1. Which antimalware software approach can recognize various characteristics of known malware files to detect a threat?
- heuristics-based
- routing-based
- behavior-based
- signature-based
Explanation: Antimalware programs may detect viruses using three different approaches:
- signature-based – by recognizing various characteristics of known malware files
- heuristics-based – by recognizing general features shared by various types of malware
- behavior-based – through analysis of suspicious activities
2. In most host-based security suites, which function provides robust logging of security-related events and sends logs to a central location?
- safe browsing
- intrusion detection and prevention
- anti-phishing
- telemetry
Explanation: The telemetry functionality in most host-based security suites provides robust logging functionality and submits logs to a central location for analysis.
3. Which technology might increase the security challenge to the implementation of IoT in an enterprise environment?
- data storage
- CPU processing speed
- cloud computing
- network bandwidth
Explanation: With cloud computing, boundaries of enterprise networks are expanded to include locations on the Internet for which the enterprises are not responsible. Malicious software might access the internal network endpoints to attack internal networks.
4. Which statement describes the term attack surface?
- It is the total number of attacks toward an organization within a day.
- It is the network interface where attacks originate.
- It is the group of hosts that experiences the same attack.
- It is the total sum of vulnerabilities in a system that is accessible to an attacker.
Explanation: An attack surface is the total sum of the vulnerabilities in a system that is accessible to an attacker. The attack surface can consist of open ports on servers or hosts, software that runs on Internet-facing servers, wireless network protocols, and even users.
5. Which HIDS is an open-source based product?
- Tripwire
- AlienVault USM
- Cisco AMP
- OSSEC
Explanation: The Open Source HIDS SECurity (OSSEC) software is an open-source HIDS that uses a central manager server and agents that are installed on the hosts that are to be monitored.
6. Which device in a LAN infrastructure is susceptible to MAC address-table overflow and spoofing attacks?
- workstation
- switch
- firewall
- server
Explanation: Switches are LAN infrastructure devices interconnecting endpoints. They are susceptible to LAN-related attacks including MAC address-table overflow attacks, spoofing attacks, LAN storm attacks, STP manipulation attacks, and VLAN attacks.
7. As described by the SANS Institute, which attack surface includes the use of social engineering?
- network attack surface
- software attack surface
- Internet attack surface
- human attack surface
Explanation: The SANS Institute describes three components of the attack surface:
- Network Attack Surface – exploitation of vulnerabilities in networks
- Software Attack Surface – exploitation of vulnerabilities in web, cloud, or host-based software applications
- Human Attack Surface – exploitation of weaknesses in user behavior
8. What is a host-based intrusion detection system (HIDS)?
- It detects and stops potential direct attacks but does not scan for malware.
- It identifies potential attacks and sends alerts but does not stop the traffic.
- It is an agentless system that scans files on a host for potential malware.
- It combines the functionalities of antimalware applications with firewall protection.
Explanation: A current HIDS is a comprehensive security application that combines the functionalities of antimalware applications with firewall protection. An HIDS not only detects malware but also prevents it from executing. Because the HIDS runs directly on the host, it is considered an agent-based system.
9. Which security endpoint setting would be used by a security analyst to determine if a computer has been configured to prevent a particular application from running?
- services
- block listing
- baselining
- Allow listing
Explanation: Block listing can be used on a local system or updated on security devices such as a firewall. Block lists can be manually entered or obtained from a centralized security system. Block lists are applications that are prevented from executing because they pose a security risk to the individual system and potentially the company.
10. In Windows Firewall, when is the Domain profile applied?
- when the host accesses the Internet
- when the host checks emails from an enterprise email server
- when the host is connected to a trusted network such as an internal business network
- when the host is connected to an isolated network from the Internet by another security device
Explanation: The Domain profile in Windows Firewall configuration is for connections to a trusted network, such as a business network, that is assumed to have an adequate security infrastructure.
11. As described by the SANS Institute, which attack surface includes the exploitation of vulnerabilities in wired and wireless protocols used by IoT devices?
- Internet attack surface
- software attack surface
- human attack surface
- network attack surface
Explanation: The SANS Institute describes three components of the attack surface:
- Network Attack Surface – exploitation of vulnerabilities in networks
- Software Attack Surface – exploitation of vulnerabilities in web, cloud, or host-based software applications
- Human Attack Surface – exploitation of weaknesses in user behavior
12. Which statement describes agentless antivirus protection?
- Host-based antivirus systems provide agentless antivirus protection.
- Antivirus scans are performed on hosts from a centralized system.
- The antivirus protection is provided by the ISP.
- The antivirus protection is provided by the router that is connected to a cloud service.
Explanation: Host-based antivirus protection is also known as agent-based. Agent-based antivirus runs on every protected machine. Agentless antivirus protection performs scans on hosts from a centralized system.