
CompTIA Security+ SY0-201 Practice Questions: Assessment and Audits

This chapter provides practice questions, along with answers and explanations, for the Assessment and Audits section of the Security+ exam.
This chapter is from the book

To secure a network, it is important to identify the normal operating parameters so that you can recognize atypical variations from this baseline operational level. The first step toward minimizing the potential damage that may result from unauthorized access attempts is the detection and identification of an unauthorized intrusion. Intrusion detection requires a detailed understanding of all operational aspects of the network, along with a means to identify variations and bring these changes to the attention of the proper responsible parties. Auditing is done to protect the validity and reliability of organizational information and systems. As a security professional, you can audit a vast amount of data. Auditing can create a large repository of information that has to be filtered through. Monitoring can be as simple or complex as you want to make it. Many organizations monitor an extensive amount of information, whereas others may monitor little or nothing. As a prospective security professional, you should also take every opportunity you may find to expand your skill base beyond these basic foundational elements. The following list includes the key areas from Domain 4 that you need to master for the exam:

  • Conduct risk assessments and implement risk mitigation.
  • Carry out vulnerability assessments using common tools.
  • Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning.
  • Use monitoring tools on systems and networks and detect security-related anomalies.
  • Compare and contrast various types of monitoring methodologies.
  • Execute proper logging procedures and evaluate the results.
  • Conduct periodic audits of system security settings.

Practice Questions

Objective 4.1: Conduct risk assessments and implement risk mitigation.

1. Metrics for security baselines and hardening efforts rely on which of the following?
   A. Mitigation of threats and attacks
   B. Identification of security measures and policies
   C. Identification of vulnerability and risk
   D. Mitigation of vulnerability and risk
   Quick Answer: 229 / Detailed Answer: 232

2. When the risk of equipment loss is covered by a full-replacement insurance policy, which of the following best describes the risk?
   A. Accepted
   B. Transferred
   C. Eliminated
   D. Mitigated
   Quick Answer: 229 / Detailed Answer: 232

3. An organization removes legacy dial-up telephony modem devices to prevent war-dialing attacks. Which of the following best describes the risk?
   A. Accepted
   B. Transferred
   C. Eliminated
   D. Mitigated
   Quick Answer: 229 / Detailed Answer: 232

4. When an organization installs a firewall to prevent attacks, which of the following best describes the risk?
   A. Accepted
   B. Transferred
   C. Eliminated
   D. Mitigated
   Quick Answer: 229 / Detailed Answer: 232

5. When an organization decides the cost of an IDS is too expensive to implement, which of the following best describes the risk?
   A. Accepted
   B. Transferred
   C. Eliminated
   D. Mitigated
   Quick Answer: 229 / Detailed Answer: 232

6. Which of the following best describes the primary purpose of a risk assessment?
   A. To collect user logins and passwords for administrative purposes
   B. To scan the network to find and address vulnerabilities
   C. To properly store and protect personally identifiable information
   D. To identify existing threats and potential mitigation mechanisms
   Quick Answer: 229 / Detailed Answer: 233

7. Which of the following is the correct formula for calculating annual loss expectancy?
   A. SLE × ARO
   B. ALE × SLE
   C. ALE × ARO
   D. CLE × SLE
   Quick Answer: 229 / Detailed Answer: 233

8. Which of the following best describes how single loss expectancy is calculated?
   A. Loss prevented minus the total cost of the solution
   B. Asset value multiplied by the threat exposure factor
   C. Threat factor multiplied by potential vulnerability
   D. Annualized rate of occurrence multiplied by threat factor
   Quick Answer: 229 / Detailed Answer: 233

9. An organization has identified and reduced risk to a level that is comfortable and then implemented controls to maintain that level. Which of the following best describes this action?
   A. Risk management
   B. Risk acceptance
   C. Risk analysis
   D. Risk transference
   Quick Answer: 229 / Detailed Answer: 233

10. An organization identified risks, estimated the impact of potential threats, and identified ways to reduce the risk without the cost of the prevention outweighing the risk. Which of the following best describes this action?
   A. Risk management
   B. Risk acceptance
   C. Risk analysis
   D. Risk transference
   Quick Answer: 229 / Detailed Answer: 233

11. Which of the following best describes risk?
   A. Probability of threat exposure
   B. Cumulative loss expectancy
   C. Possibility of loss or danger
   D. Mitigation of loss or danger
   Quick Answer: 229 / Detailed Answer: 233

12. During the process of risk assessment, which of the following would be reviewed? (Select all correct answers.)
   A. Audit policies
   B. Access methods
   C. Financial records
   D. Hiring procedures
   Quick Answer: 229 / Detailed Answer: 234

13. Which of the following best describes return on investment?
   A. Estimating the impact of potential threats and identifying ways to reduce the risk
   B. Implemented controls to maintain a level of risk that is comfortable for the organization
   C. A measure of how effectively a company uses the money invested in its operations
   D. The ratio of money realized on an investment relative to the amount of money invested
   Quick Answer: 229 / Detailed Answer: 234

14. When the return on investment is calculated, if the result is a negative number, which of the following is true?
   A. Less money was spent than the loss prevented.
   B. More money was spent than the loss prevented.
   C. The money spent was not a worthwhile investment.
   D. The money spent was an excellent investment.
   Quick Answer: 229 / Detailed Answer: 234

15. Which of the following best describes exposure factor or probability?
   A. The weakness that allows an attacker to violate the integrity of a system
   B. The actual amount of loss prevented by implementing a total cost solution
   C. The percentage of loss that a realized threat could have on a certain asset
   D. The estimated possibility of a specific threat taking place in a one-year period
   Quick Answer: 229 / Detailed Answer: 234

Objective 4.2: Carry out vulnerability assessments using common tools.

1. Which of the following is a software utility that will scan a single machine or a range of IP addresses checking for a response on service connections?
   A. Port scanner
   B. Network mapper
   C. Protocol analyzer
   D. Vulnerability scanner
   Quick Answer: 229 / Detailed Answer: 235

2. Which of the following is a software utility that will scan a range of IP addresses testing for the presence of known weaknesses in software configuration and accessible services?
   A. Port scanner
   B. Network mapper
   C. Protocol analyzer
   D. Vulnerability scanner
   Quick Answer: 229 / Detailed Answer: 235

3. Which of the following is a software utility that is used on a hub, a switch supervisory port, or in line with network connectivity to allow the analysis of network communications?
   A. Port scanner
   B. Network mapper
   C. Protocol analyzer
   D. Vulnerability scanner
   Quick Answer: 229 / Detailed Answer: 235

4. Which of the following is a software utility that is used to conduct network assessments over a range of IP addresses and compiles a listing of all systems, devices, and hardware present within a network segment?
   A. Port scanner
   B. Network mapper
   C. Protocol analyzer
   D. Vulnerability scanner
   Quick Answer: 229 / Detailed Answer: 235

5. Which of the following best describes the purpose of OVAL?
   A. An abstract description for layered communications and computer network protocol design
   B. A family of standards dealing with local area networks and metropolitan area networks
   C. An international standard-setting body composed of representatives from various national standards organizations
   D. An international language for representing vulnerability information, allowing the development of vulnerability test tools
   Quick Answer: 229 / Detailed Answer: 235

6. An administrator working in the Department of Homeland Security needs to document standards for the assessment process of systems. Which of the following would be most useful to the administrator?
   A. OVAL
   B. IEEE
   C. ISO
   D. ISSA
   Quick Answer: 229 / Detailed Answer: 235

7. An organization wants to select an assessment tool for creating an inventory of services hosted on networked systems. Which of the following should the organization choose?
   A. Port scanner
   B. Network mapper
   C. Protocol analyzer
   D. Vulnerability scanner
   Quick Answer: 229 / Detailed Answer: 235

8. An organization wants to select an assessment tool that will examine individual protocols and specific endpoints. Which of the following should the organization choose?
   A. Port scanner
   B. Network mapper
   C. Protocol analyzer
   D. Vulnerability scanner
   Quick Answer: 229 / Detailed Answer: 236

9. An organization wants to select an assessment tool for checking particular versions and patch levels of a service. Which of the following should the organization choose?
   A. Port scanner
   B. Network mapper
   C. Protocol analyzer
   D. Vulnerability scanner
   Quick Answer: 229 / Detailed Answer: 236

10. An organization wants to select an assessment tool that will create graphical details suitable for reporting on network configurations. Which of the following should the organization choose?
   A. Port scanner
   B. Network mapper
   C. Protocol analyzer
   D. Vulnerability scanner
   Quick Answer: 229 / Detailed Answer: 236

11. An organization wants to select an assessment tool that will directly test user logon password strength. Which of the following should the organization choose?
   A. Password locker
   B. Password generator
   C. Password cracker
   D. Password keychain
   Quick Answer: 229 / Detailed Answer: 236

12. Which of the following best describes the difference between a port scanner and a vulnerability scanner?
   A. Port scanners only test for the availability of services; vulnerability scanners check for a particular version or patch level of a service.
   B. Port scanners compile a listing of all hardware present within a network segment; vulnerability scanners check for the availability of services.
   C. Vulnerability scanners only test for the availability of services; port scanners check for a particular version or patch level of a service.
   D. Vulnerability scanners compile a listing of all hardware present within a network segment; port scanners test for the availability of services.
   Quick Answer: 229 / Detailed Answer: 236

13. When using a password cracker to test mandatory complexity guidelines, which of the following should the password cracker provide?
   A. The password only
   B. The password and hash value
   C. The username and password
   D. The strength of the password
   Quick Answer: 229 / Detailed Answer: 237

14. An organization wants to select an assessment tool that will report information used to identify single points of failure. Which of the following should the organization choose?
   A. Port scanner
   B. Network mapper
   C. Protocol analyzer
   D. Vulnerability scanner
   Quick Answer: 229 / Detailed Answer: 237

15. Which of the following tools is often referred to as a packet sniffer?
   A. Port scanner
   B. Network mapper
   C. Protocol analyzer
   D. Vulnerability scanner
   Quick Answer: 229 / Detailed Answer: 237

Objective 4.3: Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning.

1. Which of the following is best described as a friendly attack against a network to test the security measures put into place?
   A. Vulnerability assessment
   B. Penetration test
   C. Security assessment
   D. Compliance test
   Quick Answer: 229 / Detailed Answer: 237

2. Which of the following are the most serious downsides to conducting a penetration test? (Select all correct answers.)
   A. They can cause some disruption to network operations.
   B. The help desk can be flooded by affected users.
   C. They can generate false data in IDS systems.
   D. External users can have difficulty accessing resources.
   Quick Answer: 229 / Detailed Answer: 237

3. Which of the following is true about inexperienced internal systems administrators performing penetration tests against the organizational network? (Select all correct answers.)
   A. It is a safe practice.
   B. It is a bad practice.
   C. It may be a violation of privacy laws.
   D. It does not violate any privacy laws.
   Quick Answer: 229 / Detailed Answer: 238

4. Which of the following is true about the relationship between vulnerability assessment and penetration testing?
   A. They are inversely related.
   B. They are contradictory.
   C. They are separate functions.
   D. They are complementary.
   Quick Answer: 229 / Detailed Answer: 238

5. Which of the following is the main security risk of penetration testing?
   A. It can conceal aggression that is unrelated to the test.
   B. It can affect user connectivity and resource access.
   C. It can disrupt the normal business environment.
   D. It can weaken the network’s security level.
   Quick Answer: 229 / Detailed Answer: 238

Objective 4.4: Use monitoring tools on systems and networks and detect security-related anomalies.

1. Which of the following would most likely be used as a troubleshooting tool to tell whether a route is available to a host?
   A. tracert
   B. netstat
   C. nslookup
   D. ping
   Quick Answer: 230 / Detailed Answer: 238

2. Which of the following would most likely be used as a troubleshooting tool in a Windows environment to test the connectivity path a packet takes to arrive at the destination?
   A. tracert
   B. netstat
   C. nslookup
   D. ping
   Quick Answer: 230 / Detailed Answer: 238

3. Which of the following would most likely be used to troubleshoot a Domain Name System (DNS) server database?
   A. tracert
   B. netstat
   C. nslookup
   D. ping
   Quick Answer: 230 / Detailed Answer: 238

4. Which of the following would most likely be used to display all the ports on which the computer is currently listening?
   A. tracert
   B. netstat
   C. nslookup
   D. ping
   Quick Answer: 230 / Detailed Answer: 239

5. Which of the following is used in a Windows environment to verify the Transmission Control Protocol/Internet Protocol (TCP/IP) configuration?
   A. traceroute
   B. ipconfig
   C. netstat
   D. ifconfig
   Quick Answer: 230 / Detailed Answer: 239

6. Which of the following is the most likely reason the ping command returns a time-out when trying to contact an external host?
   A. The host is unavailable.
   B. DNS traffic is blocked.
   C. The host network is unavailable.
   D. ICMP traffic is blocked.
   Quick Answer: 230 / Detailed Answer: 239

7. Which of the following best describes benchmarking?
   A. A measuring of normal activity
   B. The improving of system performance
   C. Determining how much load a server can handle
   D. Spreading work between two or more computers
   Quick Answer: 230 / Detailed Answer: 239

8. Which of the following best describes a baseline?
   A. A measure of normal activity
   B. The improvement of system performance
   C. A comparison of how much load a server can handle
   D. The distribution of work between two or more computers
   Quick Answer: 230 / Detailed Answer: 239

9. Which of the following protocols is used by the ping utility?
   A. ICMP
   B. SNMP
   C. SMTP
   D. NNTP
   Quick Answer: 230 / Detailed Answer: 239

10. Which of the following is used for tracking and viewing the utilization of operating system resources?
   A. Event Viewer
   B. Performance console
   C. Network Monitor
   D. Task Manager
   Quick Answer: 230 / Detailed Answer: 239

11. Which of the following is used for system monitoring by allowing an administrator to view actions that occur on the system?
   A. Event Viewer
   B. Performance console
   C. Network Monitor
   D. Task Manager
   Quick Answer: 230 / Detailed Answer: 240

12. Which of the following is Microsoft’s version of a protocol analyzer that comes with Windows Server operating systems?
   A. Event Viewer
   B. Performance console
   C. Network Monitor
   D. Task Manager
   Quick Answer: 230 / Detailed Answer: 240

13. Which of the following gives you an instant history view of CPU and memory usage?
   A. Event Viewer
   B. Performance console
   C. Network Monitor
   D. Task Manager
   Quick Answer: 230 / Detailed Answer: 240

14. The network administrator for the organization attempts to access the security log in Event Viewer on the file server, but the log file does not contain any entries. Which of the following is the most likely reason the security log is missing?
   A. Logging is not enabled.
   B. The security log is not shared.
   C. Auditing is not enabled.
   D. The security log is not stored on the server.
   Quick Answer: 230 / Detailed Answer: 240

15. Which of the following is an application layer protocol used to collect statistics from TCP/IP devices?
   A. ICMP
   B. SNMP
   C. SMTP
   D. NNTP
   Quick Answer: 230 / Detailed Answer: 240

16. At which of the following levels should the operating system be monitored to detect rootkits?
   A. Kernel
   B. Network
   C. Application
   D. Shell
   Quick Answer: 230 / Detailed Answer: 240

17. An organization is concerned about unauthorized users attempting to access network resources. Which of the following tools will the organization use to monitor user access activity?
   A. Event Viewer
   B. Performance console
   C. Network Monitor
   D. Task Manager
   Quick Answer: 230 / Detailed Answer: 240

18. An organization is concerned about high I/O and CPU usage on the servers. Which of the following tools will the organization use to monitor resource activity?
   A. Event Viewer
   B. Performance console
   C. Network Monitor
   D. Task Manager
   Quick Answer: 230 / Detailed Answer: 241

19. An organization is concerned about high memory and CPU usage on the local user machines. Which of the following tools will the organization use to spot check resource activity?
   A. Event Viewer
   B. Performance console
   C. Network Monitor
   D. Task Manager
   Quick Answer: 230 / Detailed Answer: 241

20. An organization is having internal network connectivity issues and would like to implement a packet sniffer. Which of the following tools will the organization use to conduct this activity?
   A. Event Viewer
   B. Performance console
   C. Network Monitor
   D. Task Manager
   Quick Answer: 230 / Detailed Answer: 241

21. Several users appear to be having internal network connectivity issues. The systems administrator is not exactly sure where the problem lies. Upon going to a workstation and opening a command prompt, which of the following commands would most likely be typed first?
   A. tracert
   B. netstat
   C. nslookup
   D. ipconfig
   Quick Answer: 230 / Detailed Answer: 241

22. The users appear to be having connectivity issues to a vendor’s web hosted application. The systems administrator is not exactly sure where the problem lies. Upon going to a workstation and opening a command prompt, which of the following commands would most likely be typed first?
   A. tracert
   B. netstat
   C. nslookup
   D. ipconfig
   Quick Answer: 230 / Detailed Answer: 241

23. No one seems to be able to contact the intranet using DNS names but the intranet can be contacted by using the IP address. After opening a command prompt, which of the following commands would most likely be typed first?
   A. tracert
   B. netstat
   C. nslookup
   D. ipconfig
   Quick Answer: 230 / Detailed Answer: 241

24. A user reports slowness and intermittent odd activity on their workstation. After opening a command prompt, which of the following commands would most likely be typed first?
   A. tracert
   B. netstat
   C. nslookup
   D. ipconfig
   Quick Answer: 230 / Detailed Answer: 241

25. Which of the following is true about baselines? (Select all correct answers.)
   A. An initial baseline should be done for the network but not applications.
   B. Baselines must be updated on a regular basis.
   C. Baselines do not need to be updated when new technology is added.
   D. Baselines must be updated when the network has changed.
   Quick Answer: 230 / Detailed Answer: 242

Objective 4.5: Compare and contrast various types of monitoring methodologies.

1. Which of the following best describes behavior-based monitoring?
   A. Looks at patterns of access that have been established
   B. Looks at the way certain executable files make a computer act
   C. Looks for specific byte sequences that appear in attack traffic
   D. Looks for traffic behavior that is new or unusual
   Quick Answer: 230 / Detailed Answer: 242

2. Which of the following best describes anomaly-based monitoring?
   A. Looks at patterns of access that have been established
   B. Looks at the way certain executable files make a computer act
   C. Looks for specific byte sequences that appear in attack traffic
   D. Looks for traffic behavior that is new or unusual
   Quick Answer: 230 / Detailed Answer: 242

3. Which of the following best describes signature-based monitoring?
   A. Looks at patterns of access that have been established
   B. Looks at the way certain executable files make a computer act
   C. Looks for specific byte sequences that appear in attack traffic
   D. Looks for traffic behavior that is new or unusual
   Quick Answer: 230 / Detailed Answer: 242

4. An organization is concerned about buffer overflow attacks. Which of the following monitoring methods will best suit the organization?
   A. Signature-based monitoring
   B. Anomaly-based monitoring
   C. Performance-based monitoring
   D. Behavior-based monitoring
   Quick Answer: 230 / Detailed Answer: 243

5. An organization is concerned about internal misuse. Which of the following monitoring methods will best suit the organization?
   A. Signature-based monitoring
   B. Anomaly-based monitoring
   C. Performance-based monitoring
   D. Behavior-based monitoring
   Quick Answer: 230 / Detailed Answer: 243

6. An organization is concerned about system compromises from older known attacks on unpatched systems. Which of the following monitoring methods will best suit the organization?
   A. Signature-based monitoring
   B. Anomaly-based monitoring
   C. Performance-based monitoring
   D. Behavior-based monitoring
   Quick Answer: 230 / Detailed Answer: 243

7. An organization wants to implement a monitoring solution that returns few false positives and does not use a lot of system resources. Which of the following monitoring methods will best suit the organization?
   A. Signature-based monitoring
   B. Anomaly-based monitoring
   C. Performance-based monitoring
   D. Behavior-based monitoring
   Quick Answer: 230 / Detailed Answer: 243

8. An organization wants to implement a monitoring solution that can be used in a mixed operating system environment and is not dependent on OS-specific mechanisms. Which of the following monitoring methods will best suit the organization?
   A. Signature-based monitoring
   B. Anomaly-based monitoring
   C. Performance-based monitoring
   D. Behavior-based monitoring
   Quick Answer: 230 / Detailed Answer: 243

9. An organization wants to implement a monitoring solution that includes video surveillance. Which of the following monitoring methods will best suit the organization?
   A. Signature-based monitoring
   B. Anomaly-based monitoring
   C. Performance-based monitoring
   D. Behavior-based monitoring
   Quick Answer: 230 / Detailed Answer: 243

10. An organization wants to implement a monitoring solution that does not require a lot of software updating and can be self-learning. Which of the following monitoring methods will best suit the organization?
   A. Signature-based monitoring
   B. Anomaly-based monitoring
   C. Performance-based monitoring
   D. Behavior-based monitoring
   Quick Answer: 230 / Detailed Answer: 244

11. An organization wants to implement a monitoring solution that returns a low number of false positives. Which of the following monitoring methods will best suit the organization?
   A. Signature-based monitoring
   B. Anomaly-based monitoring
   C. Performance-based monitoring
   D. Behavior-based monitoring
   Quick Answer: 230 / Detailed Answer: 244

12. An organization that issues credit cards requires spending profiles for its customers. Which of the following monitoring methods will best suit the organization?
   A. Signature-based monitoring
   B. Anomaly-based monitoring
   C. Performance-based monitoring
   D. Behavior-based monitoring
   Quick Answer: 230 / Detailed Answer: 244

13. An organization requires a monitoring solution that determines whether a program is malicious by inspecting the stream of system calls that the program issues to the operating system. Which of the following monitoring methods will best suit the organization?
   A. Signature-based monitoring
   B. Anomaly-based monitoring
   C. Performance-based monitoring
   D. Behavior-based monitoring
   Quick Answer: 230 / Detailed Answer: 244

14. Which of the following are disadvantages of using a behavior-based monitoring solution? (Select all correct answers.)
   A. The rule sets need constant updating.
   B. It can generate false positives.
   C. File checking is quite slow.
   D. It is based on passive monitoring.
   Quick Answer: 230 / Detailed Answer: 244

15. Which of the following are disadvantages of using a signature-based monitoring solution? (Select all correct answers.)
   A. The rule sets need constant updating.
   B. It can generate false positives.
   C. File checking is quite slow.
   D. It is based on passive monitoring.
   Quick Answer: 230 / Detailed Answer: 244

16. Which of the following are advantages of using a behavior-based monitoring solution? (Select all correct answers.)
   A. Can monitor for malware activities
   B. Triggers a low number of false positives
   C. Can identify polymorphic viruses
   D. Uses very few system resources
   Quick Answer: 230 / Detailed Answer: 245

17. Which of the following are advantages of using a signature-based monitoring solution? (Select all correct answers.)
   A. Can monitor for malware activities
   B. Triggers a low number of false positives
   C. Can identify polymorphic viruses
   D. Uses very few system resources
   Quick Answer: 230 / Detailed Answer: 245

18. An organization requires a monitoring solution for a highly secure environment in which the individual use patterns for each user profile can be identified. Which of the following monitoring methods will best suit the organization?
   A. Signature-based monitoring
   B. Anomaly-based monitoring
   C. Performance-based monitoring
   D. Behavior-based monitoring
   Quick Answer: 230 / Detailed Answer: 245

19. Which of the following types of attacks are anomaly-based monitoring solutions best at detecting? (Select all correct answers.)
   A. DoS attacks based on payloads
   B. Protocol and port exploitation
   C. Documented malicious software
   D. Known intrusive activity
   Quick Answer: 230 / Detailed Answer: 245

20. Which of the following types of attacks are signature-based monitoring solutions best at detecting? (Select all correct answers.)
   A. DoS attacks based on payloads or volume
   B. Protocol and port exploitation
   C. Documented malicious software
   D. Known intrusive activity
   Quick Answer: 230 / Detailed Answer: 245

Objective 4.6: Execute proper logging procedures and evaluate the results.

1. Which of the following best describes system logging?

A. The process of measuring the performance of a network
B. The process of collecting data to be used for monitoring
C. The process of tracking users and actions on the network
D. The process of observing the state of a system

Quick Answer: 230
Detailed Answer: 245

2. To get an accurate view of a network, which of the following must precede logging?

A. Baselining
B. Auditing
C. Monitoring
D. Archiving

Quick Answer: 230
Detailed Answer: 245

3. Which of the following best describes the way logging should be implemented?

A. Only the user events should be logged.
B. Only pertinent events should be logged.
C. All events should be logged so nothing is missed.
D. Nothing should be logged until there is a need for it.

Quick Answer: 230
Detailed Answer: 245

4. Which of the following would be considered a best practice for improved server performance when deciding where to store log files?

A. Store in the system directory of a machine in the DMZ
B. Store in the system directory on the local machine
C. Store on a nonsystem striped or mirrored disk volume
D. Store on a nonsystem disk volume on the local machine

Quick Answer: 230
Detailed Answer: 246

5. Which of the following would be considered a best security practice when deciding where to store log files?

A. Stored in the system directory on the local machine
B. Stored in a data directory on a server in the Intranet
C. Stored in the system directory of a machine in the DMZ
D. Stored in a centralized repository of an offline volume

Quick Answer: 230
Detailed Answer: 246

6. An organization requires the implementation of an enterprise application logging strategy. Which of the following would be a critical analysis consideration when choosing a solution?

A. A proprietary custom-built solution
B. Already built-in application logging solutions
C. A solution that uses standard protocols and formats
D. A variety of solutions that each use different formats

Quick Answer: 230
Detailed Answer: 246

7. An organization chooses to implement a manual application logging strategy and desires to use a format that can readily be parsed. Which of the following formats will meet the organizational requirements?

A. CSV
B. HTML
C. TXT
D. SQL

Quick Answer: 230
Detailed Answer: 246

8. Application logging standards should be implemented for the types of events the organization logs based on which of the following? (Select all correct answers.)

A. User requirements
B. Vendor requirements
C. Business requirements
D. Regulatory requirements

Quick Answer: 230
Detailed Answer: 246

9. Which of the following is pertinent in addition to reading the log files?

A. Knowing how to correlate events
B. Knowing how to parse log files
C. Knowing how to delete events
D. Knowing how to export log files

Quick Answer: 230
Detailed Answer: 246

10. Internet Information Services (IIS) logs can be used for which of the following purposes? (Select all correct answers.)

A. Assess content
B. Identify bottlenecks
C. End processes
D. Investigate attacks

Quick Answer: 230
Detailed Answer: 246

11. Which of the following most accurately describes best practice for using Microsoft DNS logging?

A. Only the user events should be logged.
B. Only pertinent events should be logged.
C. All events should be logged so nothing is missed.
D. Nothing should be logged until there is a need for it.

Quick Answer: 230
Detailed Answer: 246

12. Which of the following would be the first place an administrator would look when troubleshooting Microsoft DNS-related issues?

A. The DNS debug log file
B. The Event Viewer DNS server log file
C. Syslog channel log.msgs
D. The Event Viewer Application log file

Quick Answer: 230
Detailed Answer: 246

13. Which of the following would be the first place an administrator would look when troubleshooting UNIX- or Linux-based systems?

A. Mtools.conf
B. Msconfig
C. Event Viewer
D. Syslogd

Quick Answer: 230
Detailed Answer: 247

14. Which of the following would be considered best practices for system logging? (Select all correct answers.)

A. For easy compilation, keep log files in plain text.
B. When permissible, encrypt the log files.
C. Store log files on a stand-alone system.
D. Store log files on individual system data partitions.

Quick Answer: 230
Detailed Answer: 247

15. Which of the following would an administrator use to end applications that get hung up without having to reboot the machine?

A. Network Monitor
B. Task Manager
C. Event Viewer
D. Performance Console

Quick Answer: 230
Detailed Answer: 247

16. Which of the following would provide information for troubleshooting remote-access policy issues?

A. Internet Information Services logging
B. Critical and error level logging
C. Authentication and accounting logging
D. Event Viewer Application logging

Quick Answer: 230
Detailed Answer: 247

17. Which of the following are events in the firewall log that require additional examination? (Select all correct answers.)

A. Traffic on port 25
B. HTTP traffic
C. Blocked attempts
D. Suspicious signatures

Quick Answer: 230
Detailed Answer: 247

18. The organizational firewall log shows repeated traffic to port 53. This could be an indication of which of the following types of attacks? (Select all correct answers.)

A. Cross-site scripting
B. Denial of service
C. Distributed denial of service
D. SQL injection

Quick Answer: 230
Detailed Answer: 247

19. Which of the following types of logging events are most commonly found in antivirus software? (Select all correct answers.)

A. Updates
B. Dropped packets
C. Quarantined viruses
D. Update history

Quick Answer: 230
Detailed Answer: 247

20. An organization primarily contracts workers and is concerned about remote-access usage and remote authentication attempts. Which of the following would the organization implement to track this type of activity?

A. Firewall logging
B. RRAS logging
C. IIS logging
D. System logging

Quick Answer: 230
Detailed Answer: 247

Objective 4.7: Conduct periodic audits of system security settings.

1. Which of the following best describes auditing?

A. The process of measuring the performance of a network
B. The process of collecting data to be used for monitoring
C. The process of tracking users and actions on the network
D. The process of observing the state of a system

Quick Answer: 231
Detailed Answer: 248

2. Which of the following are unintended consequences when auditing is not clear-cut or built around the organizational goals and policies? (Select all correct answers.)

A. Irrelevant information is gathered.
B. Important security events are deleted.
C. User hard drives quickly run out of space.
D. System administrators have reduced workloads.

Quick Answer: 231
Detailed Answer: 248

3. A systems administrator is tasked with auditing user privileges. Which of the following steps must be taken? (Select two correct answers.)

A. Enable logging within the operating system.
B. Enable auditing within the operating system.
C. Specify the resources to be audited.
D. Specify the audit file storage directory.

Quick Answer: 231
Detailed Answer: 248

4. An organization has primarily contract workers and is concerned about unauthorized and unintentional access on these accounts. Which of the following would the organization audit to track this type of activity?

A. Group policies
B. Retention policies
C. DHCP events and changes
D. Access use and rights changes

Quick Answer: 231
Detailed Answer: 248

5. Which of the following are user rights used by processes? (Select all correct answers.)

A. Process tracking
B. Create a token object
C. Bypass traverse checking
D. Account management

Quick Answer: 231
Detailed Answer: 248

6. Which of the following is true about the auditing of failed logon events and successful login events?

A. Only failed events should be audited.
B. Only successful events should be audited.
C. Both successful and failed events should be audited.
D. Neither one should be audited unless absolutely necessary.

Quick Answer: 231
Detailed Answer: 248

7. Which of the following best describes the activity that involves collecting information used for monitoring and reviewing purposes?

A. Auditing
B. Logging
C. Baselining
D. Inspecting

Quick Answer: 231
Detailed Answer: 248

8. Which of the following best describes the unintended consequence of turning on all auditing counters for all objects?

A. Reduced user productivity
B. Reduced I/O activity on user machines
C. Reduced administrative overhead
D. Reduced server performance

Quick Answer: 231
Detailed Answer: 248

9. Which of the following would an organization include in its retention and disposal policies? (Select all correct answers.)

A. Security evaluations
B. Commercial software manuals
C. Operational documentation
D. Vendor user manuals

Quick Answer: 231
Detailed Answer: 249

10. Which of the following most accurately describes the maintenance of data-retention and storage policies?

A. Once in place, they are good for many years.
B. They need to be updated on a monthly basis.
C. They need to be updated on a quarterly basis.
D. They need to be updated when business goals change.

Quick Answer: 231
Detailed Answer: 249

11. An organization does not have a data-retention policy in place when it becomes involved in a lawsuit. Many of the employees have kept emails for a period of up to ten years. As a general rule, which of the following is true about the discovery of these emails?

A. All are discoverable regardless of time frame or format.
B. None are discoverable because they are electronic format.
C. They are discoverable only going back three years.
D. Only the emails the organization deems necessary are discoverable.

Quick Answer: 231
Detailed Answer: 249

12. Which of the following are pertinent for an organization to review before formulating data-retention policy? (Select all correct answers.)

A. ISP requirements
B. Regulatory requirements
C. User requirements
D. Business requirements

Quick Answer: 231
Detailed Answer: 249

13. Which of the following best describes how settings will actually be applied to an object in a group policy?

A. Individually applied to the object and only from the last policy
B. A combination of all the settings that can affect the object
C. Only from settings within the domain where the object is located
D. A combination of only local group policies that affect the object

Quick Answer: 231
Detailed Answer: 249

14. An administrator is attempting to resolve some issues with multiple group policies on several computers. Which of the following tools would be used to script GPO troubleshooting of multiple computers?

A. Gpupdate
B. Gpresult
C. Resultant Set of Policy
D. Group Policy object

Quick Answer: 231
Detailed Answer: 249

15. Which of the following tools is used to review the effects of Group Policy settings on a particular computer?

A. Resultant Set of Policy
B. Group Policy object
C. Gpupdate
D. Local Security settings

Quick Answer: 231
Detailed Answer: 249

16. An organization is concerned with knowing about any unusual activity that would indicate modification to the local security authority (LSA). Which of the following event categories should be audited?

A. Audit success events in the account management
B. Success events in the policy change on domain controllers
C. Success and failure events in the system events
D. Audit success events in the logon event category

Quick Answer: 231
Detailed Answer: 250

17. An organization is concerned with unusual activity indicating that an intruder is attempting to gain access to the network. Which of the following event categories should be audited?

A. Audit success events in the account management
B. Success events in the policy change on domain controllers
C. Success and failure events in the system events
D. Audit success events in the logon event category

Quick Answer: 231
Detailed Answer: 250

18. An organization wants to verify changes that are made to user account and group properties. Which of the following event categories should be audited?

A. Audit success events in the account management
B. Success events in the policy change on domain controllers
C. Success and failure events in the system events
D. Audit success events in the logon event category

Quick Answer: 231
Detailed Answer: 250

19. An organization wants a record of when each user logs on to or logs off from any computer. Which of the following event categories should be audited?

A. Audit success events in the account management event
B. Success events in the policy change on domain controllers
C. Success and failure events in the system events
D. Audit success events in the logon event category

Quick Answer: 231
Detailed Answer: 250

20. An organization wants to verify when users log on to or log off from the domain. Which of the following event categories should be audited?

A. Audit success events in the account management event
B. Success events in the policy change on domain controllers
C. Success events in the account logon on domain controllers
D. Audit success events in the logon event category

Quick Answer: 231
Detailed Answer: 250
