Questions Internet

The document consists of a series of questions and answers related to cybersecurity concepts, including social engineering attacks, digital certificates, PKI trust models, and security practices for SCADA systems. Each question is accompanied by explanations that clarify the correct answers and the reasoning behind them. The content is structured to align with specific domains and objectives within cybersecurity education.

QUESTION 1

Frank was contacted by phone by a person claiming to be an executive vice president urgently
requesting that his password be reset. He insisted on the security urgency at hand and informed
Frank that his supervisor would be contacted unless he complied immediately. Frank suspected
that this was a social engineering attack. Which principles of human manipulation did the
attacker attempt on Frank? Choose three.

- Authority
- Fright
- Intimidation
- Urgency
- Scarcity
- Trust

Explanation: Authority is a doubly correct answer here because the call is made by someone
impersonating an authority figure but also because of the threat to contact Frank’s supervisor.
The intimidation consists of the threat to contact Frank’s supervisor. Urgency is referenced
twice, so it clearly belongs among the correct choices. Neither trust nor scarcity applies in this
scenario, and Fright is a nonsense distractor, as it is not a recognized category of human
manipulation for social engineering.

Answer: Authority – Intimidation – Urgency

This question falls under Main Domain 2.0 Threats, Vulnerabilities, and Mitigations, and
sub-objective 2.2 Explain common threat vectors and attack surfaces.

QUESTION 2

Alina works for a company whose domains are .domain.com and .domain.org. She has been
tasked to acquire a digital certificate that will cover these domains as well as all the subdomains
these main domains have.

Which of the following certificates would best fulfill the requirements?

- Domain validation digital certificate
- Wildcard digital certificate
- SAN
- NAXX

Explanation: A Subject Alternative Name (SAN) allows different values to be associated with a
single certificate. A SAN allows a single digital certificate to specify additional host names to be
protected by that one certificate. It also allows a certificate to cover multiple IP addresses. A
wildcard digital certificate can protect all first-level subdomains on an entire domain, but it
cannot apply to different domains, so it cannot fulfill Alina’s requirements. A domain validation
digital certificate will verify the identity of the entity that has control over a given domain name.
NAXX is the nonsense distractor.

Answer: SAN

This question falls under Main Domain 4.0 Security Operations and sub-objective 4.1 Given a
scenario, apply common security techniques to computing resources.

QUESTION 3

Which PKI trust model assigns a single hierarchy with one master CA called the root, who signs
all digital certificate authorities with a single key?

- Distributed trust model.
- Bridge trust model.
- Hierarchical trust model.
- Centralized trust model.

Explanation: A hierarchical trust model assigns a single hierarchy with one master CA called the
root, who signs all digital certificate authorities with a single key. The distributed trust model
has multiple CAs that sign digital certificates. With the bridge trust model, no single CA signs
digital certificates, and yet the CA acts as a facilitator to interconnect all other CAs. Centralized
trust model.

Answer: Hierarchical trust model.

This question falls under Main Domain 1.0 General Security Concepts and sub-objective 1.4
Explain the importance of using appropriate cryptographic solutions.

QUESTION 4

What is the primary distinction between a Certificate Policy (CP) and a Certificate Practice
Statement (CPS)?

- A CP describes how end-users register for a digital certificate.
- A CPS is a published set of rules that govern the operation of a PKI.
- A CPS governs the operation of intermediate CA.
- A CP provides recommended baseline security requirements for the use and operation
  of PKI components.

Explanation: A CP is a set of rules that provide recommended baseline security requirements
for the use and operation of PKI components, while a CPS is a more technical document that
describes how the CA uses and manages certificates.

Answer: A CP provides recommended baseline security requirements for the use and operation
of PKI components.

This question falls under Main Domain 1.0 General Security Concepts, and sub-objective 1.4
Explain the importance of using appropriate cryptographic solutions.

QUESTION 5

Several steps can be taken to harden SCADA and ICS systems. Which of the following is not such
a step?

- As much as possible rely on proprietary protocols to protect the network.
- Establish clear policies and conduct training around the policies.
- Test to identify and evaluate possible attack scenarios.
- Remove or disable unnecessary services.
- Identify all connections to SCADA networks.

Explanation: For proprietary protocols, the users are dependent on the company to fix
vulnerabilities, and if the company does not prioritize security, users might be at risk. In such a
situation your organization finds itself in the hands of the company that owns the protocol, and
so you relinquish some level of control over your own cybersecurity. This is not a good way to
harden your systems. All the other answers show steps that will contribute to hardening SCADA
and ICS systems. The two acronyms stand for the following: industrial control systems (ICSs)
enable machines to control devices such as valves, pumps, and motors without human
involvement. Multiple ICSs are managed by Supervisory Control and Data Acquisition (SCADA).

Answer: As much as possible rely on proprietary protocols to protect the network.

This question falls under Main Domain 3.0 Security Architecture and sub-objective 3.1 Compare
and contrast security implications of different architecture models.

QUESTION 6

You have been tasked to configure the VPN to preserve bandwidth. Which configuration would
you choose?

- Point-to-Point Tunneling
- Secure Socket Tunneling
- Full tunnel
- Split tunnel

Explanation: In a split tunnel configuration, only traffic destined for the corporate network is
sent through the Virtual Private Network (VPN) tunnel. All other traffic, such as internet
browsing, goes directly to the internet without passing through the VPN tunnel. This
configuration preserves bandwidth as it doesn’t route unnecessary traffic through the corporate
VPN. The full tunnel configuration has all traffic sent to the VPN so it does not minimize traffic.
Neither Point-to-Point Tunneling nor Secure Socket Tunneling is a tunnel configuration; both
are protocols.

Answer: Split tunnel

This question falls under Main Domain 3.0 Security Architecture and sub-objective 3.2 Given a
scenario, apply security principles to secure enterprise infrastructure.

QUESTION 7

When it comes to cloud computing and security, which of the following statements are correct?
Choose two.

- Secrets management allows for improved administration of SaaS platforms.
- SSE is the security component of SASE that unifies all security services, including WANs.
- A SWG can be placed on endpoints, at the edge but not in the cloud.
- A SASE includes SWG, CASB, ZTA, and SSE technologies.

Explanation: An SWG can be placed on endpoints, at the edge, and also in the cloud. An
SSE does not include WAN technologies. Secrets management A SASE does not include SSE
technologies. The many acronyms used in this question stand for: Secure Access Service Edge
(SASE), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust
Architecture (ZTA), Security Service Edge (SSE), Software as a Service (SaaS), and Wide Area
Network (WAN).

Answer: Secrets management allows for improved administration of a microservices-based
architecture.

This question falls under Main Domain 3.0 Security Architecture and sub-objective 3.2 Given a
scenario, apply security principles to secure enterprise infrastructure.

QUESTION 8

Which of the following is not a characteristic of a vulnerability scan?

- It, on occasion, will gain unauthorized access and exploit vulnerabilities.
- Its purpose is to reduce the attack surface.
- Its objective is to identify risks by scanning systems and networks.
- It is typically performed by internal security personnel.

Explanation: Gaining unauthorized access to exploit vulnerabilities is an objective of
penetration testing and not of a vulnerability scan. The three other characteristics are those of a
vulnerability scan.

Answer: It, on occasion, will gain unauthorized access and exploit vulnerabilities.

This question falls under Main Domain 5.0 Security Program Management and Oversight and
sub-objective 5.5 Explain types and purposes of audits and assessments.

QUESTION 9

A method used for improved redundancy is to put in place a server cluster. There are two kinds
of server clusters: symmetric and asymmetric. Which of the following is true about
asymmetrical clusters?

- The standby server performs useful work in addition to supporting a failed server.
- The standby server performs no useful work other than to be ready if it is needed.
- The standby server launches a copy of the virtual machine to the failed server.
- Virtualization dramatically increases the number of server clusters that are needed for
  server redundancy.

Explanation: Only in asymmetrical clusters does the standby server perform useful work in
addition to supporting a failed server. The question applies to symmetrical clusters and on those
the standby machine just stands by. The statement "Virtualization dramatically increases the
number of server clusters that are needed for server redundancy" is untrue. Because a
virtualized image can rapidly be moved to another physical server, the need for large physical
clusters is now actually lessened. "The standby server launches a copy of the virtual machine to
the failed server" is the nonsense distractor.

Answer: The standby server performs no useful work other than to be ready if it is needed.

This question falls under Main Domain 5.0 Security Program Management and Oversight and
sub-objective 5.2 Explain elements of the risk management process.

QUESTION 10

Below is a description of IT assets typically found in modern enterprises. Which of these has the
highest value and therefore justifies the most significant effort to secure?

- Operating System that provides the foundation for application software.
- Custom-made order fulfillment system.
- Servers, routers, and power supplies.
- Sales, marketing, production, and finance databases.

Explanation: The proprietary databases contain the most unique data and therefore would be
the hardest assets to replace should they be lost. Next is the custom-made order fulfillment
system, as it is proprietary and so probably fairly expensive to replace, although not as unique
as the data. The off-the-shelf software and hardware are the easiest and cheapest to replace.

Answer: Sales, marketing, production, and finance databases.

This question falls under Main Domain 4.0 Security Operations and sub-objective 4.2 Explain the
security implications of proper hardware, software, and data asset management.
