Mock Exam1

Question 1

You are the Chief Information Security Officer (CISO), and have been invited to meet with the board of directors at their monthly meeting. In that meeting, the CEO states that someone called Joe Hopkins from the help desk has been calling him and some of the board members to help reset their passwords as the old passwords were too insecure. The financial director found this very strange as this Joe Hopkins is not on the payroll. Which of the following is the BEST answer for what has been discovered?

A. Social engineering.
B. Spear phishing.
C. Vishing attack.
D. Password cracking.
E. Phishing.
F. Replay.

Answer 1

A Social engineering.

Concept: This is a social engineering impersonation attack where Joe pretends to be from the help desk. The financial director confirms this.

Question 2

You are the cybersecurity administrator for a large company that has offices in Stuttgart. The SIEM system alerts you that files are being deleted on file server FS001. The cyber administrator cannot find any remote connection to the file server. He then quarantines the file server from the network. The deletion of the files is still in progress. The forensics team discovers that a script was placed there by Dave Lloyd, who had left the company exactly four weeks ago. Which of the following BEST describes the actions of Dave Lloyd?

a. Dave Lloyd installed a RAT into the file server and is actively removing files.
b. Dave Lloyd placed a logic bomb on the file server to delete the files once he had gone so that he was not a suspect.
c. Dave Lloyd installed ransomware to encrypt the customers’ critical files.
d. Dave Lloyd connected through a VPN connection and remotely deleted files.

Answer 2

B

David Lloyd left exactly 4 weeks ago and logic bombs work on a trigger; here, it was the time of 4 weeks.

Question 3

Following an annual penetration test, the chief information security officer notices in the final report that all of the company’s domain controllers are vulnerable to a pass‐the‐hash attack. Which of the following actions should the company take to mitigate the risk (choose TWO)?

a. Enable CHAP.
b. Disable CHAP.
c. Disable NTLM.
d. Disable MD5.
e. Enable Kerberos.
f. Disable PAP.

Answer 3

c, e

A pass‐the‐hash attack needs NTLM authentication, therefore, if you disable it or use Kerberos authentication, both will prevent the attack.

Question 4

Q: Your new interns are debating the difference between Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). They look to you, their manager, to settle the argument.

Which of the following statements is the MOST accurate?

A. An XSS attack’s primary goal is to forge a request, exploiting the trust a site has in a user’s browser.
B. A CSRF attack’s primary goal is to inject malicious script, exploiting the trust a user has in a site.
C. A successful XSS attack does not require the victim to be authenticated, though it can be more damaging if they are.
D. A successful CSRF attack does not require the victim to be authenticated, as it is forging a new session.

Answer 4

C. A successful XSS attack does not require the victim to be authenticated, though it can be more damaging if they are.

Explanation
A is Wrong: This is the definition of CSRF.

B is Wrong: This is the definition of XSS.

C is Correct: An XSS attack (like injecting a script to deface a webpage) works on any user, logged in or not. It’s just more dangerous if the user is authenticated because the script can then be used to steal their session cookie.

D is Wrong: This is the opposite of the truth. A CSRF attack absolutely requires the victim to have an active, authenticated session for the attack to work. The attack’s entire premise is based on exploiting that existing session.

Question 5

A well‐known hacker called Mark Birch has been detained by the local police. When they searched his home, they found various pieces of information about your company on a large whiteboard. The information has been obtained from a social media website, such as Facebook and LinkedIn. It has details about the company’s hierarchy, the executives, administrators, and help-desk staff. Which of the following BEST describes the type of attack he has carried out?

a. White-box testing.
b. Passive reconnaissance.
c. Black-box testing.
d. Initial exploitation.
e. Gray-box testing.
g. Intrusive scanning.

Answer 5

b

Passive reconnaissance is where information is gathered about the company, but no real action has been taken.

Question 6

A security analyst is leading a workshop for employees on “Securing Your Smart Home.” The goal is to protect the home network from compromised IoT devices (smart cameras, thermostats) and printers.

Which THREE recommendations are the most critical to include in the guide?

A. Use the device’s default password for the first 24 hours to ensure stability.
B. Change default usernames and passwords immediately upon setup.
C. Place IoT devices on a separate “Guest” Wi-Fi network or VLAN.
D. Enable UPnP to ensure devices can be reached from the internet.
E. Disable UPnP to prevent devices from automatically opening ports to the internet.
F. Connect printers directly to the modem to bypass the firewall.

Answer 6

B, C, E

Explanation:
1. B (Change Defaults): Default credentials are the #1 attack vector for IoT (e.g., the Mirai botnet).
2. C (Segmentation): Putting IoT devices on a Guest Network or VLAN isolates them. If your smart fridge gets hacked, the attacker cannot pivot from the fridge to your laptop to steal your banking info.
3. E (Disable UPnP): UPnP allows devices to punch holes in your firewall automatically. Disabling it ensures IoT devices are not “directly connected” (exposed) to the public internet without your knowledge.

(Note on MFDs/Printers: They are attacked via their Network Interface. The advice to secure them is the same as any other IoT device: change the password and don’t expose the admin page to the internet).

Question 7

You are the chief information security officer for a large multinational corporation that has offices in Hong Kong, London, Paris, and New York. The New York office has 100 employees, The Hong Kong office has five employees, Paris has four employees, and London has the most, with 10,000 employees. You have purchased a small company based in Alaska that has four people. They have been using weak passwords. Which of the following is a compensating control that was adopted to BEST mitigate the risk of using weak passwords?

a. Use a password history with a value of 3.
b. Implement time‐based one-time passwords.
c. Increase the password history to a value of 20.
d. Set the account lockout to a value of 1.
e. Set the password expiry to three days.

Answer 7

e

We should never use weak passwords, however, if the exam says we are using them, then we need to accept it. The only way to mitigate the risk is to use a very short password expiry time.

Question 8

What type of attack is a padding oracle on downgrading legacy encryption attack (Choose TWO)?

a. IV attack.
b. Replay attack.
c. Man‐in‐the-middle attack.
d. TLS 1.0 with electronic-code book.
e. SSL 3.0 with chain-block cipher.

Answer 8

c, e

A POODLE attack is a man in the middle that exploits a downgraded browser using SSL 3.0 with CBC.

Question 9

The cybersecurity team have set up a honeypot to track the attack vector of a newly released malware. As they review the virus, they notice that the hash value of the malware changes from host to host. Which of the following types of malware has been detected?

a. Virus.
b. RAT.
c. Worm.
d. Logic bomb.
e. Polymorphic virus.

Answer 9

e

A polymorphic virus mutates as it replicates; that is why the hash is changing.

Question 10

The cybersecurity team have looked at the latest trends and have identified that there has been an increase in brute-force attacks. Which of the following is a random value that can be appended to the stored password to make it more difficult for a brute-force password attack to be carried out (choose TWO)?

a. Obfuscation.
b. Nonce.
c. Key stretching.
d. Salting.

Answer 10

c, d

Both salting and key stretching increase the password length by appending random characters to the end of the password.

Question 11

There has been a spate of DNS-poisoning attacks and your company wants to make itself resilient against these attacks. Your company wants to encrypt the DNS traffic by using DNSSEC. Once you have signed the zone, what record is created for each host?

a. CNAME.
b. SPF.
c. RRSIG.
d. MX.
e. PTR

Answer 11

c

DNSSEC encrypts DNS traffic preventing DNS poisoning and produces RRSIG records.

Question 12

A security administrator discovers that an attacker used a compromised host as a platform for launching attacks deeper into a company’s network. What terminology BEST describes the use of the compromised host?

a. Brute force.
b. Active reconnaissance.
c. Pivoting.
d. Passing point.

Answer 12

c

Pivoting is where an attacker enters your network via a vulnerable host then attacks a secondary host.

Question 13

At what stage of the SDLC are computer systems no longer supported by the original vendor?

a. Sandboxing.
b. End‐of‐life systems.
c. Resource exhaustion.
d. System sprawl.

Answer 13

b

End‐of‐life systems are no longer supported, updated, or patched by the vendor, making them vulnerable to attack.

Question 14

Company A has just developed a bespoke system for booking airline tickets. What is it called if a freelance coding specialist tests it for security flaws?

a. Code review.
b. Static-code review.
c. Regression testing.
d. Dynamic-code review.

Answer 14

c

Regression testing is where a coding expert checks your code.

Question 15

You are the security administrator for an airline company that suffered a loss of availability of their systems last month. Which of the following attacks would MOST LIKELY affect the availability of your IT systems?

a. Spear phishing.
b. Replay.
c. Man‐in‐the‐middle.
d. DoS.

Answer 15

d

Loss of availability means the system is down; DoS is where one host takes down another and is the most likely answer.

Question 16

You are a lecturer in a college and you need to deliver a session on salting passwords. What are the two main reasons you would salt passwords?

a. To slow down brute-force attacks.
b. To make access to the password slower.
c. To prevent duplicate passwords from being stored.
d. To stop simple passwords from being used.

Answer 16

a,c

Salting appends random characters to a password; therefore, it makes the password longer and more difficult to crack. If two people use the same password, the random characters appended to them make them unique.

Question 17

17. An auditor is carrying out an annual inspection of a SCADA network and finds that the programmable logic controllers (PLCs) have not been updated since last year. Upon further investigation, it is discovered that the company manufacturing these PLCs has gone into liquidation, making these controls end-of-life systems. The manufacturer is currently looking for another company to make an upgraded PLC. Which of the following recommendations should the auditor make to the management team to mitigate the risk in the short term?

a. Remove the PLCs from the manufacturing infrastructure.
b. Produce their own updated PLCs for the firmware.
c. Set up a SIEM system for real-time monitoring of the SCADA system.
d. Place the PLCs in a VLAN.

Answer 17

d

If a system or a printer is vulnerable and it cannot be replaced, we can segment it from the rest of the network by placing it in a VLAN.

Question 18

18. The security administrator has identified an unknown vulnerability on an application that is used infrequently. They have isolated the application and gathered information to send to the vendor so that a patch can be produced. Once the company receives a patch for the application, what is the best way for the company to test the application before rolling it out into production?

a. Obfuscation.
b. VLAN.
c. Regression testing.
d. Sandboxing.

Answer 18

d

Sandboxing can be used to isolate an application for testing or patching or because it is dangerous. The Linux version is called chroot jail.

Question 19

What is it called when a user has exploited an IT system so that he has obtained access to all files on the file server?

a. Remote exploit.
b. Zero‐day exploit.
c. Privilege escalation.
d. Pivoting.

Answer 19

c

It takes someone with admin right to access all files, therefore the user would need to have privilege escalation to do so

Question 20

Which of the following is an email‐based attack on all members of the sales team?

a. Phishing.
b. Vishing.
c. Spear phishing.
d. Pharming.

Answer 20

c

An email attack on a group of users is called spear phishing. Watch out in the exam for plural words. Phishing is attacking one person by email.

Question 21

An attacker tries to target a high‐level executive, but unfortunately has to leave a voicemail as they did not answer the telephone. What was the intended attack and what attack was eventually was used (choose all that apply)?

a. Whaling.
b. Vishing.
c. Phishing.
d. Spear phishing.

Answer 21

b

The attack method, first of all, uses a telephone, but the attacker has to leave a voicemail; this is known as vishing. For whaling to take place, the CEO would have to take some sort of action.

Question 22

You are carrying out annual training for your company and need to put a PowerPoint slide together for the symptoms of a backdoor virus. Which three bullet points will you include in the slide? Each provides part of the explanation of a backdoor virus.

a. Passwords may have been there a long time.
b. You must click on several items.
c. Can be included in an email attachment.
d. Files open quicker than before.
e. You can only get infected through a link on a webpage.

Answer 22

a, b, c

A backdoor password is written by the application developer to be used at a later stage should the user lock themselves out. Another form is when you have to click several times to execute it.

Question 23

Which of the following commands can be used to create a buffer overflow (choose all that apply)?

a. var char.
b. strcpy.
c. var data.
d. strcat.

Answer 23

b. d

Buffer overflow happens when an application receives more data than it can deal with. Both strcpy and strcat can collect strings of data that would cause a buffer overflow.

Question 24

You are the security administrator for a multinational corporation and the development team have asked your advice as to how BEST to prevent SQL injection, integer overflow, and buffer overflow attacks. Which of the following should you advise them to use?

a. Input validation.
b. A host‐based firewall with advanced security.
c. strcpy.
d. Hashing.

Answer 24

a

Input validation only accepts data in a certain format within a certain length and will prevent buffer overflow, integer overflow, and injection types attacks such as SQL injection.

Question 25

Your company is opening up a new data center in Galway in Ireland where you have installed the server farm, and now a construction company has come in to put a six‐foot mantrap into the entrance. What the main two reasons why this mantrap has been installed? a. To prevent theft. b. To prevent tailgating. c. To prevent unauthorized personnel gaining access to the data center. d. To allow faster access to the facility.

Answer 25

b, c Mantraps only allow one person in at a time and control who can access the facility; they are used frequently with data centers.

Question 26

Which of the following devices can prevent unauthorized access to the network and prevent attacks from unknown sources? a. Router. b. Load balancer. c. Web-security gateway. d. UTM.

Answer 26

d The UTM's first role is a firewall that prevents unauthorized access to the network. It can also provide URL and content filtering and malware protection.

Question 27

You are the cybersecurity analyst for a large corporation, and have been investigating recent incidents. You found an attacker who seems to be trying to post political messages on your company website. Which of the following BEST describes this threat actor? a. Organized crime. b. Script kiddie. c. Hacktivist. d. APT. e. Malicious insider. f. Nation state.

Answer 27

c A hacktivist is a politically motivated threat actor.

Question 28

A security administrator wants to audit a web application to determine whether default accounts are being used. What technique is being used to carry this task out? a. Social engineering. b. Banner grabbing. c. Protocol analyzer. d. Netcat (nc).

Answer 28

b Banner grabbing is a technique that can interrogate the web servers; it can provide login details and patch level versions of a web server. Two common applications used for banner grabbing are netcat (nc) and telnet.

Question 29

You are the CISO for a large financial institution. You are setting up an annual contract with a third‐party company who will take the data away for shredding and pulping. What type of attack are you preventing? a. Social engineering. b. Dumpster diving. c. Watering-hole attack. d. Smurf attack. e. Replay attack.

Answer 29

b Dumpster diving is where an attacker will look for company information in the trash can. Most companies have a third party collect their paper waste and destroy it.

Question 30

You are the chief information security officer for a large corporation and you have been informed that the forms on the company's website are passing unsanitized values to the backend ticketing system. Which of the following types of attack has been carried out? a. Input validation. b. Buffer overflow. c. XSS attack. d. Replay attack. e. SQL injection. f. Integer overflow.

Answer 30

e The frontend would be a web server and the backend would be a database such as a SQL server that would hold ticketing and credit card information.

Question 31

Company A are using a third party to perform a pen test against the company's network. No information has been given to the company prior to their visit. As the pen testers are about to start testing, one of the ladies from the network gives them a floor plan showing all of the network points. Which type of pen testing is being carried out? a. Gray box. b. White box. c. Intrusive scan. d. Black box.

Answer 31

a Gray box penetration testing is where the tester has at least one piece of information.

Question 32

You are the cybersecurity analyst for a large corporation, and have been analyzing various log files on the external firewall. You notice the following: SELECT* from Customers, Orders, Bank Account Number, 1=1. Which of the following types of attack is being carried out? a. Buffer overflow. b. Social engineering. c. Customer services are printing off a list of all customers. d. SQL injection. e. Smurf.

Answer 32

d In the Security+ exam, the phrase 1=1 means a SQL injection attack.

Question 33

A black-box pen tester has crashed the company's main systems. Which type of scan have they been using? a. Intrusive scan. b. Vulnerability scan. c. Non‐credentialed. d. Application scan.

Answer 33

a Penetration tests are intrusive and can cause damage, therefore, the type of scan would be an intrusive scan.

Question 34

A payroll department has contacted the security team regarding a problem with the transfer of the payroll that was submitted to the bank. The payroll system log files revealed the following entries: - September 1, 2020, August Payroll File created – File transferred to the bank - October 1, 2020, September Payroll File created – File transferred to the bank - November 1, 2020, October Payroll File created – Transfer failed - November 2, 2020, October Payroll File created – File transferred to the bank Which of the following explains why the file transfer failed? a. The file hashed changed while in transit. b. The file was transferred to the wrong destination. c. The file was corrupted while in transit. d. The bank refused the transfer.

Answer 34

c Files were created and transferred regularly, therefore, files being corrupted in transit looks the most likely—after all, the next file transfer worked.

Question 35

During a routine review of firewall log reports, a security technician discovers multiple successful logins for users during unusual hours. The technician contacts the network administrator, who confirms that the logins were not related to the administrator's activities. Which of the following is the MOST likely reason for these logins? a. The file hashed changed while in transit. b. The file was transferred to the wrong destination. c. The file was corrupted while in transit. d. The bank refused the transfer.

Answer 35

c Files were created and transferred regularly, therefore, files being corrupted in transit looks the most likely—after all, the next file transfer worked.

Question 36

You are an employee working in the finance department, and have just received an email from the Chief Financial Officer (CFO) instructing you to pay $3,000 immediately to a vendor before critical services are cut. The vendor's invoice is attached for ease of reference. Which of the following BEST describes the type of attack being used (choose TWO)? a. Impersonating. b. Shoulder surfing. c. Consensus/social proof. d. Authority. e. Urgency.

Answer 36

d, e Social engineering authority gets an email from the CEO or the HR director, and urgency means that you have to deal with something immediately.

Question 37

During a routine review of firewall log reports, a security technician discovers multiple successful logins for users during unusual hours. The technician contacts the network administrator, who confirms that the logins were not related to the administrator's activities. Which of the following is the MOST likely reason for these logins? a. Firewall maintenance service windows were scheduled. b. Default credentials were still in place. c. The entries in the log were caused by the file-integrity monitoring system. d. A blue team was conducting a penetration test on the firewall.

Answer 37

b If we did not change the default credentials for the firewall, this would explain why someone other than the administrators could access the firewall.

Question 38

A security analyst is assigned to perform a penetration test for one of the company's clients. During the scope discussion, the analyst is notified that the client is not going to share any information related to the environment to be tested. Which of the following BEST identifies this type of penetration testing? a. Black box. b. White box. c. Gray box. d. Blue teaming.

Answer 38

a A black box penetration tester is given no information prior to starting the pen test.

Question 39

Company emails have been intercepted and altered in transit. The security administrator needs to implement a solution that provides both email integrity and nonrepudiation. Which of the following should he use? a. OAuth. b. Kerberos. c. S/MIME. d. TLS.

Answer 39

c SMIME is where a user will digitally sign an email to ensure integrity, and using their private key ensures non‐repudiation of the message being sent.

Question 40

Which of the following is an example of resource exhaustion? a. A penetration tester requests every available IP address from a DHCP server. b. An SQL injection attack returns confidential data back to the browser. c. Server CPU utilization peaks at 100% during the reboot process. d. System requirements for a new software package recommend having 12 GB of RAM, but only 8 GB are available.

Answer 40

c Resource exhaustion is where a system has no resources left; the best example here is when the CPU is running at 100%, meaning full capacity.

Question 41

A security scanner lists security discrepancies that are not present when the system is manually inspected. Which of the following is the MOST likely reason for this? a. Credentialed scan. b. Fail-acceptance rate. c. False positives. d. False negatives.

Answer 41

c When a monitoring system finds that attacks are in place and when a manual inspection does not find any, this is called a false positive.

Question 42

Which of the following methods minimizes the use of a system interaction when conducting a vulnerability scan? a. Stopping the firewall service. b. Running a credentialed scan first thing in the morning. c. Conducting the assessment once everyone finishes work. d. Running a non‐credentialed scan first thing in the morning.

Answer 42

c When there are no users in the company, they will not be using the system.

Question 43

A security analyst monitoring the domain controller identifies the following attack: Pinging 192.168.5.253 with 24456 bytes of data Reply from 192.168.5.253 bytes 24456 time<1ms TTL=128 Reply from 192.168.5.253 bytes 24456 time<1ms TTL=128 Reply from 192.168.5.253 bytes 24456 time<1ms TTL=128 Reply from 192.168.5.253 bytes 24456 time<1ms TTL=128 Which of the following attacks is occurring? a. Ping of death. b. DNS poisoning. c. Buffer overflow. d. SQL injection. e. Remote-access trojan. f. Integer overflow.

Answer 43

c Buffer overflow is where data larger than normal is being submitted; in this case, the normal number of bytes is 32, so 24,456 exceeds this and causes a buffer overflow.

Question 44

Which of the following are considered among the best indicators that a received message is a hoax (choose TWO)? a. License violation. b. Warnings of monetary loss. c. Claims of possible damage to the computer. d. Event logs filling up. e. Certificate trust error.

Answer 44

b, c The question asks for a message as a hoax; the only two items that produce messages are warning of monetary loss and claims of possible damage. All other items won't send a message.

Question 45

A threat actor purchases an exploit from the dark web to launch an attack. Name the threat actor. a. Organized crime. b. Malicious insider. c. Script kiddie. d. Competitor. e. Hacktivist.

Answer 45

c A script kiddie does not have a high technical skill set, therefore, he has to use script or programs written by others; in this example, they are purchasing one from an illegal website.

Question 46

What type of threat actor would attend a political rally? a. Organized crime. b. Malicious insider. c. Script kiddie. d. Competitor. e. Hacktivist.

Answer 46

e A hacktivist is politically motivated.

Question 47

A security administrator has completed a monthly review of DNS server query logs. He notices persistent TCP connections to a remote server carrying megabytes of data each day. Which of the following is the most likely explanation for this anomaly? a. An attacker is stealing large amounts of proprietary company data. b. Employees are playing multiplayer computer games. c. A worm is attempting to spread to other hosts via SMB exploits. d. Internal hosts have become members of a botnet.

Answer 47

d An infected machine that is running as a bot member can be accessed 24/7, 365 days a year. If they were playing games, that traffic would be intermittent.

Question 48

Which of the following can be implemented to prevent a local LAN attack? a. arp ‐s. b. dig ‐n. c. arp ‐a. d. netstat ‐an. e. tcpdump ‐.

Answer 48

a Arp is the only local attack, arp ‐s IP address MAC address, inserts static entries into the arp cache and prevents it from being poisoned.

Question 49

A black box penetration tester has managed to access the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run What type of penetration-testing technique did he use? a. Privilege escalation. b. Pivoting. c. Regression testing. d. Active reconnaissance.

Answer 49

d Active reconnaissance is where an action is taken; this time, the attacker has got access to the system's registry

Question 50

The CISO has written a policy informing the IT team that he wants company personnel to be able to make changes to data and delete documents. Which of the following titles should he use for the policy? a. On‐boarding policy. b. Acceptable-use policy (AUP). c. Least-privilege policy. d. Separation-of-duties policy.

Answer 50

c Least privilege allows access and permissions to data.

Question 51

The company is upgrading the computers for the customer services department, and the cybersecurity team has built an image to roll out. Which of the following is the best security reason that an image was used for the deployment? a. To enable the computers to boot securely. b. To ensure that the same applications are deployed. c. To reduce the number of updates. d. To ensure that the computers have the same baseline.

Answer 51

d Rolling out an image ensures that all of the computers have the same baseline, including security settings and patches.