
CompTIA SY0-401 Security+ 100-Question Practice Exam

Developed for www.GetCertify4Less.com

(Author to remain anonymous)

This practice exam has been developed exclusively for www.GetCertify4Less.com. Answers and explanations are on the last pages.

1. Which of the following answers refers to a dedicated device for managing secure connections
established over an untrusted network, such as the Internet?
A. Load balancer
B. VPN concentrator
C. Spam filter
D. Web server

2. Which of the following acronyms refers to a network- or host-based monitoring system designed to
automatically alert administrators of known or suspected unauthorized activity?
A. IDS
B. AES
C. TPM
D. EFS

3. A software tool used to monitor and examine contents of network traffic is known as: (Select all that
apply)
A. Port scanner
B. Packet sniffer
C. Vulnerability scanner
D. Protocol analyzer

4. Which of the following acronyms refers to a network security solution combining the functionality of a
firewall with additional safeguards such as URL filtering, content inspection, or malware inspection?
A. MTU
B. STP
C. UTM
D. XML

5. Which of the following network security solutions inspects network traffic in real-time and has the
capability to stop the ongoing attack?
A. NIPS
B. HIDS
C. HIPS
D. NIST

6. Which of the following actions can be taken by passive IDS? (Select 2 answers)
A. Reconfiguring firewall
B. Closing down connection
C. Logging
D. Terminating process
E. Sending an alert

7. Which of the following answers refers to a set of rules that specify which users or system processes
are granted access to objects as well as what operations are allowed on a given object?
A. CRL
B. NAT
C. BCP
D. ACL

8. Which type of Intrusion Detection System (IDS) relies on the previously established baseline of normal
network activity in order to detect intrusions?
A. Signature-based
B. URL filter
C. Anomaly-based
D. ACL

9. 802.1X is an IEEE standard defining:
A. Token ring networks
B. Port-based network access control
C. VLAN tagging
D. Wireless networking

10. Which of the following security solutions provides a countermeasure against denial-of-service attack
characterized by increasing number of half-open connections?
A. Flood guard
B. MAC filter
C. Honeypot
D. Port scanner

11. Which of the following protocols protects against switching loops?
A. UTP
B. SSH
C. STP
D. HMAC

12. Which type of Intrusion Detection System (IDS) relies on known attack patterns to detect an
intrusion?
A. Load balancer
B. Signature-based
C. Protocol analyzer
D. Anomaly-based

13. A lightly protected subnet placed on the outside of the company's firewall consisting of publicly
available servers is known as:
A. VPN
B. Access Point (AP)
C. VLAN
D. DMZ

14. Which of the following acronyms refers to a solution allowing companies to cut costs related to
managing internal calls?
A. PBX
B. POTS
C. P2P
D. PSTN

15. Which security measure is in place when a client is denied access to the network due to outdated
antivirus software?
A. NAC
B. DMZ
C. VLAN
D. NAT

16. Which of the following solutions is used to hide the internal IP addresses by modifying IP address
information in IP packet headers while in transit across a traffic routing device?
A. NAC
B. ACL
C. NAT
D. DMZ

17. In which of the following cloud computing infrastructure types do clients, instead of buying all the
hardware and software, purchase computing resources as an outsourced service from suppliers who own
and maintain all the necessary equipment?
A. IaaS
B. SaaS
C. P2P
D. PaaS

18. Which of the following cloud service types would provide the best solution for a web developer
intending to create a web app?
A. SaaS
B. API
C. PaaS
D. IaaS

19. A cloud computing infrastructure type where applications are hosted over a network (typically the
Internet), eliminating the need to install and run the software on the customer's own computers, is
called:
A. Thick client
B. SaaS
C. Virtualization
D. IaaS

20. Which of the following protocols is used in network management systems for monitoring network-attached devices?
A. RTP
B. SNMP
C. IMAP
D. RTP

21. Which of the protocols listed below is used by the PING utility?
A. TLS
B. SNMP
C. FCoE
D. ICMP

22. FTP runs by default on ports: (Select 2 answers)
A. 25
B. 23
C. 20
D. 21
E. 22

23. Which of the following protocols run(s) on port number 22? (Select all that apply)
A. FTP
B. SSH
C. SMTP
D. SCP
E. SFTP

24. Port number 23 is used by:
A. SMTP
B. SSH
C. Telnet
D. TFTP

25. Which of the following TCP ports is used by SMTP?
A. 25
B. 53
C. 80
D. 23

26. Which of the following ports enable(s) retrieving email messages from a remote server? (Select all
that apply)
A. 80
B. 139
C. 110
D. 443
E. 143

27. Which of the following answers lists the default port number for a Microsoft-proprietary remote
connection protocol?
A. 139
B. 443
C. 3389
D. 53

28. Which of the following wireless encryption schemes offers the highest level of protection?
A. WEP
B. WPA2
C. WAP
D. WPA

29. A network access control method whereby the 48-bit address assigned to each network card is used
to determine access to the network is known as:
A. EMI shielding
B. Hardware lock
C. MAC filter
D. Quality of Service (QoS)

30. Disabling SSID broadcast:
A. Is one of the measures used for securing networks
B. Makes a WLAN harder to discover
C. Blocks access to WAP
D. Prevents wireless clients from accessing the network

31. The AES-based encryption mode implemented in WPA2 is known as:
A. CCMP
B. TPM
C. TKIP
D. MTBF

32. Which of the following WAP configuration settings allows for adjusting the boundary range of the
wireless signal?
A. Beacon frame
B. Power level controls
C. Quality of Service (QoS)
D. MAC filtering

33. Which of the following answers refers to a solution allowing administrators to block Internet access
for users until they perform a required action?
A. Access logs
B. Mantrap
C. Post-admission NAC
D. Captive portal

34. Antivirus software identifying a non-malicious file as a virus due to a faulty virus signature file is an
example of:
A. Fault tolerance
B. False positive error
C. Incident isolation
D. False negative error

35. Which of the following terms refers to a situation where no alarm is raised when an attack has taken
place?
A. False negative
B. True positive
C. False positive
D. True negative

36. A policy outlining ways of collecting and managing personal data is known as:
A. Acceptable use policy
B. Audit policy
C. Privacy policy
D. Data loss prevention

37. Which of the following acronyms refers to a set of rules enforced in a network that restrict the use
to which the network may be put?
A. OEM
B. AUP
C. UAT
D. ARO

38. One of the goals behind the mandatory vacations policy is to mitigate the occurrence of fraudulent
activity within the company.
A. True
B. False

39. Which of the following answers refers to a concept of having more than one person required to
complete a given task?
A. Acceptable use policy
B. Privacy policy
C. Multifactor authentication
D. Separation of duties

40. A security rule that prevents users from accessing information and resources that lie beyond the
scope of their responsibilities is known as:
A. Order of volatility
B. Principle of least privilege
C. Privacy policy
D. Single sign-on

41. Which of the following acronyms refers to a risk assessment formula defining probable financial loss
due to a risk over a one-year period?
A. ARO
B. ALE
C. SLE
D. UAT

42. Single Loss Expectancy (SLE) = Asset Value (AV) x Exposure Factor (EF)
The Exposure Factor (EF) used in the formula above refers to the impact of the risk over the asset, or
percentage of asset lost when a specific threat is realized. Which of the following answers lists the
correct EF value for an asset that is entirely lost?
A. 0
B. 100
C. 1.0
D. 0.1

43. Contracting out a specialized technical component when the company's employees lack the
necessary skills is an example of:
A. Risk deterrence
B. Risk avoidance
C. Risk acceptance
D. Risk transference

44. Disabling certain system functions or shutting down the system when risks are identified is an
example of:
A. Risk acceptance
B. Risk avoidance
C. Risk transference
D. Risk deterrence

45. What type of risk management strategy is in place when accessing the network involves a login
banner warning designed to inform a potential attacker of the likelihood of getting caught?
A. Risk avoidance
B. Risk acceptance
C. Risk deterrence
D. Risk transference

46. Which of the following terms refers to one of the hardware-related disadvantages of the
virtualization technology?
A. Single point of failure
B. Server clustering
C. Privilege escalation
D. Power and cooling costs

47. An agreement between a service provider and the user(s) defining the nature, availability, quality,
and scope of the service to be provided is known as:
A. SLE
B. BPA
C. SLA
D. DLP

48. A document established between two or more parties to define their respective responsibilities in
accomplishing a particular goal or mission is known as:
A. BPA
B. MOU
C. SLE
D. ISA

49. Which of the following answers refers to an agreement established between the organizations that
own and operate connected IT systems to document the technical requirements of the interconnection?
A. ISA
B. ALE
C. MOU
D. BPA

50. In forensic procedures, a sequence of steps in which different types of evidence should be collected
is known as:
A. Order of volatility
B. Layered security
C. Chain of custody
D. Transitive access

51. In forensic procedures, a chronological record outlining the persons in possession of evidence is
referred to as:
A. Proxy list
B. Order of volatility
C. Access log
D. Chain of custody

52. Taking hashes ensures that data retains its:
A. Confidentiality
B. Integrity
C. Order of volatility
D. Availability

53. A sticky note with a password kept in plain sight in a user's cubicle would be a violation of which of
the following policies?
A. Data labeling policy
B. Clean desk policy
C. User account policy
D. Password complexity

54. Which of the following security controls is used to prevent tailgating?
A. Hardware locks
B. Mantraps
C. Video surveillance
D. EMI shielding

55. A zero-day attack exploits:
A. New accounts
B. Patched software
C. Vulnerability that is present in already released software but unknown to the software developer
D. Well known vulnerability

56. Which of the following solutions provide(s) availability? (Select all that apply)
A. RAID 5
B. RAID 0
C. Encryption
D. RAID 1
E. Hot site

57. Hardware-based RAID Level 0: (Select 2 answers)
A. Offers redundancy
B. Requires at least three drives to implement
C. Doesn't offer fault tolerance
D. Requires at least two drives to implement
E. Offers fault tolerance

58. In a differential backup strategy, restoring data from backup requires only a working copy of the last
full backup.
A. True
B. False

59. A United States federal government initiative aimed at enabling agencies to continue their essential
functions across a broad spectrum of emergencies is known as:
A. OVAL
B. TACACS
C. COOP
D. OCSP

60. Which of the following security controls provides confidentiality?
A. CCTV
B. Encryption
C. Digital signatures
D. Hashing

61. Steganography allows for:
A. Checking data integrity
B. Calculating hash values
C. Hiding data within another piece of data
D. Data encryption

62. Which of the following security controls provide(s) integrity? (Select all that apply)
A. Hashing
B. Fault tolerance
C. Digital signatures
D. Non-repudiation
E. Encryption

63. What is the purpose of non-repudiation?
A. Hiding one piece of data in another piece of data
B. Ensuring that received data hasn't changed in transit
C. Preventing someone from denying that they have taken specific action
D. Transforming plaintext into ciphertext

64. Which of the following answers refers to a general term used to describe software designed
specifically to damage or disrupt the operation of a computer system?
A. Adware
B. Spyware
C. Spam
D. Malware

65. What is adware?
A. Unsolicited or undesired electronic messages
B. Malicious program that sends copies of itself to other computers on the network
C. Software that displays advertisements
D. Malicious software that collects information about users without their knowledge

66. A computer program containing a malicious segment that attaches itself to an application program or
other executable component is called:
A. Adware
B. Virus
C. Spam
D. Flash cookie

67. Malicious software collecting information about users without their knowledge/consent is called:
A. Logic bomb
B. Adware
C. Computer worm
D. Spyware

68. Which of the following answers refers to malicious software performing unwanted and harmful
actions in disguise of a legitimate and useful program?
A. Trojan horse
B. Spyware
C. Logic bomb
D. Adware

69. A collection of software tools used by a hacker in order to mask intrusion and obtain administrator-level access to a computer or computer network is known as:
A. Backdoor
B. Botnet
C. Rootkit
D. Armored virus

70. Which of the following answers refers to an undocumented way of gaining access to a program,
online service or an entire computer system?
A. Tailgating
B. Rootkit
C. Trojan horse
D. Backdoor

71. Malicious code activated by a specific event is known as:
A. Logic bomb
B. Spyware
C. Trojan horse
D. Armored virus

72. A group of computers running malicious software under the control of a hacker is referred to as:
A. Intranet
B. Botnet
C. Ethernet
D. Subnet

73. Malware that restricts access to a computer system by encrypting files or locking the entire system
down until the user performs a requested action is known as:
A. Grayware
B. Adware
C. Ransomware
D. Spyware

74. The process by which malicious software changes its underlying code to avoid detection is called:
A. Fuzzing
B. Polymorphism
C. Pharming
D. Spoofing

75. A type of virus that takes advantage of various mechanisms specifically designed to make tracing,
disassembling and reverse engineering its code more difficult is known as:
A. Armored virus
B. Rootkit
C. Logic bomb
D. Backdoor

76. Which of the following is an example of active eavesdropping?
A. Phishing
B. DDoS
C. Xmas attack
D. MITM

77. Which of the following attacks uses multiple compromised computer systems against its target?
(Select best answer)
A. Spear phishing
B. DoS
C. Watering hole attack
D. DDoS

78. A replay attack occurs when an attacker intercepts user credentials and tries to use this information
later for gaining unauthorized access to resources on a network.
A. True
B. False

79. Which of the following authentication protocols offer(s) countermeasures against replay attacks?
(Select all that apply)
A. NTP
B. PAP
C. Kerberos
D. CHAP

80. An email sent from an unknown source disguised as a source known to the message receiver is an
example of:
A. Spoofing
B. Shoulder surfing
C. Backdoor
D. Birthday attack

81. Which of the following answers apply to a smurf attack? (Select 3 answers)
A. IP spoofing
B. Privilege escalation
C. DDoS
D. Polymorphic malware
E. Order of volatility
F. Large amount of ICMP echo replies

82. URL hijacking is also referred to as:
A. Session hijacking
B. Sandboxing
C. Typo squatting
D. Shoulder surfing

83. What is tailgating?
A. Looking over someone's shoulder in order to get information
B. Scanning for unsecured wireless networks while driving in a car
C. Manipulating a user into disclosing confidential information
D. Gaining unauthorized access to restricted areas by following another person

84. Which of the following terms refers to a rogue access point?
A. Computer worm
B. Backdoor
C. Evil twin
D. Trojan horse

85. The practice of sending unsolicited messages over Bluetooth is known as:
A. Vishing
B. Bluejacking
C. Phishing
D. Bluesnarfing

86. Gaining unauthorized access to a Bluetooth device is referred to as:
A. Xmas attack
B. Bluesnarfing
C. Bluejacking
D. Pharming

87. A monitored host or network specifically designed to detect unauthorized access attempts is known
as:
A. Botnet
B. Rogue access point
C. Honeypot
D. Flood guard

88. Penetration testing: (Select all that apply)
A. Bypasses security controls
B. Only identifies lack of security controls
C. Actively tests security controls
D. Exploits vulnerabilities
E. Passively tests security controls

89. Finding a vulnerability in an application by feeding it incorrect input is known as:
A. Patching
B. Exception handling
C. Application hardening
D. Fuzzing

90. The term Trusted OS refers to an operating system:
A. Admitted to a network through NAC
B. Implementing patch management
C. That has been authenticated on the network
D. With enhanced security features

91. Which of the following acronyms refers to a microchip embedded on the motherboard of a personal
computer or laptop that can store keys, passwords and digital certificates?
A. FRU
B. EFS
C. TPM
D. HCL

92. An authentication subsystem that enables a user to access multiple, connected system components
(such as separate hosts on a network) after a single login at only one of the components is known as:
A. SSO
B. TLS
C. SSL
D. WAP

93. Which of the following is an example of multi-factor authentication?
A. Password and biometric scan
B. User name and PIN
C. Smart card and identification badge
D. Iris and fingerprint scan

94. Which of the following technologies simplifies configuration of new wireless networks by providing
non-technical users with a capability to easily configure network security settings and add new devices
to an existing network?
A. WPA
B. WPS
C. WEP
D. WAP

95. A penetration test performed with prior knowledge of how the system to be tested works is known as:
A. White hat
B. Sandbox
C. White box
D. Black box

96. The practice of finding a vulnerability in an application by feeding it incorrect input is referred to as:
A. Patching
B. Exception handling
C. Application hardening
D. Fuzzing

97. Which of the following answers refers to a stream cipher?
A. DES
B. AES
C. RC4
D. 3DES

98. Which of the following solutions would be the fastest in validating digital certificates?
A. IPX
B. OCSP
C. CRL
D. OSPF

99. Copies of lost private encryption keys can be retrieved from a key database by:
A. Power users
B. Recovery agents
C. GPS tracking
D. Backup operators

100. What is the name of a storage solution used to retain copies of private encryption keys?
A. Trusted OS
B. Key escrow
C. Proxy
D. Recovery agent

ANSWERS

1. Answer: B. VPN concentrator
Explanation: A Virtual Private Network (VPN) is a logical, restricted-use network created with the use of
encryption and tunneling protocols over physical, public network links. A dedicated device for managing
VPN connections established over an untrusted network, such as the Internet, is called a VPN
concentrator.

2. Answer: A. IDS
Explanation: Intrusion Detection Systems (IDSs) rely on passive response which might include recording
an event in logs or sending a notification alert. An IDS doesn't take any active steps in order to prevent
an intrusion.

3. Answers: B and D. Packet sniffer and Protocol analyzer
Explanation: A protocol analyzer is a software tool used to monitor and examine the contents of network
traffic. Protocol analyzers are also referred to as packet sniffers.

4. Answer: C. UTM
Explanation: The term Unified Threat Management (UTM) refers to a network security solution
(commonly in the form of a dedicated device called a UTM appliance) which combines the functionality of
a firewall with additional safeguards such as URL filtering, spam filtering, gateway antivirus
protection, intrusion detection or prevention, content inspection, or malware inspection.

5. Answer: A. NIPS
Explanation: A Network Intrusion Prevention System (NIPS) inspects network traffic in real-time and has
the capability to stop an ongoing attack.

6. Answers: C and E. Logging and Sending an alert
Explanation: Intrusion Detection Systems (IDSs) rely on passive response which might include recording
an event in logs or sending a notification alert. An IDS doesn't take any active steps in order to prevent
an intrusion.

7. Answer: D. ACL
Explanation: An Access Control List (ACL) contains a set of rules that specify which users or system
processes are granted access to objects as well as what operations are allowed on a given object.

8. Answer: C. Anomaly-based
Explanation: An anomaly-based Intrusion Detection System (IDS) relies on a previously established
baseline of normal network activity in order to detect intrusions. A signature-based IDS relies on known
attack patterns to detect an intrusion.

9. Answer: B. Port-based network access control
Explanation: 802.1X is an Institute of Electrical and Electronics Engineers (IEEE) standard for port-based
network access control. 802.1X provides mechanisms to authenticate devices connecting to a Local Area
Network (LAN) or Wireless Local Area Network (WLAN). Due to the similar name, 802.1X is sometimes
confused with 802.11x (a general term used in reference to a family of wireless networking standards).

10. Answer: A. Flood guard
Explanation: Flooding is a type of Denial of Service (DoS) attack aimed at providing more input than a
networked host can process properly, so that it becomes overwhelmed with false requests and as a result
doesn't have the time and/or system resources to handle legitimate requests. Enabling flood detection on
networking equipment provides a countermeasure against this type of attack.

11. Answer: C. STP
Explanation: Spanning Tree Protocol (STP) is used to prevent switching loops. A switching loop occurs
when there's more than one active link between two network switches, or when two ports on the same
switch become connected to each other.

12. Answer: B. Signature-based
Explanation: A signature-based Intrusion Detection System (IDS) relies on known attack patterns to detect
an intrusion. An anomaly-based IDS relies on a previously established baseline of normal network activity
in order to detect intrusions. Load balancers are network devices designed for managing the optimal
distribution of workloads across multiple computing resources. A protocol analyzer (also known as a
packet sniffer) is a software tool used to monitor and examine the contents of network traffic.

13. Answer: D. DMZ
Explanation: In the context of computer security, the term Demilitarized Zone (DMZ) refers to a lightly
protected subnet consisting of publicly available servers placed on the outside of the company's firewall.

14. Answer: A. PBX
Explanation: A Private Branch Exchange (PBX) is an internal telephone exchange or switching system
implemented in a particular business or office. A PBX allows for handling of internal communications
without the use of paid Public Switched Telephone Network (PSTN) service.

15. Answer: A. NAC
Explanation: Network Access Control (NAC) defines a set of rules enforced in a network that the clients
attempting to access the network must comply with. With NAC, policies can be enforced before or after
end-stations gain access to the network. NAC can be implemented as pre-admission NAC, where a host
must, for example, be virus free or have patches applied before it is allowed to connect to the network,
and/or post-admission NAC, where a host is granted or denied permissions based on its actions after
it has been provided with access to the network.

16. Answer: C. NAT
Explanation: Network Address Translation (NAT) is a technology that provides an IP proxy between a
private Local Area Network (LAN) and a public network such as the Internet. Computers on the private
LAN can access the Internet through a NAT-capable router which handles the IP address translation. NAT
hides the internal IP addresses by modifying IP address information in IP packet headers while in transit
across a traffic routing device.

17. Answer: A. IaaS
Explanation: Infrastructure as a Service (IaaS) is one of the cloud computing infrastructure types where
clients, instead of buying all the hardware and software, purchase computing resources as an
outsourced service from suppliers who own and maintain all the necessary equipment. The clients
usually pay for computational resources on a per-use basis. In IaaS, the cost of the service depends on the
amount of consumed resources.

18. Answer: C. PaaS
Explanation: Platform as a Service (PaaS) is a category of cloud computing services providing cloud-based
application development tools, in addition to services for testing, deploying, collaborating on,
hosting, and maintaining applications.

19. Answer: B. SaaS
Explanation: Software as a Service (SaaS) is a type of cloud computing infrastructure where applications
are hosted over a network (typically the Internet), eliminating the need to install and run the software on the
customer's own computers and simplifying maintenance and support. Compared to conventional
software deployment, which requires a licensing fee and often investment in additional hardware on the
client side, SaaS can be delivered at a lower cost by providing remote access to applications and pricing
based on a monthly or annual subscription fee.

20. Answer: B. SNMP
Explanation: Simple Network Management Protocol (SNMP) is a protocol used in network management
systems to monitor network-attached devices. SNMP is typically integrated into most modern network
infrastructure devices such as routers, bridges, switches, servers, printers, copiers, fax machines, and
other network-attached devices. An SNMP-managed network consists of three key components: a
managed device, a network-management software module that resides on a managed device (the Agent),
and a network management system (NMS) which executes applications that monitor and control
managed devices and collect SNMP information from Agents. All SNMP-compliant devices include a
virtual database called the Management Information Base (MIB) containing information about the configuration
and state of the device that can be queried by the SNMP management station. The manager receives
notifications (Traps and InformRequests) on UDP port 162. The SNMP Agent receives requests on UDP
port 161, and before answering a request from an SNMP manager, the SNMP Agent verifies that the manager
belongs to an SNMP community with access privileges to the Agent. An SNMP community is a group that
consists of SNMP devices and one or more SNMP managers. The community has a name, and all
members of a community have the same access privileges. An SNMP device or Agent may belong to
more than one SNMP community, and it will not respond to requests from management stations that do
not belong to one of its communities. The relationship between the SNMP server system and the client
systems is defined by the so-called community string, which acts like a password. Versions 1 and 2 of the
SNMP protocol (SNMPv1 and SNMPv2) offer only authentication based on community strings sent in
cleartext. SNMPv3 provides authentication, packet encryption, and hashing mechanisms that allow for
checking whether data has changed in transit.

21. Answer: D. ICMP
Explanation: PING is a command-line utility used for checking the reachability of a remote host. It
operates by sending Internet Control Message Protocol (ICMP) echo request packets to the destination
host.

22. Answers: C and D. 20 and 21
Explanation: File Transfer Protocol (FTP) is an unencrypted file exchange protocol. FTP employs TCP
ports 20 and 21. The connection established over TCP port 20 (the data connection) is used for exchanging
data; the connection made over TCP port 21 (the control connection) remains open for the duration of the
whole session and is used for session administration (commands, identification, and passwords).

23. Answers: B, D, and E. SSH, SCP, and SFTP
Explanation: Secure Shell (SSH) runs by default on TCP port 22. Apart from providing the ability to
log in remotely and execute commands on a remote host, SSH is also used for secure file transfer
through SSH-based protocols such as Secure Copy (SCP) or SSH File Transfer Protocol (SFTP).

24. Answer: C. Telnet
Explanation: Port number 23 is used by Telnet.

25. Answer: A. 25
Explanation: TCP port 25 is used by the Simple Mail Transfer Protocol (SMTP). The purpose of SMTP is to
facilitate the exchange of email messages between email servers.

26. Answers: C and E. 110 and 143
Explanation: TCP port number 110 is used by the Post Office Protocol v3 (POP3). TCP port 143 is used by
the Internet Message Access Protocol (IMAP). POP and IMAP are protocols enabling retrieval of email
messages from servers.

27. Answer: C. 3389
Explanation: Remote Desktop Protocol (RDP) is a Microsoft-proprietary remote connection protocol.
RDP runs by default on TCP port 3389.

28. Answer: B. WPA2
Explanation: Wi-Fi Protected Access (WPA) and Wired Equivalent Privacy (WEP) are encryption
standards designed for securing wireless networks. WEP is an older standard and, due to its
vulnerabilities, is not recommended. WPA was designed as an interim replacement for WEP, and WPA2
was introduced as the official standard offering the strongest security of the three.

29. Answer: C. MAC filter
Explanation: A network access control method based on the physical address (MAC address) of the
Network Interface Card (NIC) is called MAC filtering or MAC address filtering. The 48-bit MAC address is a
unique number assigned to every network adapter. Devices acting as network access points can have
certain MAC addresses blacklisted or whitelisted and, based on the entry on either of the lists, grant or
deny access to the network.

30. Answer: B. Makes a WLAN harder to discover
Explanation: Service Set Identifier (SSID) is another term for the name of a Wireless Local Area Network
(WLAN). Wireless networks advertise their presence by regularly broadcasting the SSID in a special
packet called a beacon frame. In wireless networks with disabled security features, knowing the network
SSID is enough to get access to the network. The SSID can be hidden by disabling the SSID broadcast on the
Wireless Access Point (WAP), but a hidden SSID only makes a WLAN harder to discover and is not a true
security measure. Wireless networks with a hidden SSID can still be discovered with the use of packet-sniffing
software. Security measures that help in preventing unauthorized access to a wireless network
include strong encryption schemes such as WPA and WPA2.

31. Answer: A. CCMP
Explanation: Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) is an
encryption mode implemented in the Wi-Fi Protected Access II (WPA2) security protocol. CCMP relies on
the Advanced Encryption Standard (AES), providing much stronger security than the Wired Equivalent
Privacy (WEP) protocol and the Temporal Key Integrity Protocol (TKIP) implemented in Wi-Fi Protected
Access (WPA).

32. Answer: B. Power level controls
Explanation: Power level controls in Wireless Access Point (WAP) configuration settings allow for
adjusting the boundary range of the wireless signal. From a security standpoint, this functionality keeps
the signal coverage within the designated area and serves as a countermeasure against unauthorized
network access attempts from outside.

33. Answer: D. Captive portal
Explanation: Captive portals allow administrators to block Internet access for users until they perform a
required action. An example captive portal could be a web page requiring authentication and/or
payment (e.g. at a public Wi-Fi hotspot) before a user is allowed to proceed and use the Internet access
service.

34. Answer: B. False positive error
Explanation: Antivirus software identifying a non-malicious file as a virus due to a faulty virus signature
file is an example of a false positive error.

35. Answer: A. False negative
Explanation: A situation where no alarm is raised when an attack has taken place is an example of a false
negative error.

36. Answer: C. Privacy policy
Explanation: A policy outlining ways of collecting and managing personal data is known as a privacy policy.

37. Answer: B. AUP


Explanation: Acceptable Use Policy (AUP) is a set of rules enforced in a network that restrict the use to
which the network may be put.

38. Answer: A. True


Explanation: One of the goals behind the mandatory vacations policy is to mitigate the occurrence of
fraudulent activity within the company.

39. Answer: D. Separation of duties


Explanation: The concept of requiring more than one person to complete a given task is known as
separation of duties. By dividing the tasks and associated privileges of a specific process among multiple
users, this type of internal control provides a countermeasure against fraud and errors.

40. Answer: B. Principle of least privilege


Explanation: A security rule that prevents users from accessing information and resources that lie
beyond the scope of their responsibilities is known as the principle of least privilege.

41. Answer: B. ALE


Explanation: A risk assessment formula defining probable financial loss due to a risk over a one-year
period is known as Annual Loss Expectancy (ALE).

42. Answer: C. 1.0


Explanation: The Exposure Factor (EF) for an example asset that is entirely lost due to the impact of the
risk over the asset equals 1.

43. Answer: D. Risk transference


Explanation: Contracting out a specialized technical component when the company's employees lack the
necessary skills is an example of risk transference.

44. Answer: B. Risk avoidance


Explanation: Disabling certain system functions or shutting down the system when risks are identified is
an example of risk avoidance.

45. Answer: C. Risk deterrence


Explanation: A login banner warning designed to inform a potential attacker of the likelihood of getting
caught falls into the category of risk deterrence measures.

46. Answer: A. Single point of failure


Explanation: Virtualization is a technology that allows multiple operating systems to work
simultaneously on the same hardware. One of the disadvantages of virtualization relates to the fact that
hardware used for the purpose of virtualization becomes a single point of failure.

47. Answer: C. SLA


Explanation: Service-Level Agreement (SLA) is an agreement between a service provider and the user(s)
defining the nature, availability, quality, and scope of the service to be provided.

48. Answer: B. MOU


Explanation: A document established between two or more parties to define their respective
responsibilities in accomplishing a particular goal or mission is known as Memorandum of
Understanding (MoU).

49. Answer: A. ISA


Explanation: The term Interconnection Security Agreement (ISA) refers to an agreement established
between the organizations that own and operate connected IT systems to document the technical
requirements of the interconnection.

50. Answer: A. Order of volatility


Explanation: In forensic procedures, a sequence of steps in which different types of evidence should be
collected is known as order of volatility.

51. Answer: D. Chain of custody


Explanation: In forensic procedures, a chronological record of the persons who have been in possession
of the evidence is referred to as the chain of custody.

52. Answer: B. Integrity


Explanation: Taking hashes ensures that data retains its integrity. Hash functions map large amounts of
data to a small string of characters. The result of a hash function is a compact fingerprint (a fixed-length
string of characters) derived from the entire content. If the data changes in any way after the original
hash was taken, the hash value calculated the next time the hash function is applied will differ from the
original hash. In computer forensics procedures, comparing hashes taken at different stages of the
evidence handling process ensures that the evidence hasn't been tampered with and stays intact.
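The hash comparison described above, as an added example (not part of the original exam): a constructed evidence image is hashed at acquisition, every later custody stage records its own hash, and a single altered byte is caught by comparing against the acquisition hash. The custody log format and stage names are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CustodyEntry:
    """One line of a (hypothetical) chain-of-custody log: stage, handler, hash."""
    stage: str
    handler: str
    sha256: str


def hash_evidence(data: bytes) -> str:
    """SHA-256 of an evidence image, as lowercase hex (64 characters)."""
    return hashlib.sha256(data).hexdigest()


def record_stage(log: List[CustodyEntry], stage: str, handler: str, data: bytes) -> CustodyEntry:
    """Hash the evidence as it is at this stage and append the result to the log."""
    entry = CustodyEntry(stage, handler, hash_evidence(data))
    log.append(entry)
    return entry


def first_mismatch(log: List[CustodyEntry]) -> Optional[str]:
    """Stage at which the hash first diverged from the acquisition hash, or None."""
    if not log:
        return None
    baseline = log[0].sha256
    for entry in log[1:]:
        if entry.sha256 != baseline:
            return entry.stage
    return None


def evidence_intact(log: List[CustodyEntry]) -> bool:
    """True only if every recorded stage still matches the acquisition hash."""
    return bool(log) and first_mismatch(log) is None


def demo() -> dict:
    """Walk a constructed image through three stages; the last one is tampered with."""
    image = bytes(range(256)) * 4          # constructed 1 KiB "disk image"
    log: List[CustodyEntry] = []
    record_stage(log, "acquisition", "examiner A", image)
    record_stage(log, "transport", "examiner B", image)  # untouched copy: same hash
    tampered = bytearray(image)
    tampered[100] ^= 0x01                  # flip one bit in one byte
    record_stage(log, "analysis", "examiner C", bytes(tampered))
    return {
        "intact": evidence_intact(log),
        "first_mismatch": first_mismatch(log),
        "acquisition_hash": log[0].sha256,
        "analysis_hash": log[2].sha256,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```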

53. Answer: B. Clean desk policy


Explanation: A sticky note with a password left in plain sight in a user's cubicle would be a violation of
the clean desk policy.

54. Answer: B. Mantraps


Explanation: Mantraps are two-door entrance points connected to a guard station. A person entering a
mantrap from the outside remains inside until he/she provides the authentication token required to
unlock the inner door. Mantraps are used to prevent tailgating, which is the practice of gaining
unauthorized access to restricted areas by following another person.

55. Answer: C. Vulnerability that is present in already released software but unknown to the software
developer
Explanation: Zero-day attacks exploit vulnerabilities that are present in already released software but
unknown to the software developer.

56. Answers: A, D, and E. RAID 5, RAID 1, and Hot site

Explanation: Availability provides assurance that resources can be used when needed. Redundant Array
of Independent Disks (RAID) is a collection of different data storage schemes (referred to as RAID levels)
that allow for combining multiple hard disks into a single logical unit in order to increase fault tolerance
and performance. RAID levels increase availability by allowing the system to remain operational even
when one of its components (hard drives) fails (this applies to all RAID levels except RAID 0, which
doesn't provide any fault tolerance). A hot site is an alternate site where a company can move its
operations in case of failure of the main site.

57. Answers: C and D. Doesn't offer fault tolerance and Requires at least two drives to implement
Explanation: Redundant Array of Independent Disks (RAID) is a collection of different data storage
schemes (referred to as RAID levels) that allow for combining multiple hard disks into a single logical unit
in order to increase fault tolerance and performance. RAID Level 0 breaks data into fragments called
blocks, and each block of data is written to a separate disk drive. This greatly improves performance, as
every physical disk drive handles only a part of the workload related to write and read operations. Each
additional physical drive included in this type of array improves the speed of read/write operations by
adding more hardware resources to handle a smaller share of the workload. The main disadvantage of
RAID 0 is that it doesn't offer any fault tolerance. Each of the drives holds only part of the information,
and if any of the drives fails there is no way to rebuild the array, which in turn results in the loss of all
data. Hardware-based RAID Level 0 requires a minimum of two disk drives to implement.

58. Answer: B. False


Explanation: In a differential backup strategy, restoring data from backup requires working copies of the
most recent full backup and the last differential backup.

59. Answer: C. COOP


Explanation: Continuity of Operation Planning (COOP) is a United States federal government initiative
aimed at enabling agencies to continue their essential functions across a broad spectrum of
emergencies.

60. Answer: B. Encryption


Explanation: Confidentiality is achieved by encrypting data so that it becomes unreadable to anyone
except the person with the decryption key.

61. Answer: C. Hiding data within another piece of data


Explanation: Steganography allows for hiding data within another piece of data.

62. Answers: A, C, and D. Hashing, Digital signatures, and Non-repudiation


Explanation: Hashing, digital signatures, and non-repudiation fall into the category of security controls
aimed at providing integrity.

63. Answer: C. Preventing someone from denying that they have taken specific action
Explanation: The purpose of non-repudiation is to prevent someone from denying that they have taken
a specific action.

64. Answer: D. Malware


Explanation: Unwanted programs designed specifically to damage or disrupt the operation of a
computer system are referred to as malicious software, or malware.

65. Answer: C. Software that displays advertisements


Explanation: Adware is a type of software that displays advertisements on the user's system, often in
the form of a pop-up window. Unsolicited or undesired electronic messages are known as spam. A
malicious program that sends copies of itself to other computers on the network is called a computer
worm. Malicious software that collects information about users without their knowledge is called spyware.

66. Answer: B. Virus


Explanation: The term computer virus refers to a program containing a malicious segment that attaches
itself to an application program or other executable component.

67. Answer: D. Spyware


Explanation: Malicious software collecting information about users without their knowledge/consent is
called spyware.

68. Answer: A. Trojan horse


Explanation: Software that performs unwanted and harmful actions under the guise of a legitimate and
useful program is referred to as a Trojan horse. This type of malware may act like a legitimate program
and have all the expected functionality, but in addition it contains a portion of malicious code appended
to it that the user is unaware of.

69. Answer: C. Rootkit


Explanation: A collection of software tools used by an attacker to mask an intrusion and retain
administrator-level access to a computer or computer network is known as a rootkit.

70. Answer: D. Backdoor


Explanation: The term backdoor refers to an undocumented way of gaining access to a program, online
service or an entire computer system.

71. Answer: A. Logic bomb


Explanation: Malicious code activated by a specific event is known as a logic bomb.

72. Answer: B. Botnet


Explanation: A group of computers running malicious software under control of a hacker is referred to as
a botnet.

73. Answer: C. Ransomware


Explanation: Malware that restricts access to a computer system by encrypting files or locking the entire
system down until the user performs a requested action is known as ransomware.

74. Answer: B. Polymorphism


Explanation: The process by which malicious software changes its underlying code to avoid detection is
called polymorphism.

75. Answer: A. Armored virus


Explanation: A type of virus that takes advantage of various mechanisms specifically designed to make
tracing, disassembling and reverse engineering its code more difficult is known as an armored virus.

76. Answer: D. MITM


Explanation: Man-In-The-Middle attack (MITM) falls into the category of active eavesdropping.

77. Answer: D. DDoS

Explanation: As opposed to simple Denial of Service (DoS) attacks, which are usually performed from a
single system, a Distributed Denial of Service (DDoS) attack uses multiple compromised computer
systems to perform an attack against its target. The intermediary systems that are used as a platform
for the attack are the secondary victims of the DDoS attack; they are often referred to as zombies, and
collectively as a botnet. The goal of DoS and DDoS attacks is to flood the bandwidth or resources of a
targeted system so that it becomes overwhelmed with false requests and, as a result, doesn't have the
time or resources to handle legitimate requests.

78. Answer: A. True


Explanation: A replay attack occurs when an attacker intercepts user credentials and tries to use this
information later for gaining unauthorized access to resources on a network.

79. Answers: C and D. Kerberos and CHAP


Explanation: A replay attack occurs when an attacker intercepts user credentials and tries to use this
information later for gaining unauthorized access to resources on a network. Kerberos and Challenge
Handshake Authentication Protocol (CHAP) are authentication protocols offering countermeasures
against replay attacks. Kerberos supports a system of time-stamped tickets that grant access to
resources and expire after a certain period of time. CHAP prevents replay attacks by periodically
reauthenticating clients during a session.
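The CHAP countermeasure above, as an added example (not part of the original exam): the authenticator issues a random, single-use challenge and the peer answers with the RFC 1994 hash over identifier, shared secret and challenge, so a captured response is useless against the same challenge (already consumed) or a fresh one (different input). The shared secret and class names are constructed for the example.

```python
import hashlib
import secrets
from typing import Dict, Tuple

# Constructed shared secret for the example; not a real credential.
SECRET = b"constructed-shared-secret"


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5 over the identifier octet, the secret and the challenge.
    MD5 is what CHAP specifies; the replay protection comes from the fresh challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues single-use random challenges and verifies responses."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending: Dict[int, bytes] = {}   # identifier -> outstanding challenge
        self._next_id = 0

    def challenge(self) -> Tuple[int, bytes]:
        """Start (or periodically repeat) authentication with a fresh random challenge."""
        ident = self._next_id % 256            # CHAP identifier is a single octet
        self._next_id += 1
        chal = secrets.token_bytes(16)
        self._pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, response: bytes) -> bool:
        """Accept a response only once, and only for the challenge it was computed over."""
        chal = self._pending.pop(ident, None)  # single use: a second attempt finds nothing
        if chal is None:
            return False
        expected = chap_response(ident, self._secret, chal)
        return secrets.compare_digest(expected, response)


def demo() -> Tuple[bool, bool, bool]:
    """Legitimate login, then two replays of the captured response."""
    server = ChapAuthenticator(SECRET)
    ident, chal = server.challenge()
    captured = chap_response(ident, SECRET, chal)     # what a peer sends (and a sniffer sees)
    first = server.verify(ident, captured)            # legitimate: True
    replay_same = server.verify(ident, captured)      # challenge consumed: False
    ident2, _chal2 = server.challenge()               # periodic re-challenge
    replay_new = server.verify(ident2, captured)      # bound to old challenge: False
    return first, replay_same, replay_new


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```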

80. Answer: A. Spoofing


Explanation: An email sent from an unknown source disguised as a source known to the message
recipient is an example of spoofing.

81. Answers: A, C, and F. IP spoofing, DDoS, and Large amount of ICMP echo replies
Explanation: The smurf attack is a Distributed Denial of Service (DDoS) attack in which large numbers of
Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are sent
to all hosts on a network through the network broadcast address. As a result, the targeted system gets
flooded with a large number of ICMP echo replies.

82. Answer: C. Typo squatting


Explanation: URL hijacking is also known as typo squatting. The term refers to the practice of registering
a misspelled domain name closely resembling another well-established and popular domain name, in
the hope of getting Internet traffic from users who make errors while typing the web address into
their browsers.

83. Answer: D. Gaining unauthorized access to restricted areas by following another person
Explanation: The practice of gaining unauthorized access to restricted areas by following another person
is called tailgating. Looking over someone's shoulder in order to get information is known as shoulder
surfing. The term war driving refers to scanning for unsecured wireless networks while driving in a car.
Manipulating/deceiving users into disclosing confidential information is known as social engineering.

84. Answer: C. Evil twin


Explanation: Evil twin is another term for a rogue access point. A rogue access point will have the same
network name as the legitimate access point and can be set up by an attacker in order to steal user
credentials or for the purpose of traffic eavesdropping.

85. Answer: B. Bluejacking


Explanation: Sending unsolicited messages over Bluetooth is known as bluejacking.

86. Answer: B. Bluesnarfing


Explanation: Gaining unauthorized access to a Bluetooth device is referred to as bluesnarfing.

87. Answer: C. Honeypot


Explanation: A monitored host or network specifically designed to detect unauthorized access attempts
is known as a honeypot. This type of system contains no valuable data and is used to divert the
attacker's attention from the corporate network. Multiple honeypots set up on a network are known as
a honeynet.

88. Answers: A, C, and D. Bypasses security controls, Actively tests security controls, and Exploits
vulnerabilities
Explanation: Penetration testing bypasses security controls and actively tests security controls by
exploiting vulnerabilities. Passive testing of security controls, identification of vulnerabilities and missing
security controls, or common misconfigurations are the features of a vulnerability scan.

89. Answer: D. Fuzzing


Explanation: Finding a vulnerability in an application by feeding it incorrect input is known as fuzzing, or
fuzz testing.

90. Answer: D. With enhanced security features


Explanation: The term Trusted OS refers to an operating system with enhanced security features. The
most common access control model used in Trusted OS is Mandatory Access Control (MAC). Examples of
Trusted OS implementations include Security Enhanced Linux (SELinux) and FreeBSD with the
TrustedBSD extensions.

91. Answer: C. TPM


Explanation: Trusted Platform Module (TPM) is a specification, published by the Trusted Computing
Group (TCG), for a microcontroller that can store secured information, and also the general name of
implementations of that specification. Trusted Platform Modules are hardware based security
microcontrollers that store keys, passwords and digital certificates and protect this data from external
software attacks and physical theft. TPMs are usually embedded on the motherboard of a personal
computer or laptop, but they can also be used in other devices such as mobile phones or network
equipment.

92. Answer: A. SSO


Explanation: An authentication subsystem that enables a user to access multiple, connected system
components (such as separate hosts on a network) after a single login at only one of the components is
known as Single Sign-On (SSO). A single sign-on subsystem typically requires a user to log in once at the
beginning of a session, and then during the session grants further access to multiple, separately
protected hosts, applications, or other system resources without further login action by the user.

93. Answer: A. Password and biometric scan


Explanation: Authentication is proving a user's identity to a system. The authentication process can be
based on different categories of authentication factors, including unique physical traits of each
individual such as fingerprints ("something you are"), physical tokens such as smart cards ("something
you have"), or user names and passwords ("something you know"). Additional factors might include
geolocation ("somewhere you are"), or user-specific activity patterns such as keyboard typing style
("something you do"). Multi-factor authentication systems require authentication factors from two or
more different categories.

94. Answer: B. WPS


Explanation: Wi-Fi Protected Setup (WPS) is a network security standard which simplifies configuration
of new wireless networks by providing non-technical users with a capability to easily configure network
security settings and add new devices to an existing network. WPS has known vulnerabilities and
disabling this functionality is one of the recommended ways of securing the network.

95. Answer: C. White box


Explanation: A penetration test of a computer system performed with prior knowledge of how the
system works is known as white box testing.

96. Answer: D. Fuzzing


Explanation: The practice of finding a vulnerability in an application by feeding it incorrect input is
referred to as fuzzing, or fuzz testing.

97. Answer: C. RC4


Explanation: Rivest Cipher 4 (RC4) is a symmetric stream cipher. Advanced Encryption Standard (AES),
Data Encryption Standard (DES) and Triple DES (3DES) are all block ciphers. RC4 is used in the Wired
Equivalent Privacy (WEP) standard for wireless encryption and in Secure Sockets Layer (SSL) for Internet
traffic encryption.

98. Answer: B. OCSP


Explanation: Online Certificate Status Protocol (OCSP) allows for querying a Certificate Authority (CA)
about the validity of a digital certificate. Another solution for checking whether a certificate has been
revoked is the Certificate Revocation List (CRL). CRLs are updated regularly and sent out to interested
parties. Compared to a CRL, OCSP allows for querying the CA at any point in time and retrieving the
information without delay.

99. Answer: B. Recovery agents


Explanation: Copies of lost private encryption keys can be retrieved from key escrow by recovery agents.
A recovery agent is an individual with access to the key database and a permission level allowing
him/her to extract keys from escrow.

100. Answer: B. Key escrow


Explanation: Key escrow is a storage solution used to retain copies of private encryption keys.
