Chapple Quizzes
Tim is installing a data loss prevention system in his organization and is concerned about the likelihood of false positive reports. Which one of the following techniques is most likely to generate false positive alerts? Pattern matching Software updates Watermarking Removable media control
Data loss prevention systems that use pattern matching are most likely to generate false positive reports because data in a file might match a pattern by happenstance. Watermarking and removable media control techniques do not typically generate false positive reports. Software updates would not be detected by a DLP system.
You have had many issues with employees forwarding hoax e-mail messages to each other and taking up valuable mail server resources. As part of your user awareness training, what is the best action to tell your end users to take when they receive what appears to be a hoax e-mail message? Forward it to the entire company to warn them Ignore and delete
Delete the message and do not forward it is correct. A hoax e-mail does nothing but waste time, network bandwidth, and system resources, especially when it is forwarded like a chain letter throughout the organization. It is best to educate your users to delete the hoax e-mail immediately and not forward it.
You are a cybersecurity leader for a program that doesn't currently utilize threat intelligence. You would like to begin using a program that helps you better describe how adversaries use capabilities within an infrastructure to attack a victim. Which of the following best suits this desire? Diamond MITRE Cyber Kill Chain NIST CSF
Diamond
Dylan and Liam are using symmetric cryptography to communicate with each other. They have a shared secret key that no other person knows. What goal of cryptography is impossible for them to achieve? Confidentiality Integrity Authentication Non-repudiation
Dylan and Liam can easily achieve confidentiality and integrity by using the key to encrypt and decrypt messages. They can also achieve authentication because they know that if a message decrypts with the key, it must have been encrypted by the only other person with knowledge of the key. They cannot, however, achieve nonrepudiation because they have no way to prove to a third party that a message came from the other party and wasn't forged by themselves.
When should a forensic investigator begin tracking the chain of custody for evidence? Upon collection Upon production Upon being informed of litigation Upon creation
Forensic analysts should begin tracking the chain of custody for evidence as soon as they collect it. They must not wait until production or notification of litigation because this would leave a period of time where the evidence was unaccounted for. It is not possible to begin a chain of custody when data is first created, as it has not yet been gathered into evidence at that point.
Which of the following groups traffic into flows to then send on to a centralized collection point, and is based on NetFlow v9? IPFIX sFlow NXLog syslog
IPFIX is correct. The IP Flow Information Export (IPFIX) protocol is defined in IETF RFC 7011 as a common representation of flow data and a standard means of communicating, as required for transmitting traffic flow information over a network for collection. Like NetFlow, IPFIX groups traffic into flows to then send on to a centralized collection point. IPFIX is based on NetFlow v9. Incorrect Answers: syslogis incorrect. For Unix-based systems, the syslog (system logger) functionality allows all systems on a network to forward their logs to a central syslog server. NXLog is incorrect. NXLog is an open source, universal log collector across many popular operating systems, such as Windows, Unix, and Linux. sFlow is incorrect. sFlow, short for "sampled flow," does not separate traffic into flows, but instead conducts a random sampling of packets to achieve scalability.
SAML implementations have three basic roles: the __________, the identity provider, and the service provider. service validation authentication provider identity validation authority
Identity is correct. The three roles within a Security Assertions Markup Language (SAML) implementation are the identity, the identity provider, and the service provider.
Which of the following answers refer to the characteristic features of pharming? (Select 3 answers) Domain hijacking Password attack Traffic redirection Credential harvesting Fraudulent website
Traffic redirection Fraudulent website Credential harvesting
For centralized authentication services, you want to use an encrypted authentication service to securely authenticate remote access users who connect to your office via a VPN. Which of the following authentication services should you use? LDAP LDAPS PAP
LDAPS is correct. You can configure a Lightweight Directory Access Protocol (LDAP) server to use Transport Layer Security (TLS) or Secure Sockets Layer (SSL), also known as LDAPS, to encrypt authentication communications. This ensures that client credentials, such as usernames and passwords, are not sent in cleartext over the network.
As the IT administrator for your organization, you have been contacted by your organization's general counsel and instructed to begin collecting evidence for a pending investigation of an employee's alleged use of the organization's network for illegal purposes. What do you need to formally initiate? Chain of custody Order of volatility Acquisition Legal Hold
Legal hold is correct. If your legal counsel determines that evidence should be collected for any reason, be it a pending investigation, litigation, or other situation where evidence would be required, a legal hold must be formally initiated. A legal hold halts the usual backup and disposition processes, and immediately puts your personnel into data protection mode. Chain of custody is incorrect. Chain of custody refers to the requirement that all evidence be properly labeled with information on who secured and validated it. Acquisition is incorrect. Acquisition is the process of collecting data from different mediums for use within an investigation.
You are setting up security for several new smartphones for your company's executive team. Which of the following security controls can you implement for Bluetooth communications to prevent bluesnarfing attacks against the devices? Smartphone lock password Call-back security Link-level security
Link-level security is correct. Link-level security authenticates the actual communications link before data transmission begins. Data encryption can also be performed in this mode after the link is authenticated. Smartphone lock password is incorrect. A password on the phone itself does not authenticate wireless Bluetooth connections.
After performing a site survey of your current wireless network, you discover that the range of the network is well beyond what is required for your facility. Which of the following controls is the best option to mitigate the issue and prevent users outside of your facility from accessing the wireless network? Extend the antennas of your AP Transmit on a narrow-band frequency Remove the AP closest to the outside walls Lower the power of wireless transmissions on your AP
Lower the power of wireless transmissions on your access points is correct. You can limit the power level of transmissions on your wireless network to control the range and speed of wireless access. This way, you can limit the range of your access point coverage to just the needed areas of your location. Remove the access points closest to the outside walls is incorrect. Removing access points could leave internal users' devices without wireless access.
You are a cybersecurity leader for an organization that doesn't currently utilize threat intelligence. You would like to begin using a program that catalogs emerging tactics, techniques, and procedures being used within attacks globally. Which of the following best suits this desire? MITRE NIST CSF Diamond Cyber Kill Chain
MITRE
Which of the following is an example of a weak configuration? Using your primary admin account as a default Not disabling the account to disallow use
Not disabling the account to disallow use is correct. To best protect an account, you should disable it so it cannot be used. Using your primary admin account as a default is best practicing (look into this)
Which of the following terms refers to a nonprofit organization focused on software security? IETF CSIRT CERT OWASP
OWASP
Which one of the following certificate formats is possibly used in the certificate shown below? (shows unreadable gibberish) PFX PEM P12 DER
Of the certificate file types listed, only PEM is an ASCII text format, such as the certificate shown in the figure. The other certificate types (PFX, DER, and D12) are all binary formats that would not show plaintext characters.
You are a cybersecurity analyst that is implementing a new SOAR tool within your organization. You want to develop a list of step-by-step actions that need to occur within the SOAR process. Which is the appropriate name for this list? Runbook Playbook Policy SIEM
Playbook is correct. A playbook lists step-by-step actions that need to occur within the security orchestration, automation, and response (SOAR) process. The actions typically need to be performed by humans, so the playbook serves as the definitive guide to ensure that any documentation, required reporting, or other mandated actions that require human involvement and decision-making occur exactly when they should. Runbook is incorrect. A runbook is a set of rules that can be largely automated and, while it can indeed include human elements, often is used to automate features such as threat response.
Which of the following allows an administrator to inspect traffic passing through a network switch? Port scanner VLAN tagging Fault-tolerant mode Port mirroring
Port mirroring
Which of the following is used in data URL phishing? Prepending Typosquatting Pretexting Domain Hijacking
Prepending
What are the characteristic features of RADIUS? (Select 3 answers) Encrypts only the password in the access-request packet Combines authentication and authorization Encrypts the entire payload of the access-request packet Primarily used for device administration Primarily used for network access Separates authentication and authorization
Primarily used for network access Combines authentication and authorization Encrypts only the password in the access-request packet
Your chief financial officer (CFO) has forwarded to you an e-mail that she thinks is suspicious. The message looks like an official e-mail from your company's accountant, but it is asking for specific bank account numbers for the company. What kind of social engineering attack is this an example of? Spear Fishing Whaling
Whaling
Which one of the following regulations provides strict, detailed procedures for the use of compensating controls? HIPAA FERPA PCIDSS GLBA
While compensating controls may be used for any control requirement, PCI DSS includes very detailed procedures for documenting and approving acceptable compensating controls in credit card processing environments.
OpenID Connect is a protocol used for: Accounting Authorization Authentication
Authentication
Which of the following answers refers to a nonprofit organization promoting best security practices related to cloud computing environments? CSA CIS CCM CSF
CSA
Which of the following would be the BEST method to prevent the physical theft of staff laptops at an open-plan bank location with a high volume of customers each day? Cameras Visitor Logs Guards at the door Cable locks
Cable locks
Which one of the following network device features is NOT used to prevent routing loops from occurring in a network or to correct them when they do occur? Hold-down timers Loop prevention Split horizon Flood guard
Flood guard technology is used to block denial of service attacks on a network. Loop prevention, hold-down timers, and split horizon are all used to prevent and correct routing loops.
A NIDS/NIPS that detects intrusions by comparing network traffic against the previously established baseline can be classified as: (Select all that apply) Signature Heuristic Behavioral Anomaly
Heuristic, Behavioral, Anomaly
The process of removing redundant entries from a database is known as: Input validation Normalization Data sanitization Baselining
Normalization
Which one of the following is the earliest version of SNMP to support encryption?
SMNPv3
Pete is responsible for the security of a highly sensitive system used to control physical infrastructure. The system does not need to communicate with any other systems. Which one of the following security controls would best secure this system? Man trap Private VLAN Segmented Network Air Gap
The best way to secure a sensitive system of this nature is to keep it completely disconnected from any network. This approach is also known as creating an air gap between the system and other devices.
In an authentication system using the mandatory access control (MAC) model, who determines what users may access an object? The user The sys admin The system The object owner
The system
Bernard is considering using a new cloud service where the vendor offers a managed environment for the execution of customer-supplied code. What term best describes this service? SaaS XaaS IaaS PaaS
This environment, where customers supply code and vendors supply managed infrastructure, is known as platform as a service (PaaS) computing.
You are creating a disaster recovery plan for your organization and assigning probabilities to specific risks. Which of the following would be the highest probability risk for your server room? Fire Unauthorized access
Unauthorized access is correct. Unauthorized access to your secure server room is the highest probability risk. Therefore, adequate access control security is required for the server room entrance. Fire is incorrect. Although fire is possible, it is a rare event.
Which one of the following domain names would not be covered by the certificate shown below? (*.nd.edu) nd.edu test.www.nd.edu www.nd.edu mail.nd.edu
test.www.nd.edu This is a wildcard certificate for *.nd.edu. Wildcard certificates cover the domain listed on the certificate (nd.edu) as well as any subdomains (www.nd.edu and mail.nd.edu, for example). They only cover one level of subdomain, so this certificate would not cover a second-level subdomain, such as test.www.nd.edu.
Which ISO standard contains specific guidance on the privacy of personally identifiable information? 27002 31000 27701 27001
27701
For security reasons, you want to enable port security for your network switches to allow only certain clients to connect to specific switches. Which of the following is the best authentication service to implement? RADIUS 802.1x LDAP
802.1X is correct. 802.1X is implemented on network devices such as switches to provide access control by authenticating connecting clients based on the user or system identity. You can then allow or block network connectivity and apply network access policies based on this authentication. Local username and password is incorrect. Using local authentication on the switch is too cumbersome to manage and will not scale for many clients. LDAP and RADIUS are incorrect. Lightweight Directory Access Protocol (LDAP) and Remote Authentication Dial-In User Service (RADIUS) authentication services are not specific to port security but can be used in conjunction with 802.1X for centralized authentication.
The following are the steps for a secure web-based transaction. What is the correct order of the steps? A. A digital certificate establishes the website identity to the browser. B. TLS is activated between the client and the server. C. The browser accepts the certificate from the web server. D. Banking transactions are accepted. CBAD DBCA ACBD ABCD
A, C, B, D is correct. When a client connects to the secure HTTPS site, the web server sends a certificate to the web browser to establish its identity. If the browser accepts the certificate and finds no validation issues with the certificate, Transport Layer Security (TLS) is then activated between the server and client, securing subsequent banking transactions.
A security manager believes that an employee is using their laptop to circumvent the corporate Internet security controls through the use of a cellular hotspot. Which of the following could be used to validate this belief? (Select TWO) ❍ A. HIPS ❍ B. UTM appliance logs ❍ C. Web application firewall events ❍ D. Host-based firewall logs ❍ E. Next-generation firewall logs
A. HIPS and D. Host-based firewall logs If the laptop is not communicating across the corporate network, then the only evidence of the traffic would be contained on the laptop itself. A HIPS (Host-based Intrusion Prevention System) and host-based firewall logs may contain information about recent traffic flows to systems outside of the corporate network. The incorrect answers: B. UTM appliance logs A unified threat management appliance is commonly located in the core of the network. The use of a cellular hotspot would circumvent the UTM and would not be logged. C. Web application firewall events Web application firewalls are commonly used to protect internal web servers. Outbound Internet communication would not be logged, and anyone circumventing the existing security controls would also not be logged. E. Next-generation firewall logs Although a next-generation firewall keeps detailed logs, any systems communicating outside of the normal corporate Internet connection would not appear in those logs.
Which of the following terms relates closely to the concept of residual risk? Acceptance Deterrence Avoidance Transference
Acceptance
Which one of the following security controls would be MOST effective in combatting buffer overflow attacks? IDS DLP ASLR VPN
Address space layout randomization (ASLR) is a security technique that randomizes the location of objects in memory, making a buffer overflow attack less likely to succeed. Virtual private networks (VPN) provide transport encryption and data loss prevention (DLP) systems provide protection against data exfiltration. Neither would be effective against buffer overflow attacks. Intrusion detection systems (IDS) may identify a buffer overflow attack but would not prevent it from succeeding.
When designing a security awareness program for employees, which one of the following groups would generally receive the most technical security training? Data owners Users Executives System Administrators
All employees should receive security awareness training that is tailored to their role in the organization. System administrators are the most technical employees mentioned here, so they should receive the most technical training.
Which one of the following processes improves the consistency and longevity of a database structure? Stored procedures Query parameterization Input Validation Normalization
All of the activities listed here are good practices for database administration. Stored procedures, query parameterization, and input validation all protect against injection attacks. Normalization ensures that the database has a consistent structure and reduces the need to redesign the database in the future.
A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized? Classification Document matching Statistical matching Exact data match
An exact data match (EDM) is a pattern matching technique that uses a structured database of string values to detect matches. For example, a company might have a list of actual social security numbers of its customers. But, since it is not appropriate to load these numbers into a DLP filter, they could use EDM to match the numbers' fingerprints instead based on their format or sequence. Document matching attempts to match a whole document or a partial document against a signature in the DLP. Statistical matching is a further refinement of partial document matching that uses machine learning to analyze various data sources using artificial intelligence or machine learning. Classification techniques use a rule based on a confidentiality classification tag or label attached to the data. For example, the military might use a classification-based DLP to search for any files labeled as secret or top secret.
Brian is concerned about keeping systems in his data center running during a momentary interruption of power. What is the best solution to his requirement? Redundant utility sources PDU Generator UPS
An uninterruptible power supply (UPS) is designed to maintain system operation during brief power disruptions. Generators and redundant utility sources provide power support during long-term outages, but they also require the use of a UPS to cover the brief outage period that occurs while transitioning to a backup power source. Power distribution units (PDUs) distribute power to devices but do not provide a power source. PDUs normally work in conjunction with UPS devices.
You have recently had several instances of malicious macro code within word processing documents infecting users' computers. Which of the following can you implement to help prevent future instances of this issue from occurring? Application baseline with macros disabled Host-based firewall Regular full-computer virus scanning
Application baseline with macros disabled is correct. By installing your word processing applications with a baseline that prohibits the use of macros, you ensure that whenever users receive a document with a macro, it will be prevented from running. Regular full-computer virus scanning is incorrect. A user may receive malicious macro code from another user before the next scheduled scan and that code might evade live scanning services.
You need to utilize certificates for a new web application so that users can trust that the application is connecting to an authenticated server that belongs to your organization. In cryptography, which of the following information assurance objectives is met by using digital certificates? Integrity Authentication Non-repudiation Confidentiality
Authentication is correct. Encrypted digital certificates are used to identify users electronically on a network and satisfy the information assurance objective of authentication. Integrity is incorrect. Hashing is used for checking the integrity of a message.
You have recently installed a network-based intrusion detection system (NIDS). Which of the following network-monitoring methodologies should you use to protect your network devices from zero-day threats? Rule-based Signature Active Behavioral
Behavioral-based monitoring is correct. Behavioral-based monitoring uses a baseline of normal behavior and then detects anomalies to that baseline. This helps prevent zero-day threats by detecting network anomalies that could be a network attack. Rule-based monitoring is incorrect. Rule-based monitoring is dependent on administrator-created rules that search for specific behaviors; it is not useful for zero-day threats.
A quality assurance tester has found that he can easily crash your company's web application by entering an e-mail address that's over 50 characters long in the contact address field. Which of the following application security flaws is causing the issue? XSS SQL Injection Privilege Escalation Buffer Overflow
Buffer overflow is correct. The contact address field does not have proper input validation controls, causing the lengthy e-mail address to overflow the memory buffer allocated for that field.
Which of the following is a framework composed of 20 control groups covering topics that range from hardware inventory to penetration testing within an organization? NIST RMF CIS controls SOC2 Type I
CIS Controls is correct. The Center for Internet Security (CIS) Critical Security Controls (CSC), otherwise known as the "Top 20 Controls" or "CIS Controls," is a framework composed of 20 control groups covering topics that range from hardware inventory to penetration testing within an organization. The underlying thesis for the CSC framework is to pare down the controls to those that are most critical, helping prevent organizations from becoming overwhelmed or choosing the wrong controls to apply to reduce risk. NIST RMF is incorrect. The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) is a seven-step methodology that provides for risk management through the entire information systems life cycle.
An attacker is searching in Google for Cisco VPN configuration files by using the filetype:pcf modifier. The attacker located several of these configuration files and now wants to decode any connectivity passwords that they might contain. What tool should the attacker use? Nessus Cain and Abel Netcat Nmap
Cain and Abel (often abbreviated to Cain) is a popular password cracking tool. It can recover many password types using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force, and cryptanalysis attacks. It also includes a module to conduct Cisco VPN Client Password Decoding too. CUPP is used to create password lists. Nessus is a vulnerability scanner. The netcat tool is used to create reverse shells for remote access.
You have just enabled SNMP on all your servers so that you can monitor them from a central monitoring station. Which of the following actions should you perform to increase security when using SNMP? Disable ICMP Ensure the monitoring station is protected by a firewall Change the "public" community name
Change the "public" community name is correct. The default community name for the Simple Network Management Protocol (SNMP), "public," acts as a password between the SNMP monitor and the device. If you do not change the default, any user with an SNMP monitor can access the device using the "public" community string. How was I supposed to know that
You need to set up security controls to help your company prevent data loss when customer credit card information is being sent outside of your network via e-mail. Which of the following technologies should you implement? Caching proxy server Firewall Anti-spam filter Content filter
Content filter is correct. A content filter can scan outbound messages for patterns that match credit numbers, and then block or quarantine these messages to prevent them from being sent outside of the company's network.
What term refers to the process of checking code into repositories on a continuous basis? Continuous: Validation Deployment Delivery Integration
Continuous integration (CI) is a development practice that checks code into a shared repository on a consistent ongoing basis. In continuous integration environments this can range from a few times a day to a very frequent process of check-ins and automated builds. Continuous deployment (CD) (sometimes called continuous delivery) which rolls out tested changes into production automatically as soon as they have been tested.
Which of the following techniques can you implement to prevent command injection? Disable copy and paste Fuzz input Escape command characters Use SQL injection
Escape command characters is correct. Escaping is a technique used when processing input fields to process command characters inserted into the input as text data to prevent commands from being run. Fuzz input is incorrect. Fuzzing is used to test input validation through the entry of random characters.
Your web application has crashed after a user accidently cut and pasted a large paragraph of text into a small text field within the application. Which technique would help ensure that these types of input validation errors do not occur? Command Injection Fuzzing Transitive Access Escaping
Escaping is correct. Escaping is a secure coding technique that ensures that any system commands are not processed and executed as actual commands; instead, they are only recognized as text. Fuzzing is incorrect. Fuzzing is used to test input validation. Transitive access is incorrect. Transitive access is a security issue that allows user access to pass through unexpectedly from one software component to another without proper authorization or access permissions.
Gary is conducting an incident investigation and would like to detect attempts to connect to a server over an RDP connection. What logs would be least likely to contain this information? Database logs Netflow logs Security logs System logs
Gary may find relevant information in the system and security logs because the login attempts would likely be tracked by the operating system in those locations. NetFlow records may also contain details of the traffic flow to the server. There is no database involved in an RDP connection, so database logs are not likely to contain useful information.
One of your network devices allows remote management capabilities through a web browser. Which of the following secure methods should you use to connect to the remote management console? HTTPS from [internal/external] network?
HTTPS connection from internal network is correct. For the highest security, you should use a Hypertext Transfer Protocol Secure (HTTPS) connection from an internal network. HTTP connection from external network and HTTPS connection from external network incorrect. Allowing connections from an external network, even via HTTPS, leaves your management console open to attacks.
As part of your business continuity planning, you need to consider how to achieve maximum availability of your network services if a situation arises where cloud availability is degraded or lost and the organization needs to work locally. In this scenario, which of the following can be implemented to better ensure the high availability of network servers and the services they provide? Load balancing Cloud computing Hardware redundancy Virtualization
Hardware redundancy is correct. Hardware redundancy means that you always have spare servers or spare parts available in the event that hardware fails. For example, a server may have redundant power supplies so that if one supply fails, the system continues to run. Within the scenario, if the requirement is to be able to maximize effectiveness within a cloud-degraded or cloud-disrupted environment, being sure you have redundancy for your local equipment is key. Load balancing is incorrect. Load balancing spreads processing load between resources; it doesn't replace those resources if they fail.
Brandy is using a computer at a hotel business center and she is concerned that the operating system on the device may be compromised. What is the best way for her to use this computer in a secure fashion? Use live boot media Run a malware scan Only access secure websites Connect to a VPN
If Brandy's major concern is a compromised operating system, she can bypass the operating system on the device by booting it from live boot media and running her own operating system on the hardware. Running a malware scan may provide her with some information but may not detect all compromises and Brandy likely does not have the necessary permissions to correct any issues. Using a VPN or accessing secure sites would not protect her against a compromised operating system, as the operating system would be able to view the contents of her communication prior to encryption.
The data center is valued at $10 million and seismologists expect that a serious earthquake will damage 75% of the facility once every 50 years. In this scenario, what is the annualized loss expectancy? 150k 5,625,000 10,000,000 7.5 mil
In this scenario, the annualized rate of occurrence (ARO) is once every 50 years, or a 0.02 ARO on an annual basis. The asset value (AV) is $10,000,000 and the exposure factor (EF) is 75%, resulting in a single loss expectancy (SLE) of $7,500,000. The annualized loss expectancy (ALE) is computed by multiplying the SLE by the ARO to get $150,000.
Alan's firm recently engaged a cloud service provider to handle credit card transactions on the company's behalf. What role is the provider playing in this scenario? Data: Processor Regulator Owner Controller
In this scenario, the cloud service provider is processing data on behalf of Alan's organization, making it a data processor. Alan's firm remains the data owner and controller. Neither organization serves as a regulator, as those responsibilities are reserved for government agencies and self-regulatory bodies.
You are contracting with an IaaS vendor to provide computing services to your organization. You will use those services to deliver a SaaS offering to your own clients. Under the cloud reference architecture, what is your organization's role with respect to the IaaS vendor relationship? Carrier broker provider Consumer
In this scenario, you are both a cloud consumer and a cloud provider. You are a cloud consumer with respect to the IaaS service offering and you are a cloud provider with respect to the SaaS offering. The question asks about the IaaS relationship, so the correct answer is cloud consumer.
Tom would like to send an encrypted message to Jerry using asymmetric cryptography. What key should Tom use to encrypt the message?
Jerry's private. When encrypting a message with asymmetric cryptography, the sender of the message always encrypts it using the recipient's public key. The recipient can then decrypt the message using their own private key.
An organization is conducting a cybersecurity training exercise. What team is Jason assigned to if he has been asked to monitor and manage the defenders' and attackers' technical environment during the exercise? Red Blue Purple White
Judges are white, purple and blue and red collaborating
You are designing and coding a new web application to replace a legacy web application that was recently removed because of excessive security vulnerabilities. Which of the following coding techniques is most helpful to prevent vulnerabilities in your application during the development stage? Code review Application documentation Minimizing attack surfaces Design review
Keeping attack surfaces to a minimum is correct. An attack surface is an aspect of your software application that is vulnerable for an attacker to exploit, such as an open port or running network service. Determine the minimum number of acceptable attack surfaces required and keep to that framework throughout the entire development cycle of the product. Design review and code review are incorrect. Design and code reviews are helpful at catching coding errors and bugs but are not as important as keeping the number of exploitable attack surfaces to a minimum. Application documentation is incorrect. Application documentation is helpful to testers and code reviewers but has no security impact.
Which one of the following questions would be most difficult to answer based upon a review of NetFlow records? Amount of data exchanged during an attack Source of the attack What information left the organization What systems were targeted
NetFlow records typically contain the source and destination IP addresses and ports, a timestamp, and the amount of data transferred in each direction. NetFlow does not capture packet payloads, so it would not be able to answer questions about the specific data that was transferred.
You received an incident response report indicating a piece of malware was introduced into the company's network through a remote workstation connected to the company's servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again? MAC filtering NAC ACL SPF
Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then based on the results of those scans, either connect it to the company's networks or place the workstation into a separate quarantined portion of the network for further remediation. An access control list (ACL) is a network traffic filter that can control incoming or outgoing traffic. An ACL alone would not have prevented this issue. Sender Policy Framework (SPF) is an email authentication method designed to detect forging sender addresses during email delivery.
Your organization's e-mail server has been flagged by a third-party anti-spam service as a possible source of spam messages. Which of the following is most likely the issue? Using TLS for SMTP connections Open relay on SMTP port 25 Using insecure versions of POP and IMAP for retrieving messages Out-of-date spam signatures
Open relay on SMTP port 25 is correct. If you allow Simple Mail Transfer Protocol (SMTP) relay on port 25, any mail client outside of your network can send mail through your server, and this is often exploited by spammers. Using insecure versions of POP and IMAP for retrieving messages is incorrect. The Post Office Protocol (POP) and the Internet Message Access Protocol (IMAP) are used for retrieving, not sending, mail. Out-of-date anti-spam signatures is incorrect. Anti-spam software is used to control incoming spam and will not prevent spam due to an open SMTP relay Using TLS for SMTP connections is incorrect. Transport Layer Security (TLS), if enabled, can be initiated by the sender or receiver to start an encrypted message delivery and will not prevent spam.
Which of the following answers refers to a software library used to implement encrypted connections? DNSSEC OpenSSL SDK DLL
OpenSSL
Examples of key stretching algorithms include: (Select 2 answers) ROT13 Twofish PBKDF2 Bcrypt DSA
PBKDF2 Bcrypt
You have a small office consisting of about 25 users. You need to utilize mail encryption to allow specific users to encrypt outbound e-mail messages, but you do not need an expensive onsite encryption server. Which of the following applications can you implement? PGP WPA3 HTTPS POP/IMAP
PGP is correct. Pretty Good Privacy (PGP) provides a low-cost or open-source alternative for allowing users to encrypt their e-mail messages. Technically, neither PGP nor web of trust is Public Key Infrastructure (PKI), since it is all peer-to-peer certificate trust and management, versus a centralized certificate authority (CA).
After a recent hacking attack on your organization's primary web server, you have resolved several vulnerabilities and are confident that no more existing vulnerabilities can be exploited. Which of the following actions should you take? Put the server back in production Run a port scan Run an AV scan Perform pen testing
Perform penetration testing is correct. Penetration testing evaluates the security of a system by actively simulating an attack and is best suited for testing solutions used to resolve past vulnerabilities. Put the web server back into production, run an antivirus scan, and run a port scan are incorrect. These options will not help test how your solutions to your vulnerability issues hold up to a real attack on your server.
You are setting up your network, which spans several different floors of an office building. You want to subdivide the network using logical methods to prevent cross-network chatter and improve access security, but several departments have employees on different floors and sections of the building. Which of the following techniques should you implement? Subnetting Firewall Zones Port-based VLAN Protocol-based VLAN Port-based VLAN is correct. Using a port-based virtual local area network (VLAN), you can assign specific router and switch ports to different VLANs, which allows you to assign any network segment on any floor of your office to a specific VLAN. This provides flexibility so that the user's location does not limit his or her network access.
Protocol-based VLAN is incorrect. A protocol-based VLAN subdivides networks into logical networks using specific network protocols and is not based on client location. Subnetting is incorrect. Subnetting on its own will not provide the same access to clients in different physical locations. Firewall zones is incorrect. Firewall zones are used at a higher level of the network to divide and secure networks behind the firewall.
You are developing a web-based software application that utilizes user ID and password authentication mechanisms. Which of the following methods can you use to prevent session cookie hijacking? Regenerate session keys and IDs after a successful login Disable cookies in the web browser
Regenerate session keys and IDs after a successful login is correct. To protect against session cookie hijacking (a type of attack in which an unauthorized user uses a session cookie from another authenticated user to access the application), web applications should regenerate session keys and IDs after a successful login so that a secondary attempt to use the same session credentials from a hijacked cookie will not work. Disable cookies in the web browser is incorrect. Disabling cookies will prevent the application from working properly.
You have just discovered that several user accounts are still active for employees who have long since left the organization or were let go from the company. After changing the passwords and disabling the accounts, which of the following would be best to implement to prevent this security issue from recurring? Set account expiration dates Regular audit of personnel credentials
Regular audit of personnel credentials is correct. By regularly checking user accounts and permissions, you ensure that current users only have the rights and permissions required for their current positions. If you find accounts from users who have left the organization, you can disable those accounts. Set account expiration dates is incorrect. Only contracted employees should have expiration dates on their accounts for when their contract is completed.
You are a cybersecurity analyst that is implementing a new SOAR tool within your organization. You want to develop a set of rules to automate features such as threat response, threat intelligence enrichment, and other activities that the SOAR platform can orchestrate. Which is the appropriate name for this set of rules? SIEM Runbook Policy Playbook
Runbook is correct. A runbook is a set of rules that can be largely automated and, while it can indeed include human elements, often is used to automate features such as threat response, threat intelligence enrichment, and other activities that the security orchestration, automation, and response (SOAR) platform can orchestrate. These rules are generally condition-based, so instead of following a step-by-step pattern, they are triggered by preset conditions. Incorrect Answers: SIEM is incorrect. Security information and event management (SIEM) tools are used to gather and analyze multiple sources of data to enable cybersecurity analysists to understand trends better and make decisions. Playbook is incorrect. A playbook lists step-by-step actions that need to occur within the SOAR process. The actions typically need to be performed by humans, so the playbook serves as the definitive guide to ensure that any documentation, required reporting, or other mandated actions that require human involvement and decision-making occur exactly when they should. Policy is incorrect. While policies might guide the rules within the runbook, they don't orchestrate the activities within the SOAR platform.
What is the purpose of STIX?
STIX is a collaborative effort to develop a standardized, structured language to represent cyber threat information. The STIX framework intends to convey the full range of potential cyber threat data elements and strives to be as expressive, flexible, extensible, automatable, and human-readable as possible.
Which of the following is the best method to mitigate DNS attacks? Encrypting host files Encrypting DNS lookups Secure authenticated zone transfers Using reverse DNS resolution
Secure authenticated zone transfers is correct. Domain Name Service (DNS) poisoning attacks can be mitigated by ensuring that your DNS server updates its information only from authoritative sources by proper authentication or the use of secure communications. Using reverse DNS resolution is incorrect. Reverse DNS resolution is a normal practice to resolve IP addresses to host names and would not prevent DNS poisoning.
Darlene is concerned about the level of security at a cloud service provider that her organization is considering using and would like to review the results of an independent audit that verifies that the cloud provider has appropriate controls in place and that they are operating efficiently and effectively. What type of audit report would provide this assurance? SOC 1 Type I/II SOC 2 Type I/II
Service Organizational Control (SOC) reports provide the results of an independent audit of a service provider. SOC 1 reports are done to verify controls that could impact a client's financial reporting. SOC 2 reports are done to verify controls that could impact security and privacy of data. Type 1 reports simply verify that controls are in place. Type 2 reports verify that the controls are operating efficiently and effectively. Therefore, Darlene should choose a SOC 2 Type 2 report.
You are developing a web application that requires strong security controls. Which of the following secure coding practices helps prevent cross-site request forgery attacks? Session Cookie identification Fuzzing Cookie privacy Input validation
Session cookie authentication is correct. Cross-site request forgery (XSRF/CSRF) is a type of attack that tricks a user into navigating to a website that contains malicious code. To prevent XSRF/CSRF attacks, a web application must verify that a request came from an authorized user. Web applications can require a second identifying value saved in a cookie that is compared with every single request to the website. Cookie privacy is incorrect. Cookie privacy controls will not help prevent a cross-site request forgery attack. Fuzzing is incorrect. Fuzzing is a method of testing input validation. Input validation is incorrect. Input validation checks that the input into a form meets requirements and does not allow cross-site scripting (XSS) or other attacks from a malicious input.
A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst? Port scan Database vulnerability scan Network vulnerability scan Web app vulnerability scan
Since Apache is being run on the scanned server, this indicates a web server. Therefore, a web application vulnerability scan would be the most likely to provide valuable information. A network vulnerability scan or port scan can provide valuable information against any network-enabled server. Since an Apache server doesn't contain a database by default, running a database vulnerability scan is not likely to provide any valuable information to the analyst.
. An organization is installing a UPS for their new data center. Which of the following would BEST describe this type of control? ❍ A. Compensating ❍ B. Preventive ❍ C. Administrative ❍ D. Detective
The Answer: A. Compensating A compensating security control doesn't prevent an attack, but it does restore from an attack using other means. In this example, the UPS does not stop a power outage, but it does provide alternative power if an outage occurs. The incorrect answers: B. Preventive A preventive control physically limits access to a device or area. C. Administrative An administrative control sets a policy that is designed to control how people act. D. Detective A detective control may not prevent access, but it can identify and record any intrusion attempts.
A security incident has occurred on a file server. Which of the following data sources should be gathered to address file storage volatility? (Select TWO) ❍ A. Partition data ❍ B. Kernel statistics ❍ C. ROM data ❍ D. Temporary file systems ❍ E. Process table
The Answer: A. Partition data and D. Temporary file systems Both temporary file system data and partition data are part of the file storage subsystem. the incorrect answers: B. Kernel statistics Kernel statistics are stored in memory. C. ROM data ROM data is a type of memory storage. E. Process table The process table keeps track of system processes, and it stores this information in RAM.
A security administrator has identified a DoS attack against the company's web server from an IPv4 address on the Internet. Which of the following security tools would provide additional details about the attacker's location? (Select TWO) ❍ A. tracert ❍ B. arp ❍ C. ping ❍ D. ipconfig ❍ E. dig ❍ F. netcat
The Answer: A. tracert and E. dig Tracert (traceroute) provides a summary of hops between two devices. In this example, tracert can be used to determine the local ISP's IP addresses and more information about the physical location of the attacker. The dig (Domain Information Groper) command can be used to perform a reverse-lookup of the IPv4 address and determine the IP address block owner that may be responsible for this traffic. The incorrect answers: B. arp The arp (Address Resolution Protocol) command shows a mapping of IP addresses to local MAC addresses. This information doesn't provide any detailed location information outside of the local IP subnet. C. ping The ping command can be used to determine if a device may be connected to the network, but it doesn't help identify any geographical details. D. ipconfig The ipconfig command shows the IP address configuration of a local device, but it doesn't provide any information about a remote computer. F. netcat Netcat reads or writes information to the network. Netcat is often used as a reconnaissance tool, but it has limited abilities to provide any location information of a device.
A network administrator would like each user to authenticate with their personal username and password when connecting to the company's wireless network. Which of the following should the network administrator configure on the wireless access points? ❍ A. WPA2-PSK ❍ B. 802.1X ❍ C. WPS ❍ D. WPA2-AES
The Answer: B. 802.1X 802.1X uses a centralized authentication server, and all users can use their normal credentials to authenticate to an 802.1X network. The incorrect answers: A. WPA2-PSK The PSK (Pre-shared Key) is the shared password that this network administration would like to avoid using in the future. C. WPS WPS (Wi-Fi Protected Setup) connects users to a wireless network using a shared PIN (Personal Identification Number). D. WPA2-AES WPA2 (Wi-Fi Protected Access 2) encryption with AES (Advanced Encryption Standard) is a common encryption method for wireless networks, but it does not provide any centralized authentication functionality.
Rodney, a security engineer, is viewing this record from the firewall logs: UTC 04/05/2018 03:09:15809 AV Gateway Alert 136.127.92.171 80 -> 10.16.10.14 60818 Gateway Anti-Virus Alert: XPACK.A_7854 (Trojan) blocked. Which of the following can be observed from this log information? ❍ A. The victim's IP address is 136.127.92.171 ❍ B. A download was blocked from a web server ❍ C. A botnet DDoS attack was blocked ❍ D. The Trojan was blocked, but the file was not
The Answer: B. A download was blocked from a web server A traffic flow from a web server port number (80) to a device port (60818) indicates that this traffic flow originated on port 80 of the web server. A file download is one of the most common ways to deliver a Trojan, and this log entry shows that the file containing the XPACK.A_7854 Trojan was blocked. The incorrect answers: A. The victim's IP address is 136.127.92.171 The format for this log entry uses an arrow to differentiate between the attacker and the victim. The attacker IP address is 136.127.92.171, and the victim's IP address is 10.16.10.14. C. A botnet DDoS attack was blocked A botnet attack would not commonly include a Trojan horse as part of a distributed denial of service (DDoS) attack. D. The Trojan was blocked, but the file was not A Trojan horse attack involves malware that is disguised as legitimate software. The Trojan malware and the file are the same entity, so there isn't a way to decouple the malware from the file.
Which of the following would be commonly provided by a CASB? (Select TWO) ❍ A. List of all internal Windows devices that have not installed the latest security patches ❍ B. List of applications in use ❍ C. Centralized log storage facility ❍ D. List of network outages for the previous month ❍ E. Verification of encrypted data transfers ❍ F. VPN connectivity for remote users
The Answer: B. A list of applications in use E. Verification of encrypted data transfers A CASB (Cloud Access Security Broker) can be used to apply security policies to cloud-based implementations. Two common functions of a CASB are visibility into application use and data security policy use. Other common CASB functions are the verification of compliance with formal standards and the monitoring and identification of threats. The incorrect answers: A. List of all internal Windows devices that have not installed the latest security patches A CASB focuses on policies associated with cloud-based services and not internal devices. C. Centralized log storage facility Using Syslog to centralize log storage is most commonly associated with a SIEM (Security Information and Event Manager). D. List of network outages for the previous month A network availability report would be outside the scope of a CASB. F. VPN connectivity for remote users VPN concentrators are commonly used to provide security connectivity for remote users.
Juan is concerned that information he has stored in a cloud block storage service may be accessible to the service provider. What control can he use to best protect against this risk? Permissions or Encryption?
The best control for Juan to use in this case is encryption. If he applies strong encryption to the data and maintains control of the encryption key, nobody without the key will be able to read the data. Permissions would also be a useful control here, but they would not prevent a rogue employee of the cloud provider from modifying the permissions and accessing the data. High availability and replication do not protect against confidentiality risks.
A security manager has created a report showing intermittent network communication from external IP addresses to certain workstations on the internal network. These traffic patterns occur at random times during the day. Which of the following would be the MOST likely reason for these traffic patterns? ❍ A. ARP poisoning ❍ B. Backdoor ❍ C. Polymorphic virus ❍ D. Trojan horse
The Answer: B. Backdoor A backdoor would allow an attacker to access a system at any time without any user intervention. If there are inbound traffic flows that cannot be identified, it may be necessary to isolate that computer and examine it for signs of a compromised system. The incorrect answers: A. ARP poisoning ARP (Address Resolution Protocol) poisoning is a local exploit that is often associated with a man-in-the-middle attack. The attacker must be on the same local IP subnet as the victim, so this is not often associated with an external attack. C. Polymorphic virus Polymorphic viruses will modify themselves each time they are downloaded. Although a virus could potentially install a backdoor, a polymorphic virus would not be able to install itself without user intervention. D. Trojan horse A Trojan horse is malware that is hidden inside of a seemingly harmless application. Once the Trojan horse is executed, the malware will be installed onto the victim's computer. Trojan horse malware could possibly install backdoor malware, but the Trojan horse itself would not be the reason for these traffic patterns.
Which of the following would be the BEST way to confirm the secure baseline of a deployed application instance? ❍ A. Compare the production application to the sandbox ❍ B. Perform an integrity measurement ❍ C. Compare the production application to the previous version ❍ D. Perform QA testing on the application instance
The Answer: B. Perform an integrity measurement An integrity measurement is designed to check for the secure baseline of firewall settings, patch levels, operating system versions, and any other security components associated with the application. These secure baselines may vary between different application versions. The incorrect answers: A. Compare the production application to the sandbox A sandbox is commonly used as a development environment. Security baselines in a production environment can be quite different when compared to the code in a sandbox. C. Compare the production application to the previous version The newer version of an application may have very different security requirements than previous versions. D. Perform QA testing on the application instance QA (Quality Assurance) testing is commonly used for finding bugs and verifying application functionality. The primary task of QA is not generally associated with verifying security baselines.
A company's outgoing email server currently uses SMTP with no encryption. The security administrator would like to implement encryption between email clients without changing the existing server-to-server communication. Which of the following would be the BEST way to implement this requirement? ❍ A. Implement Secure IMAP ❍ B. Require the use of S/MIME ❍ C. Install an SSL certificate on the email server ❍ D. Use a VPN tunnel between email clients
The Answer: B. Require the use of S/MIME S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a way to integrate public key encryption and digital signatures into most modern email clients. This would encrypt all email information from client to client, regardless of the communication used between email servers. The incorrect answers: A. Implement Secure IMAP Secure IMAP (Internet Message Access Protocol) would encrypt communication downloaded from an email server, but it would not provide any security for outgoing email messages. C. Install an SSL certificate on the email server An SSL certificate on an email server could potentially be used to encrypt server-to-server communication, but the security administrator is looking for an encryption method between email clients. D. Use a VPN tunnel between email clients Email communication does not occur directly between email clients, so configuring a VPN between all possible email recipients would not be a valid implementation.
Which part of the PC startup process verifies the digital signature of the OS kernel? ❍ A. Measured Boot ❍ B. Trusted Boot ❍ C. Secure Boot ❍ D. POST
The Answer: B. Trusted Boot The Trusted Boot portion of the startup process verifies the operating system kernel signature and starts the ELAM (Early Launch Anti-Malware) process. The incorrect answers: A. Measured Boot Measured Boot occurs after the Trusted Boot process and verifies that nothing on the computer has been changed by malicious software or other processes. C. Secure Boot Secure Boot is a UEFI BIOS boot feature that checks the digital signature of the bootloader. The Trusted Boot process occurs after Secure Boot has completed. D. POST POST (Power-On Self-Test) is a hardware check performed prior to booting an operating system.
Jack, a security administrator, has been tasked with hardening all of the internal web servers to prevent on-path attacks and to protect the application traffic from protocol analysis. These requirements should be implemented without changing the configuration on the client systems. Which of the following should Jack include in his project plan? (Select TWO) ❍ A. Add DNSSEC records on the internal DNS servers ❍ B. Use HTTPS over port 443 for all server communication ❍ C. Use IPsec for client connections ❍ D. Create a web server certificate and sign it with the internal CA ❍ E. Require FTPS for all file transfers
The Answer: B. Use HTTPS over port 443 for all server communication, and D. Create a web server certificate and sign it with the internal CA Using the secure HTTPS (Hypertext Transfer Protocol Secure) protocol will ensure that all network communication is protected between the web server and the client devices. If someone manages to capture the network traffic, they would be viewing encrypted data. A signed certificate from a trusted internal CA (Certificate Authority) allows web browsers to trust that the web server is the legitimate server endpoint. If someone attempts an on-path attack, the certificate presented will not validate and a warning message will appear in the browser. The incorrect answers: A. Add DNSSEC records on the internal DNS servers DNSSEC (Domain Name System Security Extensions) records are useful to validate the IP address of a device, but they would not prevent an on-path attack. DNSSEC also doesn't provide any security of the network communication itself. C. Use IPsec for client connections IPsec (IP Security) would provide encrypted communication, but it is not commonly used between a web client and web server. It would also require additional configuration changes on the client devices. E. Require FTPS for all file transfers Web server communication occurs with HTTP or the encrypted HTTPS protocols. The FTPS (File Transfer Protocol Secure) protocol is not commonly used between web clients and servers.
The management at Steven's work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired network? Router/switch MAC reporting Port scanner Reviewing a central endpoint management tool
The best option is MAC address reporting from a source device like a router or a switch. If the company uses a management system or inventory process to capture these addresses, then a report from one of these devices will show what is connected to the network even when they are not currently in the inventory. This information could then be used to track down rogue devices based on the physical port connected to a network device.
A file server has a full backup performed each Monday at 1 AM. Incremental backups are performed at 1 AM on Tuesday, Wednesday, Thursday, and Friday. The system administrator needs to perform a full recovery of the file server on Thursday afternoon. How many backup sets would be required to complete the recovery? ❍ A. 2 ❍ B. 3 ❍ C. 4 ❍ D. 1
The Answer: C. 4 Each incremental backup will archive all of the files that have changed since the last full or incremental backup. To complete this full restore, the administrator will need the full backup from Monday and the incremental backups from Tuesday, Wednesday, and Thursday. The incorrect answers: A. 2 If the daily backup was differential, the administrator would only need the full backup and the differential backup from Thursday. B. 3 Since the incremental backup only archives files that have changed, he will need all three daily incremental backups as well as Monday's full backup. D. 1 To recover incremental backups, you'll need the full backup and all incremental backups since the full backup.
A security administrator is collecting information associated with a ransomware infection on the company's web servers. Which of the following log files would provide information regarding the memory contents of these servers? ❍ A. Web ❍ B. Packet ❍ C. Dump ❍ D. DNS
The Answer: C. Dump A dump file contains the contents of system memory. In Windows, this file can be created from the Task Manager. The incorrect answers: A. Web Web server logs will document web pages that were accessed, but it doesn't show what information may be contained in the system RAM. B. Packet A packet trace would provide information regarding network communication, but it would not include any details regarding the contents of memory. D. DNS DNS (Domain Name System) server logs can show which domain names were accessed by internal systems, and this information can help identify systems that may be infected. However, the DNS log doesn't include any information about the memory contents of a server.
A security administrator has been using EAP-FAST wireless authentication since the migration from WEP to WPA2. The company's network team now needs to support additional authentication protocols inside of an encrypted tunnel. Which of the following would meet the network team's requirements? ❍ A. EAP-TLS ❍ B. PEAP ❍ C. EAP-TTLS ❍ D. EAP-MSCHAPv2
The Answer: C. EAP-TTLS EAP-TTLS (Extensible Authentication Protocol - Tunneled Transport Layer Security) allows the use of multiple authentication protocols transported inside of an encrypted TLS (Transport Layer Security) tunnel. This allows the use of any authentication while maintaining confidentiality with TLS. The incorrect answers: A. EAP-TLS EAP-TLS does not provide a mechanism for using multiple authentication types within a TLS tunnel. B. PEAP PEAP (Protected Extensible Authentication Protocol) encapsulates EAP within a TLS tunnel, but does not provide a method of encapsulating other authentication methods. D. EAP-MSCHAPv2 EAP-MSCHAPv2 (EAP - Microsoft Challenge Handshake Authentication Protocol v2) is a common implementation of PEAP.
Which of the following standards provides information on privacy and managing PII? ❍ A. ISO 31000 ❍ B. ISO 27002 ❍ C. ISO 27701 ❍ D. ISO 27001
The Answer: C. ISO 27701 The ISO (International Organization for Standardization) 27701 standard extends the ISO 27001 and 27002 standards to include detailed management of PII (Personally Identifiable Information) and data privacy. The incorrect answers: A. ISO 31000 The ISO 31000 standard sets international standards for risk management practices. B. ISO 27002 Information security controls are the focus of the ISO 27002 standard. D. ISO 27001 The ISO 27001 standard is the foundational standard for Information Security Management Systems (ISMS).
. A security administrator is designing an authentication process for a new remote site deployment. They would like the users to provide their credentials when they authenticate in the morning, and they do not want any additional authentication requests to appear during the rest of the day. Which of the following should be used to meet this requirement? ❍ A. TACACS+ ❍ B. LDAPS ❍ C. Kerberos ❍ D. 802.1X
The Answer: C. Kerberos Kerberos uses a ticket-based system to provide SSO (Single Sign-On) functionality. You only need to authenticate once with Kerberos to gain access to multiple resources. The incorrect answers: A. TACACS+ TACACS+ (Terminal Access Controller Access-Control System) is a common authentication method, but it does not provide any single signon functionality. B. LDAPS LDAPS (Lightweight Directory Access Protocol Secure) is a standard for accessing a network directory. This can provide an authentication method, but it does not provide any single sign-on functionality. D. 802.1X 802.1X is a standard for port-based network access control (PNAC), but it does not inherently provide any single sign-on functionality
A user connects to a third-party website and receives this message: Your connection is not private. NET::ERR_CERT_INVALID Which of the following attacks would be the MOST likely reason for this message? ❍ A. Brute force ❍ B. DoS ❍ C. On-path ❍ D. Disassociation
The Answer: C. On-path An on-path attack is often associated with a third-party who is actively intercepting network traffic. This entity in the middle would not be able to provide a valid SSL certificate for a third-party website, and this error would appear in the browser as a warning. The incorrect answers: A. Brute force A brute force attack is commonly associated with password hacks. Brute force attacks would not cause the certificate on a website to be invalid. B. DoS A DoS (Denial of Service) attack would prevent communication to a server and most likely provide a timeout error. This error is not related to a service availability issue. D. Disassociation Disassociation attacks are commonly associated with wireless networks, and they usually cause disconnects and lack of connectivity. The error message in this example does not appear to be associated with a network outage or disconnection.
Brian recently completed the change approval process for code that he developed and is waiting for the change control team to release the code for users. What environment is the code most likely in at this point? Development Test Production Staging
The fact that Brian has completed the change approval process means that the code is most likely in a staging environment. This staging environment is where code resides until change managers release it into the production environment. Code is moved to staging after being created in a development environment and evaluated in a test environment. Once code is in production, it is available to users.
A user has opened a helpdesk ticket complaining of poor system performance, excessive pop up messages, and the cursor moving without anyone touching the mouse. This issue began after they opened a spreadsheet from a vendor containing part numbers and pricing information. Which of the following is MOST likely the cause of this user's issues? ❍ A. On-path ❍ B. Worm ❍ C. RAT ❍ D. Logic bomb
The Answer: C. RAT A RAT (Remote Access Trojan) is malware that can control a computer using desktop sharing and other administrative functions. Because the installation program is often disguised as something else, the victim often doesn't realize they're installing malware. Once the RAT is installed, the attacker can control the desktop, capture screenshots, reboot the computer, and many other administrative functions. The incorrect answers: A. Man-in-the-middle A man-in-the-middle attack commonly occurs without any knowledge to the parties involved, and there's usually no additional notification that an attack is underway. B. Worm A worm is malware that can replicate itself between systems without any user intervention, so a spreadsheet that requires additional a user to click warning messages would not be categorized as a worm. D. Logic bomb A logic bomb is malware that installs and operates silently until a certain event occurs. Once the logic bomb has been triggered, the results usually involve loss of data or a disabled operating system.
A security team has been provided with a non-credentialed vulnerability scan report created by a third-party. Which of the following would they expect to see on this report? ❍ A. A summary of all files with invalid group assignments ❍ B. A list of all unpatched operating system files ❍ C. The version of web server software in use ❍ D. A list of local user accounts
The Answer: C. The version of web server software in use A scanner like Nmap can query services and determine version numbers without any special rights or permissions, which makes it well suited for non-credentialed scans. The incorrect answers: A. A summary of all files with invalid group assignments Viewing file permissions and rights requires authentication to the operating system, so you would not expect to see this information if the scan did not have credentials. B. A list of all unpatched operating system files Viewing detailed information about the operating system files requires authentication to the OS, and an uncredentialed scan does not have those permissions. D. A list of local user accounts Local user accounts are usually protected by the operating system, so you would need to have credentials to view this information.
A company is deploying a new mobile application to all of its employees in the field. Some of the problems associated with this rollout include: • The company does not have a way to manage the mobile devices in the field • Company data on mobile devices in the field introduces additional risk • Team members have many different kinds of mobile devices Which of the following deployment models would address these concerns? ❍ A. Corporate-owned ❍ B. COPE ❍ C. VDI ❍ D. BYOD
The Answer: C. VDI A VDI (Virtual Desktop Infrastructure) would allow the field teams to access their applications from many different types of devices without the requirement of a mobile device management or concern about corporate data on the devices. The incorrect answers: A. Corporate-owned A corporate-owned device would solve the issue of device standardization, but the corporate data would be stored on the mobile devices in the field. B. COPE COPE (Corporate Owned and Personally Enabled) devices are purchased by the company but are used as both a corporate device and a personal device. This would standardize the devices, but the corporate data would still be at-risk in the field. D. BYOD BYOD (Bring Your Own Device) means that the employee would choose the mobile platform. This would not address the issue of mobile device management, data security in the field, or standardization of mobile devices and apps.
An organization maintains a large database of customer information for sales tracking and customer support. Which person in the organization would be responsible for managing the access rights to this data? ❍ A. Data processor ❍ B. Data owner ❍ C. Privacy officer ❍ D. Data custodian
The Answer: D. Data custodian The data custodian manages access rights and sets security controls to the data. The incorrect answers: A. Data processor The data processor manages the operational use of the data, but not the rights and permissions to the information. B. Data owner The data owner is usually a higher-level executive who makes business decisions regarding the data. C. Privacy officer A privacy officer sets privacy policies and implements privacy processes and procedures.
A security analyst has identified a number of sessions from a single IP address with a TTL equal to zero. One of the sessions has a destination of the Internet firewall, and a session immediately after has a destination of your DMZ server. Which of the following BEST describes this log information? ❍ A. Someone is performing a vulnerability scan against the firewall and DMZ server ❍ B. Users are performing DNS lookups ❍ C. A remote user is grabbing banners of the firewall and DMZ server ❍ D. Someone is performing a traceroute to the DMZ server
The Answer: D. Someone is performing a traceroute to the DMZ server A traceroute maps each hop by slowly incrementing the TTL (Time to Live) value during each request. When the TTL reaches zero, the receiving router drops the packet and sends an ICMP (Internet Control Message Protocol) TTL Exceeded message back to the original station. The incorrect answers: A. Someone is performing a vulnerability scan against the firewall and DMZ server Vulnerability scans are usually very specific requests, and they won't get to their destination if the TTL is zero. The question did not provide any information that would indicate an active vulnerability scan. B. Users are performing DNS lookups Properly working DNS (Domain Name System) responses would not have a TTL of zero, and nothing in the question indicated information that would commonly be included in a DNS query. C. A remote user is grabbing banners of the firewall and DMZ server Banners can provide useful reconnaissance information about a service, but the TTL of zero and the lack of connection to a specific service would not indicate a banner grabbing session.
What's more volatile: RAM or Registry
The highest volatility information is the information likely to disappear first. In this case, the contents of RAM memory are the most volatile. They may be lost as soon as power is removed from the device. The contents of magnetic HDD drives or solid state SSD drives are preserved even when power is removed, and the Windows Registry is stored on disk.
When a home user connects to the corporate VPN, they are no longer able to print to their local network printer. Once the user disconnects from the VPN, the printer works normally. Which of the following would be the MOST likely reason for this issue? ❍ A. The VPN uses IPSec instead of SSL ❍ B. Printer traffic is filtered by the VPN client ❍ C. The VPN is stateful ❍ D. The VPN tunnel is configured for full tunnel
The Answer: D. The VPN tunnel is configured for full tunnel A split tunnel is a VPN (Virtual Private Network) configuration that only sends a portion of the traffic through the encrypted tunnel. A split tunnel would allow work-related traffic to securely traverse the VPN, and all other traffic would use the non-tunneled option. In this example, the printer traffic is being redirected through the VPN instead of the local home network because of the non-split/full tunnel. The incorrect answers: A. The VPN uses IPSec instead of SSL There are many protocols that can be used to send traffic through an encrypted tunnel. IPsec is commonly used for site-to-site VPN connections, and SSL (Secure Sockets Layer) is commonly used for enduser VPN connections. However, either protocol can technically be used for any VPN tunnel, and the choice of protocol would have no difference on the operation of the local printer. B. Printer traffic is filtered by the VPN client VPN clients are usually tasked with sending traffic unfiltered through the encrypted tunnel. Although data could be filtered at some point along the communication path, it's not commonly filtered by the VPN client. C. The VPN is stateful A stateful communication is commonly associated with firewalls, and it refers to the firewall's ability to track traffic flows. Stateful communication would not be a technology commonly associated with a VPN, and it would not be part of the user's printing issue.
Which metric from a CVSS3 rating describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability? AV vs PR vs AC vs UI
The Attack Complexity (AC) metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. The Privileges Required (PR) metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. The User Interaction (UI) metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. The Attack Vector (AV) metric describes the context by which vulnerability exploitation is possible.
Which one of the following industry standards provides specific guidance on the implementation of security controls in the cloud? CSF ISO 02 CCM ISO 01
The Cloud Security Alliance's Cloud Controls Matrix (CCM) is specifically designed to cover cloud security control best practices. ISO 27001 and 27002 cover information security management systems more broadly, as does the NIST Cybersecurity Framework (CSF).
Ramzi is implementing DNSSEC to better secure his organization's DNS infrastructure. When he creates his DNSKEY record, what encryption key should he include in it?
The DNSKEY record should contain the public key that corresponds to the private key used to sign the records. Since Ramzi's organization manages its own DNS infrastructure, the records would be signed with the organization's private key and should be verified with the organization's public key.
You are a cybersecurity leader for a program that doesn't currently utilize threat intelligence. You would like to begin using a program that helps you better describe how adversaries use capabilities within an infrastructure to attack a victim. Which of the following best suits this desire? Diamond Model MITRE Cyber Kill Chain NIST CMF
The Diamond Model of Intrusion Analysis is correct. The Diamond Model categorizes the relationships and characteristics of an attack's four main components: the model describes that an adversary deploys a capability over some infrastructure against a victim. These are known as events and form the diamond. Analysts then populate each part of the diamond with the information they gather during the analysis process. NIST Cybersecurity Framework is incorrect. The NIST Cybersecurity Framework (CSF) is a controls framework originally designed for organizations that are part of the U.S. Critical Infrastructure. CSF contains a set of controls that are sorted into five categories to reduce risk and help organizations respond more rapidly when incidents do occur. MITRE ATT&CK is incorrect. MITRE created the ATT&CK framework to help catalog emerging tactics, techniques, and procedures being used within attacks globally. Cyber Kill Chain is incorrect. The Cyber Kill Chain was developed for use by the major defense contractor, Lockheed Martin, with the end state of portraying how attackers step through their actions to reach their final goal.
Wendy is examining the logs of a web server that was compromised by a remote attacker. She notices that right before the attack, the logs show a series of segmentation fault errors. Other logs indicate that the attacker sent very long input strings to the web server that had malicious commands at the end of the string. What type of attack most likely took place? Buffer Overflow XSS SQL injection CSRF
The input used in this attack is indicative of a buffer overflow attack, where the attacker sent input too long for the buffers meant to store it. Segmentation fault errors commonly result from buffer overflow attacks.
Which of the following types of digital forensic investigations is the most challenging due to the on-demand nature of the analyzed assets? Cloud services On-premise servers Employee workstations Mobile devices
The on-demand nature of cloud services means that instances are often created and destroyed again, with no real opportunity for forensic recovery of any data. Cloud providers can mitigate this to some extent by using extensive logging and monitoring options. A CSP might also provide an option to generate a file system and memory snapshots from containers and VMs in response to an alert condition generated by a SIEM.
Chelsea believes that an attacker has compromised the private key for her web server's digital certificate. What action should she take? None Change the cert's public key Change its private Revoke the Cert
The private key for a digital certificate is very sensitive information and must be safeguarded. If a private key is compromised, the digital certificate should be immediately revoked. It is not possible to change the keys for a certificate. The certificate must be revoked and reissued.
Roland recently wrote code that implements a new feature demanded by end users of an application he manages. He would like users to examine the feature and determine whether it meets their needs. What environment is most appropriate for this activity? Staging Development Test Production
The process described, where users evaluate features to determine whether they meet business requirements, is known as user acceptance testing (UAT) and it should take place in the staging environment. Roland would have created the new feature in a development environment where initial testing by developers would take place. After the code passes developer testing, it will move on to staging for UAT and then finally into production.
Rob is troubleshooting a production application in his organization. He discovers that after the application has been running for about a week, it begins producing repeated errors. When he reboots the system, it again works fine for another week, until the errors begin recurring. What is the most likely cause of this issue? Memory Leak Insider Attack Buffer Overflow Logic Bomb
The symptoms described here are the classic symptoms of a memory leak. The system is slowly depleting memory as it runs until it finally runs out of available memory, resulting in errors. When Rob reboots the system, it clears out available memory and begins the cycle anew
Visitor control procedures, such as visitor registration, badging, and escorting, are an example of what category of security control? Physical Technical Managerial Operational
The three categories of security control are managerial, operational, and technical. Physical is a control type, not a control category. Visitor procedures are carried out by humans to reduce risk to the organization and, therefore, would be classified as an operational control.
Tawfiq recently completed an audit of his organization's security practices and learned that the organization stores passwords for their website in a file that is hashed but not salted. The hashing is done using a cryptographically secure hash function. Which one of the following statements correctly describes the situation?
The use of hashing stores passwords in a manner where they are not reversible, but the fact that they are not salted leaves the passwords vulnerable to a rainbow table attack where the attacker precomputes the hash values of common passwords and then searches for those values in the password file.
An end user was using your web application when it suddenly crashed and allowed the user access to a command-line prompt with administrator access to the system. Which of the following is the security issue with your application? Buffer overflow Command injection Fuzzing Transitive Access
Transitive access is correct. Transitive access occurs when a user is inadvertently given advanced access to another part of the application or the system on which it is hosted. You must ensure that your application does not allow transitive access in the event of a crash or malfunction. Buffer overflow is incorrect. A buffer overflow occurs when user input is greater than what the input field allows. Command injection is incorrect. The user did not perform a command injection into the application; it simply crashed and presented the user with a command prompt. Fuzzing is incorrect. Fuzzing is used to test input validation through the entry of random characters.
Which of the following techniques allows you to run a public-facing web application but still maintain a private back end with servers that aren't publicly accessible? Virtual private cloud NAT Proxy server Private IP
Virtual private cloud is correct. By using a virtual private cloud (VPC), you can run a public-facing web application but still maintain a private back end with servers that aren't publicly accessible. Incorrect Answers: Proxy server is incorrect. A proxy server only processes requests on a client's behalf. Network address translation is incorrect. Network address translation (NAT) is used to translate private internal IP addresses to routable public addresses. Private IP addressing is incorrect. Internal private IP addressing does not help subdivide networks.
Your quality assurance team is testing a new web application and requires several servers on-site to properly test the application on different operating systems. Due to budget and resource constraints, your company does not have enough physical servers to cover the testing requirements and provide adequate security for each system. Which of the following technologies could you implement? Cloud computing Firewall DMZ Web-caching proxy Virtualization
Virtualization
Your home network is configured with a long, strong, and complex pre-shared key for its WPA2 encryption. You noticed that your wireless network has been running slow, so you checked the list of "connected clients" and see that "Bob's Laptop" is connected to it. Bob lives downstairs and is the maintenance man for your apartment building. You know that you never gave Bob your password, but somehow he has figured out how to connect to your wireless network. Which of the following actions should you take to prevent anyone from connecting to your wireless network without the proper WPA3 password? Enable WEP Disable WPS/WPA3/SSID Broadcast
WPS was created to ease the setup and configuration of new wireless devices by allowing the router to automatically configure them after a short eight-digit PIN was entered. Unfortunately, WPS is vulnerable to a brute-force attack and is easily compromised. Therefore, WPS should be disabled on all wireless networks. If Bob could enter your apartment and press the WPS button, he could have configured his laptop to use your wireless network without your WPA3 password. While disabling the SSID broadcast could help prevent someone from seeing your network, the issue was someone connecting to your network without having the password. Disabling the SSID broadcast would not solve this issue.