A security professional must have knowledge of the different tools that they have at their disposal to identify threats and attacks on the network.

The first area that we will look at is installing and configuring network components such as different types of firewalls. We'll then look at how VPNs operate with their different components and operate with different scenarios. We will also look at NIPS, NIDS, HIPS and HIDS, proxy servers, load balancers, wireless access points, mail gateways, and SIEM systems. We will also look at using DLP to prevent sensitive information from leaving the network, and finally, using NAC to ensure that the devices used for remote connections to the network are fully patched.

Next, we will be using the appropriate tools to access the security posture of a system, including protocol analyzers, network scanners, wireless scanners, and password crackers. We will look at data sanitization tools such as shredding, pulverizing, pulping, and degaussing. Security teams need to know about honeypots to determine the attack methods being used so we can mitigate against them. As a security administrator, you need to be familiar with command-line tools, different backup utilities, and the different types of scans (ranging from vulnerability scans to the more intrusive scans that would cause damage to your systems).

We need to be able to analyze and interpret the output from security tools such as HIDS/HIPS.

A security administrator needs the ability to troubleshoot common security issues such as certificate issues, unauthorized software, and different types of threats, including social engineering. We also need to troubleshoot applications and know when to use whitelists and blacklists.

A security administrator needs to familiarize themselves with deploying mobile devices securely, including connection methods, mobile device management concepts, different deployment models, understanding rooting/jailbreaking, and sideloading of applications.

A good knowledge of implementing secure protocols such as S/MIME, PGP, SRTP, SFTP, and securing data in transit using TLS and SSL.

Start off by answering the questions that you have the knowledge base to answer, then on a separate list write down the questions that you do not know the answers to, because you need to revise those areas before testing:

1. The ACL for a firewall has an allow rule for HTTP, HTTPS, and LDAP. What will happen when a user tries to download a file from an external FTP server?

2. A network administrator is configuring a switch and is unsure whether to enable port security or 802.1x. What can you advise on both of these technologies?

3. A security administrator is enabling IPSec on the file server that hosts the financial server. They are then going to enable IPSec between the server and all of the desktops being the financial users. What mode of IPSec will be adopted?

4. What type of firewall is best suited to deal with an incoming SYN flood attack?

5. A security administrator is enabling an L2TP/IPSec on a virtual private network. What will be the role of a VPN concentrator?

6. Your company is experiencing a very high volume of web traffic coming to their internet web servers. What is the best way to ensure that the people coming to your website get the web pages in a timely manner?

7. Your company is experiencing a high volume of DDoS traffic heading for your company's network. What is the best way to deal with this traffic?

8. What is the purpose of DNS round-robin, and what are the pitfalls of using it?

9. How can I capture the commands going to a network-based gaming application?

10. Your company provides internet access to films. What type of port should we use to ensure that the films run smoothly?

11. What type of tool can we use to determine the patch level version of a web server? Name three tools that can be used for this technique.

12. The security administrator has noticed a rise in the number of unauthorized hosts appearing on your network. What two tools can be implemented so that they are notified when someone attaches a new host?

13. The security administrator has noticed that there has been an increase in the number of failed logins attempts on network-based computers. The account lockout policy allows three failed login attempts. What type of tool can they use for real-time monitoring of these events?

14. The CEO has written a new policy stating that all of the security logs on domain controllers are to be copied to a central location daily. These log files need to be secured to ensure that they have not been tampered with after collection. What action should the security administrator take to fulfill this policy?

15. When an attack on a host is made, a connection is established. Which two tools can capture the established connection so that the attacker can be identified?

16. What data format cannot be analyzed by any of the company's monitoring tools?

17. What are the three main components of a proxy server?

18. What is the purpose of a reverse proxy?

19. What technique does an iPhone use to send software updates to the phone?

20. What is the danger of someone taking an unauthorized smartphone into a research and development laboratory?

21. If I am using my personal phone as a BYOD device, what can be done to keep business data separate from my personal data?

22. What would be a safe, restricted, and contained environment that an IT team could provide to contractors to use?

23. What would I need to use in conjunction with a mobile device to limit the bandwidth being used when I download applications to the device?

24. If I want to use a third-party application on my carrier-locked iOS phone, what two stages should I perform to enable the application to run?

25. If I want to use a third-party application on my carrier-locked Android phone, what two stages should I perform to enable the application to run?

26. In what circumstances would I remote-wipe a device using the mobile device management system; (name two)?

27. The network administrator has been receiving support calls relating to the wireless access point. What tool should they use to diagnose the problem?

28. When the SSID of a wireless access point has been disabled, what two types of devices can be used to discover the SSID?

29. When I was on holiday in Las Vegas, all of the pictures I submitted to Facebook had the location where the picture was taken. Which tool carried out the labeling of photographs?

30. Which tools can I use to see if the DLL files of an application have been altered or tampered with?

31. When setting up certificates on a mobile device, the administrator is receiving certificate trust errors. What two actions should the administrator carry out first?

32. A new employee was given a company laptop with the correct certificates installed. Two weeks later, they report to the IT team that they are getting trust errors with the certificates. What has the new employee done to cause this error?

33. A salesperson cannot get internet access on their laptop, so they connect their 4G phone to the laptop to provide internet access. What technique have they just used?

34. A security administrator has found that many company devices have been tampered with over the past week. When they have looked into the security log files, they found that nothing out of the ordinary had been recorded. What has been tampering with the equipment?

35. A retailer wants to allow its customers to use a wireless payment method to pay for small transactions. What payment method must the customer adopt?

36. An audit has been carried out against the assets held by the IT team and the auditor has found that the company owns 300 Windows 10 licenses, but the software has been installed on 302 laptops. What is this violation known as?

37. A small company is going to purchase a firewall and needs to ensure that the firewall is an all-in-one device providing more protection than just simply being a firewall. What type of firewall would you recommend that they purchase?

38. A security administrator has found that remote users have been infecting the company network with viruses. What tool do they need to implement to mitigate this risk?

39. The security team has discovered that an attacker has been logging in twice to each machine but a security alert has not been logged as the company has an account lockout threshold of three attempts. What type of system should the company implement to alert them of any re-occurrence of this event?

40. What type of system does the security administrator need to implement to prevent anyone from emailing out credit card information?

41. What type of security technology can prevent a hacker from accessing a computer's registry remotely?

42. What common security issue reduces the amount of bandwidth available to the company coupled with reducing the amount of disk space available on a computer?

43. What security technology can be implemented on a virtual machine to protect it against attacks?

44. What security technology only allows approved applications to run on a system? How does it work?

45. Why would a security administrator archive security logs onto a WORM drive?

46. What type of security technology would an administrator implement to protect a web server's applications and data?

47. What is the purpose of push notification services?

48. A security administrator wants to implement a Bluetooth type of technology that uses low power. What technology should he implement?

49. A company has suffered from an increase in the theft of its high-end laptops. What technology can be implemented to prevent such laptops from being stolen?

50. A security administrator has discovered that the incorrect authentication information has been used to access the network. What type of technology is the attacker using?

Fill-the-gaps questions really test your knowledge, and can be quite vague at times. In the CompTIA Security+ examination, some of the test questions can also be quite vague, hence the value of this section.

Complete the answers that you can, then make a list of those topics that you are getting wrong, as you need to revise these areas before you take the test. Best of luck.

In the following questions, fill in the gaps to make the statement. Each underlined section of the sentence represents one word—for example, ___________ means that one word is missing; ________ ___________ means that two words are missing:

1. Both the _______ and _________ use ACLs to block traffic by port, protocol, or IP address.

2. Where the router or firewall has no allow rule for a particular type of traffic, the traffic is blocked by a technique called ________ ____.

3. When setting up IPSec across the internet, it is used in _________ mode but when it is used in the LAN between client and server or server to server, it is known as ___________ mode.

4. I have installed a _________ ________ is my DMZ so that it will decrypt incoming traffic so that my firewall or inline NIPS can __________ the traffic.

5. If I disable the SSID on my wireless access point, it can be discovered by a ___________ _________ _________ as the SSID is included in the packet or an SSID _______ device.

6. The role of the VPN concentrator is to set up the _________ ________ before the exchange of data.

7. _____ ___________ is used to prevent someone plugging a laptop into my network; however, ________ is used to prevent a rogue access point being plugged into my network as it authenticates the user or device itself.

8. A __________ is a device that is used by cybersecurity administrators so that they can observe the attack method used by hackers. This will then enable them to prevent these types of attacks in the future.

9. A security administrator has noticed in the SIEM system log files that an attack was detected on Server 1 but when they manually inspected the server, the attack was not shown; this is known as a ______ ___________.

10. One of the reasons why a SIEM system records a false positive is because the wrong ______ _________ were being used, therefore it was monitoring the wrong type of attack.

11. An ________ NIPS has traffic flowing through it; however, the NIDS is known as ________ and relies on sensors and collectors to discover new attacks.

12. _________ __________ inspects traffic going to a website, whereas a _______ ________ inspects traffic across the network.

13. Banner grabbing uses tools such as Dimitri, _____, ________, and ________.

14. __________ shows established connections in a Windows environment, whereas _________ shows established connections in a Linux/Unix environment.

15. A _____ system correlates security logs from various devices such as servers and firewalls. The security administrator has decided to store the logs into a _______ drive so that they can be read but not tampered with as they may be needed as evidence at a later date.

16. A company could use a ____-__-____ VPN instead of an expensive lease line or even more expensive dark fiber, but it must be set to _______ - ___ mode.

17. A _____ ________ could be used as a spam filter and a ____ solution to prevent PII and sensitive information from leaving the company.

18. Both ____ and a ______ can detect when new hosts have been added to your internal network.

19. A __________-______ NIDS/NIPS uses a known database and is reliant on regular updates where _______- _____ NIDS/NIPS start with a known database but can identify new variants.

20. A security administrator changes the default _________ and _________, disables the SSID, and enables ______ filtering to make a wireless access point more secure.

21. A security administrator sets up a wireless access point by inserting a password that will be used by ____. The user can now access the WAP by simply pushing a button; however, this could be subject to a ______-______ password attack.

22. An auditor reports to a security administrator that the company's wireless network could be detected on the footpath outside of the premises. The security administrator then uses ___ ______ __________ antenna to mitigate the risk of being attacked by an external threat actor.

23. A new company has an increasing amount of people coming to its website; therefore, it can use a ______ _________ or ___ ______ _____ to ensure that incoming web requests were dealt in a timely manner.

24. A company installed a _________ firewall to deal with DDoS traffic trying to attack their company's website.

25. A company has set up account lockout with three attempts. An attacker tries to log in once to three separate hosts but finds himself locked out. This is because a ______ system has a ______ engine.

26. If a company was to use weak passwords, they would set them with a low minimum _________ _____ to mitigate the risk of being attacked or could use a _____ _____ ____-_______ ___________ as a compensating control.

27. There have been attacks on the company's virtual machine network, therefore, the security administrator has installed a _____ on each machine to protect them.

28. A company has set a policy of using mobile device management (MDM) to _______ ______ lost or stolen machine to mitigate the risk of data falling into the wrong hands.

29. _______ can be used to stop PII and sensitive information from leaving the company via email or being exported onto a USB drive.

30. The security team in a company are now using ___________ to ensure that company laptops can remain within the company's premises. Another method would be RFID.

31. One of the company's employees uses ________/_____________ so that they can unlock a mobile phone. They now want to install a third-party application. This is known as ___________.

32. _____ is a secure protocol that can be used to run remote commands securely on routers or directory services. It can also use a graphical user interface.

33. If an application cannot run on a desktop, it could well be that the application is just not on the _________. It does not necessarily need to be on the blacklist. It may not be on any list.

34. If I want to restrict a user's ability to log in to ensure that they can only authenticate when they are in the United States of America and ensure that they cannot authenticate from any other location. This form of authentication is known as ________-
_______ _______________.

35. _____ is first and foremost a firewall, but it can also carry out the functions of URL and content inspection and _________ ___________.

36. An organization was suffering from DNS poisoning and decided to use _________ to encrypt the DNS traffic with TLS. This produced both DNSKEY and ________ records.

37. When two people wish to send digitally signed and encrypted emails, they could use _________ for email integrity and PGP for ___________.

38. When people decide to leave the company for a highly paid job, we should carry out ___ __________ to ensure that the company CYOD equipment has been returned, followed by an _____ ____________ by the human resources department.

39. A company has decided that instead of the sales staff traveling to the head office for weekly meetings, they will use videoconferencing. The videoconferencing should be secure, therefore they will use the _________ protocol.

40. The company has decided to keep the employees' personal data separate from the business data by using either __________________ or storage _______________.

41. When the bandwidth coming into your company is being reduced and the space on one of your company servers is being aggressively reduced, this is a sign of downloading ____________ ____________.

42. You are a directory services administrator and use LDAP to create, search for, and find objects. The CISO has now written a policy requiring you to secure your session with the directory services. Therefore, you will use the ______ protocol and TCP port ____.

43. Security administrators can use ______ _________ to prevent anyone using a CD ROM or any other form of removable media to mitigate the risk of spreading a virus or stealing data.

44. Recently, data has been compromised from a mobile phone, and the CEO has asked the security team to come up with a solution to protect data at rest. The security team are going to use _____ _____ ____________ to protect the data at rest and ________ ______ to prevent access to the mobile phones.

45. There have been certificate trust errors for the company website. The security team is going to check that the certificate is _______ and has been added to the _________ ______ certification authorities store on the web server.

46. Over the past year, a hospital has lost about 25 laptops from the consultant's offices when they were visiting the patients during ward rounds. The security team has now rolled out ____________ to prevent the theft of these laptops.

47. A network team has rolled out ______ __________ to prevent unauthorized rogue DHCP servers from operating on the company network.

48. The CEO of a publishing company has told the IT team that they can no longer use FTP to download books as they need to adopt a protocol that can download large books securely. The chosen protocol was ______ as it is encrypted and uses two ports to download data.

49. A company has recently started using _______ to check the health of the remote user's laptop to ensure that they cannot spread a virus to the company's network.

50. The best method for sanitizing a hard drive is by ___________ it. However, the best way of disposing of paper documents containing PII information is to ________ them.

I suggest using two different-colored pens: blue or black or answers that are easy for you to identify and a red or different-colored pen for answers that you are unsure of. This way, you can identify your strong and weak areas.

Place the answers into the relevant answer boxes in the following table, starting with the answers that you can easily identify. Make a list of those that you cannot answer on your first time through, as you need to revise those areas. Then use logic to answer the remaining questions.

Insert the phrases at the end of this section into the appropriate answer boxes in the following table. Each phrase can only be used once:

Use the following options to answer the preceding questions:

Start off the mock exam with a clean sheet of paper and note down the questions that you cannot answer or are guessing at, because you need to revise those areas. When you take this test, follow these instructions:

DO:

• Read the questions carefully. Do not scan. Draw diagrams on questions you are unsure of.
• Rule out the wrong answers to leave the correct answer.
• When you get the answers down to two answers there is a 50-50 chance of being right. Read the question again and look for the finer detail that will make one of those selections a 60-40.

• Flag up for review (top-right of screen) the questions that you don't like. Do not answer them as the review screen shows those items in red. Don't waste time trying to work them out at this stage.
• Before ending your review, go down the columns left to right and ensure all questions have an answer.
• End review—check all questions and answers and then end the exam.

DON'T:

• Scan the questions, especially if English is not your first language
• Second guess yourself
• Change answers
• Re-read the whole exam if you have spare time

Answer the following questions:

1. The network administrator has received a support call from the CEO stating that he cannot download a book from the internet. The publisher is using an FTP server for the book download. The firewall rules are shown as follows:

• Inbound rules
• HTTP port 80 allow
• HTTPS port 443 allow
• DNS port 53 allow

Which of the following options prevents the download? Choose the BEST answer.

a. There is no allow rule for FTP traffic.
b. There is an explicit deny rule.
c. Implicit deny is preventing the download.
d. He needs to change the web browser to support FTP traffic.

2. The network security team have been informed by the customer services department that visitors in the waiting area keep plugging their laptops into a spare wall jack to obtain internet access. The network team realize that this is a security risk. What is the BEST solution to prevent this?

a. Ask customers to hand their laptops into reception when they arrive.
b. Enable 802.1x on the router to prevent internet access.
c. Place a sign in the waiting room.
d. Enable port security on the router to prevent internet access.
e. Enable port security on the switch.

3. A network administrator has just informed the cyber security team that he is going to set up network access control using host health checks without using a quarantined network. Which of the following best describes what will happen if a host is non-compliant?

a. The remote client will not be authenticated.
b. The remote client will be authenticated then the connection will drop.
c. The remote client will be authenticated.
d. The remote client will not be authenticated and the connection will be successful.

4. The network team have just installed another switch into the network and the network traffic is going extremely slowly. What can they do to ensure the traffic has less latency?

a. Use a packet sniffer to identify which traffic is going slowly and deny it access to the network.
b. Use spanning tree protocol to prevent looping.
c. Reduce the number of VLANs on the switch.
d. Use a network load balancer to balance the traffic.

5. The systems administrator went to a local shop for lunch and paid using a contactless payment method. Which of the following connection methods was he using to purchase lunch?

a. Wi-Fi
b. Cellular
c. NFC
d. KFC
e. Bluetooth

6. A network administrator is setting up a new VPN server and is using a CISCO VPN Series 3000 concentrator. What is the purpose of the VPN concentrator?

a. It increases the concurrent connections on the VPN.
b. It allows the VPN to connect to a RADIUS server.
c. It allows the VPN to connect to a TACACS+ server.
d. It establishes the secure sessions for the VPN.

7. Your company network has recently been attacked by remote users. The cyber security team need to use tools that will identify the established sessions so that they can be identified. Which of the following tools will show established sessions? Choose two.

a. Protocol analyzer
b. Netstat

c. Netcat (nc)
d. Tcpdump

8. During an internal audit, users complained that the quality of the videoconferencing has been intermittent. What is the BEST solution to ensure a better videoconferencing experience?

a. Ensure that they are using SRTP instead of RTP.
b. Use a VPN.
c. Put the voice traffic into a VLAN.
d. Use an iSCSi connector.

9. An exchange engineer has recommended that the mail server is upgraded as the current mail protocol does not keep a copy on the server. What mail protocol is being used?

a. POP 3
b. HTTPS
c. TLS
d. IMAP4
e. Webmail

10. The auditor has carried out an inspection of the finance department and has made recommendations, that the file server holding the financial data and the desktops of the financial department should use IPSec to secure the sessions between them. The network administrator has asked the security analyst what mode of IPSec should be used? What did the security analyst recommend?

a. IPSec in tunnel mode
b. IPSec in split tunnel mode
c. IPSec in transport mode
d. IPSec in full tunnel mode

11. What are the similarities and differences between a proxy server and a UTM firewall? Choose all that apply.

a. The proxy server can perform malware inspection.
b. The UTM can perform malware inspection.
c. The proxy server can perform URL filtering.
d. The UTM can perform URL filtering.
e. The proxy server can perform content filtering.
f. The UTM can perform content filtering.
g. The proxy server can perform web page caching.
h. The UTM can perform web page caching.

12. The system administrator has just installed a new finance application onto the financial director's laptop. The application will not run and the event viewer shows an error running the payroll.dll. What is the BEST solution to ensure that the application works?

a. Add the application to the whitelist.
b. Add the application to the blacklist.
c. Add the application's EXE file to the whitelist.
d. Add the DLL binary for the payroll application to the whitelist.
e. Remove the DLL binary for the payroll application from the blacklist.

13. A security administrator installed a new inline NIPS that has been inspecting all traffic flowing through it with great success. A medium sized packet flowing through the inline NIPS could not be inspected. What is the BEST reason that it could not be inspected?

a. The packet was not recognized by the NIPS
b. The packet was encrypted before arriving at the NIPS
c. The NIPS was using the wrong input filter
d. The NIPS had an exception rule for the packet

14. A cyber security team has carried out an audit of the mail server and has recommended that mail between the mail servers must not be monitored or captured by protocol analyzers. The mail must remain confidential. Which of the following protocols should the auditor recommend?

a. POP secure
b. IMAP secure
c. TLS
d. SSL
e. HTTPS

15. A company refurbishes a lecture theatre with state-of-the-art presentation equipment valued at over $25,000. What can the security administrator install to prevent the theft of the equipment from the theatre? Choose the BEST answer.

a. NFC
b. Geolocation
c. Asset tracking
d. Tagging

16. Which of the following authentication systems could allow a user access to a system while creating an access violation?

a. Smart card authentication
b. Username and password authentication

c. Biometric authentication
d. Federation services authenticated

17. The financial director stores credit card information on his laptop. Therefore, the cyber security team have installed full disk encryption to prevent exfiltration of this data. A DLP solution has also been installed to prevent PII and sensitive information such as credit cards from leaving the laptop via USB drive or email. What can be installed on his laptop to prevent remote attacks?

a. HIDS
b. HIPS
c. NIDS
d. NIPS

18. A company is removing its expensive lease line between London and Glasgow sites and is going to replace it with a VPN solution. What type of VPN will they use as a replacement and which mode is the BEST to use? Choose two.

a. L2TP/IPSec
b. IPSec transport mode
c. Always on mode
d. IPSec tunnel mode
e. Site-to-site VPN
f. PPTP VPN
g. SSL VPN

19. A network administrator needs to be alerted when new hosts join the network. Which of the following tools can help them to achieve this? Choose two.

a. HIDS
b. Nmap
c. Netstat
d. NIDS

20. The security administrator needs to purchase a new biometrics authentication system for a multinational corporation. Which of the following products will he decide is the BEST option to purchase?

a. Product A – low FAR
b. Product B – high FAR
c. Product C – high FRR

d. Product D – low FRR
e. Product E – low CER
f. Product F – high CER

21. The cyber security team have been collecting the security logs from all of the servers and network appliances and storing them in a WORM drive. Why have they chosen this type of drive? Select the MOST suitable answer.

a. It can be protected by a password.
b. It is a portable drive that can be locked away at night.
c. It is an industry-standard drive for cyber security.
d. The information cannot be altered.

22. A systems administrator for a large multinational company is replacing 1,000 hard drives from company desktops. Which of the following data sanitation tools should he use to destroy the data on the old hard drives?

a. Pulverizing
b. Degaussing
c. Low-level formatting
d. Shredding

23. A cyber security analyst obtained the following information:

John Scott 5f4dcc3b5aa765d61d8327deb882cf99

Which tool did the cyber security analyst use and what does it represent? Choose two.

a. It is his employee ID.
b. Packet sniffer.
c. Password hash.
d. Hash of his employee ID.
e. Password cracker.
f. Wireless scanner.

24. The backup operator backs up the company data on a daily basis. Which of the following is the fastest backup?

a. Full backup
b. Differential backup
c. Snapshot
d. Incremental backup

25. A SIEM system notifies the system administrator that a computer with a hardened operating system has a vulnerability. When a manual check is done, no vulnerabilities exist. Why is the system producing the wrong information? Choose the BEST two options.

a. The SIEM system is missing some system updates.
b. The SIEM system is using the incorrect input filters.
c. The host-based firewall is preventing monitoring.
d. The SIEM system is producing false negatives.
e. The SIEM system is producing false positives.

26. The cyber security team wish to prevent mobile devices from operating outside of the United Kingdom. What is the best way to achieve this?

a. Geolocation
b. GPS tracking
c. Context-aware authentication
d. All of the above

27. Your company has been very successful and has an enormous volume of web traffic coming to the company's web servers. However, the load balancer has failed and you are waiting for a replacement. What can we use to manage the web traffic coming in until a new load balancer arrives?

a. NAT server
b. Stateful firewall
c. Round robin
d. Stateless firewall

28. You are a systems administrator for a company hosting the G4 summit. Which of the following data sanitation tools should you use to destroy all of the paperwork used in the summit?

a. Shred
b. Burn
c. Pulverize
d. Pulp

29. An auditor from FAST carried out an audit of the company software and made three observations:

Which of the following BEST describes the auditor's recommendations?

a. Company policy violation
b. Overuse of licenses
c. License compliance violation
d. License compliance warning

30. There has been a number of successful cyber attacks on corporate websites where hackers have managed to steal credit card information. What is the BEST way for your cyber security team to discover the attack methods used?

a. Speak to a company that was attacked
b. Read bulletins from security websites
c. Set up a honeynet
d. Monitor the SQL database holding the information

31. An auditor was carrying out a network audit on the wireless network that was not broadcasting the SSID. He managed to use two different tools to discover the SSID. Which two tools did he use?

a. Tcpdump
b. SSID decloak device
c. Wireless scanner
d. Protocol analyzer
e. Packet sniffer

32. The backup operator backs up the company data on a daily basis. Which of the following is the fastest physical backup?

a. Full backup
b. Differential backup
c. Snapshot
d. Incremental backup

33. The network team have placed the voice traffic in a VLAN so that it is segmented from the rest of the network and has guaranteed bandwidth. The auditor has recommended that the voice traffic should be secured so that it cannot be monitored or captured by a protocol analyzer. Which of the following protocols should the network team select?

a. SCP
b. SFTP
c. SRTP
d. TLS

34. The cyber security team is rolling out new mobile phones that will hold sensitive company data. Which of the following is the BEST solution to protect the phones? Choose three.

a. Context-aware authentication
b. Strong password
c. Device encryption
d. TLS encryption
e. GPS tracking
f. Cable locks
g. Screen locks

35. Which of the following protocols should secure traffic in transit between two mail servers?

a. SSL
b. HTTPS
c. S/MIME
d. TLS

36. A sales person logged into the company VPN to download some files. During the download, the sales person went online to look at the availability for flights for next month. During this session, the company network was hacked by someone gaining access via the web browser. What was the vulnerability that caused the attack?

a. Man-in-the-browser attack
b. Man-in-the-middle attack
c. Split tunneling
d. Session hijacking

37. A member of the sales team managed to connect remotely to the company network, but then a few seconds later his laptop was placed in a quarantined network and was asked to contact the remediation server. Why was this done?

a. The remediation server must scan all incoming traffic to prevent a virus attack.
b. The sales person's password has just expired.
c. Network access control disabled the salesperson's account.
d. The device that the salesperson's logged in with was not fully patched.

38. A small company has only one wireless access point, but today nobody can connect to the network. What tool should the system administrator use to troubleshoot, and why is the wireless access point not working?

a. Protocol analyzer
b. Tcpdump
c. SSID decloak device
d. Wireless scanner

39. A company has over twelve wireless access points that need to be configured centrally. How will this be achieved with the minimum amount of effort?

a. Set up and roll out a group policy.
b. Use a fat wireless controller.
c. Update the wireless controllers using SSH.
d. Use a thin wireless controller.
e. Update the wireless access points using SNMP v 3.

40. A network administrator has just installed a new firewall and finds that traffic cannot flow through it. What is the default setting for a firewall? Choose the BEST two answers.

a. Allow only HTTP and HTTPS traffic.
b. Block all traffic.
c. Allow by exception.
d. The firewall is switched off and needs to be powered on.

41. A cyber security analyst needs to run a scan to discover the hostname, IP address, and missing patches on three separate servers without causing any damage to them. What is the BEST type of scan for him to use?

a. Intrusive scan
b. Non-credentialed scan
c. Credentialed scan
d. Active scan

42. The financial director has notified the IT director that employees have been emailing VISA credit card details to outside agencies. One of the programmers inserted a regular expression into an XML template, so that if any emails matches the following pattern, that mail will automatically get blocked:

^(?:4 [0-9] {12] (?: {0-9] {3} )?

What type of technology is being adopted to prevent the credit card details being emailed out?

a. DLR
b. NFX
c. NFC
d. DLP

43. What do a SIEM server and Kerberos have in common? Choose the BEST answer.

a. They work in real time.
b. You need admin rights to access them.
c. They require time synchronization with the atomic clock.
d. They are both Microsoft products.

44. The network administrator needs to ensure that the data passing through the inline NIPS is decrypted. Which of the following devices will he use to decrypt incoming packets?

a. Load balancer
b. Stateful firewall
c. Proxy server
d. Reverse proxy
e. UTM
f. WAF

45. A salesperson arrives at his hotel at 6:30 pm and realizes that he should have made a credit card payment today. He checks into his room and finds that the free Wi-Fi does not have any encryption. What is the BEST solution that he should take to ensure the payment is as secure as possible? Choose two, each providing part of the solution.

a. Connect to the hotel Wi-Fi.
b. Use a L2TP/IPSec VPN to connect to the credit card portal.
c. Tether his phone to his laptop.
d. Use SSL encryption to connect to the credit card portal.
e. Use a SSL VPN to connect to the credit card portal.

46. Your company has been very successful and has an enormous volume of web traffic coming to the company's web servers. What can you use to help manage the web requests in a timely fashion?

a. NAT server
b. Stateful firewall
c. UTM
d. Load balancer

47. What is the most common method of authentication? Choose two.

a. PIN
b. Password
c. CAC card
d. Username
e. Smart card
f. Biometrics

48. A person at a market stall advertises that he can unlock a mobile and add third-party applications to your phone without the vendor finding out. Which of the following options is he using to achieve this? Choose two.

a. Screen locks
b. Routing/jailbreaking
c. Degaussing
d. Third-party app store
e. Sideloading

49. Your company has been very successful and has an enormous volume of DDoS traffic coming to the company's web servers. What can you use to deal with the DDoS traffic? Choose the best answer.

a. NAT server
b. Stateful firewall
c. Load balancer
d. UTM

50. A network technician is going to set up a L2TP/IPSec VPN so that salespeople can remotely connect to the company offices. He needs to set up the VPN with the most secure protocol and the appropriate mode for its purpose. Which mode and encryption level with be used? Choose two.

a. IPS transport mode
b. Always on mode
c. IPSec tunnel mode
d. 3DES
e. AES
f. RS

The cheat sheet is a condensed format of the main facts that you need to know before taking the exam. We must learn the exam concepts and not just the answers to a bank of questions.

Access Control Lists (ACLs)

• Firewalls and routers use ACL. No allow rule means implicit deny.

Firewalls

• Unified Threat Management (UTM)– all in one URL and content filter
• Stateful firewall – inspect deep into the packet, including size and commands
• Stateful firewall – protects against DDoS attacks
• Web application firewall – protect the web server and web applications
• Host-based – only protects the local computer
• Network-based – only protects the network

Network Protection

• Network Intrusion Prevention System (NIPS) – additional layer of protection placed close to firewall
• Network Intrusion Detection System (NIDS) – detects changes in network, uses sensor and collectors, and alerts the NIPS
• Signature-based – work from a local database
• Anomaly-based – start with a database but can learn new patterns

Proxy Server

• URL filter
• Content filter
• Caches web pages

Reverse Proxy

• Authenticates incoming connections
• Decrypts incoming traffic

Load Balancer

• Deals with a high load of web traffic
• Sends traffic to the least utilized host
• Affinity – sends the host to the same web server
• Round robin – balances traffic using DNS A records

SIEM System

• Real-time monitoring
• Correlates events on the network
• Measures account lockout, even with attempts on different computers
• Needs the correct filter, otherwise false position

Tools

• Packet sniffer/protocol analyzer – analyze network traffic
• Banner grabbing – analyze web server
• Banner grabbing – three main tools: Telnet, Nmap, and Netcat (nc)
• Nmap – maps out whole network – identifies new hosts
• NAC – ensures network clients are fully patched
• DLP – prevents exfiltration of PII, sensitive information, or credit card details
• Mail gateway – filters out spam
• Wireless scanner – troubleshoots WAP problems
• Wireless scanner and SSID decloak device – finds the SSID even if it's disabled
• Password cracker – can find the hash of a password
• Honeypot – looks like a legitimate website with lower security
• Honeypot – analyzes attack methods being used

Data Sanitization Tools

• Hard drive – best to worst: shred, pulverize, then degauss
• Paper – best to worst: pulping then shredding
• Paper – classified – burn bag – destroy by third party – certificate given

Command-Line Tools

• Netstat – shows established connection
• Netcat (nc) – shows established connections on Linux
• Tcpdump – Linux packet analyzer
• Nslookup – troubleshoot DNS issues
• DIG – Linux – troubleshoot DNS issues

Mobile Devices

• Mobile device management – policies and management of mobile devices
• Download manager – controls download speed
• Remote wipe – lost or stolen devices – back to factory reset
• Camera – can record videoconferencing, conversations, or take pictures
• Protect access – screen locks and strong passwords
• Protect data at rest – FDE – Full Disk Encryption or small devices Full Device Encryption
• Containerization/storage segmentation – separates private and business data
• BYOD – needs AUP and on/offboarding policies
• Geofencing – prevent theft of devices
• Geolocation – shows the location of the device
• Carrier unlocking – jailbreaking/rooting followed by sideloading the app