are tangible controls put in place to protect resources against physical threats (such as fires, theft, physical harm, and so on). A bollard is a pillar or sphere made out of concrete or metal that is used to protect buildings from vehicles driving into them.

"Firewall" is incorrect. A firewall is an example of a technical control.

"HR Policy" is incorrect. An HR policy is an example of an administrative control.

"MFA" is incorrect. Multifactor authentication (or MFA) is an example of a technical control.

Question 13 • Business Continuity (BC) and Disaster Recovery (DR) and Incident Response Concepts

Which of the following would not occur during the preparation phase of the incident response process?

Train staff on the incident response plan. (Incorrect)
Conduct a lessons learned. (Correct)
Develop stakeholder communication plans. (Incorrect)
Document an incident response plan. (Incorrect)

Explanation

"Conduct a lessons learned" is correct. The preparation phase is the first phase in the incident response process. Lessons learned occur as part of the post-incident activity phase of the incident response process, which is the last phase.

"Document an incident response plan", "Develop stakeholder communication plans", and "Train staff on the incident response plan" are incorrect. The preparation phase is the first phase in the incident response process. This phase includes activities such as documenting the incident response plan, staffing the incident response function, developing communication plans, and training staff on the incident response plan.

Question 14 • Access Controls Concepts

Which method of authentication factor is most likely to falsely reject a valid user?

None of these answers (Incorrect)
Type 3 (Correct)
Type 1 (Incorrect)
Type 2 (Incorrect)

Explanation

"Type 3" is correct. Type 3, something you are, uses biometrics, which is an improving technology that is not perfect and can falsely reject a valid user or falsely accept an unknown user.

"Type 1" is incorrect. Type 1, something you know, such as a password, is less likely to falsely reject a valid user than Type 3.

"Type 2" is incorrect. Type 2, something you have, such as a smartcard, is less likely to falsely reject a valid user than Type 3.

"None of these answers" is incorrect. Type 3, something you are, uses biometrics, which is an improving technology that is not perfect and can falsely reject a valid user or falsely accept an unknown user.

Question 15 • Network Security

Which of the following correctly matches the protocol with its well-known port?

HTTP: 22, HTTPS: 80, DNS: 53, SSH: 443 (Incorrect)
HTTP: 443, HTTPS: 80, DNS: 53, SSH: 22 (Incorrect)
HTTP: 80, HTTPS: 443, DNS: 53, SSH: 22 (Correct)

Explanation

"HTTP: 80..." is correct. Hypertext Transfer Protocol (HTTP) typically operates over port 80. Hypertext Transfer Protocol Secure (HTTPS) leverages SSL/TLS with HTTP to add encryption for transmitted information and typically runs over port 443. The Domain Name System (DNS) protocol typically leverages port 53. Secure Shell (SSH) typically runs over port 22.

Question 16 • Security Operations

Which of the following is not an example of a physical destruction method for media sanitization?

Shredding (Incorrect)
Zeroization (Correct)
Dissolving using chemical compounds (Incorrect)
Burning (Incorrect)

Explanation

"Zeroization" is correct. Zeroization occurs when data is overwritten with other data such as binary 1's and 0's, patterns, or random data. This is a secure sanitization method but not a physical destruction method.

The other answers are incorrect. Physical destruction includes shredding, crushing, burning, disintegration, or dissolving using chemical compounds.

Question 17 • Security Operations

Which of the following is a key benefit of using a SIEM?

Greater security visibility and monitoring (Correct)
Improved system availability (Incorrect)
Greater network performance (Incorrect)
Enhanced user productivity (Incorrect)

Explanation

"Greater security visibility and monitoring" is correct. A key benefit of using a security information and event management (SIEM) system is greater security visibility and monitoring. SIEM systems collect and analyze security-related data from multiple sources, including network devices, servers, and applications. This provides security analysts with a comprehensive view of the organization's security posture and helps them identify and respond to security threats more effectively.

"Greater network performance", "Enhanced user productivity", and "Improved system availability" are incorrect. SIEMs do not necessarily increase network performance, user productivity, or system availability.

Question 18 • Access Controls Concepts

What is the main purpose of a bollard?

Control facility access (Incorrect)
Prevent a vehicle from driving into a building (Correct)
Prevent people from entering a building (Incorrect)
Control data center access (Incorrect)

Explanation

"Prevent a vehicle from driving into a building" is correct. A bollard is a large sphere or pillar made of hard material such as concrete or metal designed to help prevent a vehicle from driving into a building. Multiple bollards are typically used.

"Control data center access", "Control facility access", and "Prevent people from entering a building" are incorrect. A bollard is designed to help prevent a vehicle from driving into a building, not to control access by people; multiple bollards are typically used.

Question 19 • Network Security

Which of the following is the best description of a computer virus?

Malware that causes a legitimate program to produce a payload (Incorrect)
Malware that infects a legitimate program and causes it to perform a function it was not intended to do (Correct)
Malicious software (Incorrect)
Malware that infects a legitimate program and causes it to replicate itself (Incorrect)

Explanation

"Malware that infects a legitimate program and causes it to perform a function it was not intended to do" is correct. A virus is malware that infects a legitimate program and causes it to perform a function it was not intended to perform.

"Malicious software" is incorrect. A virus is a type of malicious software, but there are many kinds of malicious software, so it isn't the best answer of the choices given.

"Malware that infects a legitimate program and causes it to replicate itself" is incorrect. Malware that replicates itself is called a worm.

"Malware that causes a legitimate program to produce a payload" is incorrect. A virus does not cause a legitimate program to produce a payload. The payload is the portion of the virus that infects the legitimate program and causes it to perform its malicious function.

Question 20 • Network Security

Joe is a network engineer who wants to deploy the most basic and least expensive firewall. All he needs is to set up Access Control Lists to accomplish his goals. Which type of firewall is best for his needs?

Stateful inspection/Dynamic packet filter (Incorrect)
Packet filter (Correct)
Web filter (Incorrect)
Proxy (Incorrect)

Explanation

"Packet filter" is correct. A packet filter (Gen 1) is the simplest and least expensive type of firewall and uses Access Control Lists to control traffic.

"Proxy" is incorrect. Proxies (Gen 2) do not allow direct communication between the networks, and they hide the IP address of devices in the protected network. This is greater functionality than Joe needs.

"Stateful inspection/Dynamic packet filter" is incorrect. The stateful inspection/dynamic packet filter (Gen 3) takes into account the nature of the communication and uses more than just ACLs.

"Web filter" is incorrect. Web filters are specialized software that limits the web sites users can access. They are not considered firewalls.

Question 21 • Security Operations

Which of the following is not considered a secure method of data sanitization?

Deleting a file on your computer and emptying the recycling bin (Correct)
Physical media destruction (Incorrect)
Zeroization (Incorrect)
Overwriting data with other data such as binary 1's and 0's (Incorrect)

Explanation

"Deleting a file on your computer and emptying the recycling bin" is correct. When you press the DELETE key on a computer or empty the recycle bin on your desktop, the data is not actually removed from the hard drive. This action simply tells the operating system that the location on the hard drive is available for future use. The data is still there and can be accessed with the right tools. To properly remove data from media, sanitization methods must be used.

"Physical media destruction" is incorrect. Physical media (hard drives, disks, etc.) can be destroyed so that it cannot be reused and the data cannot be accessed. Physical destruction methods that can be used to securely destroy data include shredding, crushing, burning, disintegration, or dissolving using chemical compounds.

"Zeroization" is incorrect. A common technique to securely destroy data is to overwrite data with other data, patterns, or random data. The more times the data is overwritten (each time is referred to as a pass), the harder the original data is to recover. This is often referred to as overwriting or zeroization.

"Overwriting data with other data such as binary 1's and 0's" is incorrect. A common technique to securely destroy data is to overwrite data with other data such as binary 1's and 0's, patterns, or random data. The more times the data is overwritten (each time is referred to as a pass), the harder the original data is to recover. This is often referred to as overwriting or zeroization.

Question 22 • Access Controls Concepts

Which of the following is not an example of a biometric authentication factor?

Keystroke patterns (Incorrect)
Iris scan (Incorrect)
Fingerprint scan (Incorrect)
USB hardware token (Correct)

Explanation

"USB hardware token" is correct. Using a USB hardware token for authentication is not an example of biometric authentication. The three authentication factors include type 1 (something you know), type 2 (something you have), and type 3 (something you are). A USB hardware token is an example of type 2 (something you have). Biometric authentication is type 3 (something you are). Examples of biometric authentication include fingerprint or palm scans, iris scans, retina scans, as well as behavioral characteristics such as computer keystroke patterns, written signature patterns, or voice patterns.

"Fingerprint scan", "Iris scan", and "Keystroke patterns" are incorrect. Biometric authentication is used to identify and authenticate people using their personal attributes or characteristics. Examples include fingerprint or palm scans, iris scans, retina scans, as well as behavioral characteristics such as computer keystroke patterns, written signature patterns, or voice patterns.

Question 23 • Security Operations

Which of the following is a best practice regarding making changes to configuration settings on production servers?

Changes can be made by system administrators without approval or documentation as long as the admins are experienced and know what they are doing. (Incorrect)
Changes should never be made on production servers. (Incorrect)
Changes can be made but only in response to security incidents. (Incorrect)
Changes should only be made following a change management process that includes approvals and documentation. (Correct)

Explanation

"Changes should only be made following a change management process that includes approvals and documentation" is correct. Changes to production systems and security baselines should only be made following a change management process that includes approvals and documentation.

"Changes can be made by system administrators without approval or documentation as long as the admins are experienced and know what they are doing" is incorrect. Regardless of how good or experienced the administrators are, all changes should go through a formal approval process.

"Changes can be made but only in response to security incidents" is incorrect. Security incidents may require quick changes to production systems, but this should only occur following established processes and with proper approval.

"Changes should never be made on production servers" is incorrect. Changes to production servers occur all the time, but they should happen following proper procedures.

Question 24 • Security Principles

Which step of the risk management process involves listing and describing the risks the organization may face?

Risk identification (Correct)
Risk testing (Incorrect)
Risk treatment (Incorrect)
Risk assessment (Incorrect)

Explanation

"Risk identification" is correct. Risk identification is the first step of risk management and involves listing and describing the risks each asset may face.

"Risk assessment" is incorrect. Risk assessment builds on the risk identification by assessing the impact of each threat using qualitative or quantitative methods.

"Risk treatment" is incorrect. During the risk treatment step, approaches to handling risk are proposed to management. Approaches include transfer, accept, avoid, or mitigate.

"Risk testing" is incorrect because risk testing is not normally part of the risk management process and would not include listing and describing risks.

Question 25 • Access Controls Concepts

Why is a privileged account considered higher risk than a regular user account?

A privileged account costs more than a regular user account. (Incorrect)
Privileged accounts require greater auditing and monitoring than regular user accounts. (Incorrect)
Privileged accounts are usually managed by separate PAM tools and solutions. (Incorrect)
A compromise of a privileged account could cause more damage than a compromise of a regular user account. (Correct)

Explanation

"A compromise of a privileged account could cause more damage than a compromise of a regular user account" is correct. Privileged accounts are higher risk due to the impact of their compromise.

"A privileged account costs more than a regular user account" is incorrect. Privileged accounts may or may not cost more to administer, but that is not why they are higher risk.

"Privileged accounts are usually managed by separate PAM tools and solutions" is incorrect. While it is true that privileged accounts are usually managed by separate PAM tools and solutions, that does not make them higher risk.

"Privileged accounts require greater auditing and monitoring than regular user accounts" is incorrect. It is true that privileged accounts should be subject to greater auditing and monitoring, but that is because they are higher risk, not why they are higher risk.

Question 26 • Access Controls Concepts

Which of the following describes a door system that is configured to automatically close and lock during a power outage?

Fail-secure (Correct)
Fail-open (Incorrect)
Always fail (Incorrect)
Fail-safe (Incorrect)

Explanation

"Fail-secure" is correct. Fail-secure (also known as fail-closed) means that during a disaster (such as a power outage), the door systems are set to automatically close and lock.

"Always fail" is incorrect. Always fail is a made-up term.

"Fail-safe" and "Fail-open" are incorrect. Fail-safe (also known as fail-open) means that the doors are configured to open and remain unlocked.

Question 27 • Security Principles

After performing a risk assessment, a security engineer determines that the organization should implement a network firewall to segment off the organization's manufacturing environment. What type of control functionality is being provided?

Preventive (Correct)
Detective (Incorrect)
Directive (Incorrect)
None of these answers (Incorrect)

Explanation

"Preventive" is correct. A network firewall is an example of a preventive control, as it prevents certain network traffic from passing through based on a set of rules.

"Directive" is incorrect. Directive controls communicate expected behavior. A network firewall does not communicate expected behavior. An example of a directive control would be a stop sign or a company policy.

"Detective" is incorrect. Detective controls detect when something bad might have occurred. A firewall is used to control traffic that is allowed to certain portions of the network but does not detect when something bad happens. An example of a detective control would be an intrusion detection system.

"None of these answers" is incorrect. A network firewall is an example of a preventive control, as it prevents certain network traffic from passing through based on a set of rules.

Question 28 • Access Controls Concepts

Which of the following best describes RBAC?

Access control model that leverages a central authority that regulates access based on security labels. (Incorrect)
Access control model that provides the owner of the resource complete control to configure which subjects can access an object. (Incorrect)
Access control model that grants permissions based on a variety of attributes such as who is making the request, what resource is being requested, and other environmental conditions such as the time of day or location. (Incorrect)
Access control model that enforces access based on predefined roles. (Correct)

Explanation

"Access control model that enforces access based on predefined roles" is correct. Role-based access control (RBAC) enforces access based on roles that define permissions and the level of access provided to any subjects assigned to that role. Roles are typically developed for similar users with the same access needs (e.g., HR, Sales, IT, Security).

"Access control model that provides the owner of the resource complete control..." is incorrect. Discretionary access control (DAC) provides the owner of the resource, typically the creator, full control to configure which subjects (e.g., users, groups) can access the object (e.g., file, folder). This allows the user (object owner) the ability ("discretion") to make decisions such as what permissions other users or groups of users have over the object.

"Access control model that leverages a central authority..." is incorrect. Mandatory access control (MAC) leverages a central authority, typically a security administrator, that regulates access based on security labels, such as the clearance level that a subject (user) has been approved for, as well as the classification of the object (file, database, etc.).

"Access control model that grants permissions based on a variety of attributes..." is incorrect. Attribute-based access control (ABAC) grants permissions based on a variety of attributes such as who is making the request (subject), what resource is being requested (object), environmental conditions (e.g., time of day or location), and what action is being requested (e.g., read, write).

Question 29 • Access Controls Concepts Incorrect

Which part of the access control mechanism provides information used by auditors and investigators?

Authentication Incorrect

Accountability Correct

Identification Incorrect

Authorization Incorrect

Explanation

"Accountability" is correct. Accountability is the function of using logs to record access control events that can be used to support security investigations and auditing.

"Identification" is incorrect. Identification is the act of a subject providing identifying information to the system.

"Authentication" is incorrect. Authentication is the method by which the system verifies the user is who they claim to be.

"Authorization" is incorrect. Authorization is the bestowing of a set of permissions to objects or resources within a system.

Question 30

Which of the following best describes MAC?

Access control model that leverages a central authority that regulates access based on security labels. Correct

Access control model that enforces access based on predefined roles. Incorrect

Access control model that provides the owner of the resource complete control to configure which subjects can access an object. Incorrect

Access control model that grants permissions based on a variety of attributes such as who is making the request, what resource is being requested, and other environmental conditions such as the time of day or location. Incorrect

Explanation

"Access control model that leverages a central authority that regulates access based on security labels" is correct. Mandatory access control (MAC) leverages a central authority, typically a security administrator, that regulates access based on security labels, such as the clearance level that a subject (user) has been approved for, as well as the classification of the object (file, database, etc.).

"Access control model that provides the owner of the resource complete control to configure which subjects can access an object" is incorrect. Discretionary access control (DAC) provides the owner of the resource, typically the creator, full control to configure which subjects (e.g., users, groups) can access the object (e.g., file, folder). This allows the user (object owner) the ability ("discretion") to make decisions such as what permissions other users or groups of users have over the object.

"Access control model that enforces access based on predefined roles" is incorrect. Role-based access control (RBAC) enforces access based on roles that define permissions and the level of access provided to any subjects assigned to that role. Roles are typically developed for similar users with the same access needs (e.g., HR, Sales, IT, Security).

"Access control model that grants permissions based on a variety of attributes such as who is making the request, what resource is being requested, and other environmental conditions such as the time of day or location" is incorrect. Attribute-based access control (ABAC) grants permissions based on a variety of attributes such as who is making the request (subject), what resource is being requested (object), environmental conditions (e.g., time of day or location), and what action is being requested (e.g., read, write).

Question 31 • Security Principles Correct

Which of the following best describes security controls?

The process of defining strategies to oversee the organization Incorrect

The discipline of how an organization chooses and implements the right level of security Incorrect

Moral standards or principles that govern behavior Incorrect

Processes or technologies put into place to protect the confidentiality, integrity, and availability of systems, assets, and information Correct

Explanation

"Processes or technologies put into place to protect the confidentiality, integrity, and availability of systems, assets, and information" is correct. Security controls are processes or technologies put into place to protect the confidentiality, integrity, and availability of systems, assets, and information.

"The process of defining strategies to oversee the organization" is incorrect. Governance is the process of defining strategies to oversee the organization.

"The discipline of how an organization chooses and implements the right level of security" is incorrect. Risk management is the discipline of how an organization chooses and implements the right level of security.

"Moral standards or principles that govern behavior" is incorrect. Ethics are moral standards or principles that govern behavior with a focus on acting responsibly with integrity and accountability. While implementing an ethics program might be an example of a control, this is not the best answer.

Question 32 • Network Security Incorrect

Which type of attack uses an email that looks legitimate but is really fake to trick the recipient into revealing information?

Scripting Incorrect

Brute force Incorrect

Phishing Correct

Buffer overflow Incorrect

Explanation

"Phishing" is correct. Phishing is a fake email that looks like legitimate business communications.

"Brute force" is incorrect. Brute force is a method of guessing passwords using trial and error.

"Buffer overflow" is incorrect. A buffer overflow is an attack where the attacker exceeds the capacity of an application's memory buffer causing an erroneous operation.

"Scripting" is incorrect. Scripting is using a script or set of instructions to automate computing tasks including malicious tasks. While an email attack might contain an embedded script, the name of such an attack is a phishing attack.

LinkedIn Corporation © 2024

Question 33 • Security Operations Correct

Which of the following types of encryption uses the same key for both the encryption and decryption operation?

Hashing Incorrect

Public Key Cryptography Incorrect

Symmetric Encryption Correct

Asymmetric Encryption Incorrect

Explanation

"Symmetric Encryption" is correct. Symmetric encryption uses the same key for encryption and decryption.

"Asymmetric Encryption" is incorrect. Asymmetric encryption uses two keys that are mathematically related: a public key and a private key. Asymmetric encryption is sometimes called public key cryptography due to there being a public key that can be freely shared with anyone the sender wants to communicate with securely. The private key must remain private and only be known to the owner.

"Public Key Cryptography" is incorrect. Asymmetric encryption uses two keys that are mathematically related: a public key and a private key. Asymmetric encryption is sometimes called public key cryptography due to there being a public key that can be freely shared with anyone the sender wants to communicate with securely. The private key must remain private and only be known to the owner.

"Hashing" is incorrect. Hashing is another type of cryptography that uses special algorithms known as hash algorithms that transform information into fixed-length output known as a message digest (MD). An MD output is also commonly referred to as a hash, hash value, or fingerprint. Unlike encryption, which can be reversed via decryption, hashing is a one-way process, meaning the original information or message cannot be reproduced from the hash value output. In addition, there is no key involved when using a hash algorithm.

Question 34 • Network Security Incorrect

A systems administrator wants to ensure that all of the organization's systems and network devices are utilizing a common time synchronization service to facilitate tracing of events and system activity. Which of the following protocols would facilitate this?

HTTP Incorrect

SFTP Incorrect

NTP Correct

ARP Incorrect

Explanation

"NTP" is correct. Network Time Protocol (NTP) is a protocol for the synchronization of time between the system clocks of computers. This is particularly important when it comes to logging and monitoring and investigating when a security event took place. If your systems all have different times set on their system clocks, good luck getting them to synchronize!

"HTTP" is incorrect. Hypertext Transfer Protocol (HTTP) is a communication protocol that provides a means of transmitting and formatting messages between clients and servers. It is the primary way web browsers communicate with web servers to access web pages over the Internet. It is not used for time synchronization across systems and devices.

"ARP" is incorrect. Address Resolution Protocol (ARP) is used to map IP addresses to MAC addresses (and vice versa) on a LAN. ARP serves as the bridge that connects the IP address and the MAC address. Computers on a network use ARP to learn which MAC address corresponds to which IP address and store that information for future communication. It is not used for time synchronization across systems and devices.

"SFTP" is incorrect. Secure File Transfer Protocol (SFTP) is used for transferring files between systems. SFTP leverages the SSH protocol to encrypt communications. It is not used for time synchronization across systems and devices.

Question 35 • Security Operations Correct

Which of the following is not an example of protecting data at rest?

Server encryption Incorrect

HTTPS Correct

File encryption Incorrect

Database encryption Incorrect

Explanation

"HTTPS" is correct. Hypertext Transfer Protocol Secure (HTTPS) leverages SSL/TLS with HTTP to add encryption for transmitted information. This is used to protect data in-transit, not data at rest.

"Server encryption" is incorrect. Server encryption is an example of protecting data at rest.

"Database encryption" is incorrect. Database encryption is an example of protecting data at rest.

"File encryption" is incorrect. File encryption is an example of protecting data at rest.

Question 36 • Network Security Correct

Which of the following is considered an "insecure" protocol?

HTTP Correct

FTPS Incorrect

SSH Incorrect

SFTP Incorrect

Explanation

"HTTP" is correct. Hypertext Transfer Protocol (HTTP) is a communication protocol that serves as the primary way web browsers communicate with web servers to access web pages over the Internet. HTTP is considered an insecure protocol since the information is transmitted in plaintext (not encrypted) between the client and the server. Hypertext Transfer Protocol Secure (HTTPS) is the secure alternative to HTTP which leverages SSL/TLS to encrypt the communication session.

"FTPS" is incorrect. File Transfer Protocol Secure (FTPS) leverages Transport Layer Security (TLS) for encrypting communication sessions.

"SFTP" is incorrect. SSH File Transfer Protocol (SFTP) leverages the Secure Shell (SSH) protocol to encrypt communications.

"Secure Shell (SSH)" is incorrect. SSH is a protocol used for remotely logging into and interacting with Unix/Linux computers through a text-only command-line interface. SSH is considered a secure protocol, as it encrypts the communication from the client to the server during the session.

Question 37 • Network Security Correct

A company has purchased a subscription-based customer relationship management service that is accessible over the Internet. The service is developed by a third party that manages the infrastructure and platform while the customer manages specific configurations within the web application. Which type of cloud service model is this an example of?

IaaS Incorrect

IDaaS Incorrect

SaaS Correct

PaaS Incorrect

Explanation

"SaaS" is correct. In a Software as a Service (SaaS) model, a software service or application is hosted by a cloud provider and provided to customers (typically over the Internet). The cloud provider manages the infrastructure and platform, and the customer only needs to manage specific configurations within the application. Examples of SaaS include web-based e-mail, social media sites, and other web-based applications.

"IaaS" is incorrect. In an Infrastructure as a Service (IaaS) model, the cloud provider gives customers self-service access to a pool of infrastructure resources (such as network, server, storage, etc.) that can be virtually provisioned and deprovisioned on-demand. In the question scenario, a web-based customer relationship management service is being provided.

"PaaS" is incorrect. In a Platform as a Service (PaaS) model, the cloud service provider gives customers access to platforms where they can develop, test, and run code for applications developed in various programming languages. In the question scenario, a web-based customer relationship management service is being provided.

"IDaaS" is incorrect. IDaaS stands for identity as a service. This term is sometimes used to describe a

Question 38 • Business Continuity (BC) and Disaster Recovery (DR) and Incident Response Concepts Correct

A security analyst is reviewing system logs and notices that another employee has been copying large amounts of sensitive data from the system. What is the best next step for the security analyst to take?

Do nothing. Incorrect

Notify the employee in question. Incorrect

Notify management. Correct

Notify law enforcement. Incorrect

Explanation

"Notify management" is correct. The security analyst should notify management of their findings.

"Notify law enforcement" is incorrect. Notifying law enforcement is not the best next step. Depending on the violation, notifying law enforcement may be necessary; however, management should always be notified first.

"Notify the employee in question" is incorrect. Notifying the employee in question is not the best next step. The employee may be performing nefarious activity that should be reported to management for review.

"Do nothing" is incorrect. Doing nothing is never the best next step when a security professional identifies suspicious behavior. This is a distractor.

Question 39 • Security Principles Correct

A systems administrator is installing antivirus on all company laptops to protect against malware. What type of control is this an example of?

Administrative Incorrect

Physical Incorrect

Directive Incorrect

Technical Correct

Explanation

"Technical" is correct. Antivirus is an example of a technical control. Technical controls are hardware or software components that protect computing and network resources.

"Administrative" is incorrect. Administrative controls are management-oriented controls that provide directives and instruction aimed at people within the organization.

"Physical" is incorrect. Physical controls are tangible controls put in place to protect physical resources against physical threats, including but not limited to break-ins, fires, theft, physical harm, and so on.

"Directive" is incorrect. Directive is a control functionality which describes the protection a control provides. It is not a control type. Directive controls communicate expected behavior (such as policies, standards, and so on).

Question 40 • Security Principles Correct

The CISO of a healthcare company has decided to shut down a data center that is located in an area prone to flooding and redeploy the assets to a safer location. This is an example of which kind of risk treatment?

Risk mitigation Incorrect

Risk acceptance Incorrect

Risk transference Incorrect

Risk avoidance Correct

Explanation

"Risk avoidance" is correct. Shutting down the data center eliminates the risk altogether.

"Risk transference" is incorrect. In this example the responsibility for risk is not being transferred to another entity; instead the risk is being avoided altogether.

"Risk acceptance" is incorrect. Risk acceptance occurs when the organization does nothing and accepts the consequences of what may happen, but that is not what is happening here.

"Risk mitigation" is incorrect. Mitigation is putting countermeasures or controls in place. While moving the data center assets may sound like mitigation, the purpose of moving them is to avoid the risk and therefore "Risk avoidance" is the better answer.

Question 41 • Access Controls Concepts Correct

When describing the mechanism for access control, what must happen before authorization can occur?

Before authorization can happen the resource must be available. Incorrect

Before authorization can happen the system must validate who the user is. Correct

Before authorization can happen the user must present their token. Incorrect

Before authorization can happen the system must determine if the user is in the correct network segment. Incorrect

Explanation

"Before authorization can happen the system must validate who the user is" is correct. After the system validates who the user is (authenticates the user) by comparing the credentials with information in the access management system, then authorization can take place.

"Before authorization can happen the resource must be available" is incorrect. Availability of the resource is not a factor in the authorization process.

"Before authorization can happen the system must determine if the user is in the correct network segment" is incorrect. Access control may be based on network location but not always, so this is not the best answer.

"Before authorization can happen the user must present their token" is incorrect. A token is only required when the type 2 authentication factor is used.

Question 42 • Security Operations Incorrect

A server admin wants to ensure that the server's hard drive is encrypted to protect the sensitive data on the server in case the server is ever stolen. Which of the following would enable the best configuration for disk encryption?

HTTPS Incorrect

AES Correct

SSL/TLS Incorrect

SFTP Incorrect

Explanation

"AES" is correct. The Advanced Encryption Standard (AES) algorithm is the most commonly used symmetric encryption algorithm due to its maturity, security, and international recognition. Symmetric encryption (and particularly AES) is most commonly used to encrypt data in bulk and large files (such as hard drive encryption).

"HTTPS" is incorrect. Hypertext Transfer Protocol Secure (HTTPS) leverages SSL/TLS with HTTP to add encryption for transmitted information. This is used to protect data in-transit, not data at rest.

"SSL/TLS" is incorrect. Secure Socket Layer/Transport Layer Security (SSL/TLS) is often used with protocols, such as HTTP, to help secure, encrypt, and protect the integrity of communication. This is for protecting data in-transit, not data at rest (such as server hard drive encryption).

"SFTP" is incorrect. SSH File Transfer Protocol (SFTP) is used for transferring files between systems and leverages the SSH protocol to encrypt communications. This protects data in-transit but not data at rest such as server hard drive encryption.

Question 43 • Access Controls Concepts Incorrect

Which of the following best describes DAC?

Access control model that provides the owner of the resource (typically the creator) complete control to configure which subjects can access an object. Correct

Access control model that grants permissions based on a variety of attributes such as who is making the request, what resource is being requested, and other environmental conditions such as the time of day or location. Incorrect

Access control model that enforces access based on predefined roles. Incorrect

Access control model that leverages a central authority that regulates access based on security labels. Incorrect

Explanation

"Access control model that provides the owner of the resource (typically the creator)..." is correct. Discretionary access control (DAC) provides the owner of the resource, typically the creator, full control to configure which subjects (e.g., users, groups) can access the object (e.g., file, folder). This allows the user (object owner) the ability ("discretion") to make decisions such as what permissions other users or groups of users have over the object.

"Access control model that leverages a central authority that regulates access based on security labels" is incorrect. Mandatory access control (MAC) leverages a central authority, typically a security administrator, that regulates access based on security labels, such as the clearance level that a subject (user) has been approved for, as well as the classification of the object (file, database, etc.).

"Access control model that enforces access based on predefined roles" is incorrect. Role-based access control (RBAC) enforces access based on roles that define permissions and the level of access provided to any subjects assigned to that role. Roles are typically developed for similar users with the same access needs (e.g., HR, Sales, IT, Security).

"Access control model that grants permissions based on a variety of attributes such as who is making the request..." is incorrect. Attribute-based access control (ABAC) grants permissions based on a variety of attributes such as who is making the request (subject), what resource is being requested (object), environmental conditions (e.g., time of day or location), and what action is being requested (e.g., read, write).
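The four models that Questions 28, 30 and 43 describe in prose, side by side as small decision functions. This is an added example, not part of the exam; the roles, clearance labels, owner ACL and business-hours rule are constructed to mirror the explanations above (HR/IT roles, clearance versus classification, owner "discretion", time-of-day attribute).

```python
"""Added example (not part of the exam): RBAC, DAC, MAC and ABAC, each as a
decision function over constructed sample data. compare_models() asks the same
question, "may bob read the payroll record?", of all four models."""
from dataclasses import dataclass, field

# --- RBAC: permissions are attached to roles; subjects are assigned roles ----
# Constructed data, mirroring the exam's "HR, Sales, IT" illustration.
ROLE_PERMISSIONS = {
    "HR": {("payroll", "read"), ("payroll", "write")},
    "IT": {("server", "read"), ("server", "write"), ("payroll", "read")},
}
USER_ROLES = {"alice": {"HR"}, "bob": {"IT"}, "carol": set()}


def rbac_allows(subject, action, obj):
    """Allowed iff any role assigned to the subject carries (obj, action)."""
    return any((obj, action) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(subject, set()))


# --- DAC: the object's owner (typically its creator) decides the ACL ---------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # subject -> set of actions

    def grant(self, granting_user, subject, action):
        """Only the owner may change permissions: that is the 'discretion'."""
        if granting_user != self.owner:
            raise PermissionError(f"{granting_user} does not own this object")
        self.acl.setdefault(subject, set()).add(action)


def dac_allows(subject, action, obj):
    """The owner always has access; everyone else needs an ACL entry."""
    return subject == obj.owner or action in obj.acl.get(subject, set())


# --- MAC: a central authority assigns labels; the rule compares them ---------
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
CLEARANCE = {"alice": "internal", "bob": "secret"}  # set by the administrator


def mac_allows_read(subject, classification):
    """No read up: the subject's clearance must dominate the object's label."""
    clearance = CLEARANCE.get(subject, "public")
    return LEVELS[clearance] >= LEVELS[classification]


# --- ABAC: a policy evaluated over subject, object, action and environment ---
def abac_allows(subject_attrs, object_attrs, action, env):
    """Constructed policy: a record's owner may do anything with it; others in
    the same department may read it, but only during business hours."""
    if subject_attrs["id"] == object_attrs["owner"]:
        return True
    same_department = subject_attrs["department"] == object_attrs["department"]
    business_hours = 9 <= env["hour"] < 18
    return action == "read" and same_department and business_hours


def compare_models(hour):
    """Answer 'may bob read the payroll record?' under each model."""
    record = DacObject(owner="alice")  # alice created it and granted nothing
    return {
        "RBAC": rbac_allows("bob", "read", "payroll"),
        "DAC": dac_allows("bob", "read", record),
        "MAC": mac_allows_read("bob", "confidential"),
        "ABAC": abac_allows({"id": "bob", "department": "HR"},
                            {"owner": "alice", "department": "HR"},
                            "read", {"hour": hour}),
    }


if __name__ == "__main__":
    for hour in (10, 22):
        print(f"{hour:02d}:00 ->", compare_models(hour))
```

Running it shows the same request granted by RBAC (bob's IT role carries payroll read) and MAC (secret dominates confidential), refused by DAC (alice never granted bob anything), and granted or refused by ABAC depending only on the hour.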

Question 44 • Access Controls Concepts Incorrect

Which of the following is not a technique for monitoring logical access?

Review the sign-in sheet. Correct

Review SIEM alerts. Incorrect

Carry out regular account audits. Incorrect

Access the log review. Incorrect

Explanation

"Review the sign-in sheet" is correct. A sign-in sheet is an example of a physical access log, not a logical access log.

"Review SIEM alerts" is incorrect. Logical access is focused on access to computer and network resources. Logical access can be monitored through regular account audits, review of logical access logs, as well as automated tooling such as SIEM alerts.

"Access the log review" is incorrect. Logical access is focused on access to computer and network resources. Logical access can be monitored through regular account audits, review of logical access logs, as well as automated tooling such as SIEM alerts.

"Carry out regular account audits" is incorrect. Logical access is focused on access to computer and network resources. Logical access can be monitored through regular account audits, review of logical access logs, as well as automated tooling such as SIEM alerts.

Question 45 • Access Controls Concepts Correct

A systems administrator has redesigned the organization's identity management system so that employees can authenticate once and access a range of resources (such as email, file storage, payroll, and so on) without having to authenticate with each system individually. Which of the following technologies is most likely being used?

SSO Correct

Biometric authentication Incorrect

RBAC Incorrect

CPTED Incorrect

"SSO" is correct. Single sign-on (SSO) is a technology that allows users to access a range of resources after authenticating just once. For example, with SSO, employees can access separate corporate systems (such as e-mail, payroll, and document management) by authenticating once instead of having users create and remember separate passwords for each system.

"RBAC" is incorrect. Role-based access control (RBAC) is an access control model that enforces access based on roles that define permissions and the level of access provided to any subjects assigned to that role. Roles are typically developed for similar users with the same access needs (e.g., HR, Sales, IT, Security). Single sign-on is often implemented leveraging RBAC; however, RBAC is not the best answer.

"CPTED" is incorrect. Crime prevention through environmental design (CPTED) is a design technique focused on preventing crime by leveraging environmental design elements that discourage criminal activity by changing human behavior.

"Biometric authentication" is incorrect. Biometric authentication is used to identify and authenticate people using their personal attributes or characteristics. Examples include fingerprint or palm scans,

Question 46 • Security Operations Correct

What is the main difference between symmetric and asymmetric encryption?

Asymmetric encryption uses the same key for encryption and decryption, while symmetric encryption uses different keys. Incorrect

Symmetric encryption uses the same key for encryption and decryption, while asymmetric encryption uses different keys. Correct

Symmetric encryption is less secure than asymmetric encryption. Incorrect

Both symmetric and asymmetric use the same key for encryption and decryption. Incorrect

Explanation

"Symmetric encryption uses the same key for encryption and decryption, while asymmetric encryption uses different keys" is correct. Symmetric encryption uses the same key for encryption and decryption, while asymmetric encryption uses different keys.

"Symmetric encryption is less secure than asymmetric encryption" is incorrect. Neither symmetric nor asymmetric encryption is more secure than the other.

"Both symmetric and asymmetric use the same key for encryption and decryption" is incorrect. Asymmetric encryption does not use the same key for encryption and decryption.

"Asymmetric encryption uses the same key for encryption and decryption, while symmetric encryption uses different keys" is incorrect. Symmet

Question 47 • Access Controls Concepts Correct

Which of the following is a term used to describe a design technique focused on preventing crime by leveraging environmental design elements that discourage criminal activity by changing human behavior?

DAC Incorrect

CPTED Correct

RBAC Incorrect

MAC Incorrect

Explanation

"CPTED" is correct. Crime prevention through environmental design (CPTED) is a design technique focused on preventing crime by leveraging environmental design elements that discourage criminal activity by changing human behavior.

The other answers are incorrect. MAC, DAC, and RBAC are access control models.

Question 48 • Security Operations Correct

Craig wants to know if he can use his smartphone to access his company's Salesforce application so he can update his task status. Where should he look for guidance?

AUP Incorrect

BYOD Policy Correct

Privacy Policy Incorrect

Data Handling Policy Incorrect

Explanation

"BYOD Policy" is correct. The Bring Your Own Device (BYOD) policy defines requirements for employee use of their own equipment.

"Data Handling Policy" is incorrect. The Data Handling Policy defines the requirements for how the organization handles data, usually covering the entire data life cycle.

"Privacy Policy" is incorrect. The Privacy Policy defines the requirements for how the organization protects personal data and meets privacy regulations it must follow.

"AUP" is incorrect. The Acceptable Use Policy (AUP) defines what employees may and may not do with company resources, usually stating such resources are to be used for official business purposes only.

Question 49 • Access Controls Concepts Correct

Lisa is the facilities manager for a large organization that has commercial buildings with heavy foot traffic. Her responsibilities include managing the physical security of the organization's personnel and buildings. After performing a physical security assessment, she determines that there is a risk of a vehicle driving into the building and through the lobby. Which of the following physical controls would best help mitigate this risk?

Bollard Correct

MFA for the lobby door Incorrect

Security guard Incorrect

Surveillance camera Incorrect

Explanation

"Bollard" is correct. A bollard is a physical control designed to help prevent a vehicle from driving into a building.

"MFA for the lobby door" is incorrect. MFA on a lobby door would not help mitigate the risk of a vehicle driving into a building.

"Surveillance camera" is incorrect. While surveillance cameras are physical controls, they do not mitigate the risk of a vehicle driving into a building.

"Security guard" is incorrect. While a security guard is a physical control, it is not the best option to help mitigate the risk of a vehicle driving into the building.

Question 50 A security administrator is creating a document that outlines the steps for troubleshooting problems with the organization's web application firewall. Which of the following is this document an example of?

Policy Incorrect

Regulation Incorrect

Procedure Correct

Law Incorrect

Explanation

"Procedure" is correct. Procedures are step-by-step workflows or instructions that define how a task should be accomplished. In this case, the engineer is documenting procedures for how to troubleshoot the web application firewall.

"Policy" is incorrect. A policy is a management document that contains high-level statements that provide directives to the organization. A policy does not include step-by-step workflows.

"Law" is incorrect. A law is a rule of conduct established by a governmental body that is legally enforceable.

"Regulation" is incorrect. Regulations are standards and rules adopted by administrative agencies that govern how laws are interpreted and enforced.


Question 51 • Security Operations Incorrect

A data center technician needs to securely dispose of several hard drives for systems that are being decommissioned. Which of the following techniques is not sufficient to ensure the data is not recoverable?

Zeroization Incorrect

Physical destruction Incorrect

Erasure Correct

Overwriting Incorrect

Explanation

"Erasure" is correct. Erasure is not a secure means of data sanitization. Erasure occurs when you delete data by pressing the Delete key on a computer or emptying the recycle bin on your desktop. When this occurs, the data is not actually removed from the hard drive and may be recovered. Secure sanitization methods must be used such as zeroization, overwriting, or physical destruction.

"Zeroization" is incorrect. Zeroization, overwriting, and physical destruction are all methods that can be used to securely sanitize media.

"Overwriting" is incorrect. Overwriting or zeroization occurs when data is overwritten with other data such as binary 1's and 0's using other data, patterns, or random data.

"Physical destruction" is incorrect. Physical destruction occurs when physical media (hard drives, disks, etc.) are destroyed so that they cannot be reused and the data cannot be accessed. Physical
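Why erasure leaves data recoverable while zeroization and overwriting do not, shown on a toy block device. This is an added example, not part of the exam; the disk, the file and the recovery "carving" are constructed, and the simulation does not model real device firmware or wear-levelled flash.

```python
"""Added example (not part of the exam): a toy block device on which 'erasure'
only removes the directory entry, while zeroization and overwriting replace the
data blocks themselves. carve() plays the role of a recovery tool that scans
raw blocks and ignores the directory. Everything here is constructed."""
import random

BLOCK_SIZE = 16


class ToyDisk:
    def __init__(self, blocks=8):
        self.data = bytearray(BLOCK_SIZE * blocks)
        self.directory = {}  # filename -> list of block indexes

    def write_file(self, name, content):
        """Place content in the first free blocks and record them."""
        used = {b for blocks in self.directory.values() for b in blocks}
        free = [i for i in range(len(self.data) // BLOCK_SIZE) if i not in used]
        needed = -(-len(content) // BLOCK_SIZE)  # ceiling division
        chosen = free[:needed]
        if len(chosen) < needed:
            raise OSError("disk full")
        for i, blk in enumerate(chosen):
            chunk = content[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            start = blk * BLOCK_SIZE
            self.data[start:start + len(chunk)] = chunk
        self.directory[name] = chosen

    def blocks_of(self, name):
        return self.directory[name]

    def erase(self, name):
        """'Delete key' erasure: forget the file, touch no data blocks."""
        del self.directory[name]

    def zeroize(self, name):
        """Overwrite every block of the file with zeros, then forget it."""
        self._fill(self.directory[name], lambda n: bytes(n))
        del self.directory[name]

    def overwrite(self, name, seed=0):
        """Overwrite every block with a (seeded) random pattern, then forget it."""
        rng = random.Random(seed)
        self._fill(self.directory[name], rng.randbytes)
        del self.directory[name]

    def _fill(self, blocks, pattern):
        for blk in blocks:
            start = blk * BLOCK_SIZE
            self.data[start:start + BLOCK_SIZE] = pattern(BLOCK_SIZE)

    def carve(self, needle):
        """What a recovery tool does: scan raw blocks, ignore the directory."""
        return bytes(self.data).find(needle) != -1


def sanitize_and_check(method):
    """Write a constructed secret, apply `method` ('erase', 'zeroize' or
    'overwrite'), then report whether raw-block carving still finds it.
    True means the data is still recoverable."""
    disk = ToyDisk()
    secret = b"constructed secret: payroll export 2024-Q1"
    disk.write_file("customers.txt", secret)
    getattr(disk, method)("customers.txt")
    assert "customers.txt" not in disk.directory  # all three 'delete' the file
    return disk.carve(secret)


if __name__ == "__main__":
    for m in ("erase", "zeroize", "overwrite"):
        print(f"{m:10s} recoverable: {sanitize_and_check(m)}")
```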

Question 52 • Security Operations Correct

Mike and Steve want to exchange sensitive information but don't want anyone to be able to read their messages. Mike encrypts messages he sends to Steve with Steve's public key (which has been shared with Mike). When Steve receives the message from Mike, he decrypts it with his private key which is only known to him. Similarly, if Steve wants to send a message to Mike, he encrypts the message with Mike's public key, and Mike decrypts the message with his private key. What is this an example of?

Asymmetric Encryption Correct

Symmetric Encryption Incorrect

Secret key cryptography Incorrect

Hashing Incorrect

Explanation

"Asymmetric Encryption" is correct. Asymmetric encryption uses two keys that are mathematically related: a public key and a private key. Asymmetric encryption is sometimes called public key cryptography due to there being a public key that can be freely shared with anyone the sender wants to communicate with securely. The private key must remain private and only be known to the owner.

"Symmetric Encryption" is incorrect. Symmetric encryption uses the same key for encryption and decryption.

"Hashing" is incorrect. Hashing is another type of cryptography that uses special algorithms known as hash algorithms that transform information into fixed-length output known as a message digest (MD). Unlike encryption, which can be reversed via decryption, hashing is a one-way process, meaning the original information or message cannot be reproduced from the hash value output. In addition, there is no key involved when using a hash algorithm.

"Secret key cryptography" is incorrect. Symmetric encryption is sometimes referred

Which cloud deployment model consists of cloud resources that are available for purchase and consumption by the general public?

Public Correct

Hybrid Incorrect

Community Incorrect

Private Incorrect

Explanation

"Public" is correct. A public cloud consists of cloud computing resources operated by a third party that are deployed for use by the general public for purchase and consumption (typically a subscription or on-demand pricing model). Examples of public cloud service providers include Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI).

"Private" is incorrect. A private cloud consists of dedicated cloud computing resources used by a single organization, not available to the general public.

"Community" is incorrect. A community cloud is a variation of a private cloud where cloud resources are shared between multiple communities, organizations, or businesses, typically for a specific purpose or mission (such as collaboration, security or compliance requirements, or some other reason). Like a private cloud, a community cloud is only available to members of the community, not the general public.

"Hybrid" is incorrect. A hybrid cloud is a combination of two or more of the other models (public, private, or community). For example, an organization might operate a private cloud in its own on-premises data center but leverage a public cloud provider to help load-balance traffic if there is a spike in demand.

Question 54 • Network Security Correct

Which of the following is not true regarding UDP?

UDP is a connection-oriented protocol. Correct

UDP is a connectionless protocol. Incorrect

UDP does not use a three-way handshake for establishing connections. Incorrect

UDP is less reliable than TCP. Incorrect

Explanation

"UDP is a connection-oriented protocol" is correct. User Datagram Protocol (UDP) is a protocol for transmitting data between computers. In contrast to TCP, UDP is not a connection-oriented protocol and is instead referred to as a connectionless protocol, as it does not establish a connection (three-way handshake) before transmitting data. This makes UDP less reliable than TCP but also faster, as it requires less overhead for communication.

"UDP does not use a three-way handshake for establishing connections" is incorrect. User Datagram Protocol (UDP) is a protocol for transmitting data between computers. In contrast to TCP, UDP is not a connection-oriented protocol and is instead referred to as a connectionless protocol, as it does not establish a connection (three-way handshake) before transmitting data.

"UDP is a connectionless protocol" is incorrect. User Datagram Protocol (UDP) is a protocol for transmitting data between computers. In contrast to TCP, UDP is not a connection-oriented protocol and is instead referred to as a connectionless protocol, as it does not establish a connection (three-way handshake) before transmitting data.

"UDP is less reliable than TCP" is incorrect. User Datagram Protocol (UDP) is a protocol for transmitting data between computers. In contrast to TCP, UDP is not a connection-oriented protocol and is instead referred to as a connectionless protocol, as it does not establish a connection (three-way handshake) before transmitting data. This makes UDP less reliable than TCP but also faster, as it requires less overhead for communication.

Question 55 • Security Principles Correct

A security engineer has designed the organization's network to have multiple layers of controls in place including antivirus on endpoints, network segmentation through the use of firewalls, and MFA for all administrative access to systems. What is this an example of?

Defense-in-depth Correct

Risk Management Incorrect

Zero Trust Incorrect

Security Governance Incorrect

Explanation

"Defense-in-depth" is correct. The use of multiple layers of security controls is referred to as defense-in-depth. Defense-in-depth is the concept of coordinating and leveraging multiple layers of controls to increase the effort required for a potential attacker to succeed in their attack.

"Risk Management" is incorrect. Risk management is the practice of studying potential threats facing an organization and choosing the right kind of security to protect the organization against those threats. While risk management may have influenced the security engineer's decisions about which controls to implement, that is not the best answer given this scenario.

"Security Governance" is incorrect. Security governance is the practice of developing strategies to oversee the security program to facilitate alignment with the goals and objectives of the organization. While security governance does influence the implementation of security controls, this is not the best choice given the scenario.

"Zero Trust" is incorrect. Zero trust is a security concept that requires all users to be specifically authenticated and authorized before being granted access to a resource. While some of these design techniques may be used to help facilitate zero trust, that is not the best answer.

Question 56 • Security Principles Correct

Mary is conducting a risk analysis for her organization. Her boss, the CISO, feels strongly that the organization's biggest risk is from hackers trying to steal intellectual property from their engineering database server, so that is where their defensive focus should lie. This is an example of what kind of analysis?

Qualitative risk analysis Correct

Quantitative risk analysis Incorrect

Defense in depth Incorrect

Zero trust Incorrect

Explanation

"Qualitative risk analysis" is correct. Qualitative analysis considers priorities to evaluate the impact of threats to the business and may be as simple as an executive saying, "this asset is important to us, therefore I designate it as high risk".

"Quantitative risk analysis" is incorrect. Quantitative risk analysis assigns financial or numerical values to assets along with factors with numerical weights, which is not the case in this example.

"Defense in depth" is incorrect. Defense in depth is the concept of coordinating and leveraging multiple layers of controls, which is not what is being described in the question.

"Zero trust" is incorrect. Zero trust is a security concept that requires all users to be specifically authenticated and authorized before being granted access to a resource. It may be part of the defensive solution the CISO is seeking but it is not the best answer.

Question 57 • Access Controls Concepts Correct

When an employee is terminated, what is the best course of action regarding the provisioning of their user access accounts?

Do nothing. If anyone tries to use the accounts, it will be detected by IDS and monitoring systems. Incorrect

Remove access to only accounts for which the user does not have write access. Incorrect

Disable the employee's access to all accounts after a grace period. Incorrect

Disable the employee's access to all accounts. Correct

Explanation

"Disable the employee's access to all accounts" is correct. When there is no longer a need for access, the access should be revoked.

"Do nothing. If anyone tries to use the accounts, it will be detected by IDS and monitoring systems" is incorrect. When there is no longer a need for access, the access should be revoked. Detective controls should not be relied upon for preventive measures.

"Remove access to only accounts for which the user does not have write access" is incorrect. Regardless of the type of access, if the access is no longer required it should be revoked.

"Disable the employee's access to all accounts after a grace period" is incorrect. When there is no longer a need for access, the access should be revoked. A grace period would rarely apply in the event of a terminated employee, so this is not the best answer.

Question 58 • Business Continuity (BC) and Disaster Recovery (DR) and Incident Response Concepts Correct

Which of the following focuses on plans and processes to ensure the business can continue to perform essential business functions in the event of a disaster or security incident?

Information assurance Incorrect

Business continuity Correct

Disaster recovery Incorrect

Incident response Incorrect

Explanation

"Business continuity" is correct. Business continuity management encompasses planning for and executing how an organization can continue to operate in the event of an incident.

"Disaster recovery" is incorrect. Disaster recovery is a subset of business continuity that focuses on the IT or business processing aspects of recovering from an incident.

"Incident response" is incorrect. Incident response involves planning and processes for responding to security incidents.

"Information assurance" is incorrect. Information assurance refers to the measure of information security or the extent to which security is achieved.

Question 59 • Security Principles Incorrect

A systems administrator realizes that the production database has become corrupt. In order to recover the database he restores it from the most recent backup. What control functionality is this an example of?

Corrective Correct

Detective Incorrect

Preventive Incorrect

Directive Incorrect

Explanation

"Corrective" is correct. Corrective controls provide functionality that fixes a system, process, or activity after an adverse event has occurred (such as recovering the production database from a backup).

"Preventive" is incorrect. Preventive controls prevent or stop an adverse event or incident. In this example the incident (database corruption) has already occurred.

"Detective" is incorrect. Detective controls help to detect or identify when something bad might have occurred.

"Directive" is incorrect. Directive controls communicate expected behavior.

Question 60 • Security Operations Correct

Which of the following is not an example of protecting data in-transit?

Database encryption Correct

VPN encryption Incorrect

SSL/TLS Incorrect

SSH Incorrect

Explanation

"Database encryption" is correct. Database encryption is an example of protecting data at rest, not data in-transit.

"SSL/TLS" is incorrect. Secure Socket Layer/Transport Layer Security (SSL/TLS) is often used with protocols, such as HTTP, to help secure, encrypt, and protect the integrity of communication to help prevent manipulation, eavesdropping, man-in-the-middle, and spoofing attacks. SSL/TLS protects data in-transit.

"VPN encryption" is incorrect. VPN encryption is an example of protecting data in-transit. An encrypted VPN is a secure connection to a private network through a public network such as the Internet. The connection is encrypted and secured virtually, extending the organization's private network to authorized users outside of it.

"SSH" is incorrect. Secure Shell (SSH) is a protocol used for remotely logging into and interacting with Unix/Linux computers through a text-only command-line interface. SSH encrypts the communication from the client to the server during the session, providing protection for data in-transit.

Question 61 • Security Operations Correct

Ali was conducting a check of systems and found a server that was not compliant with the corresponding security baseline. What is the best course of action?

Install HIDS immediately. Incorrect

Check the system for malware and indicators of malicious activity, properly disinfect, configure, and test the system. Correct

Run a virus scan and if the server is clean it is ok to remain in production. Incorrect

Remove the system from production, wipe the hard drive and reinstall the OS and applications. Incorrect

Explanation

"Check the system for malware and indicators of malicious activity, properly disinfect, configure, and test the system" is correct. The system may have been compromised, so it should be checked before properly configuring the system and redeploying it.

"Run a virus scan and if the server is clean it is ok to remain in production" is incorrect. Simply running a virus scan is not enough, as the system remains non-compliant and can be a security risk.

"Remove the system from production, wipe the hard drive and reinstall the OS and applications" is incorrect. Wiping the hard drive without first checking to see if the system was compromised loses the opportunity to discover whether malicious activity occurred.

"Install HIDS immediately" is incorrect. Installing Host-based IDS software does not solve the problem of a misconfigured server.

Question 62 • Network Security Correct

What is the most important governance element for a customer to use to ensure a cloud service provider is delivering on expectations?

SOC Reports Incorrect

Verbal Agreement Incorrect

SLA Correct

ISO/IEC Certification Incorrect

Explanation

"SLA" is correct. A service level agreement (SLA) is a contractual agreement between a service provider or supplier and a customer that defines the level of service the customer can expect. These include provisions around things like performance, availability, security, response times, and accountability, as well as metrics by which the service can be measured to ensure the provider is adhering to stated requirements. SLAs (and other similar contracts) are very important when it comes to a customer's ability to govern the relationship with the provider, as they serve as the primary legal and contractual guarantee of the level of service and responsibility the provider takes on. SLAs may even have provisions that the provider maintain a specific ISO/IEC certification or have SOC reports available for customer review.

"SOC Reports" is incorrect. A system and organization controls (SOC) audit is an audit performed on a service organization (such as a cloud service provider) by a third-party audit firm that assesses the internal controls of the provider. When the audit is concluded, the audit firm issues a SOC report attesting to the controls implemented by the provider. While SOC reports are beneficial to a customer to understand the controls the provider has in place, they are not the best option for governing the relationship between the customer and the provider. Just because a provider has a SOC report now does not mean they have contractually agreed to have one in the future.

"ISO/IEC Certification" is incorrect. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) work together to develop joint international standards. Organizations may seek to become certified against these standards by being audited by an accredited third party. While ISO/IEC certification can be helpful in ensuring a provider has specific controls in place, it is not the best option for governing the relationship between the customer and the
Question 63 • Access Controls Concepts Correct

A cyberattacker hacks into a system and steals data they are not authorized to access. This is an example of what type of situation?

Malicious unauthorized access Correct

System misconfiguration Incorrect

Explicit unauthorized access Incorrect

Unusual access Incorrect

Explanation

"Malicious unauthorized access" is correct. If someone bypasses access control mechanisms to gain access, it is an example of malicious unauthorized access.

"Unusual access", "System misconfiguration", and "Explicit unauthorized access" are incorrect. Unusual and explicit unauthorized access are make-believe terms, while system misconfiguration refers to configuration settings in general, not just access control settings.

Question 64 • Network Security Correct

Viruses, trojans, and rootkits are types of what?

Ransomware Incorrect

Malware Correct

Scripts Incorrect

Social engineering Incorrect

Explanation

"Malware" is correct. Malware (malicious software) is software designed to infiltrate and gain unauthorized access to systems for malicious purposes. Malware includes viruses, trojans, worms, botnets, ransomware, and rootkits.

"Scripts" is incorrect. A script is a set of instructions.

"Social engineering" is incorrect. Social engineering is manipulating someone into doing something that may not be in their best interests.

"Ransomware" is incorrect. Ransomware is a type of malware that forces the victim to either pay a ransom or deal with the damage the ransomware causes to the system on which it resides.
Question 65 • Security Principles Correct

Of the reasons listed, which is the best reason why an organization would choose to perform qualitative risk analysis over quantitative risk analysis?

Qualitative analysis can be subjective and open to interpretation. Incorrect

Quantitative analysis requires a lot of data and can be very complex to perform. Correct

Quantitative analysis can be subjective and open to interpretation. Incorrect

Qualitative analysis requires a lot of data and can be very complex to perform. Incorrect

Explanation

"Quantitative analysis requires a lot of data and can be very complex to perform" is correct. Quantitative analysis requires a lot of data and can be very complex to perform, which is why many organizations choose to do qualitative or a hybrid instead.

"Quantitative analysis can be subjective and open to interpretation" is incorrect and is not a true statement. Quantitative analysis is based on hard numbers and is usually not subjective.

"Qualitative analysis requires a lot of data and can be very complex to perform" is incorrect and is not a true statement. Qualitative analysis is usually chosen because it requires comparatively less data and is less complex.

"Qualitative analysis can be subjective and open to interpretation" is incorrect. While the statement is true, it isn't the best answer because it presents a reason why an organization might not want to use qualitative analysis.

Question 66 • Access Controls Concepts Correct

The IT Director for an organization has revamped the organization's identity management structure so that pre-built permission groups are developed for each department such as IT, Finance, Sales, HR, and so on. Users are then assigned to those corresponding groups depending on what team they are on. Which access control model is most likely being utilized?

MAC Incorrect

ABAC Incorrect

RBAC Correct

Explanation

"RBAC" is correct. Role-based access control (RBAC) enforces access based on roles that define permissions and the level of access provided to any subjects assigned to that role. Roles are typically developed for similar users with the same access needs (e.g., HR, Sales, IT, Security).

"DAC" is incorrect. Discretionary access control (DAC) provides the owner of the resource, typically the creator, full control to configure which subjects (e.g., users, groups) can access the object (e.g., file, folder). This allows the user (object owner) the ability ("discretion") to make decisions such as what permissions other users or groups of users have over the object.

"MAC" is incorrect. Mandatory access control (MAC) leverages a central authority, typically a security administrator, that regulates access based on security labels, such as the clearance level that a subject (user) has been approved for, as well as the classification of the object (file, database, etc.).

Question 67 • Security Principles Incorrect

Which of the following is an example of a detective control?

Bollard Incorrect

IPS Incorrect

IDS Correct

Explanation

"IDS" is correct. An intrusion detection system (IDS) is an example of a detective control.

"IPS" is incorrect. This isn't the best answer because an intrusion prevention system is both a detective and a preventive control.

"Firewall" is incorrect. A firewall is an example of a preventive control.

"Bollard" is incorrect. A bollard is an example of a preventive control.


Question 68 • Security Operations Incorrect

Which of the following lists of topics should be included in most organizations' security training and awareness programs?

Company security policies, Social engineering defenses, Security best practices Incorrect

Company security policies, Social engineering defenses, Security best practices, Job-specific security practices Correct

Company security policies, Cryptography, Security best practices Incorrect

Explanation

"Company security policies, Social engineering defenses, Security best practices, Job-specific security practices" is correct. Most organizations should cover these topics in their awareness programs:

-Company security policies

-Social engineering defenses

-Security best practices

-Job-specific security practices

"Company security policies, Cryptography, Security best practices" is incorrect. From the list, cryptography is not a topic most organizations need to cover.

"Company security policies, Social engineering defenses, Security best practices" is incorrect. This list omits job-specific security practices.

Question 69 • Security Operations Correct

Joe fell victim to a social engineering attack by a cybercriminal, then he remembered learning about a similar trick during his company's security training. What feature of training and awareness programs did his organization likely fail to implement?

Modular training Incorrect

Progress tracking Incorrect

Establishing goals Incorrect

Practice testing Correct

Explanation

"Practice testing" is correct. If Joe's organization had a program of practicing and testing what students were taught, Joe may have remembered how to recognize the signs of a social engineering attack.

"Modular training" is incorrect. It is unlikely modular training would have helped Joe recognize the attack.

"Progress tracking" is incorrect. Whether Joe's organization had good or bad ways to track his training progress, it is unlikely that it would have helped Joe recognize the attack.

"Establishing goals" is incorrect. It is unlikely that establishing goals would have helped Joe recognize the attack, since the topic was covered in his training.

Question 70 • Network Security Incorrect

Which of the following methods is not commonly used to launch ransomware attacks?

Social engineering tricks Incorrect

Phishing emails Incorrect

Ping attack Correct

Exploiting known vulnerabilities in operating systems or applications Incorrect

Explanation

"Ping attack" is correct. A ping attack is a denial of service attack in which the attacker floods the victim system with ping requests. By itself it does not enable a ransomware attack.

"Phishing emails" is incorrect. Phishing emails are a common method of launching ransomware attacks.

"Social engineering tricks" is incorrect. Social engineering tricks are often used to launch ransomware attacks.

"Exploiting known vulnerabilities in operating systems or applications" is incorrect. Exploiting known vulnerabilities is a common method of launching ransomware attacks.

Question 71 • Access Controls Concepts Correct

Which of the following can be used to monitor physical access?

Security camera Incorrect

Security guard Incorrect

All of these answers Correct

Physical access logs Incorrect

Explanation

"All of these answers" is correct. Security guards, physical access logs, and security cameras may all be used to monitor physical access.

"Security guard" is incorrect. Security guards, physical access logs, and security cameras may be used to monitor physical access.

"Physical access logs" is incorrect. Security guards, physical access logs, and security cameras may be used to monitor physical access.

"Security camera" is incorrect. Security guards, physical access logs, and security cameras may be used to monitor physical access.

Question 72 • Network Security Correct

Which of the following involves a sophisticated attack in which a hacker maintains a stealthy long-term presence in a victim's network?

Backdoor Incorrect

Advanced persistent threat Correct

Denial of service Incorrect

Distributed denial of service Incorrect

Explanation

"Advanced persistent threat" is correct. An advanced persistent threat is an attack in which the attacker maintains a stealthy long-term presence in a victim's network.

"Denial of service" is incorrect. A denial of service attack is any attack against availability.

"Distributed denial of service" is incorrect. A distributed denial of service attack is a DoS attack launched from many computers, usually in the form of a botnet, and is not necessarily persistent or stealthy.

"Backdoor" is incorrect. A backdoor is a feature of many kinds of attacks whereby an unauthorized user can bypass access or security controls to gain access.

Question 73 • Security Operations Correct

Which of the following topics would not normally be found in an organization's security policy?

List of Acronyms Incorrect

Policy Scope Incorrect

Policy Enforcement Incorrect

The latest news about security incidents Correct

Explanation

"The latest news about security incidents" is correct. A security policy would never contain the latest news about security incidents. That information would normally be found on the organization's security website, newsletter, or on public news sources.

"List of Acronyms" is incorrect. A policy can certainly contain a list of acronyms if the policy contains terms that warrant such a section.

"Policy Scope" is incorrect. Good security policies usually contain a section describing the scope of the policy and its applicability.

"Policy Enforcement" is incorrect. Many security policies have a section on enforcement which covers how the organization enforces the policy and the ramifications of non-compliance.

Question 74 • Security Principles Correct

What type of control functionality does a fence provide?

Explanation

"Preventive" is correct. A fence provides preventive control functionality as it prevents someone from entering somewhere they shouldn't be.

"Detective" is incorrect. Detective controls help to detect or identify when something bad might have occurred.

Question 75 • Security Operations Incorrect

The legal department of an organization is concerned that they are not keeping certain legal files long enough in order to comply with specific laws governing how long data must be kept. What element of the data lifecycle is the organization concerned with?

Data classification Incorrect

Data retention Correct

Data destruction Incorrect

Data encryption Incorrect

Explanation

"Data retention" is correct. There are many state and federal laws that require organizations to retain data for specific periods of time. As a result, when data is no longer needed by an organization, it may still need to be stored for a period of time. This type of storage is called data retention.

"Data destruction" is incorrect. Data destruction occurs when data is no longer needed and must be securely sanitized. Sanitization methods include overwriting, degaussing, and physical destruction.

"Data classification" is incorrect. Data classification is the process of assigning classification levels to data types based on risk. The classification of the data dictates the controls that are utilized to protect it appropriately.

"Data encryption" is incorrect. Data encryption is the process of transforming plaintext (information that is in a readable format) into ciphertext (information that is in an encrypted, unreadable format).

Question 76 • Network Security Correct

A systems administrator is assisting an employee with an issue they are having with their work laptop. When the employee attempts to connect to the company network they are unable to get an IP address assigned and thus cannot access company resources. Which of the following protocols is most relevant for the systems administrator when investigating and troubleshooting this issue?

HTTP Incorrect

SMTP Incorrect

DHCP Correct

Explanation

"DHCP" is correct. Dynamic Host Configuration Protocol (DHCP) is used to dynamically assign IP addresses to devices. A server (DHCP server) checks for available IP addresses from a pool and automatically assigns them to client devices. The systems administrator should investigate to see whether DHCP is configured and working properly.

"HTTP" is incorrect. Hypertext Transfer Protocol (HTTP) is a communication protocol that provides a means of transmitting and formatting messages between clients and servers. It is the primary way web browsers communicate with web servers to access web pages over the Internet. It is not related to IP address assignment.

"SMTP" is incorrect. Simple Mail Transfer Protocol (SMTP) is an email protocol used for sending messages. It is not related to IP address assignment.

"FTP" is incorrect. File Transfer Protocol (FTP) is used for transferring files between systems. FTP transmits information in plaintext so it is considered an insecure protocol. It


Question 77 • Security Operations Incorrect

Which policy would normally include requirements for employees accessing their social media accounts on company-owned computers?

Data Handling Policy Incorrect

BYOD Policy Incorrect

AUP Correct

Privacy Policy Incorrect

Explanation

"AUP" is correct. The Acceptable Use Policy (AUP) defines what employees may and may not do with company resources, usually stating that such resources are to be used for official business purposes only.

"BYOD Policy" is incorrect. The Bring Your Own Device (BYOD) policy defines requirements for employee use of their own equipment, but the question refers to company-owned equipment.

"Data Handling Policy" is incorrect. The Data Handling Policy defines the requirements for how the organization handles data, usually covering the entire data life cycle.

"Privacy Policy" is incorrect. The Privacy Policy defines the requirements for how the organization protects personal data and meets the privacy regulations it must follow.

Question 78 • Network Security Correct

Which of the following would a hacker not usually learn by conducting scans against a targeted network?

Enumerate the IP addresses and operating system types and versions of endpoints. Incorrect

Reveal user accounts on endpoints that have excessive privileges. Correct

Reveal any known vulnerabilities on endpoints. Incorrect

Reveal open ports on endpoints. Incorrect

Explanation

"Reveal user accounts on endpoints that have excessive privileges" is correct. Scanners cannot tell if user accounts have too many privileges, since that is dependent upon the user's role in the organization and their need to know.

"Enumerate the IP addresses and operating system types and versions of endpoints" is incorrect. Scanners typically can enumerate the IP addresses and operating system types and versions of endpoints.

"Reveal open ports on endpoints" is incorrect. Scanners typically can reveal open ports on endpoints.

"Reveal any known vulnerabilities on endpoints" is incorrect. Scanners typically can reveal known vulnerabilities on endpoints.

Question 79 • Business Continuity (BC) and Disaster Recovery (DR) and Incident Response Concepts Correct

Which disaster recovery option provides the fastest restoration of operations?

Hot site Correct

Tertiary site Incorrect

Cold site Incorrect

Warm site Incorrect

Explanation

"Hot site" is correct. A hot site is ready to go at a moment's notice and can be up and running within a few hours.

"Warm site" is incorrect. A warm site has power and infrastructure but not the computing equipment itself, which must be brought in.

"Cold site" is incorrect. A cold site is an empty building with no IT infrastructure or computing equipment.

"Tertiary site" is incorrect. A tertiary site is a secondary backup site used if the primary backup site is not available. It could be hot, warm, or cold, but it is not the best answer.
Question 80 • Security Operations Correct

Which of the following terms describes the process of transforming plaintext into ciphertext?

Salting Incorrect
Hashing Incorrect
Encryption Correct
Decryption Incorrect

Explanation

"Encryption" is correct. Encryption is the process of transforming plaintext (information that is in a readable format) into ciphertext (information that is in an encrypted, unreadable format).

"Decryption" is incorrect. Decryption is the process of transforming ciphertext back to plaintext.

"Hashing" is incorrect. Hashing is another type of cryptography that uses special algorithms that transform information into fixed-length output known as a message digest (MD). An MD output is also commonly referred to as a hash, hash value, or fingerprint. Unlike encryption, which can be reversed via decryption, hashing is a one-way process, meaning the original information or message cannot be reproduced from the hash value output.

Question 81

The IT Director for a large organization is reviewing options to migrate their servers and infrastructure from their on-prem data center to the cloud. Which cloud service model best fits the organization's needs?

IaaS Correct
On-prem Incorrect
SaaS Incorrect
PaaS Incorrect

Explanation

"IaaS" is correct. In an Infrastructure as a Service (IaaS) model, the cloud provider gives customers self-service access to a pool of infrastructure resources (such as network, server, storage, etc.) that can be virtually provisioned and deprovisioned on demand. In this case, the IT Director wants to move their on-prem servers to the cloud, so IaaS is the option that most closely aligns.

"SaaS" is incorrect. In a Software as a Service (SaaS) model, a software service or application is hosted by a cloud provider and provided to customers (typically over the Internet). The cloud provider manages the infrastructure and platform, and the customer only needs to manage specific configurations within the application. Examples of SaaS include web-based e-mail, social media sites, and other web-based applications. In this case, the IT Director wants to move physical on-prem servers to the cloud, so SaaS is not the best option.

"PaaS" is incorrect. In a Platform as a Service (PaaS) model, the cloud service provider gives customers access to platforms where they can develop, test, and run code for applications developed in various programming languages. In this case, the IT Director wants to move physical on-prem servers to the cloud, so PaaS is not the best option.

"On-prem" is incorrect.

Question 82 • Network Security Correct

A security engineer is trying to decide on the best course of action to take to block internet traffic from specific IP addresses at the perimeter of the company network. Which of the following controls would allow the security engineer to configure such rules?

Network Firewall Correct
Host-based Firewall Incorrect
Network IDS Incorrect
Network Fence Incorrect

Explanation

"Network Firewall" is correct. A firewall is a network device used to enforce security rules that govern how traffic may flow, such as allowing certain types of traffic and denying other types of traffic.

"Network Fence" is incorrect. Network fence is a made-up term here.

"Network IDS" is incorrect. A network intrusion detection system (IDS) merely detects and reports on potential malicious activity. It will not block traffic.

"Host-based Firewall" is incorrect. A host-based firewall is a firewall on an individual computer that allows or denies connections to that computer based on a set of rules. This is not the best option for blocking IP addresses at the perimeter of the company network.
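To make the rule-based filtering in this answer concrete, here is an added example (it is not part of the exam or its explanations) of how a perimeter firewall evaluates an ordered rule list against inbound connections. The rule model, the RFC 5737 documentation addresses and the sample connection attempts are all constructed for the illustration and follow no vendor's syntax.

```python
# Added illustration (not from the exam): how a perimeter firewall applies an
# ordered rule list to inbound connections. The rule model, the addresses
# (RFC 5737 documentation ranges) and the sample traffic are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # source prefix in CIDR notation; "0.0.0.0/0" = any IPv4
    dst_port: Optional[int]     # None = any destination port
    comment: str = ""

    def matches(self, src_ip: str, dst_port: int) -> bool:
        in_src = ip_address(src_ip) in ip_network(self.src, strict=False)
        port_ok = self.dst_port is None or self.dst_port == dst_port
        return in_src and port_ok


# Constructed perimeter ruleset. Specific deny rules come first, then the
# allowed public services; anything not matched falls to the default deny.
PERIMETER_RULES: List[Rule] = [
    Rule("deny", "203.0.113.0/24", None, "block unwanted source range"),
    Rule("deny", "198.51.100.7/32", None, "block single unwanted host"),
    Rule("allow", "0.0.0.0/0", 443, "public HTTPS service"),
    Rule("allow", "0.0.0.0/0", 80, "public HTTP service"),
]
DEFAULT_ACTION = "deny"


def evaluate(rules: List[Rule], src_ip: str, dst_port: int) -> Tuple[str, str]:
    """First-match evaluation: the first rule whose predicate matches decides
    the connection; if no rule matches, the implicit default applies."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action, rule.comment
    return DEFAULT_ACTION, "implicit default deny"


def log_line(src_ip: str, dst_port: int) -> str:
    """Format one decision the way a firewall log entry might summarise it."""
    action, why = evaluate(PERIMETER_RULES, src_ip, dst_port)
    return f"{action.upper():<5} src={src_ip} dport={dst_port} ({why})"


if __name__ == "__main__":
    # Constructed sample of inbound connection attempts at the perimeter.
    for src, port in [("203.0.113.45", 443), ("198.51.100.7", 80),
                      ("192.0.2.10", 443), ("192.0.2.10", 22)]:
        print(log_line(src, port))
```

Two points the example makes visible: rule order matters, because the specific deny rules must sit above the general allow rules or the blocked sources would be admitted on ports 80 and 443; and a connection that matches nothing is dropped by the default. A network IDS evaluating the same traffic would only raise an alert on the unwanted sources; it is the firewall's rule action that actually stops them.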

Question 83 • Access Controls Concepts Correct

Which term refers to the process of validating a user's identity?

Explanation

"Authentication" is correct. Authentication is the method by which a system validates that a user is who they claim to be.

"Authorization" is incorrect. Authorization is the bestowing of a set of permissions and can only occur after authentication.

Question 84 • Security Operations Incorrect

A systems administrator suspects that a server has been infected with malware. When investigating the concern, they realize that the appropriate events have not been captured, so they are unable to produce a chain of events. Which of the following is the root cause of this issue pertaining to the investigation?

Lack of monitoring Incorrect
Lack of logging Correct
Lack of network security Incorrect
Lack of MFA Incorrect

Explanation

"Lack of logging" is correct. The appropriate events have not been captured due to a lack of logging. This prevents the systems administrator from being able to establish a chain of events during their investigation.

"Lack of monitoring" is incorrect. While monitoring is critical for detecting incidents, logging must be in place so that the appropriate events are captured for later monitoring. In this scenario, the organization was not capturing key events that would be needed for monitoring to be effective.

"Lack of MFA" is incorrect. Multi-factor authentication (MFA) would not have helped in the investigation.

"Lack of network security" is incorrect. Increased network security measures possibly could have helped prevent the malware incident but would not have helped in the investigation.

Question 85 • Access Controls Concepts Incorrect

Which access control model is commonly used in military and government environments to protect classified information?

MAC Correct
ABAC Incorrect
RBAC Incorrect
DAC Incorrect

Explanation

"MAC" is correct. Mandatory access control (MAC) is an access control model that is commonly used in military and government environments to protect classified information. In MAC, access to resources is based on a hierarchical system of security labels and clearances that are assigned by a central authority. This allows for a high level of security and ensures that only users with the appropriate clearances can access classified information.

"DAC" is incorrect. Discretionary access control (DAC) is an access control model that allows owners or administrators to control access to resources based on the identity of the user and the permissions assigned to them. While DAC can be used in military and government environments, mandatory access control (MAC) is the best answer.

"RBAC" is incorrect. Role-based access control (RBAC) is an access control model that provides granular access control based on a user's job responsibilities. While RBAC can be used in military and government environments, mandatory access control (MAC) is the best answer.

"ABAC" is incorrect. Attribute-based access control (ABAC) is an access control model that grants access to resources based on a user's attributes or characteristics, such as job title, location, or department. While ABAC can be used in military and government environments, mandatory access control (MAC) is the best answer.

Question 86 • Security Operations Correct

What method of sanitization uses extremely powerful magnets to demagnetize media?

Overwriting Incorrect
Zeroization Incorrect
Disintegration Incorrect
Degaussing Correct

Explanation

"Degaussing" is correct. Degaussing demagnetizes magnetic media by exposing the media to an extremely powerful magnetic field. This sanitizes the magnetic media. The media itself can then be reused; however, degaussing will make most modern hard drives inoperable.

"Zeroization" is incorrect. A common technique for data sanitization is to overwrite data with other data, patterns, or random data. The more times the data is overwritten (each time is referred to as a pass), the harder the original data is to recover. This is often referred to as overwriting or zeroization.

"Overwriting" is incorrect. A common technique for data sanitization is to overwrite data with other data, patterns, or random data. The more times the data is overwritten (each time is referred to as a pass), the harder the original data is to recover. This is often referred to as overwriting or zeroization.

"Disintegration" is incorrect. Disintegration is a physical media destruction technique. It does not use magnets to demagnetize media.


Question 87 • Business Continuity (BC) and Disaster Recovery (DR) and Incident Response Concepts Correct

Which of the following techniques is not a method for identifying a security incident?

SIEM alerts Incorrect
Disabling system accounts Correct
Reviewing security logs Incorrect
IDS alerts Incorrect

Explanation

"Disabling system accounts" is correct. Disabling system accounts may be done as a containment strategy as part of the incident response process; however, this is not a method for identifying a security incident.

"Reviewing security logs" is incorrect. Reviewing security logs is a method for identifying a security incident.

"IDS alerts" is incorrect. Intrusion Detection System (IDS) alerts can be used to identify a security incident.

"SIEM alerts" is incorrect. Security Information and Event Management (SIEM) alerts can be used to identify a security incident.

Question 88 • Security Principles Incorrect

Of the choices listed, which quantitative measure indicates how much money an organization is predicted to lose if a given threat event occurs one time?

Annualized Rate of Occurrence Incorrect
Single Loss Expectancy Correct
Annual Loss Expectancy Incorrect
Single Exposure Factor Incorrect

Explanation

"Single Loss Expectancy" is correct. The Single Loss Expectancy (SLE) is the potential loss due to a single threat event, such as a cyberattack or natural disaster.

"Annual Loss Expectancy" is incorrect. Annual (or Annualized) Loss Expectancy (ALE) is the potential loss due to all threat events occurring over the course of one year.

"Single Exposure Factor" is incorrect. Single Exposure Factor is not a valid term used in quantitative analysis.

"Annualized Rate of Occurrence" is incorrect. Annualized Rate of Occurrence is a prediction of how many times the event may occur during a year.
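The three terms in this question are tied together by simple formulas, so here is an added worked example in Python (it is not from the exam). It goes slightly beyond the question by including the two inputs that produce SLE, asset value (AV) and exposure factor (EF), using the standard relationships SLE = AV x EF and ALE = SLE x ARO, and by adding a cost/benefit check for a safeguard; every dollar figure, exposure factor and rate in it is a constructed input.

```python
# Added worked example (not from the exam) of the quantitative risk terms
# SLE, ARO and ALE. Standard relationships: SLE = AV x EF, ALE = SLE x ARO.
# Every dollar figure, exposure factor and rate below is a constructed input.
from typing import Dict


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: money expected to be lost from ONE occurrence of the threat event.
    exposure_factor (EF) is the fraction of the asset's value destroyed (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected loss per year = SLE x ARO. ARO is the predicted number of
    occurrences per year and may be fractional (0.5 = once every two years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def control_net_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual benefit of a safeguard: ALE reduction minus the control's cost.
    Negative means the control costs more than the risk it removes."""
    return (ale_before - ale_after) - annual_cost


def ransomware_scenario() -> Dict[str, float]:
    """Constructed scenario: a file server valued at $200,000; a ransomware event
    is expected to wipe out half its value and to occur once every two years."""
    asset_value, ef, aro = 200_000.0, 0.5, 0.5
    sle = single_loss_expectancy(asset_value, ef)            # 100,000 per event
    ale = annualized_loss_expectancy(sle, aro)               # 50,000 per year
    # A backup/restore control costing $15,000 a year is assumed to cut the
    # exposure factor to one eighth (restore instead of rebuild); it does not
    # change how often the event is expected to occur.
    sle_after = single_loss_expectancy(asset_value, 0.125)  # 25,000 per event
    ale_after = annualized_loss_expectancy(sle_after, aro)   # 12,500 per year
    return {
        "SLE": sle,
        "ALE": ale,
        "ALE_with_control": ale_after,
        "control_net_value": control_net_value(ale, ale_after, 15_000.0),  # 22,500
    }


if __name__ == "__main__":
    for name, dollars in ransomware_scenario().items():
        print(f"{name:>18}: ${dollars:,.0f}")
```

The point to carry into the exam: SLE answers "how much per event", ARO answers "how often per year", and their product, ALE, is what you compare against the annual cost of a control to decide whether the control is worth buying.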

Question 89 • Security Principles Correct

A data center administrator installs a biometric authentication system that controls access to the data center. In order for employees to enter the data center, they must scan their palm to gain access. What type of security control is this an example of?

Administrative Incorrect
Technical Incorrect
Physical Correct
Directive Incorrect

Explanation

"Physical" is correct. Physical controls are controls put in place to protect physical resources against physical threats, including but not limited to break-ins, fires, theft, physical harm, and so on. In this example the biometric authentication system is controlling access to the data center to protect against unauthorized access.

"Technical" is incorrect. Technical controls are hardware or software components that protect computing and network resources such as computers, servers, mobile devices, computer networks, or data stored within a system. In this case, the biometric system is controlling access to a physical building (the data center), not a computer or network resource.

"Administrative" is incorrect. Administrative controls are management-oriented controls that provide directives and instruction aimed at people within the organization.

"Directive" is incorrect. Directive is a type of control functionality.

Question 90 • Security Operations Correct

Joe ran a vulnerability scan and posted the results on his organization's unsecured website so it would be easy for his employees to see the results. Was this a good idea?

Yes, because it is important for scan results to be easily accessible by the security staff. Incorrect
Yes, because storing the results in a secure location would make it harder for the vulnerability remediation staff to do their job. Incorrect
No, because scan results contain sensitive information which could be used by cybercriminals to launch attacks against the organization. Correct
No, because scan results must be encrypted according to NIST standards. Incorrect


Explanation

"No, because scan results contain sensitive information which could be used by cybercriminals to launch attacks against the organization" is correct. Scan results should be stored and handled in a secure manner, and their dissemination should be tightly controlled, because they contain sensitive information regarding the organization's assets and vulnerabilities.

"Yes, because it is important for scan results to be easily accessible by the security staff" is incorrect. While it is important for scan results to be easily accessible, they should also be secured and tightly controlled as they contain sensitive information.

"Yes, because storing the results in a secure location would make it harder for the vulnerability remediation staff to do their job" is incorrect. While it is important for scan results to be easily accessible, they should also be secured and tightly controlled as they contain sensitive information.

"No, because scan results must be encrypted according to NIST standards" is incorrect. NIST standards do not require scan results to be encrypted, although scan results should be stored and transmitted in a secure manner.


Question 91 • Security Operations Correct

Which of the following is considered the best practice regarding patch management?

Test patches before deploying them to production devices. Correct
Install patches as quickly as possible. Incorrect
Install patches on a weekly basis. Incorrect
Deploy patches of the most reputable vendors first. Incorrect

Explanation

"Test patches before deploying them to production devices" is correct. Patches may have unintended consequences, so they should be tested before being deployed to production.

"Install patches as quickly as possible" is incorrect. Installing patches as quickly as possible may be acceptable as long as they are tested and fully understood first.

"Deploy patches of the most reputable vendors first" is incorrect. Vendor reputation should not be a factor in the patch management process.

"Install patches on a weekly basis" is incorrect. Patches could be installed on a regular basis, but only after they are tested.

Question 92 • Network Security Correct

Which of the following is a logical address assigned to devices connected to a network or the Internet?

Internet Protocol (IP) address Correct
Address Resolution Protocol (ARP) Incorrect
Media access control (MAC) address Incorrect
Mailing address Incorrect

Explanation

"Internet Protocol (IP) address" is correct. IP addresses are used for identifying devices for the purpose of routing traffic. An IP address is referred to as a logical address or software address, as it is a virtual address that is not hardcoded into hardware like a MAC address.

"Media access control (MAC) address" is incorrect. A MAC address is a unique string of numbers and letters assigned to the network interface of a computing device, used to uniquely identify devices on the same network. The MAC address is often referred to as a physical address or hardware address since it is assigned to the device's physical network interface hardware.

"Address Resolution Protocol (ARP)" is incorrect. Address Resolution Protocol (ARP) is used to map IP addresses to MAC addresses (and vice versa) on a LAN. ARP serves as the bridge that connects the IP address and the MAC address. Computers on a network use ARP to learn which MAC address corresponds to which IP address and store that information for future communication. It is not used for time synchronization across systems and devices.

"Mailing address" is incorrect. A mailing address is an address used for receiving physical mail. This is not a type of system address.

Question 93 • Security Operations Correct

Which of the following best describes the phases of the data lifecycle?

Explanation

"Create > Store, Use, Share > Archive > Destroy" is correct. Data passes through stages starting from when it is created and progressing through how it is stored, used, shared, archived, and eventually destroyed when it no longer serves a purpose.

Question 94 • Network Security Correct

What layer of the OSI model does a WAF operate at?

Presentation Incorrect
Session Incorrect
Application Correct
Transport Incorrect

Explanation

"Application" is correct. A web application firewall (WAF) is a type of firewall used to protect web applications from malicious traffic. To perform this function a WAF needs insight into the HTTP web traffic to the application, which means it operates at Layer 7 (Application Layer) of the OSI model. The Application Layer consists of protocols used by computer applications to perform certain functions (such as a web browser using the HTTP protocol to access a website).

"Session" is incorrect. A web application firewall (WAF) is a type of firewall used to protect web applications from malicious traffic. To perform this function a WAF needs insight into the HTTP web traffic to the application, which means it operates at Layer 7 (Application Layer) of the OSI model. The Application Layer consists of protocols used by computer applications to perform certain functions (such as a web browser using the HTTP protocol to access a website).

Question 95 • Access Controls Concepts Correct

Sally is a manager responsible for ensuring her department's server room is locked every night. What is the best way to ensure this happens?

Implement a two-person rule for locking the server room. Correct
Issue keys to many people so anyone can lock the room. Incorrect
Assign the locking of the server room to a responsible person. Incorrect
Install a combination lock that is easy to use. Incorrect

Explanation

"Implement a two-person rule for locking the server room" is correct. By requiring that two people work in tandem, it is less likely the room will be left unlocked or forgotten.

"Assign the locking of the server room to a responsible person" is incorrect. While assigning the locking to a responsible person is a good idea, this solution isn't as good as implementing a two-person rule.

"Issue keys to many people so anyone can lock the room" is incorrect and is a bad idea because it increases the likelihood of fraud or abuse.

"Install a combination lock that is easy to use" is incorrect. While using a lock that is easy to use is a great idea, it does not solve the problem and is not as good as deploying a two-person rule.
Question 96 • Business Continuity (BC) and Disaster Recovery (DR) and Incident Response Concepts Incorrect

What is the primary purpose of succession planning?

Explanation

"To define plans for how to handle the sudden loss of an executive or key employee of the organization" is correct. A succession plan lays out a process and timeline for actions in the event a key executive or employee is lost to the organization.

Question 97 • Business Continuity (BC) and Disaster Recovery (DR) and Incident Response Concepts Incorrect

Which of the following would not occur during the post-incident activity phase of the incident response process?

Document opportunities for improvement. Incorrect
Conduct a lessons learned. Incorrect
Analyze how the incident was handled. Incorrect
Begin training staff on the incident response plan. Correct

Explanation

"Begin training staff on the incident response plan" is correct. Training staff on the incident response plan should be done as part of the preparation phase of the incident response process. The post-incident activity phase is the final phase of the incident response process. This is where the team reviews everything that happened, analyzes how the incident was handled, conducts a lessons learned, and documents opportunities for improvement. As part of the lessons learned the organization may determine that more training is needed, but the training itself would occur as part of the preparation phase (you can't effectively respond to an incident if you haven't been trained on the process!).

"Conduct a lessons learned" is incorrect. The final phase of the incident response process is the post-incident activity phase. This is where the team reviews everything that happened, analyzes how the incident was handled, conducts a lessons learned, and documents opportunities for improvement.

"Document opportunities for improvement" is incorrect. The final phase of the incident response process is the post-incident activity phase. This is where the team reviews everything that happened, analyzes how the incident was handled, conducts a lessons learned, and documents opportunities for improvement.

"Analyze how the incident was handled" is incorrect.

Question 98 • Access Controls Concepts Correct

Which type of access card has a microprocessor in the card and is capable of both storing and processing information?

None of these answers Incorrect
Barcode card Incorrect
Smart card Correct
Magnetic stripe card Incorrect

Explanation

"Smart card" is correct. A smart card has a microprocessor in the card and is capable of both storing and processing information. A smart card can store biometric data, cryptographic keys, and other information.

"Barcode card" is incorrect. A barcode is simply a visual representation of data. You will see these on grocery store products that are scanned at the checkout (like a can of soup). Information can be stored in the barcode, but it does not have a microprocessor and cannot process information.

"Magnetic stripe card" is incorrect. Magnetic stripe cards require the card to be physically swiped through the card reader (similar to a credit card or hotel card). Data is encoded in the dark black magnetic stripe of the card. They can store data but do not have a microprocessor and cannot process information.

"None of these answers" is incorrect. One of the other answer options is correct.

Question 99 • Business Continuity (BC) and Disaster Recovery (DR) and Incident Response Concepts Correct

Fortification of facilities, deployment of uninterruptible power supplies or generators, communication link redundancy, and fire detection and suppression systems are all examples of what?

Deterrent controls Incorrect
Detective controls Incorrect
Preventive controls Correct
Corrective controls Incorrect

Explanation

"Preventive controls" is correct. All of the controls listed are preventive, which are controls designed to stop unwanted things from occurring.

"Deterrent controls" is incorrect. A deterrent control is one that is intended to discourage a potential adversary from proceeding with their malicious activity.

Question 100 • Access Controls Concepts Correct

Joe is designing a new identity management solution for his organization. His company has many divisions and departments, but he wants the IT organization to manage the access control for all of them. Which type of administration is best for his organization?

Type 2 Incorrect
Decentralized Incorrect
Type 1 Incorrect
Centralized Correct

Explanation

"Centralized" is correct. Centralized access control administration is where one department is responsible for governing, managing, and configuring tools for access administration for all systems.

"Decentralized" is incorrect. Decentralized access control administration is where access control is managed by different departments or people for different systems throughout the organization.

"Type 1" is incorrect. Type 1 is an authentication factor, not an access control administration method.

"Type 2" is incorrect. Type 2 is an authentication factor, not an access control administration method.
