CompTIA Security+ Sy0-501 Practice Test 02

This is an attempted buffer overflow attack. The vrfy buffer is designed to hold only 128 bytes so sending 999 bytes to it could cause the vrfy buffer to be overrun crashing the email server. As a best practice, the vrfy command is disabled on email servers, which causes this command to fail.
It's useful to break down this command. The echo command will print specified text. The vrfy command is used to verify a username in a mailbox on an email server. The 'perl -e 'print "a" x 999" " prints the letter "a" 999 times. The result is 999 a's. The | operator pipes the result of the previous command to the next command. In this case, it sends the output of the echo command (999 a's) to port 25 of the getcertifiedgetahead.com server using nc (netcat).

A SQL injection attack will typically use a SELECT command and the scenario doesn't give any indication that a database is being queried.

Cross-site request forgery (XSRF or CSRF) is an attack where an attacker tricks a user into performing an action on a web site, but the scenario indicates a security tester is entering the command.

Address Resolution Protocol (ARP) poisoning is an attack that misleads computers or switches about the actual MAC address of a system.

The annual rate of occurrence (ARO) is the best choice to identify how many times a specific type of incident occurs in a year. Annual loss expectancy (ALE) identifies the expected monetary loss for a year and single loss expectancy (SLE) identifies the expected monetary loss for a single incident. ALE = SLE × ARO and if you know any two of these values, you can identify the third value. For example, ARO = ALE / SLE. Write once read many (WORM) is a term sometimes used with archived logs indicating they cannot be modified.

The annual loss expectancy (ALE) is $15,000. The single loss expectancy (SLE) is $6,000 ($3,500 to repair or replace each server plus $2,500 in additional losses for each outage). The annual rate of occurrence (ARO) is 2.5 (five failures in two years or 5 / 2). You calculate the ALE as SLE × ARO ($6,000 × 2.5).

Pivoting is the process of accessing other systems through a single compromised system. Reconnaissance techniques are done before attacking a system. A successful attack on a single computer is the initial exploitation. Escalating privileges attempts to gain higher privileges on a target.

An airgap ensures that a computer or network is physically isolated from another computer or network. A mantrap helps prevent unauthorized entry and is useful for preventing tailgating. Control diversity is the use of different controls such as technical, administrative, and physical, but it doesn’t necessarily isolate networks. Infrared motion detectors sense motion from infrared light, but they don’t isolate networks.

A mantrap is highly effective at preventing unauthorized entry and can also be used to prevent tailgating. CCTV uses cameras for video surveillance and it can record unauthorized entry, but it can’t prevent it. A proximity card is useful as an access control mechanism, but it won’t prevent tailgating, so it isn’t as useful as a mantrap. A cipher lock is a door access control, but it can’t prevent tailgating.

The mean time between failures (MTBF) provides a measure of a system’s reliability and would provide an estimate of how often the systems will experience outages. The mean time to recover (MTTR) refers to the time it takes to restore a system, not the time between failures. The recovery time objective (RTO) identifies the maximum amount of time it can take to restore a system after an outage. The recovery point objective (RPO) identifies a point in time where data loss is acceptable.

A privacy threshold assessment helps an organization identify Personally Identifiable Information (PII) within a system, and in this scenario, it would help the organization determine if the customer data is PII. A privacy impact assessment is done after you have verified that the system is processing PII, not to determine if the data is PII. A tabletop exercise is a discussion-based exercise used to talk through a continuity of operations plan. Affinity scheduling is a load-balancing scheduling scheme using the client’s IP address and is unrelated to PII.

The checksum (also known as a hash) provides integrity for the updates and patches so that users can verify they have not been modified. Installing updates and patches increases the availability of the application. Confidentiality is provided by encryption. The checksums are for the updates and patches, so they do not provide integrity for the application.

If Acme submitted the bid via email using a digital signature, it would provide proof that the bid was submitted by Acme. Digital signatures provide verification of who sent a message, non-repudiation preventing them from denying it, and integrity verifying the message wasn’t modified. Integrity verifies the message wasn’t modified. Repudiation isn’t a valid security concept. Encryption protects the confidentiality of data, but it doesn’t verify who sent it or provide nonrepudiation.

The correct answer is TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA. Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) uses perfect forward secrecy using ephemeral keys and only one answer includes ECDHE. RSA uses static key pairs. so it doesn't support perfect forward secrecy. Diffie-Hellman (DH) can use either static keys or ephemeral keys, so it would not ensure that perfect forward secrecy was always used. SSL has been replaced by TLS and should not be used.

A separation of duties policy prevents any single person from performing multiple job functions that might allow the person to commit fraud. In this scenario, the administrator has accumulated privileges across several job functions, which represents the risk. A mandatory vacation policy is useful to discover fraud committed by an individual, but this scenario clearly indicates this individual controls too many job functions. An exit interview is performed when an employee leaves the organization. Change management ensures changes are reviewed before being implemented.

A clean desk policy requires users to organize their areas to reduce the risk of possible data theft and password compromise. A legal hold refers to a court order to protect data that might be needed as evidence. A legal hold policy may state that the organization will comply with the court order, but it isn’t related to data theft. Job rotation policies require employees to change roles on a regular basis and can expose fraudulent activity. A background check policy typically identifies what to check for when hiring an employee.

Medical history is not appropriate to include in a background check. However, it is common to check a potential employee’s social media presence, criminal background, and financial history.

The dd command is available on Linux systems and it is used to copy files for analysis. As an example, the dd if=/dev/sda2
of=sd2disk.img command creates an image of a disk without modifying the original disk. None of the other choices creates an image of a drive. Hashing algorithms create a hash of a file. Screenshots create a graphic from a computer screen. Logs record log entries in files.

Data on a hard disk drive is the least volatile of those listed. All other sources are some type of memory, which will be lost if a system is turned off. This includes data in normal memory, a redundant array of inexpensive disks 10 (RAID-10) cache, and the central processing unit’s (CPU’s) cache.

RAID-1 (mirroring) requires a minimum of two disks.

RAID-5 (striping with parity) requires a minimum of three disks.

RAID-6 (striping with parity) requires a minimum of four disks.

A tabletop exercise is discussion-based and is typically performed in a classroom or conference room setting. Because this is a
meeting that includes disaster recovery personnel, it is a tabletop exercise. Functional exercises are hands-on exercises and include simulations and full-blown tests.

A matrix of functions, roles, or job titles matched with the required access privileges for each of the functions, roles, or job titles is a common planning document for a role- based access control (role-BAC) model. The mandatory access control (MAC) model uses sensitivity labels and classification levels. MAC is effective at restricting access based on a need to know. The discretionary access control (DAC) model specifies that every object has an owner and it might identify owners in a list.

Digital signatures will support a use case of supporting nonrepudiation. Digital signatures don’t encrypt data, so they do not support a use case of supporting confidentiality. Redundancy and fault-tolerance solutions will increase availability. Steganography is one way of supporting obfuscation.

The chief technology officer (CTO) should ensure systems are not susceptible to unauthorized changes, which is an element of integrity. A security program should address the three core security principles of confidentiality, integrity, and availability (CIA). The system in the example is already addressing confidentiality and availability. Ensuring critical systems provide uninterrupted service addresses availability. Protecting data and securing data to prevent unauthorized disclosure addresses confidentiality.

Cable locks are effective equipment theft deterrents for laptops and other systems. Snapshots refer to digital snapshots that capture the state of a virtual machine at a moment in time. Passwords prevent unauthorized access to systems but don’t provide physical security. A virtual desktop infrastructure (VDI) allows users to access a desktop on a remote server. A persistent VDI saves the user changes on the desktop, but it does not deter thefts.

Taking a snapshot of the virtual machine (VM) before deploying it ensures that the VM can be reverted to the original configuration if the new application causes problems. Taking a snapshot after the installation doesn’t allow you to revert the image. Non-persistence is used in a virtual desktop infrastructure (VDI), where user changes to the desktop are not changed. It isn’t appropriate to use non-persistence on a virtual server. Backing up the server might be appropriate before installing the new application but not after.

The ifconfig command displays network settings on a Linux computer. This includes the IP address, subnet mask, and default gateway assigned to the network interface card (NIC). The ipconfig command performs similar checks on Windows computers, but not on Linux systems. Netstat shows network statistics and active connections but not the network settings. The tracert command traces the route of data and can help determine which network devices are failing.

Container-based virtualization (also called application cell virtualization) uses the same operating system kernel of the host computer. It is often used to run isolated applications or services within a virtual environment. Type I hypervisor virtualization runs directly on the system hardware. Type II hypervisor virtualization runs VMs that all include their own operating system, including their own kernel. A virtual desktop environment (VDE) provides a full desktop operating system to users.

The ping command sends Internet Control Message Protocol (ICMP) echo requests and checks for ICMP echo replies. Arp resolves IP addresses to media access control (MAC) addresses and does not use echo commands. Ipconfig checks the configuration of a NIC. Netstat shows active connections and network statistics.

The best solution is to create a rule in the password policy for the password minimum age. Currently, users can change their passwords five more times in just a couple of minutes, changing it back to their original password on the sixth change. None of the other settings prevent the users from doing this. A password history of 10 forces the users to take a couple more minutes to get back to the original password. The password policy currently requires complex passwords. A maximum age of 60 days increases how long a user can keep the same password.

A Time-based One-Time Password (TOTP) meets this requirement. Passwords created with TOTP expire after 30 seconds. An HMAC-based One-Time Password (HOTP) creates passwords that do not expire. A Common Access Card (CAC) is a type of smart card, but it does not create passwords. Kerberos uses tickets instead of passwords.

A lower crossover error rate (CER) indicates a more accurate biometric system. The false acceptance rate (FA R ) and the false rejection rate (FRR) vary based on the sensitivity of the biometric system and don’t indicate accuracy by themselves. A higher CER indicates a less accurate biometric system.

Kerberos uses a ticket-granting ticket (TGT) server, which creates tickets for authentication. Shibboleth is a federated identity solution used in some single sign-on (SSO) solutions. Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML) used for some SSO solutions. Lightweight Directory Access Protocol (LDAP) is an X.500- based authentication service used to identify objects.

Removing all shared accounts is the best answer of the available choices. If two employees are using the same account, and one employee maliciously deletes data in a database, it isn’t possible to identify which employee deleted the data. File and folder access control lists (ACLs) identify permissions for users, but don’t control the user identity. Role-based (or group-based) privileges assign the same permissions to all members of a group, which simplifies administration. A single sign-on (SSO) solution allows a user to log on once and access multiple resources.

The best response is to disable the accounts and then enable them when needed by the contractors. Ideally, the accounts would include an expiration date so that they would automatically expire when no longer needed, but the scenario doesn’t indicate the accounts have an expiration date. Because the contractors need to access the accounts periodically, it’s better to disable them rather than delete them. Reset the accounts implies you are changing the password, but this isn’t needed.

A location-based policy restricts access based on location, such as with an IP address, and this is the best possible answer of those given. The scenario indicates they could use the virtual private network (VPN) connection from home, but it was blocked when they tried to access it from the library. A time-of-day access control restricts access based on the time of day, but the scenario doesn’t indicate the time. Neither a discretionary access control model nor a role-based access control model restricts access based on location.

When creating temporary accounts, i t ’s best to configure expiration dates so that the system will automatically disable the accounts on the specified date. History, password expiration, and complexity all refer to password policy settings. However, it’s rare to configure a specific password policy on a single account.

A software defined network (SDN) typically uses an attributebased access control (ABAC) model, which is based on attributes that identify subjects and objects within a policy. A discretionary access control (DAC) model has an owner, and the owner establishes access for the objects. A mandatory access control (MAC) model uses labels assigned to subjects and objects. A role-based access control (role-BAC) model uses roles or groups to assign rights and permissions.

You can use Secure Shell (SSH) to encrypt Personally Identifiable Information (PII) data when transmitting it over the network (data-intransit). Secure File Transfer Protocol (SFTP) uses SSH to encrypt File Transfer Protocol (FTP) traffic. FTP, Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP) transmit data in cleartext unless they are combined with an encryption protocol.

The Network Time Protocol (NTP) provides time synchronization services, so enabling NTP on servers would meet this use case. The Real-time Transport Protocol (RTP) delivers audio and video over IP networks, and Secure RTP (SRTP) provides encryption, message authentication, and integrity for RTP. Protocols such as Simple Mail Transfer Protocol (SMTP), Post Office Protocol v3 (POP3), and Internet Message Access Protocol version 4 (IMAP4) are used for email. Encrypting data isn’t relevant to time synchronization services provided by NTP.

Iptables include settings used by the Linux Kernel firewall and can be used to replace a firewall. While it’s possible to implement iptables on a wireless access point (assuming it is Linux-based), iptables still function as a firewall, not a wireless access point. A Layer 2 switch routes traffic based on the destination media access control (MAC) address, but iptables focus on IP addresses. A network bridge connects multiple networks together.

A stateful firewall filters traffic based on the state of the packet within a session. It would filter a packet that isn’t part of a TCP three-way handshake. A stateless firewall filters traffic based on the IP address, port, or protocol ID. While it’s appropriate to place a network firewall in a demilitarized zone (DMZ), a network firewall could be either a stateless firewall or a stateful firewall. An application-based firewall is typically only protecting a host, not a network.

A demilitarized zone (DMZ) is a buffered zone between a private network and the Internet, and it will separate the web server’s web-facing traffic from the internal network. You can use a virtual local area network (VLAN) to group computers together based on job function or some other administrative need, but it is created on switches in the internal network. A firewall does provide protection for the web server, but doesn’t necessarily separate the web-facing traffic from the internal network. A web application firewall (WAF) protects a web server from incoming attacks, but it does not necessarily separate Internet and internal network traffic.

You would most likely configure the Uniform Resource Locator (URL) filter on the unified threat management (UTM) security appliance. This would block access to the peer-to-peer sites based on their URL. Content inspection and malware inspection focus on inspecting the data as it passes through the UTM, but they do not block access to sites. A distributed denial-of-service (DDoS) mitigator will attempt to block incoming DDoS attack traffic.

Domain Name System Security Extensions (DNSSEC) add security to DNS systems. The functions in the list indicate that the server in the demilitarized zone (DMZ) is a DNS server.

DNS servers identify mail servers with MX records, provide IPv4 addresses of systems with A records, and provide IPv6 addresses with AMA records.

DNSSEC uses a Resource Record Signature (RRSIG), commonly referred to as a digital signature, to provide data integrity and authentication for DNS replies. While a DNS server responds to DNS queries with A and AMA records, DNS without DNSSEC doesn't prevent poisoning attacks.

RRSIG can use Transport Layer Security (TLS) to create the signature, but TLS by itself doesn't provide adequate protection. Nslookup is a command-line tool used to test DNS, but it doesn't provide any DNS services.

A virtual private network (VPN) provides access to a private network over a public network such as the Internet via remote locations and is the best choice. Network access control (NAC) methods can check VPN clients for health before allowing them access to the network, but it doesn’t directly provide the access. Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) protect networks, but do not control remote access.

This is a port scan. The key is to understand the log format. In this example, it is:

Time - Source IP : Port - Destination IP : Port 

Each packet was sent 

• At 10:10 PM (22:10 using a 24-hour clock format)
• From a source computer with an IP address of 10.10.80.5
• From the source computer's port 49154
• To the destination computer with an IP address of 192.168.1.15
• To the destination computer's ports of 20, 21, 23, and 25
How do you know the source computer has an IP address of 10.10.80.5? 

The packets are always coming from the same port of 49154. Also, with the varied ports (20, 21, 23, and 25) on the destination computer helps you identify it as port scan. 

A ping sweep attempts to identify active IP addresses on a network. It typically uses Internet Control Message Protocol (ICMP) to check a range of IP addresses, but it doesn't use different ports. 

A service scan is typically done after a port scan. It checks to see if the system is actually running the service associated with well-known port.

A SYN stealth scan uses part of the TCP three-way handshake to see if a system responds and identify active IP addresses on a network. It sends the SYN packet and waits for the SYN/ACK packet. If it receives it, it typically responds with a RST packet to reset and close the connection.

A sandbox provides a simple method of testing patches and would be used with snapshots so that the virtual machine (VM) can easily be reverted to the original state. A baseline image is a starting point of a single environment. Bring your own device (BYOD) refers to allowing employee-owned mobile devices in a network, and is not related to this question. Change management practices ensure changes are not applied until they are approved and documented.

A remote attestation process checks a computer during the boot cycle and sends a report to a remote system. The remote system attests, or confirms, that the computer is secure. None of the other answers sends data to a remote system. A Trusted Platform Module (TPM) is a hardware chip on a motherboard and provides a local secure boot process. A TPM includes an encryption key burned into the CPU, which provides a hardware root of trust. A trusted operating system meets a set of predetermined requirements typically enforced with the mandatory access control (MAC) model.

A network intrusion prevention system (NIPS) is the most relevant security control of those listed to ensure availability of the supervisory control and data acquisition (SCADA) system. A data loss prevention (DLP) system helps prevent loss of data, but wouldn’t protect a SCADA system from potential attacks. A Trusted Platform Module (TPM) is a hardware chip on a computer’s motherboard that stores cryptographic keys used for encryption. An electromagnetic pulse (EMP) is a short burst of electromagnetic energy and unrelated to a SCADA system.

Database column (or field) encryption is the best choice because it can be used to encrypt the fields holding credit card data, but not fields that don’t need to be encrypted. Full database encryption and whole disk encryption aren’t appropriate because everything doesn’t need to be encrypted to protect the credit card data. File-level encryption isn’t appropriate on a database and will often make it inaccessible to the database application.

A logic bomb is code that executes in response to an event. In this scenario, the logic bomb executes when it discovers the account is disabled (indicating Dr. Bob Terwilliger is no longer employed at the company). In this scenario, the logic bomb is creating a backdoor. A rootkit includes hidden processes, but it does not activate in response to an event. Spyware is software installed on user systems without their awareness or consent. Its purpose is often to monitor the user’s computer and the user’s activity. Ransomware demands payment as ransom.

Tailgating is the practice of following closely behind someone else without using credentials. In this scenario, Bart might be an employee who forgot his badge, or he might be a social engineer trying to get in by tailgating. Spear phishing and whaling are two types of phishing with email. Mantraps prevent tailgating.

A digital signature provides assurances of who sent an email and meets the goal of this scenario. Although a spam filter might filter a spear phishing attack, it does not provide assurances about who sent an email. A training program would help educate employees about attacks and would help prevent the success of these attacks, but it doesn’t provide assurances about who sent an email. Some antivirus software includes heuristic-based detection. Heuristic-based detection attempts to detect viruses that were previously unknown and do not have virus signatures.

Of the given choices, an untrained user is the most likely vulnerability in this scenario. A trained user would be less likely to click
on a malicious link received in an email. While the attack describes ransomware, ransomware isn’t a vulnerability. A denial-of-service (DoS) or distributed denial-of-service (DDoS) attack often results in resource exhaustion, but that is the result of an attack, not a vulnerability. An insider threat implies a malicious insider, but there isn’t any indication that the new employee was malicious.

The sender is using the social engineering principle of authority in this scenario. A chief executive officer (CEO) would respect legal authorities and might be more inclined to open an attachment from such an authority. While the scenario describes whaling, a specific type of phishing attack, whaling and phishing are attacks, not social engineering principles. The social engineering principle of consensus attempts to show that other people like a product, but this is unrelated to this scenario.

A password salt is additional random characters added to password before hashing the password, and it decreases the success of password attacks. Rainbow tables are used by attackers and contain precomputed hashes. Message Digest 5 (MD5) is a hashing algorithm that creates hashes, but the scenario already states that passwords are hashed. Input validation techniques verify data is valid before using it and they are unrelated to protecting hashed passwords.

Input validation should be performed on the server side. Clientside validation can be combined with server-side validation, but it can be bypassed, so it should not be used alone. Boundary or limit checks are an important part of input validation. Pointer dereference techniques use references to point to values and are unrelated to input validation techniques.

Code signing provides a digital signature for the code and verifies the publisher of the code and verifies that it hasn’t been modified since the publisher released it. None of the other answers verify the application hasn’t been modified. Input validation verifies data is valid before using it. Code obfuscation makes the code more difficult to read. Stored procedures are used with SQL databases and can be used for input validation.

Dynamic analysis techniques (such as fuzzing) can test the application’s ability to maintain availability and data integrity for some scenarios. Fuzzing sends random data to an application to verify the random data doesn’t crash the application or expose the system to a data breach. Model verification ensures that the software meets specifications and fulfills its intended purpose, but it doesn’t focus on reliability or integrity. Input validation and error-handling techniques protect applications, but do not test them.

A vulnerability scanner is passive and has the least impact on systems, and it can detect systems that are lacking specific security controls. Network scanners use methods such as a syn stealth scan and a ping scan to discover devices on a network, but they don’t identify missing security controls. A penetration test is invasive and does not have the least impact on systems.

Running the scans as credentialed scans (within the context of a valid account) allows the scan to see more information and typically results in fewer falsepositives. Non-credentialed scans run without any user credentials and can be less accurate. Passive reconnaissance collects information on a target using open-source intelligence. All vulnerability scans use active reconnaissance techniques.

This command sends a query to the server over port 80 and if the server is running a service on port 80, it will connect. This is a
common beginning command for a banner grabbing attempt. It does not send 80 separate packets. Netcat is often used to remotely administer servers, but not using port 80. Remote Desktop Protocol (RDP) uses port 3389 and is not relevant in this scenario.

The /var/log/btmp log contains information on user failed login attempts. While not available as an answer, /var/log/auth also includes information on failed login attempts. While the /var/log/faillog log includes information on failed logins, /var/log/fail isn’t a valid log name in Linux. The /var/log/httpd directory includes logs from the Apache web server, when i t ’s installed. The /var/log/kern log contains information logged by the system kernel.

A security information and event management (SIEM) system provides a centralized solution for collecting, analyzing, and managing data from multiple sources and can aggregate and correlate logs. None of the other choices aggregate and correlate logs. Nmap is a network scanner that can discover and map devices on a network. Netcat is a command-line tool that can be used to connect to servers. Wireshark is a graphical-based protocol analyzer.

A permission auditing and review process verifies that the principle of least privilege is followed. This includes ensuring users can access only the resources they need to perform their job. Continuous monitoring includes monitoring all relevant security controls, but isn’t the best choice for this specific scenario. A vulnerability scan will discover vulnerabilities on a system or network and a penetration test will scan a system or network and attempt to exploit vulnerabilities. However, vulnerability scans and penetration tests cannot verify a user has the appropriate privileges.

A redundant array of inexpensive disks 10 (RAID-10) subsystem provides fault tolerance for disks and increases data availability. An alternate processing site might be used for a mission-essential function, but it is expensive and does much more than increase the availability of data. Backups help ensure data availability, but they do not help with fault tolerance. A Faraday cage is a room or enclosure that prevents signals from emanating beyond the room.

Source address IP affinity scheduling allows a load balancer to direct client requests to the same server during a web session. Round-robin scheduling simply sends each request to the next server. Load balancers can use a virtual IP, but this refers to the IP address of the web server, not the IP address of a visitor. An active-passive configuration has at least one server that is not actively serving clients, but the scenario doesn’t indicate any of the servers are in a passive mode.

The design is using load balancing to spread the load across multiple application servers. The scenario indicates the goal is to use multiple servers because of heavy processing requirements, and this is exactly what load balancing does. Clustering is typically used to provide high availability by failing over to another server if one server fails. RAID provides fault tolerance for disk drives, not servers. Affinity scheduling helps ensure clients go to the same server during a session, but this isn’t relevant to this scenario.

The database servers are in an active-active load-balancing configuration because web servers can query both database servers. In an active-passive configuration, only one of the database servers would be answering queries at any given time. Round-robin and affinity are two methods of scheduling the load balancing in an active-active configuration.

The recovery time objective (RTO) identifies the maximum amount of time it should take to restore a system after an outage. The recovery point objective (RPO) refers to the amount of data you can afford to lose. RTO only refers to time, not data. RPO refers to data recovery points, not time to restore a system.

The best choice is Triple Data Encryption Standard (3DES). None of the other answers are valid replacements for the symmetric
encryption algorithm Data Encryption Standard (DES). Secure/Multipurpose Internet Mail Extensions (S/MIME) is used to digitally sign and encrypt email. Hash-based Message Authentication Code (HMAC) is a hashing algorithm used to verify the integrity and authenticity of messages. Transport Layer Security (TLS) uses both symmetric and asymmetric encryption to encrypt data-in-transit, not data-at- rest.

Lisa would decrypt the digital signature with Bart’s public key and verify the public key is valid by querying a Certificate Authority (CA). The digital signature provides verification that Bart sent the message, non-repudiation, and integrity for the message. Bart encrypts the digital signature with his private key, which can only be decrypted with his public key. Lisa’s keys are not used for Bart’s digital signature, but might be used for the encryption of the email. Although not part of this scenario, Bart would encrypt the email with Lisa’s public key and Lisa would decrypt the email with Lisa’s private key.

The best solution is to use certificates signed by an internal private Certificate Authority (CA). This ensures connections use Hypertext Transfer Protocol Secure (HTTPS) instead of HTTP. Even if the organization doesn’t have an internal CA, it is possible to create one on an existing server without incurring any additional costs. A code signing certificate provides a digital signature for an application or script, not an entire web server. A wildcard certificate is used for a single domain with multiple subdomains. It is not used for multiple web servers unless they all share the same root domain name, but the scenario doesn’t indicate the web servers share the same root domain name. You would not create a public CA to support internal private servers. While it is feasible to purchase certificates from a public CA, that would cost money, but the scenario indicates money isn’t available.

P12 (PKCS #12) certificates commonly include a private key and they are used to install a private key on a server. A Distinguished Encoding Rules (DER)–based certificate is an ASCII encoded file, but P12 certificates are Canonical Encoding Rules (CER) binary encoded files. A P7B (PKCS #7) certificate never includes the private key. CRT isn’t a valid certificate type, though many certificates do use the .crt extension.

A certificate revocation list (CRL) provides the best solution in this scenario. After a CRL is retrieved, systems hold a copy of it for a period of time (in a cache) and instead of downloading the same CRL every time a system needs to validate a certificate, they just look at the cached copy of the CRL.

Online Certificate Status Protocol (OCSP) is an alternative to a CRL and provides a real-time response to validate certificates. Because OCSP responds in real-time, it is susceptible to Internet outages.

A Subject Alternative Name (SAN) certificate is used for multiple domains that have different names but are owned by the same organization.

PEM-based certificates can be used for just about anything. They can be formatted as Canonical Encoding Rules (CER, binary files) or Distinguished Encoding Rules (DER, ASCII files). They are often used as a Base64 encoded DER certificate.

An acceptable use policy (AUP) informs users of company expectations when they use computer systems and networks, and it
defines acceptable rules of behavior. A non- disclosure agreement (NDA) ensures that individuals do not share proprietary data with others. A bring your own device (BYOD) policy identifies requirements for employee- owned mobile devices. The dd command (short for data duplicator) is available on Linux systems to copy files or entire disk images. Forensic analysts use it to create an image of a disk without modifying the original disk.

His account should be disabled (or deleted if that is the company policy) during the exit interview. It’s appropriate to conduct an exit interview immediately before an employee departs. Employees often give a two-week or longer notice. If their access is revoked immediately, they won’t be able to do any more work. While some companies do terminate employment when someone gives notice, from a security perspective, it’s best to take action related to the user account. The purpose of a mandatory vacation is to detect fraud, but if the employee is leaving, any potential fraud will be detected when that employee leaves.

A non-disclosure agreement (NDA) helps ensure that proprietary data is not shared. It can be written to ensure that employees don’t share proprietary data or business partners don’t share proprietary data. A memorandum of understanding (MOU) expresses an understanding between two or more parties indicating their intention to work together toward a common goal. A business partners agreement (BPA) details the relationship between business partners, including their obligations toward the partnership. An interconnection security agreement (ISA) specifies the technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between two or more entities.

The court order specified a legal hold on email from the last three years, so all the backups for the last three years should be kept. If the backups had been destroyed before the court order, they wouldn’t be available, so the legal hold wouldn’t apply to them. Deleting them after the court order is illegal. Protecting only the backups from the last 12 months or the last two years doesn’t comply with the court order.

Using directional antennas on both access points (APs) is the best choice to meet this need because they have high gain with a very narrow radiation pattern. Omnidirectional antennas transmit the signal in all directions at the same time and are not a good choice when connecting networks between two buildings. Wider channels reduce the range of wireless transmissions and aren’t a good choice here. Because 802.11ac uses only the 5 GHz frequency band, you can’t use 2.4 GHz.

You can maintain confidentiality of any data, including Personally Identifiable Information (PII) with encryption. Hashes provide integrity, not confidentiality. A digital signature provides authentication, nonrepudiation, and integrity. A redundant array of inexpensive disks (RAID) provides higher availability for a disk subsystem.

If most physical servers within the organization are currently underutilized, virtualization will provide a high return on investment (ROI). If the servers are currently utilized close to 100 percent, new servers will need to be purchased to virtualize them. It is possible to implement failover services on virtualized servers so there is little cost difference between physical and virtualized servers. The amount of processing power or memory requirements isn’t relevant unless you know how much systems are currently utilizing.

In a virtual desktop environment (VDE), users access virtual desktops hosted on remote servers. VDE desktops can use snapshots for non-persistence, but it is also possible to allow users to have persistent unique desktops in a VDE. Type I hypervisors (bare-metal hypervisors) run directly on the system without an operating system and are not used for a VDE. VM sprawl describes a problem of many unmanaged VMs, but the scenario doesn’t mention that the virtual desktops are not managed.

The netstat -nab command can show connections (with the -a switch), addresses and ports of these connections (with the -n switch) to identify the remote computer, and the executable that created the connection (with the -b switch).

Tcpdump is a command-line packet analyzer user to capture packets. While it will show the IP address of the connection if it occurs duing the packet capture, it won't show how the connection is being initiated.

The tracert command will list the routers between two systems, but it wont identify the remote computer unless you already know the remote computer's IP address.

Nmap is a network scanner. While it can detect hosts, it doesn't track connections.

Ncat is a command-line tool used to connect to remote systems and often used in banner grabbing.

She is pursuing an elasticity strategy. Elasticity refers to the ability of a system to resize computing capacity based on the load. This includes both expanding the computing ability to handle increased loads and reducing the computing ability when the load is reduced. Because elasticity strategies increase or decrease computing abilities based on loads, they reduce overall costs and are cost-effective.

Resiliency strategies help deploy systems securely and keep them in a secure state.

Scalability refers to the ability of a system to scale up to handle an increased load, but it doesn't refer to reducing the computing ability when the load decreases.

Persistence refers virtual desktops and is unrelated to this question. In a persistent virtual desktop, each user has a custom desktop image. Non-persistent virtual desktops serve the same desktop for all users.

Redundancy adds duplication to critical system components and networks and provides fault tolerance.

The most likely reason of the given choices is that the secure server is using Security-Enhanced Linux (SELinux) and it is set to enforcing mode. If SELinux is in enforcing mode, it enforces the SELinux policy. In this scenario, it could prevent the changes even though the permissions clearly show that the user has adequate permissions to make changes to the file.

If SELinux is in permissive mode, it does not enforce the SELinux policy so the change in the scenario would not be blocked. However, the SELinux system logs what would have been blocked.

If SELinux has been disabled, it would not apply any SELinux policy.

The user has adequate permissions. Note that the leading dash (-) indicates the permissions are for a file. The rwx permission indicates that the group owner (Web Admins) has read, write, and execute permissions on the file, which is more than enough to modify the file.

While chmod is the correct command to enter against the file to change the permissions, this is not necessary because the permissions are adequate. Instead, the SELinux policy would need to be modified or the set to permissive mode or disabled.

A distributed denial-of-service (DDoS) mitigator attempts to block DDoS attacks and should be placed at the border of the network, between the private network and the Internet. If the network includes a demilitarized zone (DMZ), the appliance should be placed at the border of the DMZ and the Internet. Placing it in the DMZ or the internal network doesn’t ensure it will block incoming traffic.

The centralized access point (AP) is a fat AP and it configures thin APs in the network. The fat AP could also be called a stand-alone, intelligent, or autonomous AP and it is used to configure thin APs, not fat APs. Thin APs do not configure other APs. Stand-alone APs are not configured by other APs.

The network devices should be configured to use TCP port 49 for authentication. Terminal Access Controller Access Control System Plus (TACACS+) encrypts the entire authentication process and uses TCP port 49 by default.

Remote Authentication Dial-In User Service (RADIUS) uses port 1813 for accounting.

Kerberos uses TCP port 88 but the scenario doesn't indicate that Kerberos is in use.

Lightweight Directory Access Protocol (LDAP) uses port 389 and LDAP Secure (LDAPS) uses port 636 but there isn't any indication that LDAP or LDAPS is used in this scenario.

RADIUS uses port 1812 for authentication but the question states that TACACS+ is to be used for authentication.