Endpoint Security: My Knowledge Check Answers

How to find: Press “Ctrl + F” in the browser and fill in whatever wording is in the question to find that question/answer. If the question is not here, find it in Questions Bank.

NOTE: If you have the new question on this test, please comment Question and Multiple-Choice list in form below this article. We will update answers for you in the shortest time. Thank you! We truly value your contribution to the website.

Endpoint Security: My Knowledge Check Answers

1. Which Windows version was the first to introduce a 64-bit Windows operating system?

  • Windows NT
  • Windows XP
  • Windows 7
  • Windows 10

Explanation: There are more than 20 releases and versions of the Windows operating system. The Windows XP release introduced 64-bit processing to Windows computing.

2. Employees in an organization report that the network access is slow. Further investigation reveals that one employee downloaded a third-party scanning program for the printer. What type of malware may have been introduced?

  • Worm
  • Trojan horse
  • Spam
  • Phishing

Explanation: Worms are malicious code that replicates by independently exploiting vulnerabilities in networks. Worms usually slow down networks. Whereas a virus requires a host program to run, worms can run by themselves. Other than the initial infection, worms no longer require user participation. After a worm affects a host, it is able to spread very quickly over the network. Worms share similar patterns. They all have an enabling vulnerability, a way to propagate themselves, and they all contain a payload.

3. Which two options are window managers for Linux? (Choose two.)

  • File Explorer
  • Gnome
  • Kali
  • KDE
  • PenTesting

Explanation: The X Window System provides the basic framework for a GUI, but the GUI itself varies greatly between different distributions. Two window managers are Gnome and KDE.

4. On a Windows host, which tool can be used to create and maintain blacklists and whitelists?

  • Task Manager
  • Group Policy Editor
  • Computer Management
  • Local Users and Groups

Explanation: In Windows, blacklisting and whitelisting settings can be managed through the Group Policy Editor.

5. Users in a company have complained about network performance. After investigation, the IT staff has determined that an attacker has used a specific technique that affects the TCP three-way handshake. What is the name of this type of network attack?

  • SYN flood
  • DDoS
  • DNS poisoning
  • session hijacking

Explanation: The TCP SYN flood attack exploits the TCP three-way handshake. The threat actor continually sends TCP SYN session request packets with a randomly spoofed source IP address to an intended target.

6. Which parameter is commonly used to identify a wireless network name when a home wireless AP is being configured?

  • ad hoc
  • BESS
  • ESS
  • SSID

Explanation: The SSID is used to name a wireless network. This parameter is required in order for a wireless client to attach to a wireless AP.

7. What would be the target of an SQL injection attack?

  • database
  • DHCP
  • DNS
  • email

Explanation: SQL is the language used to query a relational database. Cybercriminals use SQL injections to get information, create fake or malicious queries, or to breach the database in some other way.

8. Which of the following are foundational principles of the cybersecurity domain? (Choose three.)

  • Security
  • Integrity
  • Policy
  • Encryption
  • Availability
  • Confidentiality

Explanation: There are three foundational principles of security. These are confidentiality, integrity, and availability. Together these three principles make up the security triad.

9. A social media site is describing a security breach in a sensitive branch of a national bank. In the post, it refers to a vulnerability. What statement describes that term?

  • The potential damage to the organization that is caused by the threat.
  • The actions that are taken to protect assets by mitigating a threat or reducing risk.
  • The likelihood that a particular threat will exploit a vulnerability of an asset and result in an undesirable consequence.
  • A weakness in a system or its design that could be exploited by a threat.

Explanation: Review terms and descriptions from module 2.

10. Why is Kali Linux a popular choice in testing the network security of an organization?

  • It is an open source Linux security distribution containing many penetration tools.
  • It can be used to intercept and log network traffic.
  • It can be used to test weaknesses by using only malicious software.
  • It is a network scanning tool that prioritizes security risks.

Explanation: Kali is an open source Linux security distribution that is commonly used by IT professionals to test the security of networks.

11. What type of attack targets an SQL database using the input field of a user?

  • XML injection
  • Cross-site scripting
  • SQL injection
  • buffer overflow

Explanation: A criminal can insert a malicious SQL statement in an entry field on a website where the system does not filter the user input correctly.

12. A security specialist is asked for advice on a security measure to prevent unauthorized hosts from accessing the home network of employees. Which measure would be most effective?

  • Implement intrusion detection systems.
  • Implement a firewall.
  • Implement a VLAN.
  • Implement RAID.

Explanation: Protecting data confidentiality requires an understanding of the technologies used to protect data in all three data states.

13. Refer to the exhibit. An IT security manager is planning security updates on this particular network. Which type of network is displayed in the exhibit and is being considered for updates?

Refer to the exhibit. An IT security manager is planning security updates on this particular network. Which type of network is displayed in the exhibit and is being considered for updates? 1

  • WAN
  • CAN
  • data center
  • SOHO

Explanation: A distinguishing factor of campus area networks (CANs) are that they have interconnected LANs.

14. Which two commands could be used to check if DNS name resolution is working properly on a Windows PC? (Choose two.)

  • nslookup cisco.com
  • net cisco.com
  • ping cisco.com
  • nbtstat cisco.com
  • ipconfig /flushdns

Explanation: The ping command tests the connection between two hosts. When ping uses a host domain name to test the connection, the resolver on the PC will first perform the name resolution to query the DNS server for the IP address of the host. If the ping command is unable to resolve the domain name to an IP address, an error will result.
Nslookup is a tool for testing and troubleshooting DNS servers.

15. What are three benefits of using symbolic links over hard links in Linux? (Choose three.)

  • Symbolic links can be exported.
  • They can be encrypted.
  • They can be compressed.
  • They can link to a directory.
  • They can show the location of the original file.
  • They can link to a file in a different file system.

Explanation: In Linux, a hard link is another file that points to the same location as the original file. A soft link (also called a symbolic link or a symlink) is a link to another file system name. Hard links are limited to the file system in which they are created and they cannot link to a directory; soft links are not limited to the same file system and they can link to a directory. To see the location of the original file for a symbolic link use the ls –l command.

16. Match the Apple system security feature to its purpose.

Match the Apple system security feature to its purpose. 1

17. A cyber criminal sends a series of maliciously formatted packets to the database server. The server cannot parse the packets and the event causes the server to crash. What is the type of attack the cyber criminal launches?

  • packet Injection
  • SQL injection
  • DoS
  • man-in-the-middle

Explanation: A cybersecurity specialist needs to be familiar with the characteristics of the different types of malware and attacks that threaten an organization.

18. Which field in the IPv4 header is used to prevent a packet from traversing a network endlessly?

  • Time-to-Live
  • Sequence Number
  • Acknowledgment Number
  • Differentiated Services

Explanation: The value of the Time-to-Live (TTL) field in the IPv4 header is used to limit the lifetime of a packet. The sending host sets the initial TTL value; which is decreased by one each time the packet is processed by a router. If the TTL field decrements to zero, the router discards the packet and sends an Internet Control Message Protocol (ICMP) Time Exceeded message to the source IP address. The Differentiated Services (DS) field is used to determine the priority of each packet. Sequence Number and Acknowledgment Number are two fields in the TCP header.

19. What is required in order to connect a Wi-Fi enabled laptop to a WPA secured wireless network?

  • a security encryption key
  • a MAC address
  • a username and password
  • an updated wireless driver

Explanation: Regardless of the levels of security configured on a WLAN, a WPA secured WLAN always requires the use of an encryption key. Without the proper key, a device cannot connect to the network.

20. Which network service allows administrators to monitor and manage network devices?

  • NTP
  • SNMP
  • syslog
  • NetFlow

Explanation: SNMP is an application layer protocol that allows administrators to manage and monitor devices on the network such as routers, switches, and servers.

21. When considering network security, what is the most valuable asset of an organization?

  • customers
  • data
  • financial resources
  • personnel

Explanation: Data, such as research and development data, sales data, financial data, human resource and legal data, employee data, contractor data, and customer data, is likely to be the most valuable asset for an organization.

22. What is the primary means for mitigating virus and Trojan horse attacks?

  • antivirus software
  • encryption
  • antisniffer software
  • blocking ICMP echo and echo-replies

Explanation: Antivirus software is the primary means of mitigating both virus and Trojan horse attacks. By using up-to-date antivirus software, the spread of viruses and Trojan horse attacks can be reduced.

23. Which language is used to query a relational database?

  • Python
  • C++
  • Java
  • SQL

Explanation: Cybercriminals use SQL injections to breach a relational database, create malicious SQL queries, and obtain sensitive data.

24. What does the term vulnerability mean?

  • a weakness that makes a target susceptible to an attack
  • a computer that contains sensitive information
  • a method of attack to exploit a target
  • a known target or victim machine
  • a potential threat that a hacker creates

Explanation: A vulnerability is not a threat, but it is a weakness that makes the PC or the software a target for attacks.

25. What is an IPS signature?

  • It is the timestamp that is applied to logged security events and alarms.
  • It is the authorization that is required to implement a security policy.
  • It is a set of rules used to detect typical intrusive activity.
  • It is a security script that is used to detect unknown threats.

Explanation: An IPS signature uniquely identifies specific malware, protocol anomalies, or malicious traffic. IPS sensors are tuned to look for matching signatures or abnormal traffic patterns. IPS signatures are conceptually similar to the virus.dat file used by virus scanners.

26. Why would a rootkit be used by a hacker?

  • to do reconnaissance
  • to try to guess a password
  • to gain access to a device without being detected
  • to reverse engineer binary files

Explanation: Hackers use rootkits to avoid detection as well as hide any software installed by the hacker.

27. Which Windows tool can be used by a cybersecurity administrator to secure stand-alone computers that are not part of an active directory domain?

  • Local Security Policy
  • Windows Defender
  • Windows Firewall
  • PowerShell

Explanation: Windows systems that are not part of an Active Directory Domain can use the Windows Local Security Policy to enforce security settings on each stand-alone system.

28. Which file system is the primary file system used by Apple in current Macintosh computers?

  • ext2
  • ext3
  • CDFS
  • HFS
  • APFS

Explanation: To use Force Quit, right-click on the application icon that is not responding from the Dock and close the application.

29. Which device in a LAN infrastructure is susceptible to MAC address-table overflow and spoofing attacks?

  • server
  • switch
  • workstation
  • firewall

Explanation: Switches are LAN infrastructure devices interconnecting endpoints. They are susceptible to LAN-related attacks including MAC address-table overflow attacks, spoofing attacks, LAN storm attacks, STP manipulation attacks, and VLAN attacks.

30. At a local college, students are allowed to connect to the wireless network without using a password. Which mode is the access point using?

  • network
  • open
  • passive
  • shared-key

Explanation: Network mode is not an authentication mode, it refers to WLAN standards for 802.11a/b/g/n/ac/ad and the ability for access points to operate in mixed mode to support different standards, but it is not an authentication mode. Open authentication is a null authentication mode because wireless connectivity is granted to any wireless device. This authentication is used where security is not a concern. Passive mode is not an authentication mode, it refers to the open advertisement of the SSID, standards, and security settings by an access point. Shared-key authentication uses a pre-shared key between the client and the access point.

31. What is the term used when a malicious party sends a fraudulent email disguised as being from a legitimate, trusted source?

  • phishing
  • vishing
  • backdoor
  • trojan

Explanation: Phishing is used by malicious parties who create fraudulent messages that attempt to trick a user into either sharing sensitive information or installing malware.

32. Which term describes a field in the IPv4 packet header used to detect corruption in the IPv4 header?

  • header checksum
  • version
  • destination IPv4 address
  • protocol

Explanation: The header checksum is used to determine if any errors have been introduced during transmission.

33. What is a nontechnical method that a cybercriminal would use to gather sensitive information from an organization?

  • man-in-the-middle
  • ransomeware
  • social engineering
  • pharming

Explanation: A cybersecurity specialist needs to be familiar with the characteristics of the different types of malware and attacks that threaten an organization.

34. Match the type of cyberattackers to the description. (Not all options are used.)

Match the type of cyberattackers to the description. (Not all options are used.) 1

35. What is the purpose of a personal firewall on a computer?

  • to protect the hardware against fire hazard
  • to filter the traffic that is moving in and out of the PC
  • to protect the computer from viruses and malware
  • to increase the speed of the Internet connection

Explanation: The purpose of a firewall is to filter the traffic that is moving in and out of the PC. A computer firewall cannot deny all illegal traffic from a computer or increase the speed of any connection. It is also not able to protect hardware against fire hazards.

36. What technology was created to replace the BIOS program on modern personal computer motherboards?

  • UEFI
  • RAM
  • CMOS
  • MBR

Explanation: As of 2015, most personal computer motherboards are shipped with UEFI as the replacement for the BIOS program.

37. Which protocol provides authentication, integrity, and confidentiality services and is a type of VPN?

  • AES
  • ESP
  • IPsec
  • MD5

Explanation: IPsec services allow for authentication, integrity, access control, and confidentiality. With IPsec, the information exchanged between remote sites can be encrypted and verified. Both remote-access and site-to-site VPNs can be deployed using IPsec.

38. A new PC is taken out of the box, started up and connected to the Internet. Patches were downloaded and installed. Antivirus was updated. In order to further harden the operating system what can be done?

  • Turn off the firewall.
  • Remove the administrator account.
  • Remove unnecessary programs and services.
  • Install a hardware firewall.
  • Give the computer a nonroutable address.

Explanation: When hardening an operating system, patching and antivirus are part of the process. Many extra components are added by the manufacturer that are not necessarily needed.

39. A cybercriminal sends a series of maliciously formatted packets to a database server, which causes the server to crash. What do you call this type of attack?

  • Packet injection
  • SQL injection
  • DoS
  • Man-in-the-middle

Explanation: A cybersecurity specialist needs to be familiar with the characteristics of the different types of malware and attacks that threaten an organization.

40. Which Linux command can be used to display the name of the current working directory?

  • ps
  • pwd
  • chmod
  • sudo

Explanation: One of the most important commands in Linux is the pwd command, which stands for print working directory. It shows users the physical path for the directory they are working in.

41. A user creates a file with .ps1 extension in Windows. What type of file is it?

  • PowerShell script
  • PowerShell cmdlet
  • PowerShell function
  • PowerShell documentation

Explanation: The types of commands that PowerShell can execute include the following:

  • cmdlets – perform an action and return an output or object to the next command that will be executed
  • PowerShell scripts – files with a .ps1 extension that contain PowerShell commands that are executed
  • PowerShell functions – pieces of code that can be referenced in a script

42. What principle prevents the disclosure of information to unauthorized people, resources, and processes?

  • confidentiality
  • integrity
  • availability
  • nonrepudiation
  • accounting

Explanation: The security principle of confidentiality refers to the prevention of the disclosure of information to unauthorized people, resources, and processes.

43. What is a daemon?

  • a background process that runs without the need for user interaction
  • a record to keep track of important events
  • a type of security attack
  • an application that monitors and analyzes suspicious activity

Explanation: A daemon in Linux is a background process that runs without the need for user interaction. A network administrator can view log files in order to see information about daemons running on the Linux server.

44. Which technology is used to secure, monitor, and manage mobile devices?

  • MDM
  • VPN
  • rootkit
  • ASA firewall

Explanation: Mobile Device Management (MDM) is used to secure, monitor, and manage both corporate-owned and employee-owned devices such as smartphones, tablets, laptops, and desktops.

45. What kind of ICMP message can be used by threat actors to map an internal IP network?

  • ICMP echo request
  • ICMP router discovery
  • ICMP mask reply
  • ICMP redirects

Explanation: Common ICMP messages of interest to threat actors include these:

  • ICMP echo request and echo reply: used to perform host verification and DoS attacks
  • ICMP unreachable: used to perform network reconnaissance and scanning attacks
  • ICMP mask reply: used to map an internal IP network
  • ICMP redirects: used to lure a target host into sending all traffic through a compromised device and create a man-in-the-middle attack
  • ICMP router discovery: used to inject bogus route entries into the routing table of a target host

46. Match typical Linux log files to the function.

Match typical Linux log files to the function. 1


  • used by RedHat and CentOS computers and tracks authentication-related events: /var/log/secure
  • contains generic computer activity logs, and is used to store informational and noncritical system messages: /var/log/messages
  • stores information related to hardware devices and their drivers: /var/log/dmesg
  • used by Debian and Ubuntu computers and stores all authentication-related events: /var/log/auth.log

47. Which statement describes the term iptables?

  • It is a DNS daemon in Linux.
  • It is a DHCP application in Windows.
  • It is a rule-based firewall application in Linux.
  • It is a file used by a DHCP server to store current active IP addresses.

Explanation: Iptables is an application that allows Linux system administrators to configure network access rules.

48. Which wireless encryption method is the most secure?

  • WPA
  • WEP
  • WPA2 with TKIP
  • WPA2 with AES

Explanation: IEEE 802.11i and WPA2 both use the Advanced Encryption Standard (AES) for encryption. AES is currently considered the strongest encryption protocol. WPA2 does not use TKIP (Temporal Key Integrity Protocol). It is WPA that uses TKIP. Although WPA provides stronger encryption than WEP, it is is not as strong as WPA2 (AES).

49. Which statement describes the term attack surface?

  • It is the network interface where attacks originate.
  • It is the group of hosts that experiences the same attack.
  • It is the total number of attacks toward an organization within a day.
  • It is the total sum of vulnerabilities in a system that is accessible to an attacker.

Explanation: An attack surface is the total sum of the vulnerabilities in a system that is accessible to an attacker. The attack surface can consist of open ports on servers or hosts, software that runs on Internet-facing servers, wireless network protocols, and even users.

50. A secretary receives a phone call from someone claiming that their manager is about to give an important presentation but the presentation files are corrupted. The caller sternly asks that the secretary email the presentation right away to a personal email address. The caller also states that the secretary is being held personally responsible for the success of this presentation. What type of social engineering tactic is the caller using?

  • Trusted partners
  • Familiarity
  • Intimidation
  • Urgency

Explanation: Intimidation is a tactic that cybercriminals will often use to bully a victim into taking an action that compromises security.

51. How much RAM is addressable by a 32-bit version of Windows?

  • 4 GB
  • 8 GB
  • 16 GB
  • 32 GB

Explanation: A 32-bit operating system is capable of supporting approximately 4 GB of memory. This is because 2^32 is approximately 4 GB.

52. A threat actor uses a program to launch an attack by sending a flood of UDP packets to a server on the network. The program sweeps through all of the known ports trying to find closed ports. It causes the server to reply with an ICMP port unreachable message and is similar to a DoS attack. Which two programs could be used by the threat actor to launch the attack? (Choose two.)

  • ping
  • Smurf
  • WireShark
  • UDP Unicorn
  • Low Orbit Ion Cannon

Explanation: A threat actor can use a tool like UDP Unicorn or Low Orbit Ion Cannon to send a flood of UDP packets to launch a UDP flood attack that causes all the resources on a network to become consumed. These types of programs will sweep through all the known ports trying to find closed ports. This causes the server to reply with an ICMP port unreachable message. Because of the many closed ports on the server, there is so much traffic on the segment that almost all the bandwidth gets used. The end result is very similar to a DoS attack.

53. Which antimalware software approach can recognize various characteristics of known malware files to detect a threat?

  • routing-based
  • behavior-based
  • signature-based
  • heuristics-based

Explanation: Antimalware programs may detect viruses using three different approaches:

  • signature-based – by recognizing various characteristics of known malware files
  • heuristics-based – by recognizing general features shared by various types of malware
  • behavior-based – through analysis of suspicious activities

54. Which wireless parameter refers to the frequency bands used to transmit data to a wireless access point?

  • SSID
  • channel settings
  • security mode
  • scanning mode

Explanation: An access point can be manually set to a specific frequency band or channel in order to avoid interference with other wireless devices in the area.

55. What is the motivation of a white hat attacker?

  • taking advantage of any vulnerability for illegal personal gain
  • fine tuning network devices to improve their performance and efficiency
  • studying operating systems of various platforms to develop a new system
  • discovering weaknesses of networks and systems to improve the security level of these systems

Explanation: White hat attackers break into networks or computer systems in order to discover weaknesses for the purpose of improving the security of these systems. These break-ins are done with permission from the owner or the organization. Any results are reported back to the owner or the organization.

56. What is the reason for disabling SSID broadcasting and changing the default SSID on a wireless access point?

  • Anyone with the default SSID can gain access to the access point and change the configuration.
  • Disabling SSID broadcasting frees up radio frequency bandwidth and increases the data throughput of the access point.
  • The access point stops broadcasting its own MAC address, thus preventing unauthorized wireless clients from connecting to the network.
  • Wireless clients must then have the SSID manually configured to connect to the wireless network.

Explanation: The SSID is the name of the wireless network. Changing the default SSID forces device users to manually enter the SSID in order to gain access to the network. Broadcasting the SSID does not allow other devices to access the configuration, or to discover the MAC address of the device. SSID broadcasts do not affect radio frequency bandwidth.

57. Which statement describes a VPN?

  • VPNs use dedicated physical connections to transfer data between remote users.
  • VPNs use logical connections to create public networks through the Internet.
  • VPNs use open source virtualization software to create the tunnel through the Internet.
  • VPNs use virtual connections to create a private network through a public network.

Explanation: A VPN is a private network that is created over a public network. Instead of using dedicated physical connections, a VPN uses virtual connections routed through a public network between two network devices.

58. Consider the result of the ls -l command in the Linux output below. What are the file permissions assigned to the sales user for the analyst.txt file?

ls –l analyst.txt
-rwxrw-r-- sales staff 1028 May 28 15:50 analyst.txt
  • write only
  • read, write, execute
  • read, write
  • read only

Explanation: The file permissions are always displayed in the User, Group and Other order. In the example displayed, the file has the following permissions:
The dash (-) means that this is a file. For directories, the first dash would replaced with a “d”.
The first set of characters is for user permission (rwx). The user, sales, who owns the file can read, write and execute the file.
The second set of characters is for group permissions (rw-). The group, staff, who owns the file can read and write to the file.
The third set of characters is for any other user or group permissions (r–). Any other user or group on the computer can only read the file.

59. In Windows Firewall, when is the Domain profile applied?

  • when the host accesses the Internet
  • when the host checks emails from an enterprise email server
  • when the host is connected to a trusted network such as an internal business network
  • when the host is connected to an isolated network from the Internet by another security device

Explanation: The Domain profile in Windows Firewall configuration is for connections to a trusted network, such as a business network, that is assumed to have an adequate security infrastructure.

60. What are three states of data during which data is vulnerable? (Choose three.)

  • stored data
  • purged data
  • data in-transit
  • data encrypted
  • data decrypted
  • data in-process

Explanation: A cybersecurity specialist must be aware of each of the three states of data to effectively protect data and information. Purged data was stored data. Encrypted and decrypted data can be in any of the three states.

61. What does a rootkit modify?

  • operating system
  • programs
  • screen savers
  • notepad
  • microsoft Word

Explanation: A rootkit commonly modifies an operating system to create a backdoor to bypass normal authentication mechanisms.

62. Which security technology is commonly used by a teleworker when accessing resources on the main corporate office network?

  • IPS
  • VPN
  • SecureX
  • biometric access

Explanation: VPNs are commonly used between corporate sites and between mobile or remote workers that connect to and use resources on the corporate network.

63. Which of the following statements describes a distributed denial of service (DDoS) attack?

  • An attacker sends an enormous quantity of data that a server cannot handle
  • An attacker monitors network traffic to learn authentication credentials
  • One computer accepts data packets based on the MAC address of another computer
  • A botnet of zombies, coordinated by an attacker, overwhelms a server with DoS attacks

Explanation: An attacker builds a network of infected hosts, called a botnet, comprised of zombies. Zombies are the infected hosts. The attacker uses handler systems to control the zombies. The zombie computers constantly scan and infect more hosts, creating more zombies. When ready, the hacker instructs the handler systems to make the botnet of zombies carry out a DDoS attack.

64. Match the network-based anti-malware solution to the function. (Not all options are used.)

Endpoint Security (ESec) Module 7 - 10 Group Exam 17

Explanation: Place the options in the following order:

Provides filtering of SPAM and potentially malicious emails before they reach the endpoint Email security appliance
Provides filtering of websites and blacklisting before they reach the endpoint Web security appliance
Permits only authorized and compliant systems to connect to the network Network admission control
Provides dynamic IP addresses to authenticated endpoints No answer available
Provides endpoint protection from viruses and malware Advanced malware protection

65. What is the result of a DHCP starvation attack?

  • Legitimate clients are unable to lease IP addresses.
  • Clients receive IP address assignments from a rogue DHCP server.
  • The attacker provides incorrect DNS and default gateway information to clients.
  • The IP addresses assigned to legitimate clients are hijacked.

Explanation: DCHP starvation attacks are launched by an attacker with the intent to create a DoS for DHCP clients. To accomplish this goal, the attacker uses a tool that sends many DHCPDISCOVER messages to lease the entire pool of available IP addresses, thus denying them to legitimate hosts.

66. Which two attacks target web servers through exploiting possible vulnerabilities of input functions used by an application? (Choose two.)

  • SQL injection
  • port scanning
  • port redirection
  • trust exploitation
  • cross-site scripting

Explanation: When a web application uses input fields to collect data from clients, threat actors may exploit possible vulnerabilities for entering malicious commands. The malicious commands that are executed through the web application might affect the OS on the web server. SQL injection and cross-site scripting are two different types of command injection attacks.

67. A client device has initiated a secure HTTP request to a web browser. Which well-known port address number is associated with the destination address?

  • 404
  • 80
  • 443
  • 110

Explanation: Port numbers are used in TCP and UDP communications to differentiate between the various services running on a device. The well-known port number used by HTTPs is port 443.

68. What occurs when a rogue access point is added to a WLAN?

  • Authorized access points can transmit excess traffic to rogue access points to help alleviate congestion.
  • Unauthorized users can gain access to internal servers, thus causing a security hole.
  • All traffic that uses the same channel as the rogue access point will be encrypted.
  • All traffic that uses the same channel as the rogue access point will be required to authenticate.

69. What is the first line of defense to protect a device from improper access control?

  • encryption
  • end user license agreement (EULA)
  • passwords
  • shredding

Explanation: Improper access control is a common data loss vector. Passwords are the first line of defense because stolen or weak passwords provide a threat actor access to machines and data on the network.

70. What would be displayed if the netstat -abno command was entered on a Windows PC?

  • a local routing table
  • only active TCP connections in an ESTABLISHED state
  • only active UDP connections in an LISTENING state
  • all active TCP and UDP connections, their current state, and their associated process ID (PID)

Explanation: With the optional switch -abno, the netstat command will display all network connections together with associated running processes. It helps a user identify possible malware connections.

71. What three tasks are accomplished by a comprehensive security policy? (Choose three.)

  • sets rules for expected behavior
  • defines legal consequences of violations
  • gives security staff the backing of management
  • vagueness
  • useful for management
  • is not legally binding

Explanation: The security policy of an organization accomplishes several tasks:

  • It demonstrates the commitment to security by an organization.
  • It sets the rules for expected behavior.
  • It ensures consistency in system operations, and software and hardware acquisition use and maintenance.
  • It defines the legal consequences of violations.
  • It gives security staff the backing of management.

72. What is the purpose of the cd∖ command?

  • changes directory to the root directory
  • changes directory to the next highest directory
  • changes directory to the previous directory
  • changes directory to the next lower directory

Explanation: CLI commands are typed into the Command Prompt window of the Windows operating system. The cd\ command is used to change the directory to the Windows root directory.

73. As described by the SANS Institute, which attack surface includes the exploitation of vulnerabilities in wired and wireless protocols used by IoT devices?

  • human attack surface
  • Internet attack surface
  • network attack surface
  • software attack surface

Explanation: The SANS Institute describes three components of the attack surface:

  • Network Attack Surface – exploitation of vulnerabilities in networks
  • Software Attack Surface – exploitation of vulnerabilities in web, cloud, or host-based software applications
  • Human Attack Surface – exploitation of weaknesses in user behavior

74. Which term is used for bulk advertising emails flooded to as many end users as possible?

  • Phishing
  • Brute force
  • Spam
  • Adware

Explanation: Spam is annoying and unwanted bulk email that is sent to as many end users as possible.

75. A flood of packets with invalid source IP addresses requests a connection on the network. The server busily tries to respond, resulting in valid requests being ignored. What type of attack has occurred?

  • UDP flood
  • TCP session hijacking
  • TCP reset
  • TCP SYN flood

Explanation: The TCP SYN Flood attack exploits the TCP three-way handshake. The threat actor continually sends TCP SYN session request packets with a randomly spoofed source IP address to an intended target. The target device replies with a TCP SYN-ACK packet to the spoofed IP address and waits for a TCP ACK packet. Those responses never arrive. Eventually the target host is overwhelmed with half-open TCP connections and denies TCP services.

76. Which type of network attack involves randomly opening many Telnet requests to a router and results in a valid network administrator not being able to access the device?

  • spoofing
  • man-in-the-middle
  • SYN flooding
  • DNS poisoning

Explanation: The TCP SYN Flood attack exploits the TCP three-way handshake. The threat actor continually sends TCP SYN session request packets with a randomly spoofed source IP address to an intended target. The target device replies with a TCP SYN-ACK packet to the spoofed IP address and waits for a TCP ACK packet. Those responses never arrive. Eventually the target host is overwhelmed with half-open TCP connections and denies TCP services.

77. Which two options can limit the information discovered from port scanning? (Choose two.)

  • authentication
  • encryption
  • firewall
  • intrusion prevention system
  • passwords

Explanation: Using an intrusion prevention system (IPS) and firewall can limit the information that can be discovered with a port scanner. Authentication, encryption, and passwords provide no protection from loss of information from port scanning.

78. What would be a reason for a computer user to use the Task Manager Performance tab?

  • to increase the performance of the CPU
  • to view the processes that are running and end a process if needed
  • to view the services that are currently running on the PC
  • to check the CPU usage of the PC

Explanation: The Performance tab is commonly used to check current computer performance. Two key areas that are shown are memory and CPU usage.

79. Which type of networks poses increasing challenges to cybersecurity specialists due to the growth of BYOD on campus?

  • sneaker net
  • wireless networks
  • wired networks
  • virtual networks

Explanation: A cybersecurity specialist must be familiar with the types of technologies used to store, transmit, and process data.

80. Which method can be used to harden a device?

  • Allow users to re-use old passwords.
  • Allow USB auto-detection.
  • Force periodic password changes.
  • Allow default services to remain enabled.

Explanation: The basic best practices for device hardening are as follows:
Ensure physical security.
Minimize installed packages.
Disable unused services.
Use SSH and disable the root account login over SSH.
Keep the system updated.
Disable USB auto-detection.
Enforce strong passwords.
Force periodic password changes.
Keep users from re-using old passwords.
Review logs regularly.

81. Which technology is used by Cisco Advanced Malware Protection (AMP) in defending and protecting against known and emerging threats?

  • network admission control
  • website filtering and blacklisting
  • network profiling
  • threat intelligence

Explanation: Cisco AMP uses threat intelligence along with known file signatures to identify and block policy-violating file types and exploitations.

82. Which user can override file permissions on a Linux computer?

  • any user that has ‘group’ permission to the file
  • root user
  • any user that has ‘other’ permission to the file
  • only the creator of the file

Explanation: A user has as much rights to a file as the file permissions allow. The only user that can override file permission on a Linux computer is the root user. Because the root user has the power to override file permissions, the root user can write to any file.

83. What do you call an impersonation attack that takes advantage of a trusted relationship between two systems?

  • Sniffing
  • Spamming
  • Spoofing
  • Man-in-the-middle

Explanation: In spoofing attacks, hackers can disguise their devices by using a valid address from the network and therefore bypass authentication processes. MAC addresses and IP addresses can be spoofed and can also be used to spoof ARP relationships.

84. Which device can control and manage a large number of corporate APs?

  • LWAP
  • router
  • switch
  • WLC

Explanation: A wireless LAN controller (WLC) can be configured to manage multiple lightweight access points (LWAPs). On the WLC, a network administrator can configure SSIDs, security, IP addressing, and other wireless network parameters in a centralized management environment.

85. Which HIDS is an open-source based product?

  • Tripwire
  • Cisco AMP
  • AlienVault USM

Explanation: The Open Source HIDS SECurity (OSSEC) software is an open-source HIDS that uses a central manager server and agents that are installed on the hosts that are to be monitored.

86. An attacker is using a laptop as a rogue access point to capture all network traffic from a targeted user. Which type of attack is this?

  • trust exploitation
  • buffer overflow
  • man in the middle
  • port redirection

Explanation: An access attack tries to gain access to a resource using a hijacked account or other means. The five types of access attacks include the following:password – a dictionary is used for repeated login attempts
trust exploitation – uses granted privileges to access unauthorized material
port redirection – uses a compromised internal host to pass traffic through a firewall
man-in-the-middle – an unauthorized device positioned between two legitimate devices in order to redirect or capture traffic
buffer overflow – too much data sent to a memory location that already contains data

87. A threat actor wants to interrupt a normal TCP communication between two hosts by sending a spoofed packet to both endpoints. Which TCP option bit would the threat actor set in the spoofed packet?

  • ACK
  • FIN
  • RST
  • SYN

Explanation: A TCP reset attack can be used to terminate TCP communications between two hosts by sending a spoofed TCP RST packet. A TCP connection is torn down when it receives an RST bit.

88. Employees in an organization report that they cannot access the customer database on the main server. Further investigation reveals that the database file is now encrypted. Shortly afterward, the organization receives a threatening email demanding payment for the decryption of the database file. What type of attack has the organization experienced?

  • DoS attack
  • Man-in-the-middle attack
  • Ransomware
  • Trojan horse

Explanation: In a ransomware attack, the attacker compromises the victum computer and encrypts the hard drive so that data can no longer be accessed by the user. The attacker then demands payment from the user to decrypt the drive.

Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x