Security+ (SY0-701) - Quiz Questions

The document contains questions about risk management, cryptography, physical security, identity and access management, tools, and securing individual systems. For each question there are 3 answer options provided. The questions cover topics like risk assessment types, password hashing techniques, physical security controls, authentication methods, Linux commands, wireless security configurations, and disk encryption options.

Uploaded by Wayne Wayne

Columns: Question / Answer Option 1 / Answer Option 2 / Answer Option 3

1 Risk Management

1. You are reviewing Web server logs after a Web application security breach. To what type of security control do log reviews relate?
   Option 1: Detective
   Option 2: Preventative
   Option 3: Compensating

2. After analyzing the risk associated with working with an external organization to fulfil a government contract, you decide to enter into a contractual agreement after applying security settings to the external organization. What type of risk treatment is this?
   Option 1: Risk acceptance
   Option 2: Risk mitigation
   Option 3: Risk transfer

3. How is an asset's Single Loss Expectancy (SLE) derived?
   Option 1: Multiply the Annual Rate of Occurrence (ARO) by the Exposure Factor (EF).
   Option 2: Multiply the Asset Value (AV) by the Exposure Factor (EF).
   Option 3: Multiply the Annual Rate of Occurrence (ARO) by the Asset Value (AV).

4. How is the Annual Loss Expectancy (ALE) calculated?
   Option 1: Multiply the Annual Rate of Occurrence (ARO) by the Exposure Factor (EF).
   Option 2: Multiply the Asset Value (AV) by the Exposure Factor (EF).
   Option 3: Multiply the Annual Rate of Occurrence (ARO) by the Asset Value (AV).

5. Which type of risk assessment is based on subjective opinions regarding threat likelihood and threat impact severity?
   Option 1: Risk heat map
   Option 2: Qualitative
   Option 3: Risk register
2 Foundations of Cryptography

1. Which technique is used to enhance the security of password hashes?
   Option 1: Password length
   Option 2: Key pinning
   Option 3: Multifactor authentication
3 Physical Security

1. Which type of device records everything a user types?
   Option 1: Common Access Card
   Option 2: Ransomware
   Option 3: Keylogger

2. Which physical security item mitigates the ramming of vehicles into buildings?
   Option 1: Bollard
   Option 2: Security guards
   Option 3: Access control vestibule

3. Your company runs sensitive medical research equipment and servers on a network named RNET-A. You need to ensure external network access to RNET-A is not possible. Which technique should you use?
   Option 1: VLANs
   Option 2: Layer 4 firewall
   Option 3: Air-gapping

4. Why is it important to install blanking panels on equipment rack spaces that do not contain equipment?
   Option 1: Rack security is enhanced
   Option 2: Inventory gathering is made easier
   Option 3: Visual equipment inspection is made easier

5. Which server room consideration focuses on pulling warm equipment exhaust air away from equipment?
   Option 1: Cold aisles
   Option 2: Hot aisles
   Option 3: Air conditioning
4 Identity and Account Management

1. Which of the following constitutes multifactor authentication (MFA)?
   Option 1: Username + password device PIN
   Option 2: Fingerprint scan
   Option 3: Facial recognition

2. A user gains access to a secured Web application using a digitally signed security token in the form of a Web browser cookie. To which security term does this best apply?
   Option 1: Accounting
   Option 2: Authorization
   Option 3: Availability

3. Which authentication mechanism generates a code for use only once?
   Option 1: Multifactor authentication
   Option 2: Single factor authentication
   Option 3: One-time password

4. You are configuring SSH public key authentication for a Linux host that will be managed from a Windows computer. Where must the public key be stored?
   Option 1: User home directory on the Linux server
   Option 2: User home directory on the Windows host
   Option 3: Root directory on the Linux server

5. You are configuring a Windows file server so that files marked as "PII-Finance" are accessible only to full-time users in the Finance department. What type of access control model are you configuring?
   Option 1: ABAC
   Option 2: RBAC
   Option 3: DAC

6. Which technique adds location metadata to social media posts and pictures?
   Option 1: Geofencing
   Option 2: Global positioning system
   Option 3: Geotagging

7. What type of authentication server is used with IEEE 802.1x network access control?
   Option 1: LDAP
   Option 2: RADIUS
   Option 3: Identity federation

8. Which term describes an end user device attempting to connect to an IEEE 802.1x Wi-Fi network configured with network authentication?
   Option 1: RADIUS client
   Option 2: Applicant
   Option 3: Supplicant

9. You are building a Web application that will allow users to sign in with their Google account. Which term best describes this scenario?
   Option 1: Multifactor authentication
   Option 2: Identity federation
   Option 3: SAML
5 Tools of the Trade

1. Which file extension is normally used for Microsoft PowerShell scripts?
   Option 1: BAT
   Option 2: PY
   Option 3: PS1

2. You are a Linux sys admin attempting to execute privileged commands in Linux but you keep receiving "Permission denied" messages. What should you do?
   Option 1: Use the sudo command
   Option 2: Use the chmod command
   Option 3: Login as root

3. Which Linux command can be used to create an SSH public and private key pair?
   Option 1: md5sum
   Option 2: sha256sum
   Option 3: ssh

4. You are logged into a Linux host and need to view its IP address. Which command should you use?
   Option 1: dig
   Option 2: nslookup
   Option 3: ipconfig
6 Securing Individual Systems

1. Which of the following Wi-Fi configurations is considered to be the weakest?
   Option 1: WPA3
   Option 2: RADIUS authentication
   Option 3: Disable DHCP

2. You are planning the configuration of HTTPS for a Web site. Which items should be acquired/configured?
   Option 1: Client PKI certificates
   Option 2: Server PKI certificate
   Option 3: Enable security protocols that precede SSL v3.0

3. Which type of security flaw is not known by the vendor?
   Option 1: Firmware
   Option 2: Denial of service
   Option 3: Application

5. Which type of password attack tries every possible combination of letters, numbers and symbols?
   Option 1: Dictionary
   Option 2: Brute-force
   Option 3: Spraying

6. While comparing previous and current network traffic patterns, you notice numerous new DNS client queries for TXT records. What might this indicate?
   Option 1: Client devices are performing normal forward lookup DNS queries for Web sites.
   Option 2: Client devices are performing normal reverse lookup DNS queries for IP addresses.
   Option 3: Client devices are infected and are attempting to remove the infection.

7. You need a network security solution that can not only detect, but also stop current suspicious activity. What should you implement?
   Option 1: Layer 4 firewall
   Option 2: Reverse proxy server
   Option 3: Network intrusion prevention system

8. You are configuring the disks in a server so that in the event of a single disk loss, a second disk will already have all of the data. Which RAID level should you configure?
   Option 1: RAID 0
   Option 2: RAID 1
   Option 3: RAID 5

9. You are ordering laptops for sales executives that travel for work. The laptops will run the Windows 10 Enterprise operating system. You need to ensure that protection of data at rest is enabled for internal laptop disks. The encryption must be tied to the specific laptop. What should you do?
   Option 1: Order laptops with HSM chips and configure BitLocker disk encryption.
   Option 2: Order laptops with HSM chips and configure EFS encryption.
   Option 3: Order laptops with TPM chips and configure EFS encryption.
7 Securing the Basic LAN

1. Which type of encryption uses a single key for encryption and decryption?
   Option 1: Asymmetric
   Option 2: RSA
   Option 3: Symmetric

2. Which block cipher mode uses the ciphertext from the previous block to be fed into the algorithm to encrypt the next block?
   Option 1: CFB
   Option 2: ECB
   Option 3: CBC

3. You are decrypting a message sent over the network. Which key will be used for decryption?
   Option 1: Your public key
   Option 2: Sender public key
   Option 3: Your private key

4. You are verifying a digital signature. Which key will be used?
   Option 1: Your public key
   Option 2: Sender public key
   Option 3: Your private key

5. Your company has numerous public-facing Web sites that use the same DNS domain suffix. You need to use PKI to secure each Web site. Which solution involves the least amount of administrative effort?
   Option 1: Generate self-signed certificates for each Web site
   Option 2: Acquire public certificates for each Web site
   Option 3: Acquire a wildcard certificate

6. TCP port numbers apply to which layer of the OSI model?
   Option 1: 2
   Option 2: 3
   Option 3: 4

7. What is the general premise of ARP cache poisoning?
   Option 1: Network devices modify their DNS cache to use the attacker MAC address for the default gateway.
   Option 2: Network devices modify their ARP cache to use the attacker IP address for the default gateway.
   Option 3: Network devices modify their ARP cache to use the attacker MAC address for the default gateway.

8. Which mitigation can prevent network switching loops?
   Option 1: Disable link auto negotiation
   Option 2: MAC filtering
   Option 3: Intrusion detection sensor

9. Which load balancing algorithm sends each client app request to the next backend virtual machine?
   Option 1: Weighted
   Option 2: Active/passive
   Option 3: Round robin

10. To which OSI layer do packet filtering firewalls apply?
   Option 1: 2
   Option 2: 3
   Option 3: 4

11. You need to force user authentication and time-based restrictions for internal client devices connecting out to the Internet. You also need to ensure client device IP addresses are not exposed to the Internet. What should you implement?
   Option 1: Reverse proxy server
   Option 2: Port address translation
   Option 3: Network address translation
8 Securing Wireless LANs

1. Which Wi-Fi standard pairs devices together using a PIN?
   Option 1: WPA
   Option 2: WPS
   Option 3: WEP

2. Your hotel provides free Wi-Fi to guests. The Wi-Fi network is secured. You would like to provide a simple convenient way for guests to immediately connect to the Wi-Fi network using their smartphones. What should you do?
   Option 1: Send automated emails to registered guests with Wi-Fi connection information.
   Option 2: Provide guests with a printout of Wi-Fi connection information.
   Option 3: Use RFID tags that contain Wi-Fi connection information.

3. What approximate range do Bluetooth Class 2 devices have?
   Option 1: 10 feet
   Option 2: 30 feet
   Option 3: 60 feet

4. You are performing a Wi-Fi site survey due to complaints about slow wireless network connectivity. Which reading indicates a strong signal that will provide the best wireless network speeds?
   Option 1: -120 dBm
   Option 2: -80 dBm
   Option 3: -50 dBm

5. When pen testing Wi-Fi networks, why is deauthentication sometimes used?
   Option 1: To forcibly disconnect Wi-Fi clients to observe authentication.
   Option 2: To forcibly disconnect Wi-Fi clients to prevent their Wi-Fi connectivity.
   Option 3: To test RADIUS authentication resiliency.

6. Which Wi-Fi EAP configuration uses both client and server PKI certificates?
   Option 1: EAP-FAST
   Option 2: EAP-TTLS
   Option 3: EAP-TLS

7. When connecting to a public Wi-Fi hotspot you are presented with a Web page where you must agree to the terms of use before gaining Internet access. What is this?
   Option 1: Reverse proxy server
   Option 2: Port address translation
   Option 3: RADIUS authentication
9 Securing Virtual and Cloud Environments

1. You need to start a Docker container named "cust-dev-lamp1." The container image has a small HTTP Web server stack configured for TCP port 443 but you want connectivity to occur using TCP port 4443. Which Docker command should you use?
   Option 1: sudo docker init -d -p 4443:443 cust-dev-lamp1
   Option 2: sudo docker run -d -p 443:4443 cust-dev-lamp1
   Option 3: sudo docker run -d -p 4443:443 cust-dev-lamp1

2. Which type of hypervisor runs within an existing operating system?
   Option 1: Type 1
   Option 2: Type 2
   Option 3: Type A

3. Which type of cloud is owned and used by a single organization?
   Option 1: Public
   Option 2: Hybrid
   Option 3: Community

4. With which cloud service model is the cloud tenant responsible for patching virtual machines?
   Option 1: SaaS
   Option 2: IaaS
   Option 3: SECaaS

5. Which cloud configuration enforces security policies when accessing cloud resources?
   Option 1: CSP
   Option 2: CASB
   Option 3: SLA
10 Securing Dedicated and Mobile Systems

1. Which term describes a specialized computer interface that controls industrial devices such as manufacturing robots and centrifuges?
   Option 1: PLC
   Option 2: SLA
   Option 3: ICS

2. Which smart home wireless networking protocol does not use TCP/IP?
   Option 1: ICS
   Option 2: PLC
   Option 3: Zigbee

3. What is the proposed maximum speed of a 5G network?
   Option 1: 1 Gbps
   Option 2: 3 Gbps
   Option 3: 10 Gbps

4. What is the approximate signal range for 4G cell towers?
   Option 1: 1 mile
   Option 2: 3 miles
   Option 3: 6 miles

5. Which cryptographic algorithm uses smaller keys but provides just as much crypto strength as other algorithms with larger key spaces?
   Option 1: ECC
   Option 2: RSA
   Option 3: MD5

6. Which term describes installing a smart phone app directly, without going through an app store?
   Option 1: Geotagging
   Option 2: Geofencing
   Option 3: Registering
11 Secure Protocols and Applications

1. You need to ensure that DNS client query responses are authentic and have not been tampered with. What should you configure?
   Option 1: IPsec
   Option 2: DNSSEC
   Option 3: PKI

2. Which TCP/IP protocol is used for configuring and gathering remote network host statistics?
   Option 1: SNMP
   Option 2: DNSSEC
   Option 3: IPsec

3. What type of attack hijacks authenticated sessions between a client and a server?
   Option 1: Cross-site scripting
   Option 2: Denial of service
   Option 3: Cross-site request forgery

4. Which language is commonly used by attackers for XSS attacks?
   Option 1: PowerShell
   Option 2: Python
   Option 3: Perl

5. Where do XSS attacks execute?
   Option 1: On the Web server
   Option 2: In the client Web browser
   Option 3: In the client operating system

6. You are developing a Web application that uses cookies. You want to prevent client Javascript access to cookies. Which HTTP response header attribute flag should you set?
   Option 1: Samesite
   Option 2: Secure
   Option 3: HTTPOnly
12 Testing Infrastructure

1. What type of document is often signed by pen testers before starting a pen test engagement?
   Option 1: MOU
   Option 2: NDA
   Option 3: ISA

2. What are some options we can scan for possible vulnerabilities?
   Option 1: A network
   Option 2: A host
   Option 3: An application

3. Social engineering attackers exploit behaviors and human interactions to get the things they want. What are some of the tactics that social engineering attackers use?
   Option 1: Impersonation
   Option 2: Urgency
   Option 3: Misinformation/Disinformation

13 Business Security Impact

1. Your company is hiring new employees that may come into contact with sensitive data during the course of their jobs. Which type of document is normally signed by employees during the user on-boarding process to ensure that they will not disclose sensitive data?
   Option 1: ISA
   Option 2: NDA
   Option 3: MOU

2. The General Data Protection Regulation protects EU citizens data under what conditions?
   Option 1: It protects EU citizen's data based on location
   Option 2: It protects EU citizens data based on time, location, and data useless
   Option 3: It protects EU citizen's data regardless of location

3. Which of the following is a consideration in change management?
   Option 1: Backout plans
   Option 2: Employee Results
   Option 3: Operating procedures

14 Dealing with Incidents

1. Which type of planning is designed to deal with security events as they occur?
   Option 1: Disaster recovery plan
   Option 2: Business continuity plan
   Option 3: Incident response plan

2. Your company has determined that incident response to security events must be automated to reduce incident response time. What type of solution should be implemented?
   Option 1: SOAR
   Option 2: SIEM
   Option 3: ICS

3. You have determined that your department can withstand the loss of no more than 3 hours of data, so you have adjusted your backups to occur once every three hours. To which term does this scenario best apply?
   Option 1: SLA
   Option 2: HSM
   Option 3: RPO

Columns: Answer Option 4 / Correct / Explanation (entries are numbered section.question to match the questions above)

1.1
   Option 4: Technical
   Correct: Detective
   Correct Answer: Reviewing logs allows technicians to detect anomalous activity.
   Incorrect Answers: Preventative controls take steps to reduce the possibility of threat incidents such as keeping antivirus databases up to date. Compensating controls are used when it is not feasible to implement the preferred control due to cost, time or complexity. Technical controls use technology to safeguard assets, such as a firewall appliance.

1.2
   Option 4: Risk avoidance
   Correct: Risk mitigation
   Correct Answer: Mitigating risk means putting security controls in place to eliminate or reduce the impact of realized threats.
   Incorrect Answers: Risk acceptance occurs when the potential benefit of engaging in an activity outweighs the risks and no changes are made to mitigate risk. Risk transfer shifts some or all risk responsibility to a third party, as is the case with cybersecurity attack insurance. With risk avoidance, the risk is not undertaken due to potential benefits not outweighing the risks.

1.3
   Option 4: Multiply the Exposure Factor (EF) by the risk severity rating.
   Correct: Multiply the Asset Value (AV) by the Exposure Factor (EF).
   Correct Answer: Multiply the Asset Value (AV) by the Exposure Factor (EF). The SLE reflects the cost associated with an asset being unavailable, such as a server going down for a period of time. The Single Loss Expectancy (SLE) is calculated by multiplying the Asset Value (AV) by the Exposure Factor (EF), where the EF is a percentage expressing how much of an asset's value is lost due to a negative event.
   Incorrect Answers: The listed options do not reflect the values used to calculate the SLE.

1.4
   Option 4: Multiply the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO).
   Correct: Multiply the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO).
   Correct Answer: Multiply the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO). The Annual Loss Expectancy (ALE) represents a cost related to the downtime of an asset over a one-year period. It is calculated by multiplying the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO).
   Incorrect Answers: The listed options do not reflect the values used to calculate the ALE.

1.5
   Option 4: Quantitative
   Correct: Qualitative
   Correct Answer: A qualitative risk assessment organizes risks by a severity or threat rating which may differ from one organization to another.
   Incorrect Answers: A risk heat map plots risks on a grid using colors to represent severities; red is normally high severity and green is normally low severity. A risk register is a centralized list of risks that includes details such as a risk priority value, risk severity rating, mitigating controls, responsible person and so on. Quantitative risk assessments use numbers (such as dollar values and percentages) to calculate the impact realized threats can have on assets; the goal is to determine if the cost of protecting an asset is less than the projected annual cost of negative security incidents.

2.1
   Option 4: Salting
   Correct: Salting
   Correct Answer: Salting adds random data to passwords before they are hashed, thus making them much more difficult to crack.
   Incorrect Answers: The listed items do not enhance the security of password hashes. The password length does not affect the password hash; the hash is always a fixed length. Key pinning is an older technique that associates a certificate stored on a client device with a Web site. Multifactor authentication (MFA) uses multiple factors for authentication, such as a username (something you know) and a private key (something you have).

3.1
   Option 4: Hardware security module
   Correct: Keylogger
   Correct Answer: Keyloggers come in the form of hardware and software. User keystrokes are captured and can later be viewed by malicious actors.
   Incorrect Answers: A Common Access Card (CAC) is a single card used to authenticate to many systems such as buildings, floors in a building, as well as computer systems. Ransomware is malware that encrypts user data files and demands a ransom payment in exchange for a decryption key. A Hardware Security Module (HSM) is a tamper-proof device used for cryptographic operations and the secure storage of cryptographic keys.

3.2
   Option 4: Door locks
   Correct: Bollard
   Correct Answer: Bollards are concrete or steel pillars embedded deep into the ground near sensitive areas to prevent vehicle ramming.
   Incorrect Answers: Security guards cannot effectively prevent vehicles from ramming buildings. Access control vestibules (man traps) prevent a second inner door from opening until the first outer door closes and locks. Door locks prevent physical entry to a room but do not mitigate vehicles ramming buildings.

3.3
   Option 4: Reverse proxy
   Correct: Air-gapping
   Correct Answer: Air-gapping ensures that there is not a physical wired or wireless connection to a sensitive network.
   Incorrect Answers: The listed items can be used for optimizing network throughput (VLAN) and limiting network access (Layer 4 firewall, reverse proxy), but these options do not ensure external network access to RNET-A is impossible.

3.4
   Option 4: Air flow is improved
   Correct: Air flow is improved
   Correct Answer: Air flow is improved by installing blanking panels in racks where there is no equipment.
   Incorrect Answers: The listed items are not valid reasons for installing blanking panels.

3.5
   Option 4: Blanking panels
   Correct: Hot aisles
   Correct Answer: Hot aisles are designed to pull warm exhaust air away from equipment.
   Incorrect Answers: The listed items are not focused on removing warm exhaust air from server rooms.

4.1
   Option 4: Username + password + answer to security question
   Correct: Username + password device PIN
   Correct Answer: Username + password device PIN. MFA uses multiple categories of authentication such as something you know (username, password) along with something you have (a device on which you receive a PIN).
   Incorrect Answers: The listed items constitute only single factor authentication (SFA) because they use only one authentication category such as something you are (fingerprint scan, facial recognition) or something you know (username, password, answer to security question).

4.2
   Option 4: Authentication
   Correct: Authorization
   Correct Answer: Authorization (gaining access to a resource) occurs only after successful authentication.
   Incorrect Answers: Accounting, also referred to as auditing, is used to track activity in an IT environment. Availability ensures that data or IT systems are available when needed. Authentication proves the identity of a user, device, or software component in an IT environment.

4.3
   Option 4: Digital signature
   Correct: One-time password
   Correct Answer: One-time passwords (OTPs) enhance user sign in security since the code is supplied through a separate mechanism than the login mechanism (out of band), and the code can only be used once.
   Incorrect Answers: Multifactor authentication (MFA) combines authentication categories such as a username (something you know) with a private key (something you have), where single factor uses only one category. Digital signatures are used to prove the authenticity of received network messages.

4.4
   Option 4: Root directory on the Windows host
   Correct: User home directory on the Linux server
   Correct Answer: User home directory on the Linux server. SSH public keys must be stored on the server in the user home directory in a file called "authorized_keys".
   Incorrect Answers: None of the listed options specifies the correct location of the SSH public key.

4.5
   Option 4: MAC
   Correct: ABAC
   Correct Answer: Access-based Access Control (ABAC) allows resource access based on user, device and resource attributes.
   Incorrect Answers: Role-based Access Control (RBAC) uses roles, which are collections of related permissions, to control resource access. Discretionary Access Control (DAC) allows the data custodian to set permissions in accordance with policies set forth by the data owner. Mandatory Access Control (MAC) labels resources and ties security clearance levels to specific labels to allow resource access.

4.6
   Option 4: Triangulation
   Correct: Geotagging
   Correct Answer: Geotagging uses GPS coordinates or IP address block information to add detailed location information to social media posts and pictures.
   Incorrect Answers: Geofencing is used to allow app access within a specific location. The Global Positioning System (GPS) uses satellites to pinpoint the location of objects on the Earth's surface. Triangulation is a technique used to determine the distances and relative positions of points spread over a geographical region.

4.7
   Option 4: Active Directory
   Correct: RADIUS
   Correct Answer: Remote Authentication Dial-In User Service (RADIUS) servers are centralized authentication servers that receive authentication requests from RADIUS clients such as network switches and Wi-Fi routers.
   Incorrect Answers: The Lightweight Directory Access Protocol (LDAP) is a protocol used to access a central network directory. Identity federation uses a central trusted Identity Provider (IdP) to allow access to resources such as Web sites. Active Directory is a Microsoft Windows Server role that uses a replicated database containing user, computer and application configuration information.

4.8
   Option 4: RADIUS requester
   Correct: Supplicant
   Correct Answer: RADIUS supplicants (client devices) initiate authentication requests.
   Incorrect Answers: RADIUS clients are network edge devices such as Wi-Fi routers or network switches that forward RADIUS supplicant authentication requests to a RADIUS server. Applicant is not a valid term in this context. RADIUS requester is not a valid term in this context.

4.9
   Option 4: LDAP
   Correct: Identity federation
   Correct Answer: Identity federation uses a central trusted Identity Provider (IdP) to allow access to resources such as Web sites.
   Incorrect Answers: Multifactor authentication (MFA) combines authentication categories such as a username (something you know) with a private key (something you have). Security Assertion Markup Language (SAML) is an authentication scheme whereby an identity provider issues digitally signed security tokens which are then used to gain resource access. The Lightweight Directory Access Protocol (LDAP) is a protocol used to access a central network directory.

5.1
   Option 4: SH
   Correct: PS1
   Correct Answer: PS1. Microsoft PowerShell scripts normally use a .PS1 file extension.
   Incorrect Answers: Batch files use a .BAT extension, Python scripts use a .PY extension and shell scripts often use the .SH file extension.

5.2
   Option 4: Disable SELinux enforcing mode
   Correct: Use the sudo command
   Correct Answer: The sudo command prefix allows non-root users to run privileged commands as long as they are granted this permission in the sudoers file.
   Incorrect Answers: The chmod command is used to set Linux file system permissions. Logging in as root is not recommended because it is such a powerful account. Security Enhanced Linux (SELinux) is not causing permission denied messages in this scenario.

5.3
   Option 4: ssh-keygen
   Correct: ssh-keygen
   Correct Answer: The ssh-keygen command creates an SSH public and private key pair.
   Incorrect Answers: The listed commands do not create key pairs. md5sum and sha256sum are used to generate file hashes. The ssh command allows remote management of any device with an SSH daemon over an encrypted connection.

5.4
   Option 4: ifconfig
   Correct: ifconfig
   Correct Answer: The ifconfig command shows Linux network interfaces and IP address information.
   Incorrect Answers: The dig command in Linux can be used to test and troubleshoot DNS name resolution. The name server lookup (nslookup) command is used to test and troubleshoot DNS name resolution in both Windows and Linux. Ipconfig is used to view network interface and IP address information in Windows.

6.1
   Option 4: WEP
   Correct: WEP
   Correct Answer: Wired Equivalent Privacy (WEP) is a deprecated insecure wireless security protocol and should not be used.
   Incorrect Answers: Wi-Fi Protected Access 3 (WPA3) is a current wireless network security protocol. Remote Access Dial-in User Service (RADIUS) authentication uses a central authentication server to service authentication requests from RADIUS clients. Disabling DHCP is a hardening technique because it makes it more difficult for attackers to get on an IP network.

6.2
   Option 4: Enable security protocols that precede TLS v1.0
   Correct: Server PKI certificate
   Correct Answer: Server PKI certificate. HTTPS Web sites require a server PKI certificate to secure communications and normally use TCP port 443.
   Incorrect Answers: Client PKI certificates are not required to enable an HTTPS Web application. TLS v1.2 should be configured on clients and servers as the network security protocol used for HTTPS; SSL v3.0 and TLS v1.0 are deprecated and should not be used.

6.3
   Option 4: Zero-day
   Correct: Zero-day
   Correct Answer: Zero-days are security flaws not yet known by vendors.
   Incorrect Answers: The listed flaw types do not reflect security problems unknown to the vendor.

6.5
   Option 4: Offline
   Correct: Brute-force
   Correct Answer: Brute-force attacks use automation tools to try every possible combination of letters, numbers and symbols to crack passwords.
   Incorrect Answers: Dictionary attacks use dictionary word or phrase files to try them in combination with a username in an attempt to crack user passwords. Password spraying blasts many accounts with a best-guess common password before trying a new password; this is slower (per-user account basis) than traditional attacks and is less likely to trigger account lockout thresholds. Offline password attacks use an offline copy of passwords for cracking passwords.

6.6
   Option 4: Client devices are infected and are attempting to discover a command and control server.
   Correct: Client devices are infected and are attempting to discover a command and control server.
   Correct Answer: Client devices are infected and are attempting to discover a command and control server. Client devices normally query IPv4 A records or IPv6 AAAA records to resolve FQDNs to IP addresses. Clients querying DNS TXT records is abnormal.
   Incorrect Answers: The listed reasons are invalid in this scenario.

6.7
   Option 4: Network intrusion detection system
   Correct: Network intrusion prevention system
   Correct Answer: A network intrusion prevention system can not only detect but also be configured to stop suspicious activity.
   Incorrect Answers: Layer 4 firewalls are packet filtering firewalls which do not detect or prevent suspicious activity. Reverse proxy servers map public IP addresses and ports to internal servers to protect their true identities. Intrusion detection systems only detect and report, log, or notify of suspicious activity.

6.8
   Option 4: RAID 6
   Correct: RAID 1
   Correct Answer: RAID level 1 (disk mirroring) writes each file to all disks in the mirrored array.
   Incorrect Answers: RAID 0 (disk striping) writes data across an array of disks to improve performance. RAID 5 (disk striping with distributed parity) writes data across an array of disks but also writes parity (error recovery information) across the disks in the array, thus providing a performance improvement in addition to resiliency against a single failed disk in the array. RAID 6 uses at least 4 disks for striping and stores 2 parity stripes on each disk in the array; this allows for a tolerance of 2 disk failures within the array.

6.9
   Option 4: Order laptops with TPM chips and configure BitLocker disk encryption.
   Correct: Order laptops with TPM chips and configure BitLocker disk encryption.
   Correct Answer: Order laptops with TPM chips and configure BitLocker disk encryption. A Trusted Platform Module (TPM) chip in a computer is used to secure the integrity of the machine boot process and to store disk volume encryption keys.
   Incorrect Answers: A Hardware Security Module (HSM) is not a chip installed within a computer; it is a tamper-resistant device used for cryptographic operations and the storage of encryption keys. Encrypting File System (EFS) file encryption is tied to the user account, not tied to the machine.
7.1
   Option 4: SHA256
   Correct: Symmetric
   Correct Answer: Symmetric encryption uses a single "secret" key for encrypting and decrypting.
   Incorrect Answers: Asymmetric keys (public and private keys) are used for security in the form of encryption, digital signatures and so on; the recipient public key is used to encrypt and the related private key is used to decrypt. RSA is a public and private key pair cryptosystem. SHA256 is a hashing algorithm.

7.2
   Option 4: OFB
   Correct: CFB
   Correct Answer: With Cipher Feedback Mode (CFB), each previous block ciphertext is encrypted and fed into the algorithm to encrypt the next block.
   Incorrect Answers: Electronic Code Book (ECB), given the same plaintext, always results in the same ciphertext and is thus considered insecure. Cipher Block Chaining (CBC) is similar to ECB except that it uses a random Initialization Vector (IV). Output Feedback Mode (OFB) uses a keystream of bits to encrypt data blocks.

7.3
   Option 4: Sender private key
   Correct: Your private key
   Correct Answer: Your private key. Recipient private keys decrypt network messages (the recipient's related public key encrypts network messages).
   Incorrect Answers: The listed keys are not used for decryption.

7.4
   Option 4: Sender private key
   Correct: Sender public key
   Correct Answer: Sender public key. Verifying digital signatures is done using the sender's public key (the sender's private key creates the digital signature).
   Incorrect Answers: The listed keys are not used to verify a digital signature.

7.5
   Option 4: Acquire an extended validation certificate
   Correct: Acquire a wildcard certificate
   Correct Answer: Wildcard certificates allow a single certificate tied to a DNS domain to be used by hosts within subdomains.
   Incorrect Answers: Using self-signed or public certificates for each Web site requires more effort than using a wildcard certificate. Extended validation certificates require the certificate issuer to perform extra due diligence in ensuring that the certificate request is legitimate.

7.6
   Option 4: 7
   Correct: 4
   Correct Answer: Port numbers apply to the OSI model transport layer (layer 4).
   Incorrect Answers: The listed OSI layers are not related to port numbers.

7.7
   Option 4: Network devices modify their DNS
   Correct: Network devices modify their ARP
   Correct Answer: Network devices modify their ARP cache to use the attacker
cache to use the cache to use the MAC address for the default gateway. ARP cache poisoning forces client traffic
attacker IP address attacker MAC destined for a router (default gateway) first through an attacker machine.
for the default address for the
gateway. default gateway. Incorrect Answers: The listed items do not properly describe ARP cache
poisoning.
Correct Answer: The Spanning Tree Protocol (STP) is a network switch
Spanning Tree Spanning Tree configuration option that can prevent network switching loops.
Protocol Protocol
Incorrect Answers: The listed mitigations are not designed to prevent network
switching loops.
Correct Answer: Round robin load balancing sends each client app request to
the next backend server.

Least connections Round robin


Least connections Round robin
Incorrect Answers: Weighted load balancing uses a configured relative weight
value for each backend server to determine how much traffic each server gets.
Active/passive is a load balancing redundancy configuration where a standby
server is not active until the active server fails. Least connections send client
app requests to the backend server that is currently the least busy.
Correct Answer: Layer 4. Packet filtering firewall can examine only packets
headers (OSI layers 2-4).
7 4
Incorrect Answers: The listed layers do not correctly represent where packet
filtering firewalls fit into the OSI model.

Correct Answer: Forward proxy servers fetch content on behalf of internal


client devices, and they can require authentication and enforce time of day
restrictions.

Forward proxy Forward proxy


server server
Incorrect Answers: Reverse proxy servers map public IP addresses and port
numbers to internal servers. Port Address Translation (PAT) allows many
internal clients to get to the Internet using a single public IP address. Network
Address Translation (NAT) is similar to a reverse proxy server except it cannot
force user authentication or time of day restrictions; it applies to OSI model 4
(transport layer), not layer 7 (the application layer).

Correct Answer: Wi-Fi Protected Setup (WPS) pairs Wi-Fi devices using a PIN.
TKIP WPS
Incorrect Answers: The listed Wi-Fi standards do not pair Wi-Fi devices using a
PIN.

Use NFC tags that Use NFC tags that Correct Answer: Use NFC tags that contain Wi-Fi connection information. With
contain Wi-Fi contain Wi-Fi a smartphone app, you can write data to a physical NFC tag that can be
connection connection purchased inexpensively. Users with NFC-enabled smartphones can retrieve
information. information. NFC tag information such as Wi-Fi connection details.

Incorrect Answers: The listed options are not as convenient as using NFC tags.
Correct Answer: Bluetooth Class 2 devices have a range of approximately 30
150 feet 30 feet feet.
Incorrect Answers: The listed ranges are not valid.

-30 dBm -30 dBm Correct Answer: A -30 dBm wireless signal strength is considered excellent.
Incorrect Answers: The listed wireless signal strengths are sub-standard.

To forcibly Correct Answer: To forcibly disconnect Wi-Fi clients to observe authentication.


To perform offline disconnect Wi-Fi Deauthentication kicks connected devices off the Wi-Fi network in order
dictionary attacks. clients to observe observe the reconnection authentication information.
authentication Incorrect Answers: The listed explanations do not explain why
deauthentication is often used with Wi-Fi pen testing.
Correct Answer: EAP-TLS can use client and server PKI certificates for mutual
authentication.
Protected EAP EAP-TLS
Incorrect Answers: The listed EAP configurations do not require both client
and server PKI certificates.
Correct Answer: Captive portals present a Web page when users connect to a
Wi-Fi network; sometimes a user account is required (often users must agree
to the terms of use before connecting to the Internet).
Captive portal Captive portal

Incorrect Answers: The listed security configurations would not result with the
Web page presented when connection to a public Wi-Fi hotspot.

Correct Answer: sudo docker run –d –p 4443:443 cust-dev-lamp1. The first


sudo docker init –d sudo docker run – port number is the local Docker host port number, the second port number
–p 443:4443 cust- d –p 4443:443 after the colon is the configured listening port number within the application
dev-lamp1 cust-dev-lamp1 container.
Incorrect Answers: The listed syntax options are incorrect.
Correct Answer: Type 2 hypervisors run as an app within an existing operating
system.
Type B Type 2
Incorrect Answers: Type 1 hypervisors are a specialized operating system
designed to host multiple virtual machine guests. Type A and B are not valid
hypervisor types.

Correct Answer: Private clouds are owned and used by a single organization.
Private Private Incorrect Answers: Public clouds are accessible by anybody over the Internet.
Hybrid clouds combine Public and Private clouds. Community clouds serve the
specific cloud computing needs of a group of tenants, such as for government
cloud usage.

Correct Answer: Infrastructure as a Service (IaaS) includes storage, network


and virtual machines. IaaS virtual machine software patching is the
responsibility of the cloud tenant.

PaaS IaaS
Incorrect Answers: Software as a Service (SaaS) refers to end-user productivity
software running in the cloud, Security as a Service (SECaaS) refers to cloud
security services, and Platform as a Service (PaaS) refers to database and
software development platforms, all of which do not place the responsibility of
virtual machine patching on the cloud tenant.
Correct Answer: A Cloud Access Security Broker (CASB) sits between users and
cloud services to enforce organizational security policies.

IaaS CASB
Incorrect Answers: Cloud Service Providers (CSPs) host cloud services. Service
Level Agreements (SLAs) guarantee cloud service uptime. Infrastructure as a
Service (IaaS) includes storage, network and virtual machines. IaaS virtual
machine software patching is the responsibility of the cloud tenant.

Correct Answer: Programmable Logic Controllers (PLCs) are used extensively in


manufacturing and various industries such as oil refining, electricity and water
treatment.

HSM PLC
HSM PLC
Incorrect Answers: Service Level Agreements (SLAs) guarantee uptime for
services such as those offered in the cloud. An Industrial Control System (ICS)
refers to a collection of computerized solution used for industrial process
control. A Hardware Security Module (HSM) is a tamper-resistant device used
for cryptographic operations and the storage of cryptographic keys.
Correct Answer: Zigbee is designed to make connecting smart home devices
together simple and convenient, and it does not use TCP/IP.

IoT Zigbee
Incorrect Answers: An Industrial Control System (ICS) refers to a collection of
computerized solution used for industrial process control. Programmable Logic
Controllers (PLCs) are used extensively in manufacturing and various industries
such as oil refining, electricity and water treatment. Internet of Things (IoT)
refers to devices that connect to and send and receive data over the Internet.
Correct Answer: The maximum proposed speed for 5G is 10 Gbps.
50 Gbps 10 Gbps
Incorrect Answers: The listed transmission rates are incorrect.
Correct Answer: 4G cell towers have an approximate range of 6 miles.
20 miles 6 miles
Incorrect Answers: The listed distances are incorrect.
Correct Answer: Elliptic Curve Cryptography (ECC) uses small keys to achieve
strong crypto strength.
SHA256 ECC
Incorrect Answers: RSA keys are larger than ECC keys. MD5 and SHA256 do not
use keys; they are hashing algorithms.
Correct Answer: Sideloading refers to installing mobile device apps directly
from installation files, without using an app store.

Sideloading Sideloading
Incorrect Answers: Geotagging adds geographic metadata (such as GPS
coordinates) to files, such as photos taken with a smart phone. Geofencing
uses geographical location to control app access. Registering refers to linking a
mobile device to a centralized Mobile Device Management (MDM) system.

Correct Answer: DNS Security (DNSSEC) digitally signs DNS zone records.
Clients validate the signature to ensure DNS responses are authentic.
HTTPS DNSSEC
Incorrect Answers: IP security (IPsec) is a suite of network security protocols
that can be used to encrypt and authenticate network messages. Public Key
Infrastructure (PKI) is a hierarchy of digital security certificates. Hyper Text
Transfer Protocol Secure (HTTPS) encrypts HTTP network transmissions
between clients and servers.

Correct Answer: The Simple Network Management Protocol (SNMP) uses a


management station that connects to network devices to retrieve statistics and
to allow remote configuration.

HTTPS SNMP
Incorrect Answers: DNS Security (DNSSEC) digitally signs DNS zone records.
Clients validate the signature to ensure DNS responses are authentic. IP
security (IPsec) is a suite of network security protocols that can be used to
encrypt and authenticate network messages. Hyper Text Transfer Protocol
Secure (HTTPS) encrypts HTTP network transmissions between clients and
servers.
Correct Answer: A Cross-site Request Forgery (CSRF) attack occurs when the
attacker takes over an existing authenticated user session and issues
commands to the server that appear to originate from the authenticated user.

Distributed denial of Cross-site request


service forgery Incorrect Answers: A Cross-site Scripting (XSS) attack occurs when a victim
views a Web page where a malicious user has injected malicious code,
normally written in JavaScript, that executes in the victim Web browser. A
Denial of Service (DoS) attack renders a service unreachable by legitimate
users, often by flooding the network or host with useless traffic. A Distributed
Denial of Service (DDoS) is similar to a DoS attack but instead uses multiple
hosts to attack the victim host or network.

Correct Answer: JavaScript. A Cross-site Scripting (XSS) attack occurs when a


JavaScript JavaScript victim views a Web page where a malicious user has injected malicious code,
normally written in JavaScript, that executes in the victim Web browser.
Incorrect Answers: The listed languages are not commonly used for XSS
attacks.

Correct Answer: In the client Web browser. A Cross-site Scripting (XSS) attack
occurs when a victim views a Web page where a malicious user has injected
On the Web server In the client Web malicious code, normally written in JavaScript, that executes in the victim Web
operating system browser browser.
Incorrect Answers: The listed locations do not correctly identity where XSS
attacks execute.

Correct Answer: The HTTPOnly flag ensures that client Javascript cannot access
the cookie which can help mitigate cross-site scripting (XSS) attacks.
Domain HTTPOnly

Incorrect Answers: The Samesite attribute helps mitigate cross-site request


forgery (CSRF) attacks. The Secure attribute requires HTTPS connectivity. The
Domain attribute controls the target host to which the cookie will be sent.

Correct Answer: A Non-disclosure Agreement (NDA) ensures that pen testers


will not divulge any sensitive information they might encounter with
unauthorized parties.

MOA NDA
Incorrect Answers: A Memorandum of Understanding (MOU) consists of a
general agreement with broad terms between 2 parties. An Inter-connection
Security Agreement (ISA) defines how 2 parties will securely connect their
networks and systems together. A Memorandum of Agreement (MOA) consists
of details terms agreed upon by two parties in a business arrangement.

Correct Answer: All of the above covers the full grasp of what we can scan for
All of the above All of the above vulnerabilities. Incorrect Answer: This answer doesn't cover the full grasp of
vulnerabilities we can scan.

Correct Answer: All answers are correct options for social engineering attacks.
Impersonation All of the above
Incorrect Answer: This answer doesn't cover the full scope of possibilities for
social engineering attacks.
Correct Answer: A Non-disclosure Agreement (NDA) is used to ensure that any
sensitive data will not be disclosed to unauthorized parties.

MOA NDA Incorrect Answers: An Interconnection Security Agreement (ISA) defines how
to secure communications when linking organizations, sites, or government
agencies together. A Memorandum of Understanding (MOU) defines general
terms of agreement between two parties, where a Memorandum of
Understanding (MOA) defines granular contractual details between two
It protects EU parties.
It protects EU
citizen's data
citizen's data Correct Answer: No matter the location in the world, the General Data
based on location
regardless of Protection Regulation protects EU citzens data.
but regardless of Incorrect Answer: This is not the correct answer.
location
time and data use.
Correct Answer: Backout plans are something important to consider when you
Company attitude Backout plans are looking at change management.
Incorrect Answer: This is not the correct answer.

Correct Answer: An Incident Response Plan (IRP) is a plan created to deal with
incidents as they occur such as enabling incident containment and ultimately
eradication.

Incident response
Backup plan plan
Incorrect Answers: A Disaster Recovery Plan (DRP) is specific to a business
process, IT system, or data, and it focuses on recovering from a security
incident as quickly as possible. A Business Continuity Plan (BCP) is a document
specifying general terms organizations will take to ensure continued business
operations. A backup plan is not a standard accepted term in this context.

Correct Answer: A Security, Orchestration, Automation, and Response (SOAR)


solution allows the creation of playbooks that can automate some or all
incident response tasks.

PLC SOAR
Incorrect Answers: Security Information Event Management (SIEM) is a
solution that ingests activity data from numerous sources in order to detect
indicators of compromise. An Industrial Control System (ICS) is a collection of
computerized solutions used for industry, such as with manufacturing, oil
refining, or power plants. A Programmable Logic Controller (PLC) is a network
device that connects with some kind of industrial component such as robotics,
sensors, gauges, values, centrifuges, and so on.

Correct Answer: The Recovery Point Objective (RPO) specifies, in time, the
maximum tolerable amount of data loss due to a negative occurrence.
RTO RPO
Incorrect Answers: The Service Level Agreement (SLA) is a document detailing
guaranteed service uptime. A Hardware Security Module (HSM) is a tamper-
resistant device used for cryptographic operations. The Recovery Time
Objective (RTO) specifies, in time, the maximum amount of tolerable downtime
for a business process or IT system.
Reference Episode
1.06 Security Controls
1.07 Risk Assessments and Treatments
1.08 Quantitative Risk Assessments
1.08 Quantitative Risk Assessments
1.09 Qualitative Risk Assessments
2.04 Password Cracking
3.02 Physical Security
3.02 Physical Security
3.02 Physical Security
3.04 Environmental Controls
3.04 Environmental Controls
4.01 Identification, Authentication, and Authorization
4.01 Identification, Authentication, and Authorization
4.05 Authentication Methods
4.05 Authentication Methods
4.06 Access Control Schemes
4.07 Account Management
4.08 Network Authentication
4.08 Network Authentication
4.08 Network Authentication
4.09 Identity Management Systems
5.04 Microsoft PowerShell
5.05 Linux Shells
5.05 Linux Shells
5.05 Linux Shells
6.02 Weak Configurations
6.02 Weak Configurations
6.02 Weak Configurations
6.03 Common Attacks
6.05 Password Attacks
6.06 Bots and Botnets
6.06 Bots and Botnets
6.07 Disk RAID Levels
6.08 Securing Hardware
7.03 Symmetric Cryptosystems
7.04 Symmetric Block Modes
7.05 Asymmetric Cryptosystems
7.06 Understanding Digital Certificates
7.09 Certificate Types
7.12 The OSI Model
7.13 ARP Cache Poisoning
7.14 Other Layer 2 Attacks
7.17 Load Balancing
7.17 Load Balancing
7.21 Firewalls
7.22 Proxy Servers
8.01 Wi-Fi Encryption Standards
8.02 RFID, NFC, and Bluetooth
8.02 RFID, NFC, and Bluetooth
8.03 Wi-Fi Coverage and Performance
8.04 Wi-Fi Discovery and Attacks
8.06 Wi-Fi Hardening
8.06 Wi-Fi Hardening
9.04 Containers and Software-Defined Networking
9.05 Hypervisors and Virtual Machines
9.06 Cloud Deployment Models
9.07 Cloud Service Models
9.08 Securing the Cloud
10.02 Industrial Control System (ICS)
10.02 Industrial Control System (ICS)
10.03 Internet of Things (IoT) Devices
10.04 Connecting to Dedicated and Mobile Systems
10.04 Connecting to Dedicated and Mobile Systems
10.05 Security Constraints for Dedicated Systems
10.06 Mobile Device Deployment and Hardening
11.01 DNS Security
11.01 DNS Security
11.04 Request Forgery Attacks
11.05 Cross-Site Scripting Attacks
11.05 Cross-Site Scripting Attacks
11.06 Web Application Security
12.04 Penetration Testing
12.03 Vulnerability Assessments
12.02 Social Engineering Attacks
13.09 Agreement Types
13.03 Data Types and Roles
14.01 Incident Response Plans (IRPs)
14.04 Threat Analysis and Mitigating Actions
14.07 Data Backup
