Cybersecurity Concepts and Practices

The document contains a table with 5 sections on various cybersecurity topics: Risk Management, Cryptography, Identity and Account Management, Tools of the Trade, and Securing Individual Systems. Each section contains 8 multiple choice questions related to that topic. The questions cover concepts such as risk assessment types, encryption algorithms and protocols, authentication methods, Linux and Windows commands, and strategies for securing individual systems.
  • Risk Management: Presents questions and answers on risk management strategies, tackling topics like threat identification and risk mitigation techniques.
  • Cryptography: Explores questions about cryptographic methods, including encryption, decryption, and key management.
  • Identity and Account Management: Covers questions related to managing identities and account security, focusing on authentication and authorization methods.
  • Tools of the Trade: Details various tools used in IT and cybersecurity, including scripting and command-line utilities.
  • Securing Individual Systems: Discusses strategies for securing individual systems, including operating system configurations and firewall settings.
  • The Basic LAN: Explains fundamental concepts of LAN networking, including protocols and hardware components.
  • Securing Wireless LANs: Addresses security concerns specific to wireless networks, including encryption types and authentication protocols.
  • Securing Public Servers: Covers securing public-facing servers with a focus on web technologies and server configuration.
  • Securing Dedicated Systems: Focuses on securing specialized systems that often require tailored security measures.
  • Physical Security: Details physical security measures for protecting physical assets alongside cybersecurity efforts.
  • Secure Protocols and Applications: Examines secure communication protocols and the importance of securing applications.
  • Testing Infrastructure: Focuses on the methodologies and tools used for testing IT infrastructure security.
  • Answer Keys: Provides the correct answers to the questions presented in the earlier sections.
  • Answer Explanations: Offers detailed explanations for the correct answers, enhancing understanding of the solutions provided.

Questions and Answer Keys

1 Risk Management

1. Which type of malicious actor is characterized by lacking sophisticated technical skills and using cracking tools created by others?
   Answer 1: Hacktivist
   Answer 2: State-sponsored
   Answer 3: Script kiddie
   Answer 4: Criminal syndicate
   Correct Answer: Script kiddie

2. You need to subscribe to a threat intelligence feed using your Unified Threat Management (UTM) solution. Which standard protocol is used by UTM tools to exchange threat intelligence information?
   Answer 1: STIX
   Answer 2: HSM
   Answer 3: PKI
   Answer 4: TAXII
   Correct Answer: TAXII

3. You are reviewing Web server logs after a Web application security breach. To what type of security control do log reviews relate?
   Answer 1: Detective
   Answer 2: Preventative
   Answer 3: Compensating
   Answer 4: Technical
   Correct Answer: Detective

4. After analysing the risk associated with working with an external organization to fulfil a government contract, you decide to enter into a contractual agreement after applying security settings to the external organization. What type of risk treatment is this?
   Answer 1: Risk acceptance
   Answer 2: Risk mitigation
   Answer 3: Risk transfer
   Answer 4: Risk avoidance
   Correct Answer: Risk mitigation

5. How is an asset's Single Loss Expectancy (SLE) derived?
   Answer 1: Multiply the Annual Rate of Occurrence (ARO) by the Exposure Factor (EF).
   Answer 2: Multiply the Asset Value (AV) by the Exposure Factor (EF).
   Answer 3: Multiply the Annual Rate of Occurrence (ARO) by the Asset Value (AV).
   Answer 4: Multiply the Exposure Factor (EF) by the risk severity rating.
   Correct Answer: Multiply the Asset Value (AV) by the Exposure Factor (EF).

6. How is the Annual Loss Expectancy (ALE) calculated?
   Answer 1: Multiply the Annual Rate of Occurrence (ARO) by the Exposure Factor (EF).
   Answer 2: Multiply the Asset Value (AV) by the Exposure Factor (EF).
   Answer 3: Multiply the Annual Rate of Occurrence (ARO) by the Asset Value (AV).
   Answer 4: Multiply the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO).
   Correct Answer: Multiply the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO).

7. Which type of risk assessment is based on subjective opinions regarding threat likelihood and threat impact severity?
   Answer 1: Risk heat map
   Answer 2: Qualitative
   Answer 3: Risk register
   Answer 4: Quantitative
   Correct Answer: Qualitative

8. Your company is hiring new employees that may come into contact with sensitive data during the course of their jobs. Which type of document is normally signed by employees during the user on-boarding process to ensure that they will not disclose sensitive data?
   Answer 1: ISA
   Answer 2: NDA
   Answer 3: MOU
   Answer 4: MOA
   Correct Answer: NDA

2 Cryptography

1. Which term describes the result of plaintext that has been fed into an encryption algorithm along with an encryption key?
   Answer 1: Hash
   Answer 2: Ciphertext
   Answer 3: Message digest
   Answer 4: Digital signature
   Correct Answer: Ciphertext

2. You are ordering laptops for sales executives that travel for work. The laptops will run the Windows 10 Enterprise operating system. You need to ensure that protection of data at rest is enabled for internal laptop disks. The encryption must be tied to the specific laptop. What should you do?
   Answer 1: Order laptops with HSM chips and configure BitLocker disk encryption.
   Answer 2: Order laptops with HSM chips and configure EFS encryption.
   Answer 3: Order laptops with TPM chips and configure EFS encryption.
   Answer 4: Order laptops with TPM chips and configure BitLocker disk encryption.
   Correct Answer: Order laptops with TPM chips and configure BitLocker disk encryption.

3. Which type of encryption uses a single key for encryption and decryption?
   Answer 1: Asymmetric
   Answer 2: RSA
   Answer 3: Symmetric
   Answer 4: SHA256
   Correct Answer: Symmetric

4. You are decrypting a message sent over the network. Which key will be used for decryption?
   Answer 1: Your public key
   Answer 2: Sender public key
   Answer 3: Your private key
   Answer 4: Sender private key
   Correct Answer: Your private key

5. You are verifying a digital signature. Which key will be used?
   Answer 1: Your public key
   Answer 2: Sender public key
   Answer 3: Your private key
   Answer 4: Sender private key
   Correct Answer: Sender public key

6. Which technique is used to enhance the security of password hashes?
   Answer 1: Password length
   Answer 2: Key pinning
   Answer 3: Multifactor authentication
   Answer 4: Salting
   Correct Answer: Salting

7. Which block cipher mode uses the ciphertext from the previous block to be fed into the algorithm to encrypt the next block?
   Answer 1: CFB
   Answer 2: ECB
   Answer 3: CBC
   Answer 4: OFB
   Correct Answer: CFB

8. Your company has numerous public-facing Web sites that use the same DNS domain suffix. You need to use PKI to secure each Web site. Which solution involves the least amount of administrative effort?
   Answer 1: Generate self-signed certificates for each Web site
   Answer 2: Acquire public certificates for each Web site
   Answer 3: Acquire a wildcard certificate
   Answer 4: Acquire an extended validation certificate
   Correct Answer: Acquire a wildcard certificate

3 Identity and Account Management

1. Which of the following constitutes multifactor authentication (MFA)?
   Answer 1: Username + password device PIN
   Answer 2: Fingerprint scan
   Answer 3: Facial recognition
   Answer 4: Username + password + answer to security question
   Correct Answer: Username + password device PIN

2. A user gains access to a secured Web application using a digitally signed security token in the form of a Web browser cookie. To which security term does this best apply?
   Answer 1: Accounting
   Answer 2: Authorization
   Answer 3: Availability
   Answer 4: Authentication
   Correct Answer: Authorization

3. Which authentication mechanism generates a code for use only once?
   Answer 1: Multifactor authentication
   Answer 2: Single factor authentication
   Answer 3: One-time password
   Answer 4: Digital signature
   Correct Answer: One-time password

4. You are configuring SSH public key authentication for a Linux host that will be managed from a Windows computer. Where must the public key be stored?
   Answer 1: User home directory on the Linux server
   Answer 2: User home directory on the Windows host
   Answer 3: Root directory on the Linux server
   Answer 4: Root directory on the Windows host
   Correct Answer: User home directory on the Linux server

5. You are configuring a Windows file server so that files marked as “PII-Finance” are accessible only to full-time users in the Finance department. What type of access control model are you configuring?
   Answer 1: ABAC
   Answer 2: RBAC
   Answer 3: DAC
   Answer 4: MAC
   Correct Answer: ABAC

6. Which technique adds location metadata to social media posts and pictures?
   Answer 1: Geofencing
   Answer 2: Global positioning system
   Answer 3: Geotagging
   Answer 4: Triangulation
   Correct Answer: Geotagging

7. You are building a Web application that will allow users to sign in with their Google account. Which term best describes this scenario?
   Answer 1: Multifactor authentication
   Answer 2: Identity federation
   Answer 3: SAML
   Answer 4: LDAP
   Correct Answer: Identity federation

8. What type of authentication server is used with IEEE 802.1x network access control?
   Answer 1: LDAP
   Answer 2: RADIUS
   Answer 3: Identity federation
   Answer 4: Active Directory
   Correct Answer: RADIUS

4 Tools of the Trade

1. Which file extension is normally used for Microsoft PowerShell scripts?
   Answer 1: BAT
   Answer 2: PY
   Answer 3: PS1
   Answer 4: SH
   Correct Answer: PS1

2. You are a Linux sys admin attempting to execute privileged commands in Linux but you keep receiving “Permission denied” messages. What should you do?
   Answer 1: Use the sudo command
   Answer 2: Use the chmod command
   Answer 3: Login as root
   Answer 4: Disable SELinux enforcing mode
   Correct Answer: Use the sudo command

3. Which Linux command can be used to create an SSH public and private key pair?
   Answer 1: md5sum
   Answer 2: sha256sum
   Answer 3: ssh
   Answer 4: ssh-keygen
   Correct Answer: ssh-keygen

4. You have created a Python script named “remove_temp.py.” When you attempt to run the script at the Linux command line, it does not execute at all. What is the most probable reason?
   Answer 1: You must be logged in as root to execute Python scripts.
   Answer 2: The chgrp command was not used to set the script owning group.
   Answer 3: The script does not include the #!/usr/bin/bash python directive.
   Answer 4: The script does not include the #!/usr/bin/env python directive.
   Correct Answer: The script does not include the #!/usr/bin/env python directive.

5. You need to use the Windows command line to determine if the RDP listener is running. Which command should you use?
   Answer 1: netstat -p tcp -n | find "3389"
   Answer 2: netstat -p tcp -n | find "389"
   Answer 3: netstat -p udp -n | find "3389"
   Answer 4: netstat -p icmp -n | find "3389"
   Correct Answer: netstat -p tcp -n | find "3389"

6. You need to test DNS name resolution on a Windows client device. Which command should you use?
   Answer 1: dig
   Answer 2: nslookup
   Answer 3: tracert
   Answer 4: icacls
   Correct Answer: nslookup

7. You are logged into a Linux host and need to view its IP address. Which command should you use?
   Answer 1: dig
   Answer 2: nslookup
   Answer 3: ipconfig
   Answer 4: ifconfig
   Correct Answer: ifconfig

8. You are setting file system permissions for a Linux script named “script1.sh.” You need to ensure that anybody can execute the script. Which command should you use?
   Answer 1: chmod 777 script1.sh
   Answer 2: chmod 074 script1.sh
   Answer 3: chmod o+rx script1.sh
   Answer 4: chmod u+rw script1.sh
   Correct Answer: chmod o+rx script1.sh

5 Securing Individual Systems

1. Which of the following Wi-Fi configurations is considered to be the weakest?
   Answer 1: WPA3
   Answer 2: RADIUS authentication
   Answer 3: Disable DHCP
   Answer 4: WEP
   Correct Answer: WEP

2. You are planning the configuration of HTTPS for a Web site. Which items should be acquired/configured?
   Answer 1: Client PKI certificates
   Answer 2: Server PKI certificate
   Answer 3: Enable security protocols that precede SSL v3.0
   Answer 4: Enable security protocols that precede TLS v1.0
   Correct Answer: Server PKI certificate

3. Which type of security flaw is not known by the vendor?
   Answer 1: Firmware
   Answer 2: Denial of service
   Answer 3: Application
   Answer 4: Zero-day
   Correct Answer: Zero-day

4. Which type of security problem stems from improper memory handling?
   Answer 1: Race condition
   Answer 2: Driver shimming
   Answer 3: Buffer overflow
   Answer 4: Driver refactoring
   Correct Answer: Buffer overflow

5. Which type of password attack tries every possible combination of letters, numbers and symbols?
   Answer 1: Dictionary
   Answer 2: Brute-force
   Answer 3: Spraying
   Answer 4: Offline
   Correct Answer: Brute-force

6. While comparing previous and current network traffic patterns, you notice numerous new DNS client queries for TXT records. What might this indicate?
   Answer 1: Client devices are performing normal forward lookup DNS queries for Web sites.
   Answer 2: Client devices are performing normal reverse lookup DNS queries for IP addresses.
   Answer 3: Client devices are infected and are attempting to remove the infection.
   Answer 4: Client devices are infected and are attempting to discover a command and control server.
   Correct Answer: Client devices are infected and are attempting to discover a command and control server.

7. You are configuring the disks in a server so that in the event of a single disk loss, a second disk will already have all of the data. Which RAID level should you configure?
   Answer 1: RAID 0
   Answer 2: RAID 1
   Answer 3: RAID 5
   Answer 4: RAID 6
   Correct Answer: RAID 1

8. You need a network security solution that can not only detect, but also stop current suspicious activity. What should you implement?
   Answer 1: Layer 4 firewall
   Answer 2: Reverse proxy server
   Answer 3: Network intrusion prevention system
   Answer 4: Network intrusion detection system
   Correct Answer: Network intrusion prevention system

6 The Basic LAN

1. TCP port numbers apply to which layer of the OSI model?
   Answer 1: 2
   Answer 2: 3
   Answer 3: 4
   Answer 4: 7
   Correct Answer: 4

2. What is the general premise of ARP cache poisoning?
   Answer 1: Network devices modify their DNS cache to use the attacker MAC address for the default gateway.
   Answer 2: Network devices modify their ARP cache to use the attacker IP address for the default gateway.
   Answer 3: Network devices modify their ARP cache to use the attacker MAC address for the default gateway.
   Answer 4: Network devices modify their DNS cache to use the attacker IP address for the default gateway.
   Correct Answer: Network devices modify their ARP cache to use the attacker MAC address for the default gateway.

3. Which mitigation can prevent network switching loops?
   Answer 1: Disable link auto negotiation
   Answer 2: MAC filtering
   Answer 3: Intrusion detection sensor
   Answer 4: Spanning Tree Protocol
   Correct Answer: Spanning Tree Protocol

4. Which load balancing algorithm sends each client app request to the next backend virtual machine?
   Answer 1: Weighted
   Answer 2: Active/passive
   Answer 3: Round robin
   Answer 4: Least connections
   Correct Answer: Round robin

5. Which term describes an end user device attempting to connect to an IEEE 802.1x Wi-Fi network configured with network authentication?
   Answer 1: RADIUS client
   Answer 2: Applicant
   Answer 3: Supplicant
   Answer 4: RADIUS requester
   Correct Answer: Supplicant

6. To which OSI layer do packet filtering firewalls apply?
   Answer 1: 2
   Answer 2: 3
   Answer 3: 4
   Answer 4: 7
   Correct Answer: 4

7. You need to force user authentication and time-based restrictions for internal client devices connecting out to the Internet. You also need to ensure client device IP addresses are not exposed to the Internet. What should you implement?
   Answer 1: Reverse proxy server
   Answer 2: Port address translation
   Answer 3: Network address translation
   Answer 4: Forward proxy server
   Correct Answer: Forward proxy server

7 Securing Wireless LANs

1. Which Wi-Fi term is synonymous with the WLAN name?
   Answer 1: BSSID
   Answer 2: WPA
   Answer 3: TKIP
   Answer 4: ESSID
   Correct Answer: ESSID

2. Which Wi-Fi standard pairs devices together using a PIN?
   Answer 1: WPA
   Answer 2: WPS
   Answer 3: WEP
   Answer 4: TKIP
   Correct Answer: WPS

3. Your hotel provides free Wi-Fi to guests. The Wi-Fi network is secured. You would like to provide a simple convenient way for guests to immediately connect to the Wi-Fi network using their smartphones. What should you do?
   Answer 1: Send automated emails to registered guests with Wi-Fi connection information.
   Answer 2: Provide guests with a printout of Wi-Fi connection information.
   Answer 3: Use RFID tags that contain Wi-Fi connection information.
   Answer 4: Use NFC tags that contain Wi-Fi connection information.
   Correct Answer: Use NFC tags that contain Wi-Fi connection information.

4. What approximate range do Bluetooth Class 2 devices have?
   Answer 1: 10 feet
   Answer 2: 30 feet
   Answer 3: 60 feet
   Answer 4: 150 feet
   Correct Answer: 30 feet

5. You are performing a Wi-Fi site survey due to complaints about slow wireless network connectivity. Which reading indicates a strong signal that will provide the best wireless network speeds?
   Answer 1: -120 dBm
   Answer 2: -80 dBm
   Answer 3: -50 dBm
   Answer 4: -30 dBm
   Correct Answer: -30 dBm

6. When pen testing Wi-Fi networks, why is deauthentication sometimes used?
   Answer 1: To forcibly disconnect Wi-Fi clients to observe authentication.
   Answer 2: To forcibly disconnect Wi-Fi clients to prevent their Wi-Fi connectivity.
   Answer 3: To test RADIUS authentication resiliency.
   Answer 4: To perform offline dictionary attacks.
   Correct Answer: To forcibly disconnect Wi-Fi clients to observe authentication.

7. Which Wi-Fi EAP configuration uses both client and server PKI certificates?
   Answer 1: EAP-FAST
   Answer 2: EAP-TTLS
   Answer 3: EAP-TLS
   Answer 4: Protected EAP
   Correct Answer: EAP-TLS

8. When connecting to a public Wi-Fi hotspot you are presented with a Web page where you must agree to the terms of use before gaining Internet access. What is this?
   Answer 1: Reverse proxy server
   Answer 2: Port address translation
   Answer 3: RADIUS authentication
   Answer 4: Captive portal
   Correct Answer: Captive portal

8 Securing Public Servers

1. You are developing a Web application that uses cookies. You want to prevent client JavaScript access to cookies. Which HTTP response header attribute flag should you set?
   Answer 1: Samesite
   Answer 2: Secure
   Answer 3: HTTPOnly
   Answer 4: Domain
   Correct Answer: HTTPOnly

2. You need to start a Docker container named “cust-dev-lamp1.” The container image has a small HTTP Web server stack configured for TCP port 443 but you want connectivity to occur using TCP port 4443. Which Docker command should you use?
   Answer 1: sudo docker init -d -p 4443:443 cust-dev-lamp1
   Answer 2: sudo docker run -d -p 443:4443 cust-dev-lamp1
   Answer 3: sudo docker run -d -p 4443:443 cust-dev-lamp1
   Answer 4: sudo docker init -d -p 443:4443 cust-dev-lamp1
   Correct Answer: sudo docker run -d -p 4443:443 cust-dev-lamp1

3. Which type of hypervisor runs within an existing operating system?
   Answer 1: Type 1
   Answer 2: Type 2
   Answer 3: Type A
   Answer 4: Type B
   Correct Answer: Type 2

4. Which type of cloud is owned and used by a single organization?
   Answer 1: Public
   Answer 2: Hybrid
   Answer 3: Community
   Answer 4: Private
   Correct Answer: Private

5. With which cloud service model is the cloud tenant responsible for patching virtual machines?
   Answer 1: SaaS
   Answer 2: IaaS
   Answer 3: SECaaS
   Answer 4: PaaS
   Correct Answer: IaaS

6. Which cloud configuration enforces security policies when accessing cloud resources?
   Answer 1: CSP
   Answer 2: CASB
   Answer 3: SLA
   Answer 4: IaaS
   Correct Answer: CASB

9 Securing Dedicated Systems

1. Which term describes a specialized computer interface that controls industrial devices such as manufacturing robots and centrifuges?
   Answer 1: PLC
   Answer 2: SLA
   Answer 3: ICS
   Answer 4: HSM
   Correct Answer: PLC

2. Which smart home wireless networking protocol does not use TCP/IP?
   Answer 1: ICS
   Answer 2: PLC
   Answer 3: Zigbee
   Answer 4: IoT
   Correct Answer: Zigbee

3. What is the proposed maximum speed of a 5G network?
   Answer 1: 1 Gbps
   Answer 2: 3 Gbps
   Answer 3: 10 Gbps
   Answer 4: 50 Gbps
   Correct Answer: 10 Gbps

4. What is the approximate signal range for 4G cell towers?
   Answer 1: 1 mile
   Answer 2: 3 miles
   Answer 3: 6 miles
   Answer 4: 20 miles
   Correct Answer: 6 miles

5. Which cryptographic algorithm uses smaller keys but provides just as much crypto strength as other algorithms with larger key spaces?
   Answer 1: ECC
   Answer 2: RSA
   Answer 3: MD5
   Answer 4: SHA256
   Correct Answer: ECC

6. Which term describes installing a smart phone app directly, without going through an app store?
   Answer 1: Geotagging
   Answer 2: Geofencing
   Answer 3: Registering
   Answer 4: Sideloading
   Correct Answer: Sideloading

10 Physical Security

1. Which type of device records everything a user types?
   Answer 1: Common Access Card
   Answer 2: Ransomware
   Answer 3: Keylogger
   Answer 4: Hardware security module
   Correct Answer: Keylogger

2. Which physical security item mitigates the ramming of vehicles into buildings?
   Answer 1: Bollard
   Answer 2: Security guards
   Answer 3: Access control vestibule
   Answer 4: Door locks
   Correct Answer: Bollard

3. Why is it important to install blanking panels on equipment rack spaces that do not contain equipment?
   Answer 1: Rack security is enhanced
   Answer 2: Inventory gathering is made easier
   Answer 3: Visual equipment inspection is made easier
   Answer 4: Air flow is improved
   Correct Answer: Air flow is improved

4. Which server room consideration focuses on pulling warm equipment exhaust air away from equipment?
   Answer 1: Cold aisles
   Answer 2: Hot aisles
   Answer 3: Air conditioning
   Answer 4: Blanking panels
   Correct Answer: Hot aisles

5. Your company runs sensitive medical research equipment and servers on a network named RNET-A. You need to ensure external network access to RNET-A is not possible. Which technique should you use?
   Answer 1: VLANs
   Answer 2: Layer 4 firewall
   Answer 3: Air-gapping
   Answer 4: Reverse proxy
   Correct Answer: Air-gapping

11 Secure Protocols and Applications

1. You need to ensure that DNS client query responses are authentic and have not been tampered with. What should you configure?
   Answer 1: IPsec
   Answer 2: DNSSEC
   Answer 3: PKI
   Answer 4: HTTPS
   Correct Answer: DNSSEC

2. Which TCP/IP protocol is used for configuring and gathering remote network host statistics?
   Answer 1: SNMP
   Answer 2: DNSSEC
   Answer 3: IPsec
   Answer 4: HTTPS
   Correct Answer: SNMP

3. What type of attack hijacks authenticated sessions between a client and a server?
   Answer 1: Cross-site scripting
   Answer 2: Denial of service
   Answer 3: Cross-site request forgery
   Answer 4: Distributed denial of service
   Correct Answer: Cross-site request forgery

4. Which language is commonly used by attackers for XSS attacks?
   Answer 1: PowerShell
   Answer 2: Python
   Answer 3: Perl
   Answer 4: JavaScript
   Correct Answer: JavaScript

5. Where do XSS attacks execute?
   Answer 1: On the Web server
   Answer 2: In the client Web browser
   Answer 3: In the client operating system
   Answer 4: On the Web server operating system
   Correct Answer: In the client Web browser

12 Testing Infrastructure

1. Which term is the most closely related to social engineering?
   Answer 1: Firewall
   Answer 2: Ransomware
   Answer 3: Password
   Answer 4: Deception
   Correct Answer: Deception

2. What is the most prevalent risk related to NOT shredding paper documents?
   Answer 1: Impersonation
   Answer 2: Shoulder surfing
   Answer 3: Dumpster diving
   Answer 4: Tailgating
   Correct Answer: Dumpster diving

3. Which type of phishing attack occurs over SMS text messaging?
   Answer 1: Vishing
   Answer 2: Smishing
   Answer 3: Spear-phishing
   Answer 4: Whaling
   Correct Answer: Smishing

4. What type of document is often signed by pen testers before starting a pen test engagement?
   Answer 1: MOU
   Answer 2: NDA
   Answer 3: ISA
   Answer 4: MOA
   Correct Answer: NDA

5. Which Linux command-line tool can be used to download files from a Web server?
   Answer 1: scanless
   Answer 2: hping3
   Answer 3: dnsenum
   Answer 4: curl
   Correct Answer: curl

13 Dealing with Incidents

1. Which type of planning is designed to deal with security events as they occur?
   Answer 1: Disaster recovery plan
   Answer 2: Business continuity plan
   Answer 3: Incident response plan
   Answer 4: Backup plan
   Correct Answer: Incident response plan

2. You have determined that your department can withstand the loss of no more than 3 hours of data, so you have adjusted your backups to occur once every three hours. To which term does this scenario best apply?
   Answer 1: SLA
   Answer 2: HSM
   Answer 3: RPO
   Answer 4: RTO
   Correct Answer: RPO

3. Your company has determined that incident response to security events must be automated to reduce incident response time. What type of solution should be implemented?
   Answer 1: SOAR
   Answer 2: SIEM
   Answer 3: ICS
   Answer 4: PLC
   Correct Answer: SOAR

4. When gathering digital evidence, what is the correct order of volatility that dictates the order in which evidence should be acquired?
   Answer 1: Hard disk, USB thumb drive, RAM, CPU registers
   Answer 2: Hard disk, USB thumb drive, RAM, temporary files
   Answer 3: CPU registers, hard disk, RAM, temporary files
   Answer 4: CPU registers, RAM, temporary files, hard disk

5. Which term refers to hiding files within other files?
   Answer 1: Digital signature
   Answer 2: Hashing
   Answer 3: Encrypting
   Answer 4: Steganography
Answer Explanations

1 Risk Management

Question 1
Correct Answer: Script kiddies have basic IT knowledge and the ability to read tutorials to learn how to execute attacks.
Incorrect Answers: Hacktivists are motivated by a belief or ideology and execute attacks in an attempt to bring about social change. State-sponsored actors are funded by one or more nations, often for the purposes of protecting national interests. Criminal syndicate actors are related to organized crime groups that use technology to ply their nefarious trade.

Question 2
Correct Answer: Trusted Automated Exchange of Intelligence Information (TAXII) is a standard that defines how threat intelligence information is relayed from sources to subscribers.
Incorrect Answers: Structured Threat Information Expression (STIX) defines a standard format used to express threat intelligence data. A Hardware Security Module (HSM) is a cryptographic tamper-proof appliance used to carry out cryptographic operations, as well as to securely store encryption keys. A Public Key Infrastructure (PKI) is a hierarchy of digital security certificates.

Question 3
Correct Answer: Reviewing logs allows technicians to detect anomalous activity.
Incorrect Answers: Preventative controls take steps to reduce the possibility of threat incidents, such as keeping antivirus databases up to date. Compensating controls are used when it is not feasible to implement the preferred control due to cost, time or complexity. Technical controls use technology to safeguard assets, such as a firewall appliance.

Question 4
Correct Answer: Mitigating risk means putting security controls in place to eliminate or reduce the impact of realized threats.
Incorrect Answers: Risk acceptance occurs when the potential benefit of engaging in an activity outweighs the risks and no changes are made to mitigate risk. Risk transfer shifts some or all risk responsibility to a third party, as is the case with cybersecurity attack insurance. With risk avoidance, the risk is not undertaken because the potential benefits do not outweigh the risks.

Question 5
Correct Answer: Multiply the Asset Value (AV) by the Exposure Factor (EF). The SLE reflects the cost associated with an asset being unavailable, such as a server going down for a period of time. The Single Loss Expectancy (SLE) is calculated by multiplying the Asset Value (AV) by the Exposure Factor (EF), where the EF is a percentage expressing how much of an asset’s value is lost due to a negative event.
Incorrect Answers: The listed options do not reflect the values used to calculate the SLE.

Question 6
Correct Answer: Multiply the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO). The Annual Loss Expectancy (ALE) represents a cost related to the downtime of an asset over a one-year period. It is calculated by multiplying the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO).
Incorrect Answers: The listed options do not reflect the values used to calculate the ALE.

Question 7
Correct Answer: A qualitative risk assessment organizes risks by a severity or threat rating which may differ from one organization to another.
Incorrect Answers: A risk heat map plots risks on a grid using colours to represent severities; red is normally high severity and green is normally low severity. A risk register is a centralized list of risks that includes details such as a risk priority value, risk severity rating, mitigating controls, responsible person and so on. Quantitative risk assessments use numbers (such as dollar values and percentages) to calculate the impact realized threats can have on assets; the goal is to determine if the cost of protecting an asset is less than the projected annual cost of negative security incidents.

Question 8
Correct Answer: A Non-disclosure Agreement (NDA) is used to ensure that any sensitive data will not be disclosed to unauthorized parties.
Incorrect Answers: An Interconnection Security Agreement (ISA) defines how to secure communications when linking organizations, sites, or government agencies together. A Memorandum of Understanding (MOU) defines general terms of agreement between two parties, whereas a Memorandum of Agreement (MOA) defines granular contractual details between two parties.

2 Cryptography

Question 1
Correct Answer: Ciphertext results from feeding plaintext and an encryption key into an encryption algorithm.
Incorrect Answers: A hash is a unique representation of data that was fed into a one-way hashing algorithm; no key is used. “Message digest” is synonymous with hash. A digital signature is created with a sender’s private key and verified by the recipient with the related public key; it assures the recipient of message authenticity and that the message has not been tampered with.

Question 2
Correct Answer: Order laptops with TPM chips and configure BitLocker disk encryption. A Trusted Platform Module (TPM) chip in a computer is used to secure the integrity of the machine boot process and to store disk volume encryption keys.
Incorrect Answers: A Hardware Security Module (HSM) is not a chip installed within a computer; it is a tamper-resistant device used for cryptographic operations and the storage of encryption keys. Encrypting File System (EFS) file encryption is tied to the user account, not to the machine.

Question 3
Correct Answer: Symmetric encryption uses a single “secret” key for encrypting and decrypting.
Incorrect Answers: Asymmetric keys (public and private keys) are used for security in the form of encryption, digital signatures and so on; the recipient public key is used to encrypt and the related private key is used to decrypt. RSA is a public and private key pair cryptosystem. SHA256 is a hashing algorithm.

Question 4
Correct Answer: Your private key. Recipient private keys decrypt network messages (the recipient’s related public key encrypts network messages).
Incorrect Answers: The listed keys are not used for decryption.

Question 5
Correct Answer: Sender public key. Verifying digital signatures is done using the sender’s public key (the sender’s private key creates the digital signature).
Incorrect Answers: The listed keys are not used to verify a digital signature.

Question 6
Correct Answer: Salting adds random data to passwords before they are hashed, thus making them much more difficult to crack.
Incorrect Answers: The listed items do not enhance the security of password hashes. The password length does not affect the password hash; the hash is always a fixed length. Key pinning is an older technique that associates a certificate stored on a client device with a Web site. Multifactor authentication (MFA) uses multiple factors for authentication, such as a username (something you know) and a private key (something you have).

Question 7
Correct Answer: With Cipher Feedback Mode (CFB), each previous block’s ciphertext is encrypted and fed into the algorithm to encrypt the next block.
Incorrect Answers: Electronic Code Book (ECB), given the same plaintext, always results in the same ciphertext and is thus considered insecure. Cipher Block Chaining (CBC) is similar to ECB except that it uses a random Initialization Vector (IV). Output Feedback Mode (OFB) uses a keystream of bits to encrypt data blocks.

Question 8
Correct Answer: Wildcard certificates allow a single certificate tied to a DNS domain to be used by hosts within subdomains.
Incorrect Answers: Using self-signed or public certificates for each Web site requires more effort than using a wildcard certificate. Extended validation certificates require the certificate issuer to perform extra due diligence in ensuring that the certificate request is legitimate.

3 Identity and Account Management

Question 1
Correct Answer: Username + password device PIN. MFA uses multiple categories of authentication such as something you know (username, password) along with something you have (a device on which you receive a PIN).
Incorrect Answers: The listed items constitute only single factor authentication (SFA) because they use only one authentication category such as something you are (fingerprint scan, facial recognition) or something you know (username, password, answer to security question).

Question 2
Correct Answer: Authorization (gaining access to a resource) occurs only after successful authentication.
Incorrect Answers: Accounting, also referred to as auditing, is used to track activity in an IT environment. Availability ensures that data or IT systems are available when needed. Authentication proves the identity of a user, device, or software component in an IT environment.

Question 3
Correct Answer: One-time passwords (OTPs) enhance user sign-in security since the code is supplied through a separate mechanism from the login mechanism (out of band), and the code can only be used once.
Incorrect Answers: Multifactor authentication (MFA) combines authentication categories such as a username (something you know) with a private key (something you have), whereas single factor authentication uses only one category. Digital signatures are used to prove the authenticity of received network messages.

Question 4
Correct Answer: User home directory on the Linux server. SSH public keys must be stored on the server in the user home directory in a file called “authorized_keys”.
Incorrect Answers: None of the listed options specifies the correct location of the SSH public key.

Question 5
Correct Answer: Attribute-based Access Control (ABAC) allows resource access based on user, device and resource attributes.
Incorrect Answers: Role-based Access Control (RBAC) uses roles, which are collections of related permissions, to control resource access. Discretionary Access Control (DAC) allows the data custodian to set permissions in accordance with policies set forth by the data owner. Mandatory Access Control (MAC) labels resources and ties security clearance levels to specific labels to allow resource access.

Question 6
Correct Answer: Geotagging uses GPS coordinates or IP address block information to add detailed location information to social media posts and pictures.
Incorrect Answers: Geofencing is used to allow app access within a specific location. The Global Positioning System (GPS) uses satellites to pinpoint the location of objects on the Earth’s surface. Triangulation is a technique used to determine the distances and relative positions of points spread over a geographical region.

Question 7
Correct Answer: Identity federation uses a central trusted Identity Provider (IdP) to allow access to resources such as Web sites.
Incorrect Answers: Multifactor authentication (MFA) combines authentication categories such as a username (something you know) with a private key (something you have). Security Assertion Markup Language (SAML) is an authentication scheme whereby an identity provider issues digitally signed security tokens which are then used to gain resource access. The Lightweight Directory Access Protocol (LDAP) is a protocol used to access a central network directory.

Question 8
Correct Answer: Remote Authentication Dial-In User Service (RADIUS) servers are centralized authentication servers that receive authentication requests from RADIUS clients such as network switches and Wi-Fi routers.
Incorrect Answers: The Lightweight Directory Access Protocol (LDAP) is a protocol used to access a central network directory. Identity federation uses a central trusted Identity Provider (IdP) to allow access to resources such as Web sites. Active Directory is a Microsoft Windows Server role that uses a replicated database containing user, computer and application configuration information.

4 Tools of the Trade

Question 1
Correct Answer: PS1. Microsoft PowerShell scripts normally use a .PS1 file extension.
Incorrect Answers: Batch files use a .BAT extension, Python scripts use a .PY extension and shell scripts often use the .SH file extension.

Question 2
Correct Answer: The sudo command prefix allows non-root users to run privileged commands as long as they are granted this permission in the sudoers file.
Incorrect Answers: The chmod command is used to set Linux file system permissions. Logging in as
root is not recommended because it is such a powerful account. Security Enhanced Linux (SELinux)
is not causing permission denied messages in this scenario.

Correct Answer: The ssh-keygen command creates an SSH public and private key pair.
Incorrect Answers: The listed commands do not create key pairs. md5sum and sha256sum are
used to generate file hashes. The ssh command allows remote management of any device with an
SSH daemon over an encrypted connection.
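The two answers above (the authorized_keys location and ssh-keygen) both concern the OpenSSH public key format, so here is one added example that serves both, written for this page rather than taken from it or from OpenSSH: it builds the base64 blob that ssh-keygen writes to a .pub file (the key type as a wire-format string followed by the key fields), then parses and audits authorized_keys entries, checking that the declared key type matches the type embedded in the blob and reporting entries a reviewer would want to look at. The 32-byte key is a constructed placeholder, not a real Ed25519 key, and the audit rules are assumptions.

```python
import base64
import struct

# Constructed placeholder for a 32-byte Ed25519 public key (NOT a real key).
FAKE_ED25519_PUB = bytes(range(32))
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def encode_public_key(key_type, key_fields):
    """The base64 blob found in id_*.pub and authorized_keys: the key type as a
    wire string followed by the type-specific fields (for ssh-ed25519, only the
    32-byte public key)."""
    blob = ssh_string(key_type.encode()) + b"".join(ssh_string(f) for f in key_fields)
    return base64.b64encode(blob).decode()


def parse_authorized_keys_line(line):
    """Parse one entry: [options] key-type base64-blob [comment].
    Returns None for blank or comment lines; raises ValueError if malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    # Options (from=, command=, ...) precede the key type; locate the key-type token.
    idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError("no key type and blob found")
    options = " ".join(tokens[:idx])
    key_type, blob_b64 = tokens[idx], tokens[idx + 1]
    comment = " ".join(tokens[idx + 2:])
    blob = base64.b64decode(blob_b64, validate=True)   # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + length].decode("ascii", "replace")
    if embedded != key_type:
        raise ValueError("declared type %s but blob encodes %s" % (key_type, embedded))
    return {"options": options, "key_type": key_type, "comment": comment, "blob_len": len(blob)}


def audit_authorized_keys(text):
    """Findings a reviewer of an authorized_keys file would want (assumed rules):
    malformed entries, legacy ssh-dss keys, and keys with no restricting options."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_authorized_keys_line(line)
        except ValueError as err:
            findings.append("line %d: malformed entry (%s)" % (n, err))
            continue
        if entry is None:
            continue
        if entry["key_type"] == "ssh-dss":
            findings.append("line %d: legacy ssh-dss key (disabled by default in current OpenSSH)" % n)
        if not entry["options"]:
            findings.append("line %d: unrestricted key (%s)" % (n, entry["comment"] or "no comment"))
    return findings


# Constructed sample file contents (not from a real server).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# ~/.ssh/authorized_keys (constructed sample)",
    "ssh-ed25519 %s alice@laptop" % encode_public_key("ssh-ed25519", [FAKE_ED25519_PUB]),
    'from="10.0.0.0/8",command="/usr/local/bin/backup" ssh-ed25519 %s backup-job'
    % encode_public_key("ssh-ed25519", [FAKE_ED25519_PUB]),
    "ssh-rsa %s mismatched-type" % encode_public_key("ssh-ed25519", [FAKE_ED25519_PUB]),
    "ssh-rsa not!valid!base64 bob@desktop",
])
```

The type check matters because sshd trusts the blob, not the label: an entry whose label and blob disagree is either corrupt or hand-edited, and either way deserves a look.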

Correct Answer: To run a Python script, either specify the script name after the python command,
or specify python as the script interpreter using the #!/usr/bin/env python directive.
Incorrect Answers: The listed items are less probable reasons for the Python script failing; the
script should not refer to /usr/bin/bash but to the Python binary.
Correct Answer: netstat -p tcp -n | find "3389". Remote Desktop Protocol (RDP) uses TCP port
3389.
Incorrect Answers: RDP does not use port 389, nor does it use UDP or ICMP.
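Because find "3389" matches any line containing those digits, it also reports a socket on local port 13389 or an outbound session whose foreign port is 3389. As an added example (written for this page, not from it), here is a parser for the netstat table that keys on the parsed local port instead; the output shown is a constructed sample, not captured from a real host.

```python
# Constructed sample of "netstat -p tcp -n" output from a Windows host (not a
# real capture; addresses come from private and documentation ranges).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    [::]:3389              [::]:0                 LISTENING
  TCP    192.168.1.10:3389      203.0.113.5:51422      ESTABLISHED
  TCP    192.168.1.10:13389     10.0.0.9:445           ESTABLISHED
  TCP    192.168.1.10:50123     10.0.0.9:3389          ESTABLISHED
"""


def split_endpoint(endpoint):
    """'host:port' -> (host, port). Splits on the last colon so the IPv6 form
    '[::]:3389' works; a non-numeric port such as '*' becomes None."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse the Proto/Local/Foreign/State table into dicts with integer ports."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue                      # headings and blank lines
        local_host, local_port = split_endpoint(fields[1])
        foreign_host, foreign_port = split_endpoint(fields[2])
        rows.append({"proto": fields[0],
                     "local_host": local_host, "local_port": local_port,
                     "foreign_host": foreign_host, "foreign_port": foreign_port,
                     "state": fields[3] if len(fields) > 3 else ""})
    return rows


def naive_find(text, needle):
    """What `| find "3389"` does: a substring match over whole lines."""
    return [line for line in text.splitlines() if needle in line]


def rows_on_local_port(text, port):
    """Sockets whose *local* port is exactly `port` (listeners and inbound sessions)."""
    return [r for r in parse_netstat(text) if r["local_port"] == port]


def rows_to_foreign_port(text, port):
    """Outbound sessions to `port` on another host."""
    return [r for r in parse_netstat(text) if r["foreign_port"] == port]
```

On the sample, the substring match returns five lines while only three sockets are actually bound to local port 3389; the fifth line is an outbound RDP session to another host, which is a separate question.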

Correct Answer: The name server lookup (nslookup) command is used to test and troubleshoot
DNS name resolution.
Incorrect Answers: While the dig command can also be used to test and troubleshoot DNS name
resolution, this command is not native to Windows as it is to Linux. The tracert command shows
the hops (routers) that traffic traverses to reach an ultimate network target. The icacls command is
used to set Windows NTFS file system permissions.

Correct Answer: The ifconfig command shows Linux network interfaces and IP address
information.
Incorrect Answers: The dig command in Linux can be used to test and troubleshoot DNS name
resolution. The name server lookup (nslookup) command is used to test and troubleshoot DNS
name resolution in both Windows and Linux. Ipconfig is used to view network interface and IP
address information in Windows.

Correct Answer: chmod o+rx script1.sh. The change mode (chmod) command sets file system
permissions. Use the ‘o’ mnemonic to set ‘other’ permissions, in this case, read and execute.
Incorrect Answers: The other listed commands do not set read and execute permissions for
‘other’.
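The general form of the symbolic chmod grammar of which chmod o+rx script1.sh is one instance, as an added example written for this page (not from the original), re-implemented in Python rather than by calling chmod(1): it computes the new mode for any [ugoa][+-=][rwx] clause list, applies it with os.chmod and reads the result back. The setuid/setgid/sticky bits and the umask are deliberately left out, and the sample script file is constructed in a temporary directory.

```python
import os
import stat
import tempfile

WHO_MASKS = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}


def apply_symbolic_mode(mode, spec):
    """Apply a chmod symbolic specification ('o+rx', 'u=rw,go-w', 'a+x') to a
    numeric mode and return the resulting permission bits.
    Hypothetical re-implementation of the chmod(1) grammar for illustration:
    special bits (setuid/setgid/sticky) and umask handling are left out."""
    mode &= 0o777
    for clause in spec.split(","):
        i = 0
        who = 0
        while i < len(clause) and clause[i] in WHO_MASKS:
            who |= WHO_MASKS[clause[i]]
            i += 1
        if who == 0:                   # no 'who' given: chmod treats it like 'a'
            who = WHO_MASKS["a"]
        if i >= len(clause) or clause[i] not in "+-=":
            raise ValueError("expected one of + - = in clause %r" % clause)
        op = clause[i]
        i += 1
        perms = 0
        for ch in clause[i:]:
            if ch not in PERM_BITS:
                raise ValueError("unknown permission %r in clause %r" % (ch, clause))
            perms |= PERM_BITS[ch]
        bits = perms & who             # keep only the bits of the selected classes
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:                          # '=' replaces the selected classes entirely
            mode = (mode & ~who) | bits
    return mode & 0o777


def chmod_symbolic(path, spec):
    """Read the file's current mode, apply `spec`, write it back with os.chmod
    and return the new permission bits as reported by stat."""
    current = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, apply_symbolic_mode(current, spec))
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_script1():
    """Reproduce the question: script1.sh starts as rw-r----- (0o640) and must
    become readable and executable by 'other'. Returns the final mode."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "script1.sh")   # constructed sample file
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho hello\n")
        os.chmod(path, 0o640)
        return chmod_symbolic(path, "o+rx")      # rw-r--r-x, i.e. 0o645
```

Note that o+rx touches only the last octal digit: the owner and group bits are untouched, which is exactly why the other listed commands, which either change different classes or set the wrong bits, do not answer the question.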

Correct Answer: Wired Equivalent Privacy (WEP) is a deprecated insecure wireless security
protocol and should not be used.
Incorrect Answers: Wi-Fi Protected Access 3 (WPA3) is a current wireless network security
protocol. Remote Authentication Dial-In User Service (RADIUS) authentication uses a central
authentication server to service authentication requests from RADIUS clients. Disabling DHCP is a
hardening technique because it makes it more difficult for attackers to get on an IP network.

Correct Answer: Server PKI certificate. HTTPS Web sites require a server PKI certificate to secure
communications and normally use TCP port 443.
Incorrect Answers: Client PKI certificates are not required to enable an HTTPS Web application. TLS
v1.2 should be configured on clients and servers as the network security protocol used for HTTPS;
SSL v3.0 and TLS v1.0 are deprecated and should not be used.

Correct Answer: Zero-days are security flaws not yet known by vendors.
Incorrect Answers: The listed flaw types do not reflect security problems unknown to the vendor.

Correct Answer: Common buffer overflow problems occur when too much data is provided to a
memory variable due to a lack of input validation by the programmer.
Incorrect Answers: Driver shimming is normally used to allow legacy software to run; it intercepts
API calls. A race condition is a multi-threaded code runtime phenomenon whereby one code
action might occur before a security control or programmatic result from another thread is in
effect. Driver refactoring restructures internal code while maintaining external behaviour.
Correct Answer: Brute-force attacks use automation tools to try every possible combination of
letters, numbers and symbols to crack passwords.
Incorrect Answers: Dictionary attacks use dictionary word or phrase files to try them in
combination with a username in an attempt to crack user passwords. Password spraying blasts
many accounts with a best-guess common password before trying a new password; this is slower
(per-user account basis) than traditional attacks and is less likely to trigger account lockout
thresholds. Offline password attacks use an offline copy of passwords for cracking passwords.

Correct Answer: Client devices are infected and are attempting to discover a command and control
server. Client devices normally query IPv4 A records or IPv6 AAAA records to resolve FQDNs to IP
addresses. Clients querying DNS TXT records is abnormal.
Incorrect Answers: The listed reasons are invalid in this scenario.
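Added detection example (not from the original answer key): a small pass over a constructed DNS query log that scores each client by the share of its queries that are TXT lookups and by how regular the intervals between them are, since periodic TXT lookups of many distinct names under one domain are the pattern the answer describes. The log format (timestamp, client, query type, name), the thresholds and the addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed DNS query log: timestamp, client IP, query type, query name.
# 10.0.0.21 is ordinary browsing traffic; 10.0.0.42 queries TXT every 30 s.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01 10.0.0.21 A www.example.com
2024-05-01T10:00:02 10.0.0.21 AAAA www.example.com
2024-05-01T10:00:03 10.0.0.21 A mail.example.com
2024-05-01T10:00:04 10.0.0.21 TXT example.com
2024-05-01T10:00:05 10.0.0.42 TXT a1f3c9.update.example.net
2024-05-01T10:00:35 10.0.0.42 TXT b7e210.update.example.net
2024-05-01T10:01:05 10.0.0.42 TXT c0d4e8.update.example.net
2024-05-01T10:01:35 10.0.0.42 TXT d91b77.update.example.net
2024-05-01T10:01:40 10.0.0.42 A www.example.com
"""


def parse_dns_log(text):
    """Yield (timestamp, client, qtype, qname) tuples from the assumed log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        events.append((datetime.fromisoformat(ts), client, qtype.upper(), qname.lower()))
    return events


def flag_txt_beaconing(text, min_txt=3, min_ratio=0.5, max_jitter=5.0):
    """Flag clients whose TXT queries are both a large share of their DNS traffic
    and evenly spaced in time (low jitter between consecutive TXT queries).
    Thresholds are assumptions; tune them against the site's normal traffic."""
    per_client = defaultdict(lambda: {"total": 0, "txt_times": [], "txt_names": set()})
    for ts, client, qtype, qname in parse_dns_log(text):
        rec = per_client[client]
        rec["total"] += 1
        if qtype == "TXT":
            rec["txt_times"].append(ts)
            rec["txt_names"].add(qname)
    flagged = []
    for client, rec in sorted(per_client.items()):
        txt = len(rec["txt_times"])
        if txt < min_txt or txt / rec["total"] < min_ratio:
            continue
        times = sorted(rec["txt_times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        jitter = pstdev(gaps)
        flagged.append({"client": client, "txt_count": txt, "total": rec["total"],
                        "distinct_names": len(rec["txt_names"]),
                        "mean_interval": mean(gaps), "jitter": jitter,
                        "regular": jitter <= max_jitter})
    return flagged
```

A single TXT lookup from a mail server checking SPF records is normal and stays below the thresholds; a workstation whose DNS traffic is mostly TXT queries on a fixed timer is what warrants pulling the host for investigation.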

Correct Answer: RAID level 1 (disk mirroring) writes each file to all disks in the mirrored array.
Incorrect Answers: RAID 0 (disk striping) writes data across an array of disks to improve
performance. RAID 5 (disk striping with distributed parity) writes data across an array of disks but
also writes parity (error recovery information) across the disks in the array, thus providing a
performance improvement in addition to resiliency against a single failed disk in the array. RAID 6
uses at least 4 disks for striping and stores 2 parity stripes on each disk in the array; this allows for
a tolerance of 2 disk failures within the array.
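To make "parity (error recovery information)" concrete, an added example written for this page (not from the original): a toy RAID 5 layout in Python that stripes data across disks with a rotating parity unit computed as the XOR of the data units, then rebuilds one failed disk from the survivors. The unit size and the parity rotation are simplifications chosen for the example; real controllers differ in those details, and RAID 6 adds a second, differently computed parity unit that this toy does not model.

```python
def xor_units(units):
    """Bytewise XOR of equal-length byte strings (the RAID 5 parity function)."""
    out = bytearray(units[0])
    for unit in units[1:]:
        for i, b in enumerate(unit):
            out[i] ^= b
    return bytes(out)


def build_raid5(data, n_disks, unit=4):
    """Stripe `data` over `n_disks` disks: every stripe holds n_disks-1 data units
    plus one parity unit (XOR of the data units) whose disk position rotates
    from stripe to stripe. Returns a list of disks, each a list of units."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    data_units = n_disks - 1
    stripe_bytes = data_units * unit
    padded = data + b"\x00" * (-len(data) % stripe_bytes)   # pad the last stripe
    disks = [[] for _ in range(n_disks)]
    for s in range(len(padded) // stripe_bytes):
        chunk = padded[s * stripe_bytes:(s + 1) * stripe_bytes]
        units = [chunk[i * unit:(i + 1) * unit] for i in range(data_units)]
        parity_pos = (n_disks - 1 - s) % n_disks   # rotating parity position (one common layout)
        parity = xor_units(units)
        remaining = iter(units)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_pos else next(remaining))
    return disks


def read_raid5(disks, length):
    """Reassemble the original bytes by skipping each stripe's parity unit."""
    n = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_pos = (n - 1 - s) % n
        for d in range(n):
            if d != parity_pos:
                out += disks[d][s]
    return bytes(out[:length])


def rebuild_disk(disks, failed):
    """Recompute every unit of the failed disk as the XOR of the other disks'
    units in the same stripe; this works whether the lost unit held data or parity."""
    n = len(disks)
    stripes = len(disks[(failed + 1) % n])
    return [xor_units([disks[d][s] for d in range(n) if d != failed]) for s in range(stripes)]


def demo_single_failure(data=b"RAID 5: XOR of the surviving units rebuilds one lost disk.",
                        n_disks=4, failed=2):
    """Build the array, lose one disk, rebuild it, and confirm both the rebuilt
    disk and the reassembled data match the originals."""
    disks = build_raid5(data, n_disks)
    degraded = list(disks)
    degraded[failed] = None                        # simulate the disk failure
    degraded[failed] = rebuild_disk(degraded, failed)
    return degraded[failed] == disks[failed] and read_raid5(degraded, len(data)) == data
```

Because XOR is its own inverse, any one missing unit in a stripe is the XOR of the rest; lose two units of the same stripe and the equation has two unknowns, which is why RAID 5 tolerates exactly one failed disk.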

Correct Answer: A network intrusion prevention system can not only detect but also be configured
to stop suspicious activity.
Incorrect Answers: Layer 4 firewalls are packet filtering firewalls which do not detect or prevent
suspicious activity. Reverse proxy servers map public IP addresses and ports to internal servers to
protect their true identities. Intrusion detection systems only detect and report, log, or notify of
suspicious activity.

Correct Answer: Port numbers apply to the OSI model transport layer (layer 4).
Incorrect Answers: The listed OSI layers are not related to port numbers.

Correct Answer: Network devices modify their ARP cache to use the attacker MAC address for the
default gateway. ARP cache poisoning forces client traffic destined for a router (default gateway)
first through an attacker machine.
Incorrect Answers: The listed items do not properly describe ARP cache poisoning.
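One way to detect the symptom described above, as an added example written for this page (not from the original): parse two ARP cache snapshots (the arp -a layout of either Linux or Windows is accepted) and report a changed gateway MAC and any MAC that now answers for more than one IP, which is what a poisoned cache looks like from the victim's side. The snapshots below are constructed, and the gateway address is an assumption.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"\b(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed ARP cache snapshots in the Linux "arp -a" layout. The Windows
# layout (IP, dash-separated MAC, type) is handled by the same regexes.
BASELINE_ARP = """\
_gateway (192.168.1.1) at 00:11:22:33:44:01 [ether] on eth0
ws-50 (192.168.1.50) at 00:11:22:33:44:50 [ether] on eth0
ws-77 (192.168.1.77) at aa:bb:cc:dd:ee:77 [ether] on eth0
"""

# Later snapshot: the gateway entry now carries ws-77's MAC address.
CURRENT_ARP = """\
_gateway (192.168.1.1) at aa:bb:cc:dd:ee:77 [ether] on eth0
ws-50 (192.168.1.50) at 00:11:22:33:44:50 [ether] on eth0
ws-77 (192.168.1.77) at aa:bb:cc:dd:ee:77 [ether] on eth0
"""


def parse_arp_table(text):
    """Return {ip: mac} from arp -a output; MACs normalised to lower-case colon form."""
    table = {}
    for line in text.splitlines():
        ip, mac = IPV4_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            table[ip.group(0)] = mac.group(0).lower().replace("-", ":")
    return table


def detect_arp_anomalies(baseline, current, gateway_ip):
    """Compare two {ip: mac} tables. Findings: the default gateway's MAC changed
    since the baseline, and any MAC that is now claimed by several IPs."""
    findings = []
    old, new = baseline.get(gateway_ip), current.get(gateway_ip)
    if old and new and old != new:
        findings.append("gateway %s MAC changed %s -> %s" % (gateway_ip, old, new))
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append("MAC %s claims multiple IPs: %s" % (mac, ", ".join(sorted(ips))))
    return findings


def demo():
    """Run the comparison on the constructed snapshots."""
    return detect_arp_anomalies(parse_arp_table(BASELINE_ARP),
                                parse_arp_table(CURRENT_ARP), "192.168.1.1")
```

A changed gateway MAC has benign explanations (a replaced router, VRRP failover), so the second finding, one MAC answering for both the gateway and a workstation, is the stronger signal; static ARP entries for the gateway and switch-side dynamic ARP inspection are the usual mitigations.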

Correct Answer: The Spanning Tree Protocol (STP) is a network switch configuration option that
can prevent network switching loops.
Incorrect Answers: The listed mitigations are not designed to prevent network switching loops.

Correct Answer: Round robin load balancing sends each client app request to the next backend
server.
Incorrect Answers: Weighted load balancing uses a configured relative weight value for each
backend server to determine how much traffic each server gets. Active/passive is a load balancing
redundancy configuration where a standby server is not active until the active server fails. Least
connections send client app requests to the backend server that is currently the least busy.
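The four scheduling behaviours named above, as an added example not taken from the original: round robin, weighted round robin (the smooth variant, in which each backend's share over a full cycle equals its weight without long runs on one server), least connections with a release call so that counts go back down when sessions close, and an active/passive pair that only fails over when the active node is marked down. Backend names are placeholders.

```python
import itertools


class RoundRobin:
    """Each request goes to the next backend in a fixed cycle."""

    def __init__(self, backends):
        self._cycle = itertools.cycle(list(backends))

    def pick(self):
        return next(self._cycle)


class WeightedRoundRobin:
    """Smooth weighted round robin: every backend's 'current' score grows by its
    weight each round, the highest score wins and is reduced by the total, so
    over one cycle each backend receives requests in proportion to its weight."""

    def __init__(self, weights):
        self.weights = dict(weights)
        self.current = {b: 0 for b in self.weights}

    def pick(self):
        total = sum(self.weights.values())
        for b in self.current:
            self.current[b] += self.weights[b]
        chosen = max(self.current, key=self.current.get)
        self.current[chosen] -= total
        return chosen


class LeastConnections:
    """Send each request to the backend with the fewest open connections; the
    caller must call release() when a connection closes."""

    def __init__(self, backends):
        self.active = {b: 0 for b in backends}

    def pick(self):
        chosen = min(self.active, key=self.active.get)
        self.active[chosen] += 1
        return chosen

    def release(self, backend):
        self.active[backend] -= 1


class ActivePassive:
    """Redundancy rather than distribution: the standby takes over only when the
    active node is marked down (for example by a failed health check)."""

    def __init__(self, active, standby):
        self.active, self.standby = active, standby
        self.active_healthy = True

    def mark_active_down(self):
        self.active_healthy = False

    def pick(self):
        return self.active if self.active_healthy else self.standby


def demo_sequences(n=7):
    """Return the first n picks of each distribution policy over three backends."""
    rr = RoundRobin(["s1", "s2", "s3"])
    wrr = WeightedRoundRobin({"s1": 5, "s2": 1, "s3": 1})
    lc = LeastConnections(["s1", "s2", "s3"])
    lc_seq = []
    for i in range(n):
        lc_seq.append(lc.pick())
        if i == 2:
            lc.release("s2")    # s2's session closed: it is the least busy again
    return {"round_robin": [rr.pick() for _ in range(n)],
            "weighted": [wrr.pick() for _ in range(n)],
            "least_connections": lc_seq}
```

Round robin ignores server load entirely, which is the point of the contrast in the question: least connections reacts to how busy each backend is, and weighting reacts to how capable it is configured to be.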
Correct Answer: RADIUS supplicants (client devices) initiate authentication requests.
Incorrect Answers: RADIUS clients are network edge devices such as Wi-Fi routers or network
switches that forward RADIUS supplicant authentication requests to a RADIUS server.
Application is not a valid term in this context. RADIUS requester is not a valid term in this context.

Correct Answer: Layer 4. Packet filtering firewalls can examine only packet headers (OSI layers 2-
4).
Incorrect Answers: The listed layers do not correctly represent where packet filtering firewalls fit
into the OSI model.

Correct Answer: Forward proxy servers fetch content on behalf of internal client devices, and they
can require authentication and enforce time of day restrictions.
Incorrect Answers: Reverse proxy servers map public IP addresses and port numbers to internal
servers. Port Address Translation (PAT) allows many internal clients to get to the Internet using a
single public IP address. Network Address Translation (NAT) is similar to a reverse proxy server
except it cannot force user authentication or time of day restrictions; it applies to OSI model layer 4
(the transport layer), not layer 7 (the application layer).

Correct Answer: The Extended Service Set Identifier (ESSID) is synonymous with the wireless
network name.
Incorrect Answers: The Basic Service Set Identifier (BSSID) represents the Wi-Fi access point MAC
address. Wi-Fi Protected Access (WPA) is a deprecated Wi-Fi network security protocol. Temporal
Key Integrity Protocol (TKIP) was introduced with WPA to address WEP security issues related to
unchanging keys.

Correct Answer: Wi-Fi Protected Setup (WPS) pairs Wi-Fi devices using a PIN.
Incorrect Answers: The listed Wi-Fi standards do not pair Wi-Fi devices using a PIN.

Correct Answer: Use NFC tags that contain Wi-Fi connection information. With a smartphone app,
you can write data to a physical NFC tag that can be purchased inexpensively. Users with NFC-
enabled smartphones can retrieve NFC tag information such as Wi-Fi connection details.
Incorrect Answers: The listed options are not as convenient as using NFC tags.

Correct Answer: Bluetooth Class 2 devices have a range of approximately 30 feet.
Incorrect Answers: The listed ranges are not valid.

Correct Answer: A -30 dBm wireless signal strength is considered excellent.
Incorrect Answers: The listed wireless signal strengths are sub-standard.

Correct Answer: To forcibly disconnect Wi-Fi clients to observe authentication. Deauthentication
kicks connected devices off the Wi-Fi network in order to observe the reconnection authentication
information.
Incorrect Answers: The listed explanations do not explain why deauthentication is often used with
Wi-Fi pen testing.
Correct Answer: EAP-TLS can use client and server PKI certificates for mutual authentication.
Incorrect Answers: The listed EAP configurations do not require both client and server PKI
certificates.

Correct Answer: Captive portals present a Web page when users connect to a Wi-Fi network;
sometimes a user account is required (often users must agree to the terms of use before
connecting to the Internet).
Incorrect Answers: The listed security configurations would not result in a Web page being
presented when connecting to a public Wi-Fi hotspot.

Correct Answer: The HttpOnly flag ensures that client-side JavaScript cannot access the cookie, which
helps mitigate cross-site scripting (XSS) attacks.
Incorrect Answers: The SameSite attribute helps mitigate cross-site request forgery (CSRF) attacks.
The Secure attribute requires HTTPS connectivity. The Domain attribute controls the target host to
which the cookie will be sent.
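An added example (not from the original) that turns the four attributes above into a check a defender can run against a Set-Cookie header: it parses the header, then reports a missing HttpOnly, a missing Secure, a missing SameSite, SameSite=None without Secure (which current browsers reject), and a Domain attribute that widens a session cookie to every subdomain. The sample headers and the list of session-cookie names are assumptions.

```python
# Assumed list of cookie names that carry a session identifier.
SESSION_COOKIE_NAMES = ("sessionid", "jsessionid", "phpsessid", "asp.net_sessionid")


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes such as HttpOnly map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return the weaknesses found in one Set-Cookie header (assumed rules)."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("%s: missing HttpOnly, so page scripts can read it (XSS theft)" % name)
    if "secure" not in attrs:
        findings.append("%s: missing Secure, so it is also sent over plain HTTP" % name)
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("%s: missing SameSite, relying on the browser default instead of an explicit policy" % name)
    elif samesite == "none" and "secure" not in attrs:
        findings.append("%s: SameSite=None without Secure is rejected by current browsers" % name)
    if name.lower() in SESSION_COOKIE_NAMES and "domain" in attrs:
        findings.append("%s: Domain=%s widens a session cookie to all subdomains" % (name, attrs["domain"]))
    return findings


# Constructed sample headers.
WEAK_COOKIE = "sessionid=abc123; Path=/"
HARDENED_COOKIE = "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"
BROKEN_THIRD_PARTY = "tracking=xyz; SameSite=None"
```

Run it over the Set-Cookie headers in a captured response: the hardened form above is what the question's answer amounts to once the other three attributes are set as well.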

Correct Answer: sudo docker run -d -p 4443:443 cust-dev-lamp1. The first port number is the
local Docker host port number; the second port number, after the colon, is the configured listening
port number within the application container.
Incorrect Answers: The listed syntax options are incorrect.

Correct Answer: Type 2 hypervisors run as an app within an existing operating system.
Incorrect Answers: Type 1 hypervisors are a specialized operating system designed to host
multiple virtual machine guests. Type A and B are not valid hypervisor types.
Correct Answer: Private clouds are owned and used by a single organization.
Incorrect Answers: Public clouds are accessible by anybody over the Internet. Hybrid clouds
combine Public and Private clouds. Community clouds serve the specific cloud computing needs of
a group of tenants, such as for government cloud usage.

Correct Answer: Infrastructure as a Service (IaaS) includes storage, network and virtual machines.
IaaS virtual machine software patching is the responsibility of the cloud tenant.
Incorrect Answers: Software as a Service (SaaS) refers to end-user productivity software running in
the cloud, Security as a Service (SECaaS) refers to cloud security services, and Platform as a Service
(PaaS) refers to database and software development platforms, all of which do not place the
responsibility of virtual machine patching on the cloud tenant.

Correct Answer: A Cloud Access Security Broker (CASB) sits between users and cloud services to
enforce organizational security policies.
Incorrect Answers: Cloud Service Providers (CSPs) host cloud services. Service Level Agreements
(SLAs) guarantee cloud service uptime. Infrastructure as a Service (IaaS) includes storage, network
and virtual machines. IaaS virtual machine software patching is the responsibility of the cloud
tenant.
Correct Answer: Programmable Logic Controllers (PLCs) are used extensively in manufacturing and
various industries such as oil refining, electricity and water treatment.
Incorrect Answers: Service Level Agreements (SLAs) guarantee uptime for services such as those
offered in the cloud. An Industrial Control System (ICS) refers to a collection of computerized
solutions used for industrial process control. A Hardware Security Module (HSM) is a tamper-
resistant device used for cryptographic operations and the storage of cryptographic keys.

Correct Answer: Zigbee is designed to make connecting smart home devices together simple and
convenient, and it does not use TCP/IP.
Incorrect Answers: An Industrial Control System (ICS) refers to a collection of computerized
solutions used for industrial process control. Programmable Logic Controllers (PLCs) are used
extensively in manufacturing and various industries such as oil refining, electricity and water
treatment. Internet of Things (IoT) refers to devices that connect to and send and receive data
over the Internet.

Correct Answer: The maximum proposed speed for 5G is 10 Gbps.
Incorrect Answers: The listed transmission rates are incorrect.
Correct Answer: 4G cell towers have an approximate range of 6 miles.
Incorrect Answers: The listed distances are incorrect.
Correct Answer: Elliptic Curve Cryptography (ECC) uses small keys to achieve strong crypto
strength.
Incorrect Answers: RSA keys are larger than ECC keys. MD5 and SHA256 do not use keys; they are
hashing algorithms.

Correct Answer: Sideloading refers to installing mobile device apps directly from installation files,
without using an app store.
Incorrect Answers: Geotagging adds geographic metadata (such as GPS coordinates) to files, such
as photos taken with a smart phone. Geofencing uses geographical location to control app access.
Registering refers to linking a mobile device to a centralized Mobile Device Management (MDM)
system.

Correct Answer: Keyloggers come in the form of hardware and software. User keystrokes are
captured and can later be viewed by malicious actors.
Incorrect Answers: A Common Access Card (CAC) is a single card used to authenticate to many
systems such as buildings, floors in a building, as well as computer systems. Ransomware is
malware that encrypts user data files and demands a ransom payment in exchange for a
decryption key. A Hardware Security Module (HSM) is a tamper-proof device used for
cryptographic operations and the secure storage of cryptographic keys.

Correct Answer: Bollards are concrete or steel pillars embedded deep into the ground near
sensitive areas to prevent vehicle ramming.
Incorrect Answers: Security guards cannot effectively prevent vehicles from ramming buildings.
Access control vestibules (man traps) prevent a second inner door from opening until the first
outer door closes and locks. Door locks prevent physical entry to a room but do not mitigate
vehicles ramming buildings.

Correct Answer: Air flow is improved by installing blanking panels in racks where there is no
equipment.
Incorrect Answers: The listed items are not valid reasons for installing blanking panels.

Correct Answer: Hot aisles are designed to pull warm exhaust air away from equipment.
Incorrect Answers: The listed items are not focused on removing warm exhaust air from server
rooms.
Correct Answer: Air-gapping ensures that there is not a physical wired or wireless connection to a
sensitive network.
Incorrect Answers: The listed items can be used for optimizing network throughput (VLAN) and
limiting network access (Layer 4 firewall, reverse proxy), but these options do not ensure external
network access to RNET-A is impossible.

Correct Answer: DNS Security (DNSSEC) digitally signs DNS zone records. Clients validate the
signature to ensure DNS responses are authentic.
Incorrect Answers: IP security (IPsec) is a suite of network security protocols that can be used to
encrypt and authenticate network messages. Public Key Infrastructure (PKI) is a hierarchy of digital
security certificates. Hyper Text Transfer Protocol Secure (HTTPS) encrypts HTTP network
transmissions between clients and servers.

Correct Answer: The Simple Network Management Protocol (SNMP) uses a management station
that connects to network devices to retrieve statistics and to allow remote configuration.
Incorrect Answers: DNS Security (DNSSEC) digitally signs DNS zone records. Clients validate the
signature to ensure DNS responses are authentic. IP security (IPsec) is a suite of network security
protocols that can be used to encrypt and authenticate network messages. Hyper Text Transfer
Protocol Secure (HTTPS) encrypts HTTP network transmissions between clients and servers.

Correct Answer: A Cross-site Request Forgery (CSRF) attack occurs when the attacker takes over an
existing authenticated user session and issues commands to the server that appear to originate
from the authenticated user.
Incorrect Answers: A Cross-site Scripting (XSS) attack occurs when a victim views a Web page
where a malicious user has injected malicious code, normally written in JavaScript, that executes in
the victim Web browser. A Denial of Service (DoS) attack renders a service unreachable by
legitimate users, often by flooding the network or host with useless traffic. A Distributed Denial of
Service (DDoS) is similar to a DoS attack but instead uses multiple hosts to attack the victim host or
network.

Correct Answer: JavaScript. A Cross-site Scripting (XSS) attack occurs when a victim views a Web
page where a malicious user has injected malicious code, normally written in JavaScript, that
executes in the victim Web browser.
Incorrect Answers: The listed languages are not commonly used for XSS attacks.

Correct Answer: In the client Web browser. A Cross-site Scripting (XSS) attack occurs when a victim
views a Web page where a malicious user has injected malicious code, normally written in
JavaScript, that executes in the victim Web browser.
Incorrect Answers: The listed locations do not correctly identify where XSS attacks execute.

Correct Answer: Deception. Attackers use social engineering to trick (deceive) unsuspecting victims
into somehow divulging sensitive information over the phone, via SMS text messages, through
email with infected links or attachments, and so on.
Incorrect Answers: While the listed terms can be related to social engineering in some cases, they
are not as consistently associated with it as the word “deception” is.

Correct Answer: Dumpster diving involves malicious actors going through garbage seeking
documents that could contain some kind of sensitive information.
Incorrect Answers: Impersonation is more related to social engineering than to the failure to
shred paper documents. Shoulder surfing occurs when malicious actors can watch
unsuspecting victims using computing devices to learn of passwords or to see sensitive
information on their screens. Tailgating occurs when malicious actors follow legitimate users into a
secured facility before a locked door closes.
Correct Answer: Smishing occurs when social engineering phishing attacks take place over SMS
text.
Incorrect Answers: Vishing occurs when social engineering attacks take place using phone calls.
Spear phishing is a form of phishing that is targeted to a subset of potential victims. Whaling
relates to targeted phishing scams, such as to a company CEO.

Correct Answer: A Non-disclosure Agreement (NDA) ensures that pen testers will not divulge any
sensitive information they might encounter with unauthorized parties.
Incorrect Answers: A Memorandum of Understanding (MOU) consists of a general agreement with
broad terms between 2 parties. An Inter-connection Security Agreement (ISA) defines how 2
parties will securely connect their networks and systems together. A Memorandum of Agreement
(MOA) consists of detailed terms agreed upon by two parties in a business arrangement.

Correct Answer: The Linux curl command can be used to download files from a variety of sources
including Web servers.
Incorrect Answers: The scanless tool is used to perform port scans through a Web site. The hping3
tool can be used to forge TCP/IP packets. The dnsenum tool is used to go through DNS records
within a DNS zone and also to perform DNS zone transfers, or copies.

Correct Answer: An Incident Response Plan (IRP) is a plan created to deal with incidents as they
occur such as enabling incident containment and ultimately eradication.
Incorrect Answers: A Disaster Recovery Plan (DRP) is specific to a business process, IT system, or
data, and it focuses on recovering from a security incident as quickly as possible. A Business
Continuity Plan (BCP) is a document specifying general terms organizations will take to ensure
continued business operations. A backup plan is not a standard accepted term in this context.

Correct Answer: The Recovery Point Objective (RPO) specifies, in time, the maximum tolerable
amount of data loss due to a negative occurrence.
Incorrect Answers: The Service Level Agreement (SLA) is a document detailing guaranteed service
uptime. A Hardware Security Module (HSM) is a tamper-resistant device used for cryptographic
operations. The Recovery Time Objective (RTO) specifies, in time, the maximum amount of
tolerable downtime for a business process or IT system.

Correct Answer: A Security Orchestration, Automation, and Response (SOAR) solution allows the
creation of playbooks that can automate some or all incident response tasks.
Incorrect Answers: Security Information Event Management (SIEM) is a solution that ingests
activity data from numerous sources in order to detect indicators of compromise. An Industrial
Control System (ICS) is a collection of computerized solutions used for industry, such as with
manufacturing, oil refining, or power plants. A Programmable Logic Controller (PLC) is a network
device that connects with some kind of industrial component such as robotics, sensors, gauges,
valves, centrifuges, and so on.

Correct Answer: CPU registers, RAM, temporary files, hard disk. The most volatile, or fragile types
of evidence should be gathered first, such as CPU registers followed by RAM contents since they
depend on power. Temporary files might persist without power, and files on hard disks are non-
volatile; they persist even when the machine is not turned on.
Correct Answer: Steganography is a technique used to hide files within other files; it is a form of
obfuscation.
Incorrect Answers: Digital signatures are created with the sender’s private key and are used by the
message recipient to ensure the message is authentic and has not been tampered with. Hashing
feeds data into a 1-way algorithm which results in a fixed-length unique value called a “hash”.
Encryption is used to scramble data; the correct decryption key is needed to reverse the process
thus revealing the original data.
