Strategies, Premier Questions, and Detailed
Explanations for Top Grades
Which of the following assessment techniques would a security administrator implement to
ensure that systems and software are developed properly?
A. Baseline reporting
B. Input validation
C. Determine attack surface
D. Design reviews
Answer: D
Explanation:
When implementing systems and software, an important step is the design of the systems and
software. The systems and software should be designed to ensure that the system works as
intended and is secure.
The design review assessment examines the ports and protocols used, the rules, segmentation,
and access control in the system or application. A design review is basically a check to ensure
that the design of the system meets the security requirements.
A financial company requires a new private network link with a business partner to cater for
real-time and batched data flows.
Which of the following activities should be performed by the IT security staff member prior to
establishing the link?
A. Baseline reporting
B. Design review
C. Code review
D. SLA reporting
Answer: B
Explanation:
This question is asking about a new private network link (a VPN) with a business partner. This
link will give the business partner access to the local network.
When implementing a VPN, an important step is the design of the VPN. The VPN should be
designed to ensure that the security of the network and local systems is not compromised.
The design review assessment examines the ports and protocols used, the rules, segmentation,
and access control in the systems or applications. A design review is basically a check to ensure
that the design of the system meets the security requirements.
Which of the following assessments would Pete, the security administrator, use to actively test
that an application's security controls are in place?
A. Code review
B. Penetration test
C. Protocol analyzer
D. Vulnerability scan
Answer: B
Explanation:
Penetration testing (also called pen testing) is the practice of testing a computer system,
network or Web application to find vulnerabilities that an attacker could exploit.
Pen tests can be automated with software applications or they can be performed manually.
Either way, the process includes gathering information about the target before the test
(reconnaissance), identifying possible entry points, attempting to break in (either virtually or for
real) and reporting back the findings.
The main objective of penetration testing is to determine security weaknesses. A pen test can
also be used to test an organization's security policy compliance, its employees' security
awareness and the organization's ability to identify and respond to security
incidents.
Penetration tests are sometimes called white hat attacks because in a pen test, the good guys
are attempting to break in.
Pen test strategies include:
Targeted testing
Targeted testing is performed by the organization's IT team and the penetration testing team
working together. It's sometimes referred to as a "lights-turned-on" approach because everyone
can see the test being carried out.
External testing
This type of pen test targets a company's externally visible servers or devices including domain
name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an
outside attacker can get in and how far they can get in once they've gained access.
Internal testing
This test mimics an inside attack behind the firewall by an authorized user with standard access
privileges. This kind of test is useful for estimating how much damage a disgruntled employee
could cause.
Blind testing
A blind test strategy simulates the actions and procedures of a real attacker by severely limiting
the information given to t
Which of the following is the MOST intrusive type of testing against a production system?
A. White box testing
B. War dialing
C. Vulnerability testing
D. Penetration testing
Answer: D
Explanation:
Penetration testing is the most intrusive type of testing because you are actively trying to
circumvent the system's security controls to gain access to the system.
During an anonymous penetration test, Jane, a system administrator, was able to identify a
shared print spool directory, and was able to download a document from the spool. Which
statement BEST describes her privileges?
A. All users have write access to the directory.