The CIoTSP certification is a cross-industry, vendor-neutral credential that demonstrates your proficiency in securing IoT systems. It covers the essential components and concepts of an IoT system, such as IoT devices, networks, cloud services, data privacy, and security best practices. To obtain the CIoTSP certification, you must pass the ITS-110 exam, which assesses your knowledge and skills in protecting IoT systems from various threats and vulnerabilities. To help you prepare for the ITS-110 exam, we provide you with a set of high-quality ITS-110 dumps that are aligned with the official exam objectives and topics. Our ITS-110 dumps are created by experts who have years of experience in IoT security. By practicing with our dumps questions and answers, you will be able to review the key concepts and skills that you need to ace the ITS-110 exam and earn the CIoTSP certification.
1. An IoT manufacturer wants to ensure that their web-enabled cameras are secured against brute force password attacks.
Which of the following technologies or protocols could they implement?
- URL filtering policies
- Account lockout policies (Correct answer)
- Software encryption
- Buffer overflow prevention
2. Which of the following methods or technologies is most likely to be used in order to mitigate brute force attacks?
- Account lockout policy (Correct answer)
- Automated security logging
- Role-based access control
- Secure password recovery
Explanation:
Reference: https://www.sciencedirect.com/topics/computer-science/account-lockout-policy#:~:text=Account%20lockout%20policies%20are%20used,twice%2C%20but%20not %20numerous%20times
3. An IoT service collects massive amounts of data and the developer is encrypting the data, forcing administrative users to authenticate and be authorized. The data is being disposed of properly and on a timely basis. However, which of the following countermeasures is the developer most likely overlooking?
- That private data can never be fully destroyed.
- The best practice to only collect critical data and nothing more. (Correct answer)
- That data isn’t valuable unless it’s used as evidence for crime committed.
- That data is only valuable as perceived by the beholder.
4. Accompany collects and stores sensitive data from thousands of IoT devices. The company’s IoT security administrator is concerned about attacks that compromise confidentiality.
Which of the following attacks is the security administrator concerned about? (Choose two.)
- Salami (Correct answer)
- Aggregation (Correct answer)
- Data diddling
- Denial of Service (DoS)
- Inference (Correct answer)
5. A DevOps engineer wants to provide secure network services to an IoT/cloud solution.
Which of the following countermeasures should be implemented to mitigate network attacks that can render a network useless?
- Network firewall
- Denial of Service (DoS)/Distributed Denial of Service (DDoS) mitigation (Correct answer)
- Web application firewall (WAF)
- Deep Packet Inspection (DPI)
Explanation:
Reference: https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/#:~:text=A%20distributed%20denial%2Dof%2Dservice,a%20flood%20of%20Internet %20traffic
6. A software developer for an IoT device company is creating software to enhance the capabilities of his company’s security cameras. He wants the end users to be confident that the software they are downloading from his company’s support site is legitimate.
Which of the following tools or techniques should he utilize?
- Data validation
- Interrupt analyzer
- Digital certificate (Correct answer)
- Pseudocode
7. Web forms that contain unvalidated fields are vulnerable to which of the following attacks? (Choose two.)
- Smurf (Correct answer)
- Ping of death
- Cross-Site Scripting (XSS) (Correct answer)
- Man-in-the-middle (MITM)
- SQL Injection (SQLi) (Correct answer)
8. An embedded developer is about to release an IoT gateway.
Which of the following precautions must be taken to minimize attacks due to physical access?
- Allow access only to the software
- Remove all unneeded physical ports
- Install a firewall on network ports
- Allow easy access to components
9. A security practitioner wants to encrypt a large datastore.
Which of the following is the BEST choice to implement?
- Asymmetric encryption standards
- Symmetric encryption standards (Correct answer)
- Elliptic curve cryptography (ECC)
- Diffie-Hellman (DH) algorithm
10. You work for an IoT software-as-a-service (SaaS) provider. Your boss has asked you to research a way to effectively dispose of stored sensitive customer data.
Which of the following methods should you recommend to your boss?
- Crypto-shredding
- Degaussing
- Overwriting
- Physical destruction (Correct answer)
11. An IoT device has many sensors on it and that sensor data is sent to the cloud. An IoT security practitioner should be sure to do which of the following in regard to that sensor data?
- Collect as much data as possible so as to maximize potential value of the new IoT use-case.
- Collect only the minimum amount of data required to perform all the business functions. (Correct answer)
- The amount or type of data collected isn’t important if you have a properly secured IoT device.
- The amount or type of data collected isn’t important if you implement proper authorization controls.
12. A corporation’s IoT security administrator has configured his IoT endpoints to send their data directly to a database using Secure Sockets Layer (SSL)/Transport Layer Security (TLS).
Which entity provides the symmetric key used to secure the data in transit?
- The administrator’s machine
- The database server (Correct answer)
- The Key Distribution Center (KDC)
- The IoT endpoint
13. An IoT device which allows unprotected shell access via console ports is most vulnerable to which of the following risks?
- Directory harvesting
- Rainbow table attacks
- Malware installation (Correct answer)
- Buffer overflow
14. An IoT security administrator is determining which cryptographic algorithm she should use to sign her server’s digital certificates.
Which of the following algorithms should she choose?
- Rivest Cipher 6 (RC6)
- Rijndael
- Diffie-Hellman (DH)
- Rivest-Shamir-Adleman (RSA) (Correct answer)
15. Which of the following describes the most significant risk created by implementing unverified certificates on an IoT portal?
- The portal’s Internet Protocol (IP) address can more easily be spoofed.
- Domain Name System (DNS) address records are more susceptible to hijacking.
- The portal’s administrative functions do not require authentication.
- Man-in-the-middle (MITM) attacks can be used to eavesdrop on communications. (Correct answer)
16. An IoT security administrator wishes to mitigate the risk of falling victim to Distributed Denial of Service (DDoS) attacks.
Which of the following mitigation strategies should the security administrator implement? (Choose two.)
- Block all inbound packets with an internal source IP address (Correct answer)
- Block all inbound packets originating from service ports
- Enable unused Transmission Control Protocol (TCP) service ports in order to create a honeypot
- Block the use of Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) through his perimeter firewall (Correct answer)
- Require the use of (Correct answer)
- 509 digital certificates for all incoming requests
17. What is one popular network protocol that is usually enabled by default on home routers that creates a large attack surface?
- Open virtual private network (VPN)
- Universal Plug and Play (UPnP) (Correct answer)
- Network Address Translation (NAT)
- Domain Name System Security Extensions (DNSSEC)
Explanation:
Reference: https://phoenixnap.com/blog/what-is-upnp
18. Requiring randomly generated tokens for each connection from an IoT device to the cloud can help mitigate which of the following types of attacks?
- Malformed URL injection
- Buffer overflow
- SSL certificate hijacking
- Session replay (Correct answer)
19. A hacker wants to record a live session between a user and a host in hopes that parts of the datastream can be used to spoof the session.
Which of the following attacks is this person attempting?
- Fuzzing
- Session replay (Correct answer)
- Bit flipping
- Reverse shell
20. A web application is connected to an IoT endpoint. A hacker wants to steal data from the connection between them.
Which of the following is NOT a method of attack that could be used to facilitate stealing data?
- Cross-Site Request Forgery (CSRF)
- SQL Injection (SQLi)
- Cross-Site Scripting (XSS)
- LDAP Injection (Correct answer)
21. If a site administrator wants to improve the secure access to a cloud portal, which of the following would be the BEST countermeasure to implement?
- Require frequent password changes
- Mandate multi-factor authentication (MFA)
- Utilize role-based access control (RBAC) (Correct answer)
- Require separation of duties
22. An IoT developer discovers that clients frequently fall victim to phishing attacks.
What should the developer do in order to ensure that customer accounts cannot be accessed even if the customer’s password has been compromised?
- Implement two-factor authentication (2FA) (Correct answer)
- Enable Kerberos authentication
- Implement account lockout policies
- Implement Secure Lightweight Directory Access Protocol (LDAPS)
23. An IoT security practitioner should be aware of which common misconception regarding data in motion?
- That transmitted data is point-to-point and therefore a third party does not exist.
- The assumption that all data is encrypted properly and cannot be exploited. (Correct answer)
- That data can change instantly so old data is of no value.
- The assumption that network protocols automatically encrypt data on the fly.
24. In order to successfully perform a man-in-the-middle (MITM) attack against a secure website, which of the following could be true?
- Client to server traffic must use Hypertext Transmission Protocol (HTTP)
- The server must be vulnerable to malformed Uniform Resource Locator (URL) injection
- The server must be using a deprecated version of Transport Layer Security (TLS) (Correct answer)
- The web server’s
- 509 certificate must be compromised
Explanation:
Reference: https://www.cloudflare.com/learning/ssl/transport-layer-security-tls/
25. Which of the following attacks is a reflected Distributed Denial of Service (DDoS) attack?
- Teardrop
- Ping of Death
- SYN flood (Correct answer)
- Smurf
Explanation:
Reference: https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/
26. The network administrator for an organization has read several recent articles stating that replay attacks are on the rise.
Which of the following secure protocols could the administrator implement to prevent replay attacks via remote workers’ VPNs? (Choose three.)
- Internet Protocol Security (IPSec) (Correct answer)
- Enhanced Interior Gateway Routing Protocol (EIGRP)
- Password Authentication Protocol (PAP)
- Challenge Handshake Authentication Protocol (CHAP) (Correct answer)
- Simple Network Management Protocol (SNMP)
- Layer 2 Tunneling Protocol (L2TP) (Correct answer)
- Interior Gateway Routing Protocol (IGRP)
27. Which of the following tools or techniques is used by software developers to maintain code, but also used by hackers to maintain control of a compromised system?
- Disassembler
- Backdoor (Correct answer)
- Debugger
- Stack pointer
28. Passwords should be stored…
- For no more than 30 days.
- Only in cleartext.
- As a hash value. (Correct answer)
- Inside a digital certificate.
Explanation:
Reference: https://snyk.io/learn/password-storage-best-practices/
29. If an attacker were able to gain access to a user’s machine on your network, which of the following actions would she most likely take next?
- Start log scrubbing
- Escalate privileges
- Perform port scanning (Correct answer)
- Initiate reconnaissance
30. Which of the following is the BEST encryption standard to implement for securing bulk data?
- Triple Data Encryption Standard (3DES)
- Advanced Encryption Standard (AES) (Correct answer)
- Rivest Cipher 4 (RC4)
- Elliptic curve cryptography (ECC)
31. A user grants an IoT manufacturer consent to store personally identifiable information (PII).
According to the General Data Protection Regulation (GDPR), when is an organization required to delete this data?
- Within ninety days after collection, unless required for a legal proceeding
- Within thirty days of a user’s written request (Correct answer)
- Within seven days of being transferred to secure, long-term storage
- Within sixty days after collection, unless encrypted
32. An OT security practitioner wants to implement two-factor authentication (2FA).
Which of the following is the least secure method to use for implementation?
- Out-of-band authentication (OOBA)
- 2FA over Short Message Service (SMS) (Correct answer)
- Authenticator Apps for smartphones
- Fast Identity Online (FIDO) Universal 2nd Factor (U2F) USB key
33. An IoT system administrator discovers that unauthorized users are able to log onto and access data on remote IoT monitoring devices.
What should the system administrator do on the remote devices in order to address this issue?
- Encrypt all locally stored data
- Ensure all firmware updates have been applied
- Change default passwords (Correct answer)
- Implement URL filtering
34. An IoT security administrator realizes that when he attempts to visit the administrative website for his devices, he is sent to a fake website.
To which of the following attacks has he likely fallen victim?
- Buffer overflow
- Denial of Service (DoS)
- Birthday attack
- Domain name system (DNS) poisoning (Correct answer)
35. Which of the following technologies allows for encryption of networking communications without requiring any configuration on IoT endpoints?
- Transport Layer Security (TLS)
- Internet Protocol Security (IPSec)
- Virtual private network (VPN) (Correct answer)
- Elliptic curve cryptography (ECC)