SEC+ Q01

The Answer: B. Passive footprinting

Passive footprinting focuses on learning as much information from

open sources such as social media, corporate websites, and business

organizations.

The incorrect answers:

A. Backdoor testing

Some active reconnaissance tests will directly query systems to see if a

backdoor has been installed.

C. OS fingerprinting

To fingerprint an operating system, you must actively query and receive

responses across the network.

D. Partially known environment

A partially known environment penetration test is a focused approach

that usually provides detailed information about specific systems or

applications.

The Answer: A. HTTPS and C. FTPS

TLS (Transport Layer Security) is a cryptographic protocol used to

encrypt network communication. HTTPS is the Hypertext Transfer

Protocol over TLS, and FTPS is the File Transfer Protocol over TLS.

An earlier version of TLS is SSL (Secure Sockets Layer). Although

we don’t commonly see SSL in use any longer, you may see TLS

communication referenced as SSL.

The incorrect answers:

B. SSH

SSH (Secure Shell) can use symmetric or asymmetric encryption, but

those ciphers are not associated with TLS.

D. SNMPv2

SNMPv2 (Simple Network Management Protocol version 2) does not

implement TLS, or any encryption, within the network communication.

E. DNSSEC

DNSSEC (DNS security extensions) do not provide any confidentiality

of data.

F. SRTP

SRTP (Secure Real-time Transport Protocol) is a VoIP (Voice over IP)

protocol used for encrypting conversations. SRTP protocol commonly uses

AES (Advanced Encryption Standard) for confidentiality.

The Answer: A. Organized crime

An organized crime actor is motivated by money, and their hacking

objectives are usually based around objectives that can be easily exchanged

for financial capital.

The incorrect answers:

B. Hacktivist

A hacktivist is focused on a political agenda and not commonly on a

financial gain.

C. Nation state

Nation states are already well funded, and their primary objective is not

usually based on revenue or income.

D. Competitor

A competitor doesn’t have any direct financial gain by disrupting a

website or stealing customer lists, and often their objective is to disable

a competitor’s business or to harm their reputation. If there is a financial

gain, it would often be an indirect result of an attack.

The Answer: A. Partition data and D. Temporary file systems

Both temporary file system data and partition data are part of the file

storage subsystem.

The incorrect answers:

B. Kernel statistics

Kernel statistics are stored in memory.

C. ROM data

ROM data is a type of memory storage.

E. Process table

The process table keeps track of system processes, and it stores this

information in RAM.

The Answer: C. MFD

An all-in-one printer that can print, scan, and fax is often categorized as

an MFD (Multifunction Device).

The incorrect answers:

A. IoT

Wearable technology and home automation devices are commonly called

IoT (Internet of Things) devices.

B. RTOS

RTOS (Real-time Operating Systems) are commonly used in

manufacturing and automobiles.

D. SoC

Multiple components that run on a single chip are categorized as an SoC

(System on a Chip).

The Answer: C. ISO 27701

The ISO (International Organization for Standardization) 27701

standard extends the ISO 27001 and 27002 standards to include detailed

management of PII (Personally Identifiable Information) and data privacy.

The incorrect answers:

A. ISO 31000

The ISO 31000 standard sets international standards for risk management

practices.

B. ISO 27002

Information security controls are the focus of the ISO 27002 standard.

D. ISO 27001

The ISO 27001 standard is the foundational standard for Information

Security Management Systems (ISMS).

The Answer: A. Create an operating system security policy to prevent

the use of removable media

Removable media uses hot-pluggable interfaces such as USB to connect

storage drives. A security policy in the operating system can prevent any

files from being written to a removable drive.

The incorrect answers:

B. Monitor removable media usage in host-based firewall logs

A host-based firewall monitors traffic flows and does not commonly log

hardware or USB drive access.

C. Only allow applications that do not use removable media

File storage access options are not associated with applications, so it’s not

possible to allow based on external storage drive usage.

D. Define a removable media block rule in the UTM

A UTM (Unified Threat Manager) watches traffic flows across the

network and does not commonly manage the storage options on individual

computers.

The Answer: D. SOAR

SOAR (Security Orchestration, Automation, and Response) is designed

to make security teams more effective by automating processes and

integrating third-party security tools.

The incorrect answers:

A. ISO 27701

The ISO (International Organization for Standardization) 27701 standard

focuses on privacy and securing PII.

B. PKI

A PKI (Public Key Infrastructure) describes the processes and procedures

associated with maintaining digital certificates.

C. IaaS

IaaS (Infrastructure as a Service) describes a cloud service that provides

the hardware required for deploying application instances and other cloudbased

applications.

The Answer: A. Restrict login access by IP address and GPS location,

E. Consolidate all logs on a SIEM, and

G. Enable time-of-day restrictions on

the authentication server

Adding location-based policies will prevent direct data access from outside

of the country. Saving log information from all devices and creating audit

reports from a single database can be implemented through the use of a

SIEM (Security Information and Event Manager). Adding a check for the

time-of-day will report any access that occurs during non-working hours.

The incorrect answers:

B. Require government-issued identification during the

onboarding process

Requiring proper identification is always a good idea, but it’s not one of

the listed requirements.

C. Add additional password complexity for accounts that access data

Additional password complexity is another good best practice, but it’s not

part of the provided requirements.

D. Conduct monthly permission auditing

No requirements for ongoing auditing were included in the requirements,

but ongoing auditing is always an important consideration.

F. Archive the encryption keys of all disabled accounts

If an account is disabled, there may still be encrypted data that needs to be

recovered later. Archiving the encryption keys will allow access to that data

after the account is no longer in use.

The Answer: B. A download was blocked from a web server

A traffic flow from a web server port number (80) to a device port (60818)

indicates that this traffic flow originated on port 80 of the web server. A

file download is one of the most common ways to deliver a Trojan, and

this log entry shows that the file containing the XPACK.A_7854 Trojan

was blocked.

The incorrect answers:

A. The victim’s IP address is 136.127.92.171

The format for this log entry uses an arrow to differentiate between the

attacker and the victim. The attacker IP address is 136.127.92.171, and the

victim’s IP address is 10.16.10.14.

C. A botnet DDoS attack was blocked

A botnet attack would not commonly include a Trojan horse as part of a

distributed denial of service (DDoS) attack.

D. The Trojan was blocked, but the file was not

A Trojan horse attack involves malware that is disguised as legitimate

software. The Trojan malware and the file are the same entity, so there isn’t

a way to decouple the malware from the file.