CompTIA Security+
EF (Exposure Factor)
- A quantitative risk assessment for the potential percentage of loss to an asset if a threat is realized
Types of Security Policies
- Acceptable use policy (AUP) - Resource access policies - Account policies - Data retention policies - Change control policies - Asset management policies
Cryptographic Erasure Methods
- Destroy the storage media's decryption key - SEDs (self-encrypting devices)
SSAE SOC 2 (Statement on Standards for Attestation Engagements System and Organization Controls)
- Financial statement integrity - Internal controls - Type I and Type II
OSINT (open-source intelligence)
- Government intelligence reports - Media - Academic paper sources
BPA (Business Partnership Agreement)
- Legal document - Responsibilities, investment, decision-making
Security Control Categories
- Managerial/administrative - Operational - Technical
Attack Vectors (supply chain)
- Manufacturers - Contractors - Implementers - Outsourced software development - Right-to-audit clause
RPO (Recovery Point Objective)
- Maximum tolerable amount of data loss - Directly related to backup frequency
Standard classification
- PII (personally identifiable information) - PHI (protected health information) - Proprietary - Public/private - Critical - Financial
Port Address Translation (PAT)
- Part of OSI Layer 2 - No content caching - No authentication.
Forward Proxy Server
- Part of OSI layer 7 - Sits between internal users and the internet - Fetches Internet content for internal users - Hides IP address of internal client machine
Security Control Types
- Physical; Access control vestibule - Detective; Log analysis - Corrective; Patching known vulnerabilities - Deterrent; Device logon warning banners - Compensating; Network isolation for Internet of Things (IoT) devices
STIX - Structured Threat Information eXpression
- A form of AIS - Data exchange format for cybersecurity intelligence
Which of the following ports should you block at the firewall if you want to prevent a remote login to a server from occurring? a. 22 b. 80 c. 143 d. 21 - FTP or 23 telnet
D. 21 - FTP or 23 telnet
During your annual cybersecurity awareness training in your company, the instructor states that employees should be careful about what information they post on social media. According to the instructor, if you post too much personal information on social media, such as your name, birthday, hometown, and other personal details, it is much easier for an attacker to conduct which type of attack to break your passwords? a. Rainbow table attack b. Brute force attack c. Birthday attack d. Cognitive password attack
D. A cognitive password is a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity
Samantha works in the human resource department in an open floorplan office. She is concerned about the possibility of someone conducting shoulder surfing to read sensitive information from employee files while accessing them on her computer. Which of the following physical security measures should she implement to protect against this threat? a. Biometric lock b. Badge reader c. Hardware token d. Privacy screen
D. A privacy screen is a filter placed on a monitor to decrease the viewing angle of a monitor. This prevents the monitor from being viewed from the side and can help prevent shoulder surfing.
You are trying to select the best device to install to proactively stop outside attackers from reaching your internal network. Which of the following devices would be the BEST for you to select? a. Proxy Server b. IDS c. Syslog server d. IPS
D. An intrusion prevention system (IPS) is a form of network security that detects and prevents identified threats. Intrusion prevention systems continuously monitor your network, looking for possible malicious incidents, and capturing information about them.
Your company is required to remain compliant with PCI-DSS due to the type of information processed by your systems. If there was a breach of this data, which type of disclosure would you be required to provide during your incident response efforts? a. Notification to local law enforcement b. Notification to Visa and Mastercard c. Notification to federal law enforcement d. Notification to your credit card processor
D. Any organization that processes credit cards is required to work with its credit card processor instead of working directly with the card issuers (Visa and Mastercard).
What information should be recorded on a chain of custody form during a forensic investigation? a. The list of individuals who made contact with files leading to the investigation. b. The list of former owners/operators of the workstation involved in the investigation c. The law enforcement agent who was first on the scene d. Any individual who worked with evidence during the investigation.
D. Chain of custody forms list every person who has worked with or who has touched the evidence that is a part of an investigation.
James, a programmer at Apple Computers, is surfing the internet on his lunch break. He comes across a rumor site focused on providing details of the upcoming iPhone being released in a few months. James knows that Apple likes to keep its product details a secret until they are publicly announced. As James is looking over the website, he sees a blog post with an embedded picture of a PDF containing detailed specifications for the next iPhone and labeled "Proprietary Information - Internal Use Only." The new iPhone is still several months away from release. What should James do next? a. Contact the website's owner and request it be taken down. b. Reply to the blog post and deny the accuracy of the specifications. c. Contact the team lead and ask what to do. d. Contact the service desk or incident response team to determine what to do next
D. Contact service desk or incident response team to determine what to do next
Which term is used in software development to refer to the method in which app and platform updates are committed to a production environment rapidly? a. Continuous integration b. Continuous delivery c. Continuous monitoring d. Continuous development
D. Continuous deployment is a software development method in which app and platform updates are committed to production rapidly. Continuous delivery is a software development method in which app and platform requirements are frequently tested and validated for immediate availability.
Certificate Types
- DV (Domain Validated) - EV (Extended Validated) - SAN (Subject Alternative Name) - Limited wildcard
Discretionary Access Control (DAC)
Data custodian sets permissions at their discretion
In the OSI model, what is the primary function of the Physical layer?
Deals with physical specifications like wire size, frequencies
Symmetric Block Algorithm
Defined by - Key length - Block size - Number of rounds
MOA (Memorandum of Agreement)
Detailed terms between parties
National Institute of Standards and Technology (NIST)
Develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies and the broader public.
AIS - Automated Indicator Sharing
Exchange of cybersecurity intelligence (CI) between entities
DDoS (Distributed denial of service)
External risk type
Biometric Efficacy Rates
- False acceptance - False rejection - Crossover error rate
PTA (Privacy Threshold Assessment)
First step before implementing solutions related to sensitive data
OSI - Application Layer - Layer 7
OSI model protocol responsible for the network-related program code and functions running on a computer system that either initiate the request (on the sending system) or service the request (on the receiving system)
PHI (Protected Health Information)
One or more pieces of sensitive medical information that can be traced back to an individual
OTP
One-time password
ISO/IEC
International Organization for Standardization/International Electrotechnical Commission
Which type of encryption uses a single key for encryption and decryption?
Symmetric
MTTR (Mean Time To Repair)
The average time required to repair a single resource or function when a disaster or other disruption occurs. Describes the average amount of time it takes to get a device fixed and back online.
MTTF (Mean Time To Failure)
The length of time you can expect a device to remain in operation before it fails. It is similar to MTBF, but the primary difference is that the MTBF metric indicates you can repair the device after it fails. This metric indicates that you will not be able to repair a device after it fails.
SLE (Single Loss Expectancy)
The monetary value of any single loss. It is used to measure risk with ALE and ARO in a quantitative risk assessment.
Cryptography
The practice of disguising information in a way that looks random
MFA (Multifactor Authentication)
To use more than one factor to authenticate access. - Something you know - Something you have - Something you are
Government/Military classification
- Top Secret - Secret - Confidential - Sensitive but unclassified - Unclassified
ALE (Annualized Loss Expectancy)
Total yearly cost of bad things happening
Rule Based Access Control (RBAC)
Uses conditional access policies based on attributes such as MFA, device type, or location
You suspect that your server has been the victim of a web-based attack. Which of the following ports would most likely be seen in the logs to indicate the attack's target?
a. 389 b. 3389 c. 21 D. 443
You are configuring the ACL (Access Control List) for the network perimeter firewall. You have just finished adding all the proper allow and deny rules. What should you place at the end of your ACL rules?
a. A time of day restriction b. A SNMP deny string C. An implicit deny statement d. An implicit allow statement
Which of the following access control methods utilizes a set of organizational roles in which users are assigned to gain permissions and access rights?
a. ABAC - Attribute Based Access Control b. DAC - Discretionary Access Control C. RBAC - Role/Rule Based Access Control d. MAC - Media Address Card
You received an incident response report indicating a piece of malware was introduced into the company's network through a remote workstation connected to the company's servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again?
a. ACL B. NAC c. SPF d. MAC filtering
During which incident response phase is the preservation of evidence performed?
a. Preparation b. Post-incident activity C. Containment, eradication and recovery d. Detection and analysis
Your company has decided to move all of its data into the cloud. Your company is small and has decided to purchase some on-demand cloud storage resources from a commercial provider (such as Google Drive) as its primary cloud storage solution. Which of the following types of clouds is your company using?
a. Public B. Hybrid c. Private d. Community
After completing an assessment, you create a chart listing the associated risks based on the vulnerabilities identified with your organization's privacy policy. The chart contains listings such as high, medium, and low. It also utilizes red, yellow, and green colors based on the likelihood and impact of a given incident. Which of the following types of assessments did you just complete?
a. Quantitative risk assessment b. Privacy assessment C. Qualitative risk assessment d. Supply chain assessment
PKI Standards
- X.509: Method to query systems that store certificates and standard for constructing certificates - PKCS: Public Key Cryptography Standards - RA: Registration Authorities perform registrations for intermediate authorities
Anonymization Techniques
- Pseudo-anonymization - Replace PII with fake identifiers - Data minimization - Limit stored/retained sensitive data - Tokenization - A digital token authorizes access instead of the original credentials - Data masking - Hide sensitive data from unauthorized users - Masked-out credit card number digits on a receipt
Security Controls
- A solution that mitigates a threat - Implemented differently based on platform/vendor/user
MFA Attributes
- Somewhere you are (location, GPS) - something you can do (signature) - something you exhibit (brainwave response) - Someone you know (friend, relative)
What constitutes an ethernet frame
1) Preamble 2) Destination MAC 3) Source MAC 4) Destination IP Address 5) Source IP Address 6) Destination Port 7) Source Port 8) DATA 9) FCS
CRL (Certificate Revocation List)
A list of certificates that a CA has revoked. Certificates are commonly revoked if they are compromised, issued to an employee who has left the organization, or expired.
CVE (Common Vulnerabilities and Exposure)
A list of publicly disclosed information security vulnerabilities and exposures.
MTBF (Mean Time Between Failures)
A metric that provides a measure of a system's reliability and is usually represented in hours. Identifies the average time between failures.
Center for Internet Security (CIS)
A nonprofit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.'
ARP (Address Resolution Protocol)
A protocol that maps IP addresses to MAC addresses on a LAN
GDPR (General Data Protection Regulation)
A regulation (2016) whereby companies have 2 years to transition to compliance (from the EU directive) after the final text is published
Ephemeral Key
A temporary key that is used only once before it is discarded.
Symmetric Key Algorithms
DES (Data Encryption Standard) - Same key used to encrypt and decrypt data
HMAC (Hash-based Message Authentication Code)
A cryptographic authentication technique that uses a hash function and a secret key.
Symmetric Block Algorithm Implementations
DES, 3DES, Blowfish
Asymmetric Encryption
A type of cryptography based on algorithms that require two keys, one of which is secret (or private) and one of which is public (freely known to others).
Vulnerability
A weakness inherent in an asset that leaves it open to a threat
APT
A threat actor that is persistent and sophisticated.
TAXII (Trusted Automated eXchange of Indicator Information)
A collection of services and message exchanges to enable the sharing of information about cyber threats across product, service and organizational boundaries.
Using the image provided, place the port numbers in the correct order with their associated protocols: SCP POP3 SNMP Telnet
A. 22, 110, 161, 23 b. 110, 161, 23, 22 c. 161, 22, 110, 23 d. 23, 110, 22, 161
An analyst reviews the logs from the network and notices that there have been multiple attempts from the open wireless network to access the networked HVAC control system. The open wireless network must remain openly available so that visitors can access the internet. How can this type of attack be prevented from occurring in the future? a. Implement a VLAN to separate the HVAC control system from the open wireless network b. Enable WPA2 security on the open wireless network. c. Install an IDS to protect the HVAC system d. Enable NAC on the open wireless network
A. A VLAN is useful to segment network traffic into various parts of the network and stop someone on the open wireless network from logging in to the HVAC controls. By utilizing NAC, each machine connected to the open wireless network could be checked for compliance to determine if it is a 'known' machine, but it would still be given access to the entire network.
Which of the following tools could be used to detect unexpected output from an application being managed or monitored? a. A behavior-based analysis b. Manual analysis c. A log analysis tool d. A signature-based detection tool
A. A behavior-based analysis tool can capture/analyze normal behavior and then alert when an anomaly occurs.
Which of the following must be combined with a threat to create risk? a. Vulnerability b. Malicious actor c. Exploit d. Mitigation
A. A risk results from the combination of a threat and a vulnerability.
Which of the following cryptographic algorithms is classified as symmetric?
A. AES b. Diffie-Hellman c. ECC d. RSA
Frank and John have started a secret club together. They want to ensure that when they send messages to each other, they are truly unbreakable. What encryption key would provide the STRONGEST and MOST secure encryption?
A. AES 256 b. ECC 256 c. DES 56 d. Randomized one-time use pad
Which of the following policies should contain the requirements for removing a user's access when an employee is terminated?
A. Account management policy b. Data retention policy c. Data ownership policy d. Data classification policy
A cybersecurity analyst is working at a college that wants to increase its network's security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements?
A. Active scanning engine installed on the enterprise console b. Combination of server-based and agent-based scanning engines c. Passive scanning engine located at the core of the network infrastructure d. Combination of cloud-based and server-based scanning engines
What tool is used to collect wireless packet data?
A. Aircrack-ng b. Nessus c. Netcat d. John the Ripper
Which of the following hashing algorithms results in a 160-bit fixed output? a. RIPEMD b. NTLM c. MD-5 d. SHA-2
A. RIPEMD creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.
You work as the incident response team lead at Fail to Pass Systems. Sierra, a system administrator, believes an incident has occurred on the network and contacts the SOC. At 2:30 am, you are woken up by a phone call from the CEO of Fail to Pass stating an incident has occurred and that you need to solve this immediately. As you are getting dressed to drive into the office, your phone rings again. This time, the CIO starts asking you a lot of technical questions about the incident. The first you heard of this incident was 5 minutes ago from the CEO, so you don't have the answers to the CIO's questions, yet. Based on this scenario, which of the following issues needs to be documented in your lessons learned report once this incident is resolved?
A. An established incident response form for all employees to use to collect data b. A robust method of incident detection c. A call list/escalation list d. An office incident response jump bag or kit
Which of the following access control methods provides the most detailed and explicit type of access control over a resource? a. ABAC b. MAC c. RBAC d. DAC
A. Attribute-based access control (ABAC) provides the most detailed and explicit type of access control over a resource because it is capable of making access decisions based on a combination of subject and object attributes, as well as context-sensitive or system-wide attributes
A cybersecurity analyst notices that an attacker is trying to crack the WPS PIN associated with a wireless printer. The device logs show that the attacker tried 00000000, 00000001, 00000002 and continued to increment by 1 each time until they found the correct PIN of 13252342. Which of the following types of password cracking was being performed by the attacker?
A. Brute-force b. Dictionary c. Rainbow table d. Hybrid
An attacker is searching in Google for Cisco VPN configuration files by using the filetype:pcf modifier. The attacker located several of these configuration files and now wants to decode any connectivity passwords that they might contain. What tool should the attacker use?
A. Cain and Abel b. Nmap c. Nessus d. Netcat
Which of the following types of digital forensic investigations is most challenging due to the on-demand nature of the analyzed assets?
A. Cloud services b. On-premise servers c. Employee workstations d. Mobile devices
Jason has installed multiple virtual machines on a single physical server. He needs to ensure that the traffic is logically separated between each virtual machine. How can Jason best implement this requirement?
A. Configure a virtual switch on the physical server and create VLANs b. Install a virtual firewall and establish an ACL c. Conduct system partitioning on the physical server to ensure the virtual disk images are on different partitions d. Create a virtual router and disable the spanning tree protocol
Which of the following BEST describes when a third-party takes components produced by a legitimate manufacturer and assembles an unauthorized replica sold in the general marketplace?
A. Counterfeiting b. Entrepreneurship c. Recycling d. Capitalism
Which of the following cryptographic algorithms is classified as asymmetric?
A. DSA b. DES c. RC4 d. AES
When you purchase an exam voucher at diontraining.com, the system only collects your name, email, and credit card information. Which of the following privacy methods is being used by Dion Training?
A. Data minimization b. Anonymization c. Data masking d. Tokenization
A user reports that every time they try to access https://www.diontraining.com, they receive an error stating "Invalid or Expired Security Certificate." The technician attempts to connect to the same site from other computers on the network, and no errors or issues are observed. Which of the following settings needs to be changed on the user's workstation to fix the "Invalid or Expired Security Certificate" error?
A. Date and Time b. User Access Control c. UEFI boot mode d. Logon times
You have recently been hired as a security analyst at Dion Training. On your first day, your supervisor begins to explain the way their network is configured, showing you the physical and logical placement of each firewall, IDS sensor, host-based IPS installations, the networked spam filter, and the DMZ. What best describes how these various devices are placed into the network for the highest level of security?
A. Defense in depth b. Network segmentation c. UTM d. Load balancer
Your organization has recently suffered a data breach due to a server being exploited. As a part of the remediation efforts, the company wants to ensure that the default administrator password on each of the 1250 workstations on the network is changed. What is the easiest way to perform this password change requirement?
A. Deploy a new group policy b. Utilize the key escrow process c. Create new security group d. Revoke the digital certificate
Which of the following cryptographic algorithms is classified as asymmetric?
A. Diffie-Hellman b. AES c. RC4 d. Blowfish
Which of the following proprietary tools is used to create forensic disk images without making changes to the original evidence?
A. FTK Imager b. dd c. Autopsy d. Memdump
What is used as a measure of biometric performance to rate the system's ability to correctly authenticate an authorized user by measuring the rate that an unauthorized user is mistakenly permitted access?
A. False acceptance rate. b. False rejection rate c. Failure to capture d. Crossover error rate
You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the following regulations would have the greatest impact on your bank's cybersecurity program?
A. GLBA Gramm-Leach-Bliley Act b. FERPA c. SOX d. HIPAA
Which of the following security controls provides Windows system administrators with an efficient way to deploy system configuration settings across many devices?
A. GPO - Group Policy Object MS b. Patch management c. HIPS d. Anti-malware
Your organization has just migrated to provisioning its corporate desktops as virtual machines and accessing them using thin clients. The organization believes this will enhance security since the desktop can be rewritten with a new baseline image every time the user logs into it. Based on this scenario, which of the following technologies has the organization adopted? a. VDI b. VPN c. UEBA d. VPC
A. Virtual desktop infrastructure (VDI) is a virtualization implementation that separates the personal computing environment from a user's physical computer.
Fail to Pass Systems has just become the latest victim in a large-scale data breach by an APT. Your initial investigation confirms a massive exfiltration of customer data has occurred. Which of the following actions do you recommend to the CEO of Fail to Pass Systems in handling this data breach? a. Conduct notification to all affected customers within 72 hours of the discovery of the breach b. Provide a statement to the press that minimizes the scope of the breach c. Conduct a 'hack-back' of the attacker to retrieve the stolen information d. Purchase a cyber insurance policy, alter the date of the incident in the log files, and file an insurance claim.
A. Generally speaking, most laws require notification within 72 hours, such as the GDPR.
You are working in a doctor's office and have been asked to set up a kiosk to allow customers to check in for their appointments. The kiosk should be secured, and customers should only be able to access a single application used for the check-in process. You must also ensure that the computer will automatically log in whenever the system is powered on or rebooted. Which of the following types of accounts should you configure for this kiosk?
A. Guest b. Power User c. Administrator d. Remote Desktop User
When conducting forensic analysis of a hard drive, what tool would BEST prevent changing the hard drive contents during your analysis? a. Hardware write blocker b. Software write blocker c. Degausser d. Forensic drive duplicator
A. Hardware write blocker. Both hardware and software write blockers are designed to ensure that forensic software and tools cannot change a drive inadvertently by accessing it.
You are installing Windows 2019 on a rack-mounted server and hosting multiple virtual machines within the physical server. You just finished the installation and now want to begin creating and provisioning the virtual machines. Which of the following should you utilize to allow you to create and provision virtual machines?
A. Hypervisor b. Device manager c. Disk management d. Terminal services
To improve the Dion Training corporate network's security, a security administrator wants to update the configuration of their wireless network to have IPSec built into the protocol by default. Additionally, the security administrator would like for NAT to no longer be required for extending the number of IP addresses available. What protocol should the administrator implement on the wireless network to achieve their goals?
A. IPv6 b. WPA2 c. WEP d. IPv4
What should be done NEXT if the final set of security controls does not eliminate all of the risks in a given system? a. You should accept the risk if the residual risk is low enough b. You should ignore any remaining risk c. You should continue to apply additional controls until there is zero risk. d. You should remove the current controls since they are not completely effective.
A. In most cases, you will be unable to remove all risks. Instead, it would be best to mitigate the risk to a low enough level to accept the residual risk.
The email client on a desktop workstation is acting strangely. Every time the user opens an email with an image embedded within it, the image is not displayed on their screen. Which of the following is the MOST likely cause of this issue?
A. Incorrect security settings in the email client b. Incorrect settings in the host-based firewall c. Incorrect settings in your email proxy server d. Incorrect settings in your web browser's trusted site configuration
What containment technique is the strongest possible response to an incident?
A. Isolating affected systems b. Isolating the attacker c. Segmentation d. Enumeration
The paparazzi have found copies of pictures of a celebrity's new baby online. The celebrity states they were never publicly released but were uploaded to their cloud provider's automated photo backup. Which of the following threats was the celebrity MOST likely a victim of?
A. Leaked personal files b. Unintended Bluetooth pairing c. Unauthorized camera activation. d. Unauthorized root access.
Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that the organization's RAID takes, on average, about 8 hours to repair when two drives within the RAID fail. Which of the following metrics would best represent this time period?
A. MTTR b. RTO c. MTBF d. RPO
Which type of agreement between companies and employees is used as a legal basis for protecting information assets?
A. NDA b. SLA c. MOU d. ISA
A new smartphone supports users' ability to transfer a photograph by simply placing their phones near each other and "tapping" the two phones together. What type of technology does this most likely rely on?
A. NFC - Near Field Communication b. RF - Radio Frequency c. BT - Bluetooth d. IR - Infrared
What kind of attack is an example of IP spoofing?
A. On-path attack b. SQL injection c. ARP poisoning d. Cross-site scripting
You have been asked to classify a hospital's medical records as a form of regulated data. Which of the following would BEST classify this type of data?
A. PHI b. PCI c. PII d. GDPR
What type of weakness is John the Ripper used to test during a technical assessment?
A. Passwords b. File permissions c. Usernames d. Firewall rulesets
Which of the following types of attacks occurs when an attacker attempts to obtain personal or private information through domain spoofing or poisoning a DNS server?
A. Pharming b. Hoax c. Spamming d. Vishing e. Spear phishing
Your company has decided to move all of its data into the cloud. Your company is concerned about the privacy of its data due to some recent data breaches that have been in the news. Therefore, they have decided to purchase cloud storage resources that will be dedicated solely for their use. Which of the following types of clouds is your company using?
A. Private b. Hybrid c. Public d. Community
In which type of attack does the attacker begin with a normal user account and then seek additional access rights?
A. Privilege escalation b. Spear phishing c. Cross-site scripting - XSS d. RCE - Remote Code Exploitation/Execution
David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal?
A. RDP b. MySQL c. IMAP d. LDAP
Which party in a federation provides services to members of the federation? a. RP b. SSO c. SAML d. IdP
A. Relying parties (RPs) provide services to members of a federation. An identity provider (IdP) provides identities, makes assertions about those identities, and releases information about the identity holders. The Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between an identity provider and a service provider (SP) or a relying party (RP). Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems across a federation. SAML and SSO are not parties. Therefore, they cannot possibly be the right answer to this question.
A computer is infected with malware that has infected the Windows kernel to hide. Which type of malware MOST likely infected this computer?
A. Rootkit b. Ransomware c. Botnet d. Trojan
The management at Steven's work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired network?
A. Router and switch-based MAC address reporting b. A physical survey c. Reviewing a central administration tool like an endpoint manager. d. A discovery scan using a port scanner
Which security tool is used to facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment?
A. SOAR (Security Orchestration Automation Response) b. MDM (Mobile Device Management) c. SIEM (Security Information Event Management) d. DLP (Data Loss Prevention)
You are in the recovery steps of an incident response. Your analysis revealed that the attacker exploited an unpatched vulnerability on a public-facing web server as the initial intrusion vector in this incident. Which of the following mitigations should be implemented first during the recovery?
A. Scan the network for additional instances of this vulnerability and patch asset b. Restrict host access to peripheral protocols like USB, BT c. Disable unused user account and reset the admin creds d. Restrict shell commands by user or host to ensure least privilege
You are developing a containment and remediation strategy to prevent the spread of an APT within your network. Your plan suggests creating a mirror of the company's databases, routing all externally sourced network traffic to it, and gradually updating with pseudo-realistic data to confuse and deceive the APT as they attempt to exfiltrate the data. Once the attacker has downloaded the corrupted database, your company would then conduct remediation actions on the network and restore the correct database information to the production system. Which of the following types of containment strategies does the plan utilize?
A. Segmentation-based containment that deceives the attacker into believing it was successful b. Segmentation-based containment that disrupts the APT by using a hack-back approach c. Isolation-based containment by disconnecting the APT from the affected network d. Isolation-based containment by removing the affected database from production
You have been asked to develop a solution for one of your customers. The customer is a software development company, and they need to be able to test a wide variety of operating systems to test the software applications their company is developing internally. The company doesn't want to buy a bunch of computers to install all of these operating systems for testing. Which of the following solutions would BEST meet the company's requirements? a. Purchase a high-end computer that has a lot of CPU cores and RAM, install a hypervisor, and configure a virtual machine for each operating system that will be used to test the applications being developed. b. Purchase one computer, install an operating system on it, create an image of the system, then reformat it, install the next operating system, create another image, and reimage the machine each time you need to test a different application. c. Purchase multiple workstations, install a VM on each one, then install one operating system that will be used to test the applications being developed in each VM. d. Purchase multiple inexpensive workstations and install one operating system that will be used to test the applications being developed on each workstation.
A. Since the company's main goal was to minimize the amount of hardware required, the BEST solution is to purchase a high-end computer that has a lot of CPU cores and RAM, install a hypervisor
Dion Training has an open wireless network called "InstructorDemos" for its instructors to use during class, but they do not want any students connecting to this wireless network. The instructors need the "InstructorDemos" network to remain open since some of their IoT devices used during course demonstrations do not support encryption. Based on the requirements provided, which of the following configuration settings should you use to satisfy the instructor's requirements and prevent students from using the "InstructorDemos" network? a. MAC filtering b. Signal strength c. QoS d. NAT
A. Since the instructors need to keep the wireless network open, the BEST option is to implement MAC filtering to prevent the students from connecting to the network while still keeping the network open.
Dion Training has applied a new Group Policy to all student accounts that will lock out any account in which the student enters their password incorrectly 3 times in a row. Once the account is locked out, the student must wait 15 minutes before they can attempt to log in again. What type of attack is this mitigation strategy trying to prevent? a. Brute force attack b. On-path attack c. Privilege escalation d. Spoofing
A. Since the policy will lock out the student for 15 minutes between attempts, it is a valid mitigation technique against a brute force attack
What is the biggest disadvantage of using single sign-on (SSO) for authentication? a. It introduces a single point of failure b. Systems must be configured to utilize the federation c. The identity provider issues the authorization d. Users need to authenticate with each server as they log on.
A. Single sign-on is convenient for users since they only need to remember one set of credentials.
You need to determine the best way to test operating system patches in a lab environment before deploying them to your automated patch management system. Unfortunately, your network has several different operating systems in use, but you only have one machine available to test the patches on. What is the best environment to utilize to perform the testing of the patches before deployment?
A. Virtualization b. Bypass testing and deploy patches into prod c. Purchase additional workstations d. Sandboxing
DPO (Data Protection Officer)
Ensures data privacy regulation compliance such as with GDPR
Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services? a. TACACS+ b. CHAP c. RADIUS d. Kerberos
A. TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco. The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on port 1812 and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but Cisco did not develop it. Kerberos is a network authentication protocol designed to provide strong mutual authentication for client/server applications using secret-key cryptography developed by MIT. Challenge-Handshake Authentication Protocol (CHAP) is used to authenticate a user or network host to an authenticating entity. CHAP is an authentication protocol but does not provide authorization or accounting services.
Using the image provided, place the port numbers in the correct order with their associated protocols. a. 69, 25, 80, 53 b. 80, 53, 69, 25 c. 53, 69, 25, 80 d. 25, 80, 53, 69
A. TFTP, SMTP, HTTP, DNS
William would like to use full-disk encryption on his laptop. He is worried about slow performance, though, so he has requested that the laptop have an onboard hardware-based cryptographic processor. Based on this requirement, what should William ensure the laptop contains?
A. TPM b. AES c. PAM d. FDE
Dion Training is concerned with the possibility of employees accessing another user's workstation in secured areas without their permission. Which of the following would BEST be able to prevent this from happening? a. Require biometric identification for user logins b. Require a username and password for user logins c. Install security cameras in secure areas to monitor logins d. Enforce a policy that requires passwords to be changed every 30 days.
A. The BEST choice is to implement biometric identification for user logins, such as a fingerprint reader or a retina scanner
Dion Training is concerned with students entering the server room without permission. To prevent this from occurring, the organization wants to purchase and install an access control system that will allow each instructor to have access using an RFID device. Which of the following authentication mechanisms should Dion Training use to meet this requirement? a. Proximity badge b. Biometric reader c. Access control vestibule d. CCTV
A. The best option is to use a proximity badge. This type of badge embeds an RFID chip into the card or badge. When an authorized user swipes their card or badge over the reader, it sends an RF signal that uniquely identifies the holder of the card or badge.
You have been hired as a consultant to help Dion Training develop a new disaster recovery plan. Dion Training has recently grown in the number of employees and information systems infrastructure used to support its employees. Unfortunately, Dion Training does not currently have any documentation, policies, or procedures for its student and faculty networks. What is the first action you should take to assist them in developing a disaster recovery plan? a. Identify the organization's assets b. Develop a data retention policy c. Conduct a risk assessment d. Conduct a vulnerability scan
A. The first step to developing an effective disaster recovery plan is to identify the assets. The organization must understand exactly what assets they own and operate.
Which of the following actions should be done FIRST after forensically imaging a hard drive for evidence in an investigation? a. Create hash digest of the source drive and image file to ensure they match b. Encrypt the image file and ensure it maintains data integrity c. Encrypt the source drive to ensure an attacker cannot modify its content d. Digitally sign the image file to provide non-repudiation of the collection
A. The first thing that must be done after acquiring a forensic disk image is to create a hash digest of the source drive and destination image file to ensure they match.
You just received a notification that your company's email servers have been blacklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails?
A. The full email header from one of the spam messages b. Network flows for the DMZ containing the email servers c. Firewall logs showing the SMTP connections d. The SMTP audit log from your company's email server
The Pass Certs Fast corporation has recently been embarrassed by several high-profile data breaches. The CIO proposes improving the company's cybersecurity posture by migrating images of all the current servers and infrastructure into a cloud-based environment. What, if any, is the flaw in moving forward with this approach? a. This approach only changes the location of the network. b. This approach assumes that the on-site admin will be better. c. This is a reasonable approach that will increase security. d. The company already paid for the physical servers, so there is no ROI.
A. This approach only changes the location of the network.
You have just received a phishing email disguised to look like it came from [email protected] asking you to send your username and password because your account has been locked out due to inactivity. Which of the following social engineering principles is being used in this email?
A. Trust b. Intimidation c. Urgency d. Consensus
Ryan needs to verify the installation of a critical Windows patch on his organization's workstations. Which method would be the most efficient to validate the current patch status for all of the organization's Windows 10 workstations?
A. Use an endpoint manager to validate patch status for each machine on the domain b. Check Update History manually c. Conduct a registry scan of each workstation to validate the patch was installed d. Create and run a PowerShell script to search for the specific patch in question
Your company has an office in Boston and is worried that its employees may not reach the office during periods of heavy snowfall. You have been asked to select a technology that would allow employees to work remotely from their homes during poor weather conditions. Which of the following should you select? a. VPN b. IDS c. NAT d. VLAN
A. VPN
Which of the following is not normally part of an endpoint security suite?
A. VPN b. IPS c. Software firewall d. Anti-virus
A cybersecurity analyst is analyzing what they believe to be an active intrusion into their network. The indicator of compromise maps to a suspected nation-state group that has strong financial motives, APT 38. Unfortunately, the analyst finds their data correlation lacking and cannot determine which assets have been affected, so they begin to review the list of network assets online. The following servers are currently online: PAYROLL_DB, DEV_SERVER7, FIREFLY, DEATHSTAR, THOR, and DION. Which of the following actions should the analyst conduct first? a. Conduct a data criticality and prioritization analysis b. Conduct a Nessus scan of the FIREFLY server c. Logically isolate the PAYROLL_DB server from the production network d. Harden the DEV_SERVER7 server
A. While the payroll server could be assumed to hold PII, financial information, and corporate information, the analyst would only be making that assumption based on its name. Even before an incident response occurs, it would be a good idea to conduct a data criticality and prioritization analysis to determine what assets are critical to your business operations and need to be prioritized for protection
You are working as a penetration tester and have discovered a new method of exploiting a vulnerability within the Windows 10 operating system. You conduct some research online and discover that a security patch against this particular vulnerability doesn't exist yet. Which type of threat would this BEST be categorized as?
A. Zero-day b. DDoS - Distributed Denial of Service c. Spoofing d. Brute force
What kind of security vulnerability would a newly discovered flaw in a software application be considered? a. Zero-day vulnerability b. HTTP header injection vulnerability c. Input validation flaw d. Time-to-check to time-to-use flaw
A. Zero-day vulnerability
A cybersecurity analyst from BigCorp contacts your company to notify them that several of your computers were seen attempting to create a denial of service condition against their servers. They believe your company has become infected with malware, and those machines were part of a larger botnet. Which of the following BEST describes your company's infected computers?
A. Zombie b. Monsters c. Zero-day d. Bugs
Your team is developing an update to a piece of code that allows customers to update their billing and shipping addresses in the web application. The shipping address field used in the database was designed with a limit of 75 characters. Your team's web programmer has brought you some algorithms that may help prevent an attacker from trying to conduct a buffer overflow attack by submitting invalid input to the shipping address field. Which pseudo-code represents the best solution to prevent this issue?
A. if (shippingAddress <= 75) {update field} else exit b. if (shippingAddress = 75) {update field} else exit c. if (shippingAddress >= 75) {update field} else exit d. if (shippingAddress != 75) {update field} else exit
You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and impacts the production server. Which of the following sources of information would provide you with the most relevant information for you to use in determining which network service was interrupted and why? a. syslog b. firewall logs c. Network mappings d. NIDS
A. syslog
Your company has numerous public-facing Web sites that use the same DNS domain suffix. You need to use PKI to secure each Web site. Which solution involves the least amount of administrative effort?
Acquire a wildcard certificate
Diffie-Hellman
An asymmetric algorithm that provides a methodology for two parties to come up with the same session key.
Role-Based Access Control (RBAC)
An access control model that bases the access control authorizations on the roles (or functions) that the user is assigned within an organization
SLA (Service Level Agreement)
An agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels.
ISA (Interconnection Security Agreement)
An agreement that specifies technical and security requirements for connections between two or more entities. Compare with MOU/MOA.
Threat
An attack (exploit) that a malicious actor will use against an asset
ARO (Annualized Rate of Occurrence)
An estimate based on the historical data of how often a threat would be successful in exploiting a vulnerability. For example, if an event occurs once every 10 years, then its annualized rate of occurrence is 1 / 10 = 0.1.
Web Application Firewall (WAF)
- Applied at OSI Application Layer 7 - Protection against cross-site scripting, directory traversal, and SQL injection attacks
Which of the following biometric authentication factors relies on matching patterns on the eye's surface using near-infrared imaging? a. Pupil dilation b. Iris scan c. Retinal scan d. Facial recognition
B. Iris scans rely on the matching of patterns on the surface of the eye using near-infrared imaging, and so are less intrusive than retinal scanning.
Which operating system feature is designed to detect malware that is loaded early in the system startup process or before the operating system can load itself? a. Startup Control b. Measured boot c. Advanced anti-malware d. Master Boot Record analytics
B. Measured boot is a feature where a log of all boot actions is taken and stored in a trusted platform module for later retrieval and analysis by anti-malware software on a remote server.
When you are managing a risk, what is considered an acceptable option? a. Deny b. Mitigate c. Initiate d. Reject
B. Mitigating a risk makes the effect of a risk a little less unpleasant, harmful, or serious.
Which of the following is the LEAST secure wireless security and encryption protocol? a. WPA2 b. WEP c. WPA d. WPA3
B. Wired equivalent privacy (WEP) is an older mechanism for encrypting data sent over a wireless connection. WEP is considered vulnerable to attacks that can break its encryption
While performing a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks through the firewall logs and attempts to determine whether any access attempts have occurred from external sources. Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source? a. 172.16.1.100 b. 192.168.1.100 c. 192.186.1.100 d. 10.15.1.100
B. 192.168.1.100
Dion Training just installed a new webserver within a screened subnet. You have been asked to open up the port for secure web browsing on the firewall. Which port should you set as open to allow users to access this new server? a. 143 b. 443 c. 21 d. 80
B. 443. The Hypertext Transfer Protocol Secure (HTTPS) is a secure protocol used to provide web content to browsers using SSL/TLS encryption over port 443.
Which type of threat actor can accidentally or inadvertently cause a security incident in your organization? a. Hacktivist b. Insider threat c. Organized Crime d. APT
B. An insider threat is a type of threat actor assigned privileges on the system that cause an intentional or unintentional incident. Insider threats can be used as unwitting pawns of external organizations or make crucial mistakes that can open up exploitable security vulnerabilities.
You are trying to select the best device to install to detect an outside attacker trying to reach into your internal network. The device should log the event, but it should not take any action to stop it. Which of the following devices would be the BEST for you to select? a. Authentication server b. IDS c. IPS d. Proxy server
B. An intrusion detection system is a device or software application that monitors a network or system for malicious activity or policy violations.
Lamont is in the process of debugging a software program. As he examines the code, he discovers that it is miswritten. Due to the error, the code does not validate a variable's size before allowing the information to be written into memory. Based on Lamont's discovery, what type of attack might occur? a. SQL Injection b. Buffer overflow c. Cross-site scripting d. Malicious logic
B. Buffer overflow
Users connecting to an SSID appear to be unable to authenticate to the captive portal. Which of the following is the MOST likely cause of the issue? a. SSL certificates b. RADIUS c. WPA2 security key d. CSMA/CA
B. Captive portals usually rely on 802.1x, and 802.1x uses RADIUS for authentication. The IEEE 802.1x standard is a network authentication protocol that opens ports for network access when an organization authenticates a user's identity and authorizes them for access to the network.
What type of scan will measure the size or distance of a person's external features with a digital video camera? a. Iris scan b. Facial recognition c. Signature kinetics d. Retinal scan
B. Facial recognition
What should administrators perform to reduce a system's attack surface and remove unnecessary software, services, and insecure configuration settings? a. Harvesting b. Hardening c. Windowing d. Stealthing
B. Hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle, a single-function system is more secure than a multipurpose one
Which of the protocols listed is NOT likely to trigger a vulnerability scan alert when used to support a virtual private network (VPN)? a. SSLv2 b. IPsec c. SSLv3 d. PPTP
B. IPsec
What access control model will a network switch utilize if it requires multilayer switches to use authentication via RADIUS/TACACS+? a. 802.1q b. 802.1x c. 802.3af d. 802.11ac
B. If you are using RADIUS/TACACS+ with the switch, you will need to use 802.1x for the protocol. The IEEE 802.1x standard is a network authentication protocol that opens ports for network access when an organization authenticates a user's identity and authorizes them for access to the network. This defines port security. The user's identity is determined based on their credentials or certificate, which is confirmed by the RADIUS server.
A firewall administrator has configured a new screened subnet to allow public systems to be segmented from the organization's internal network. The firewall now has three security zones set: Untrusted (Internet) [143.27.43.0/24]; DMZ (Screened Subnet) [161.212.71.0/24]; Trusted (Intranet) [10.10.0.0/24]. The firewall administrator has been asked to enable remote desktop access from a fixed IP on the remote network to a remote desktop server in the screened subnet for the Chief Security Officer to work from his home office after hours. The CSO's home internet uses a static IP of 143.27.43.32. The remote desktop server is assigned a public-facing IP of 161.212.71.14. What rule should the administrator add to the firewall? a. Permit 143.27.43.32 161.212.71.0/24 RDP 3389 b. Permit 143.27.43.32 161.212.71.14 RDP 3389 c. Permit 143.27.43.0/24 161.212.71.14 RDP 3389 d. Permit 143.27.43.0/24 161.212.71.0/24 RDP 3389
B. Permit 143.27.43.32 161.212.71.14 RDP 3389
A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number of lives is written to a configuration file on the gamer's phone. A hacker loves the game but hates having to buy lives all the time, so they developed an exploit that allows a player to purchase 1 life for $0.99 and then modifies the content of the configuration file to claim 100 lives were purchased before the application reads the number of lives purchased from the file. Which of the following types of vulnerabilities did the hacker exploit? a. Sensitive data exposure b. Race conditions c. Broken authentication d. Dereferencing
B. Race conditions occur when the outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer.
Which of the following terms is used to describe the timeframe following a disaster that an individual IT system may remain offline? a. MTTR b. RTO c. MTBF d. RPO
B. Recovery time objective (RTO) is when an individual IT system may remain offline following a disaster.
Dion Training is building a new data center. The group designing the facility has decided to provide additional HVAC capacity to ensure the data center maintains a consistently low temperature. Which of the following is the most likely benefit that will be achieved by increasing the designed HVAC capacity? a. Higher data integrity due to more efficient SSD cooling b. Longer MTBF of hardware due to lower operating temperatures c. Increased availability of network services due to higher throughput d. Longer UPS run time due to increased airflow
B. The mean time between failure (MTBF) is the measure of the anticipated rate of failure for a system or component
What role does the red team perform during a tabletop exercise (TTX)? a. Network defender b. Adversary c. System administrator d. Cybersecurity analyst
B. The red team acts as the adversary, attempting to penetrate the network or exploit it as a rogue internal attacker. The red team might select members of in-house security staff, a third-party company, or a consultant contracted to perform the role. The blue team operates the security system with a focus on detecting and repelling the red team. The blue team usually consists of system administrators, cybersecurity analysts, and network defenders.
Your firewall is blocking outbound email traffic that is attempting to be sent. Which port should you verify is set to ALLOW in the firewall to ensure your emails are being sent? a. 143 b. 25 c. 80 d. 22
B. The Simple Mail Transfer Protocol (SMTP) is the protocol used to send mail between hosts on the Internet using TCP port 25. Port 25 must be set to OPEN or ALLOW in the firewall for SMTP to function properly. Secure Shell (SSH) is the protocol used for remote administration and file copying using TCP port 22.
You are troubleshooting a network connectivity issue and need to determine the packet's flow path from your system to the remote server. Which of the following tools would best help you identify the path between the two systems? a. nbtstat b. tracert c. netstat d. ipconfig
B. The tracert (trace route) diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination
What popular open-source port scanning tool is commonly used for host discovery and service identification? a. dd b. nmap c. services.msc d. Nessus
B. The world's most popular open-source port scanning utility is nmap. The Services console (services.msc) allows an analyst to disable or enable Windows services. The dd tool is used to copy files, disks, and partitions, and it can also be used to create forensic disk images. Nessus is a proprietary vulnerability scanner developed by Tenable. While Nessus does contain the ability to conduct a port scan, its primary role is as a vulnerability scanner, and it is not an open-source tool.
Dion Training has a $15,000 server that has frequently been crashing. Over the past 12 months, the server has crashed 10 times, requiring the server to be rebooted to recover from the crash. Each time, this has resulted in a 5% loss of functionality or data. Based on this information, what is the Annual Loss Expectancy (ALE) for this server? a. $1,500 b. $7,500 c. $15,000 d. $2,500
B. To calculate the SLE, SLE = 0.05 x $15,000 = $750. Therefore, the ALE = SLE x ARO = $750 x 10 = $7,500.
Your company is making a significant investment in infrastructure-as-a-service (IaaS) hosting to replace its data centers. Which of the following techniques should be used to mitigate the risk of data remanence when moving virtual hosts from one server to another in the cloud? a. Use data masking b. Use full-disk encryption c. Span multiple virtual disks to fragment data d. Zero-wipe drives before moving systems
B. To mitigate the risk of data remanence, you should implement full disk encryption. This method will ensure that all data is encrypted and cannot be exposed to other organizations or the underlying IaaS provider.
Which of the following methods is used to replace all or part of a data field with a randomly generated number used to reference the original value stored in another vault or database? a. Data masking b. Tokenization c. Data minimization d. Anonymization
B. Tokenization means that all or part of data in a field is replaced with a randomly generated token.
Which of the following cryptographic algorithms is classified as symmetric? a. RSA b. 3DES c. PGP d. ECC
B. Triple DES (3DES) is a symmetric-key block cipher that applies the DES cipher algorithm three times to each data block to increase its security over DES. RSA, PGP, and ECC are all asymmetric algorithms.
Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor? a. VM sprawl b. VM escape c. VM data remnant d. VM migration
B. Virtual machine escape vulnerabilities are the most severe issue that may exist in a virtualized environment. In this attack, the attacker gains access to a single virtual host and then leverages that access to intrude on the resources assigned to different virtual machines.
MOU (Memorandum Of Understanding)
Broad terms of agreement between parties
OSI Transport Layer (Layer 4)
OSI model layer responsible for splitting and reassembling packet data into 1500-byte chunks.
AV (Asset Value)
Quantitative Risk Assessment for assets
CCM
Cloud Controls Matrix; Cloud Security Control Documents
CSA
Cloud Security Alliance; Cloud Security Control Documents
Which of the following functions is not provided by a TPM? a. Secure generation of cryptographic keys b. Sealing c. User authentication d. Binding e. Random number generation f. Remote attestation
C. User authentication is performed at a much higher level in the operating system. Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions.
You are working as a network administrator for Dion Training. The company has decided to allow employees to connect their devices to the corporate wireless network under a new BYOD policy. You have been asked to separate the corporate network into an administrative network (for corporate-owned devices) and an untrusted network (for employee-owned devices). Which of the following technologies should you implement to achieve this goal? a. VPN b. MAC filtering c. VLAN d. WPA2
C. A virtual local area network (VLAN) is a type of network segmentation configured in your network switches that prevents communication between different VLANs without using a router.
A small business recently experienced a catastrophic data loss due to flooding from a recent hurricane. The customer had no backups, and flooding destroyed all of the hardware associated with the small business. As part of the rebuilding process, the small business contracts with your company to help create a disaster recovery plan to ensure this never recurs. Which of the following recommendations should you include as part of the disaster recovery plan? a. Purchase waterproof devices to prevent data loss b. Local backups should be conducted c. Backups should be conducted to cloud-based storage d. Local backups should be verified weekly
C. Backups should be conducted to cloud-based storage.
Barbara received a phone call from a colleague asking why she sent him an email with lewd and unusual content. Barbara doesn't remember sending the email to the colleague. What is Barbara MOST likely the victim of? a. Phishing b. Ransomware c. Hijacked email d. Spear phishing
C. Barbara is MOST likely the victim of hijacked email. Hijacked email occurs when someone takes over your email account and sends out messages on your behalf.
Which of the following is required for evidence to be admissible in a court of law? a. Order of volatility b. Legal hold c. Chain of custody d. Right to audit
C. Chain of custody forms list every person who has worked with or who has touched the evidence that is a part of an investigation.
A financial services company wants to donate some old hard drives from their servers to a local charity. Still, they are concerned about the possibility of residual data being left on the drives. Which of the following secure disposal methods would you recommend the company use? a. Zero-fill b. Secure erasure c. Cryptographic erase d. Overwrite
C. Cryptographic erase
Your company recently suffered a small data breach caused by an employee emailing themselves a copy of the current customer's names, account numbers, and credit card limits. You are determined that something like this shall never happen again. Which of the following logical security concepts should you implement to prevent a trusted insider from stealing your corporate data? a. Strong passwords b. Firewall c. DLP d. MDM
C. Data loss prevention software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage).
Order of Evidence Collection a. Hard drive, swap, RAM, cache b. Cache, swap, RAM, hard drive c. Processor cache, RAM, swap, hard drive d. Swap, cache, RAM, hard drive
C. Processor cache, RAM, swap, hard drive
Which of the following hashing algorithms results in a 256-bit fixed output? a. MD-5 b. SHA-1 c. SHA-2 d. NTLM
C. SHA-2 creates a 256-bit fixed output. SHA-1 creates a 160-bit fixed output. NTLM creates a 128-bit fixed output. MD-5 creates a 128-bit fixed output.
Your organization has been receiving many phishing emails recently, and you are trying to determine why they are effective in getting your users to click on their links. The latest email consists of what looks like an advertisement that is offering an exclusive early access opportunity to buy a new iPhone at a discounted price. Still, there are only 5 phones available at this price. What type of social engineering principle is being exploited here? a. Trust b. Intimidation c. Scarcity d. Familiarity
C. Scarcity is used to create a fear in a person of missing out on a special deal or offer. This technique is used in advertising all the time, such as "supplies are limited," "only available for the next 4 hours", and other such artificial limitations being used.
You have been investigating how a malicious actor could exfiltrate confidential data from a web server to a remote host. After an in-depth forensic review, you determine that a rootkit's installation had modified the web server's BIOS. After removing the rootkit and reflashing the BIOS to a known good image, what should you do to prevent the malicious actor from affecting the BIOS again? a. Install a host-based IDS b. Install an anti-malware application c. Utilize secure boot d. Utilize file integrity monitoring
C. Since you are trying to protect the BIOS, utilizing secure boot is the best choice. Secure boot is a security system offered by UEFI. It is designed to prevent a computer from being hijacked by a malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors.
Which of the following is not considered an authentication factor? a. Something you know b. Something you are c. Something you want d. Something you have
C. Something you want
You are investigating a suspected compromise. You have noticed several files that you don't recognize. How can you quickly and effectively check if the files have been infected with malware? a. Scan the file using the local antivirus/malware engine b. Run the Strings tool c. Submit the files to an open-source intelligence provider d. Disassemble the files and conduct static analysis in IDA Pro.
C. Submit the files to an open-source intelligence provider
While working as a security analyst, you have been asked to monitor the SIEM. You observed network traffic going from an external IP to an internal host's IP within your organization's network over port 443. Which of the following protocols would you expect to be in use? a. TFTP b. SSH c. TLS d. HTTP
C. TLS
An attacker uses the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only the name servers? a. request type=ns b. locate type=ns c. set type=ns d. transfer type=ns
C. The nslookup command is used to query the Domain Name System to obtain the mapping between a domain name and an IP address or to view other DNS records. The "set type=ns" command tells nslookup to report information only on name servers. If you used "set type=mx" instead, you would receive information only about mail exchange servers.
(Sample Simulation - On the real exam for this type of question, you would have to rearrange the steps into the proper order by dragging and dropping them into place.) What is the correct order of the Incident Response process? a. Lessons Learned, Recovery, Preparation, Identification, Containment and Eradication b. Containment, Eradication, Identification, Lessons learned, Preparation, and Recovery. c. Preparation, Identification, Containment, Eradication, Recovery and Lessons learned d. Identification, Containment, Eradication, Preparation, Recovery and lessons learned.
C. The proper order of the Incident Response process is Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Concepts with lists of steps are common questions asked as an ordering or a drag-and-drop question on the exam.
Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect if an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring? a. Anomaly b. Heuristic c. Behavior d. Trend
C. This is an example of behavior-based detection. Behavior-based detection (or statistical- or profile-based detection) means that the engine is trained to recognize baseline traffic or expected events associated with a user account or network device.
What is a legal contract outlining the confidential material or information that will be shared by the pentester and the organization during an assessment? a. SOW b. SLA c. NDA d. MSA
C. This is the definition of a non-disclosure agreement (NDA).
You are developing your vulnerability scanning plan and attempting to scope your scans properly. You have decided to focus on the criticality of a system to the organization's operations when prioritizing the system in the scope of your scans. Which of the following would be the best place to gather the criticality of a system? a. Conduct an Nmap scan of the network to determine the OS of each system b. Ask the CEO for a list of the critical systems c. Review the asset inventory and BCP d. Scope the scan based on IP subnets
C. To best understand a system's criticality, you should review the asset inventory and the BCP.
Which of the following types of attacks occurs when an attacker specifically targets the CEO, CFO, CIO, and other board members during their attack? a. Vishing b. Smishing c. Whaling d. Phishing
C. Whaling occurs when the attacker targets the C-level executives (CEO, CFO, CIO, etc.), board members, and other senior executives within the organization.
Fail To Pass Systems has just been the victim of another embarrassing data breach. Their database administrator needed to work from home this weekend, so he downloaded the corporate database to his work laptop. On his way home, he left the laptop in an Uber, and a few days later, the data was posted on the internet. Which of the following mitigations would have provided the greatest protection against this data breach? a. Require a VPN to be utilized b. Require data masking for any information stored in the DB c. Require data at rest encryption on all endpoints d. Require all new employees to sign an NDA
C. The greatest protection against this data breach would have been to require data at rest encryption on all endpoints, including this laptop. If the laptop were encrypted, the data would not have been readable by others, even if it was lost or stolen.
You are conducting an incident response and want to determine if any account-based indicators of compromise (IoC) exist on a compromised server. Which of the following would you NOT search for on the server? a. Failed logins b. Unauthorized sessions c. Off-hour usage d. Malicious process
C. A malicious process is any process running on a system that is outside the norm. This is a host-based indicator of compromise (IoC) and not directly associated with an account-based IoC. Off-hours usage, unauthorized sessions, and failed logins are all account-based examples of an IoC. Off-hours usage occurs when an account is observed to log in during periods outside of normal business hours.
RMFs (Risk Management Frameworks)
Center for Internet Security (CIS). NIST Risk Management. ISO/IEC
Which block cipher mode uses the ciphertext from the previous block to be fed into the algorithm to encrypt the next block?
Cipher Feedback Mode (CFB)
Which term describes the result of plaintext that has been fed into an encryption algorithm along with an encryption key?
Ciphertext
Attribute-based access control (ABAC)
Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions
ECC (Elliptic Curve Cryptography)
Creates a smaller key than RSA (4096) and provides the same security with increased performance
Which of the following vulnerability scans would provide the best results if you want to determine if the target's configuration settings are correct? a. Non-credentialed scan b. Internal scan c. External scan d. Credentialed scan
D. Credentialed scans log into a system and retrieve its configuration information. Therefore, they should provide you with the best results.
Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out, and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours, and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system? a. MAC filtering b. VPN c. Intrusion detection system d. Implement an allow list (whitelist IPs)
D. Implement an allow list (whitelist IPs)
You are conducting a code review of a program and observe that the calculation 0xffffffff + 1 was attempted, but the result was returned as 0x0000000. Based on this, what type of exploit could be created against this program? a. Password spraying b. Impersonation c. SQL injection d. Integer overflow attack
D. Integer overflow attack
What tool can be used as an exploitation framework during your penetration tests? a. Nmap b. Nessus c. Autopsy d. Metasploit
D. Metasploit
You are applying for a job at a cybersecurity firm. The application requests you enter your social security number, date of birth, and email address to conduct a background check as part of the hiring process. Which of the following types of information have you been asked to provide? a. PHI b. IP c. CUI d. PII
D. PII
Which of the following types of data breaches would require that the US Department of Health and Human Services and the media be notified if more than 500 individuals are affected by a data breach? a. Trade secret information b. Credit card information c. Personally identifiable information d. Protected health information
D. Protected health information (PHI) is defined as any information that identifies someone as the subject of medical and insurance records, plus their associated hospital and laboratory test results.
After several data breaches involving stolen laptops and stolen media, you are asked to implement a solution to mitigate the issue. The solution must protect data at rest with a minimum of user inconvenience. What solution best addresses the scenario? a. Encrypting File System (EFS) b. Hardware Security Module (HSM) c. Trusted Platform Module (TPM) d. Self-encrypting drive (SED)
D. Self-encrypting drive (SED)
What technique is most effective in determining whether or not increasing end-user security training would benefit the organization during your technical assessment of their network? a. Application security testing b. Network sniffing c. Vulnerability scanning d. Social engineering
D. Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information.
Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. Previously, the consultants have won numerous contracts with financial services and publicly traded companies, but they are new to the healthcare industry. Which of the following laws must the consultants review to ensure the hospital and its customers are fully protected? a. GLBA b. COSO c. SOX d. HIPAA
D. The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of healthcare information.
Which role validates the user's identity when using SAML for authentication? a. SP b. RP c. User-agent d. Idp
D. The IdP provides the validation of the user's identity. Security Assertion Markup Language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management.
An employee contacts the service desk because they cannot open an attachment they received in their email. The service desk agent conducts a screen-sharing session with the user and investigates the issue. The agent notices that the attached file is named Invoice1043.pdf, and a black pop-up window appears and then disappears quickly when the attachment is double-clicked. Which of the following is most likely causing this issue? a. The user doesn't have a PDF reader installed on their computer b. The email is a form of spam and should be deleted c. The file contains an embedded link to a malicious website d. The attachment is using a double file extension to mask its identity.
D. The message contains a file attachment hoping that the user will execute or open it. The attachment's nature might be disguised by formatting tricks such as using a double file extension, such as Invoice1043.pdf.exe, where the user only sees the first extension since .exe is a known file type in Windows.
You are trying to find a rogue device on your wired network. Which of the following options would NOT help find the device? a. Port scanning b. Site surveys c. MAC validation d. War walking
D. War walking is conducted by walking around a building while locating wireless networks and devices.
An attacker recently compromised an e-commerce website for a clothing store. Which of the following methods did the attacker use to harvest an account's cached credentials when the user logged into an SSO system? a. Lateral movement b. Pivoting c. Golden ticket d. Pass the hash
D. Pass the Hash (PtH) is the process of harvesting an account's cached credentials when the user logs in to a single sign-on (SSO) system. This would then allow the attacker to use the credentials on other systems as well. A golden ticket is a Kerberos ticket that can grant other tickets in an Active Directory environment.
Which protocol relies on mutual authentication of the client and the server for its security? a. RADIUS b. CHAP c. Two-factor authentication d. LDAPS
D. The Lightweight Directory Access Protocol (LDAP) uses a client-server model for mutual authentication. LDAP is used to enable access to a directory of resources.
Which of the following types of attacks occurs when an attacker attempts to gain confidential information or login credentials by sending targeted emails to a specific set of recipients within an organization? a. Phishing b. Vishing c. Hoax d. Pharming e. Spear phishing
E. Spear phishing is the fraudulent practice of sending emails from a seemingly known or trusted sender to induce targeted individuals to reveal confidential information.
Three parts of Authentication
Identification - Unique authentication (password) - Authorization (read/write/execute)
BIA (Business Impact Analysis)
Identifies critical business or mission requirements and includes elements such as Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs), but it doesn't identify solutions.
MSA (Measurement System Analysis)
Identifies supply chain improvements
RTO (Recovery Time Objective)
Identifies the maximum amount of time it can take to restore a system after an outage. It is related to the RPO and the BIA often includes both RTOs and RPOs.
PIA (Privacy Impact Assessment)
Impact assessment on sensitive data
PII (Personally Identifiable Information)
Information about individuals that can be used to trace a person's identity, such as a full name, birth date, biometric data, and identifying numbers such as a Social Security number (SSN). Organizations have an obligation to protect PII and often identify procedures for handling and retaining PII in data policies.
OSI - Session Layer -Layer 5
OSI model layer responsible for session (data connection) setup, management, and termination. Uses port numbers to route to the correct application. Keeps track of source/destination ports.
Physical Access Control
Limited facility access (vestibules, door locks, proximity cards, key fob)
Hash Types
MD5: 128-bit hash - SHA-1: 160-bit hash - SHA-256/512 - RIPEMD: 128, 160, 256, 320
OSI Layer 1 - Physical
Bit expression on media and bit synchronization. Physical topology. Bandwidth usage and multiplexing.
OSI - Presentation Layer - Layer 6
OSI model protocol responsible for "managing and translating the information into an understandable format that the Application layer can process further. Many "Application-layer" protocols function at the Presentation layer too, taking datagrams and segments and turning them into formats programs can use".
You are ordering laptops for sales executives that travel for work. The laptops will run the Windows 10 Enterprise operating system. You need to ensure that protection of data at rest is enabled for internal laptop disks. The encryption must be tied to the specific laptop. What should you do?
Order laptops with TPM chips and configure BitLocker disk encryption
Certificate File Types
P7B: certificate, chained certificates without private key - P12: certificate, chained certificates with private key
(Sample Simulation - On the real exam for this type of question, you would drag and drop the authentication factor into the spot for the correct category.)
PIN: something you know - Smart card: something you have - Fingerprint: something you are - Signature: something you do - GPS: somewhere you are
NDA (Non-Disclosure Agreement)
Prevent sensitive data disclosure to third parties
HIPAA (Health Insurance Portability and Accountability Act)
Protects American patient medical information
Reverse Proxy Server
Provides external users access to internal servers, thereby hiding the internal servers' IP addresses
DLP (Data Loss Prevention)
Reduces intentional/unintentional sensitive data exfiltration
PCI DSS (Payment Card Industry Data Security Standard)
Required by the contract for those handling cardholder data, whether you are a start-up or a global enterprise.
Mandatory Access Control (MAC)
Resources are labeled - Permission assignments are based on resource labels and security clearances
Risk Management
Risk is the likelihood of a threat actor taking advantage of a vulnerability by using a threat against an IT asset
Which technique is used to enhance the security of password hashes?
Salting
You are verifying a digital signature. Which key will be used?
Sender's public key
OSI - Network Layer -Layer 3
Validates incoming Ethernet packets' destination IP. Keeps the destination IP for the response.
OSI - Data Link Layer -Layer 2
Validates incoming Ethernet packets' destination MAC against the NIC card's MAC. Keeps the source MAC to determine where to send the response.
Attack Vectors (pathways)
Weak configurations - Open firewall ports - Lack of user security awareness - Lack of multifactor authentication - Missing patches (Equifax hack) - Infected USB thumb drives (Stuxnet worm)
Trust Models
Web of Trust: uses a network of mutually trusted peers - PKI: uses a hierarchical structure with Certificate Authorities (CAs) and Intermediate Authorities as the trust model
You are decrypting a message sent over the network. Which key will be used for decryption?
Your private key
Jamie's organization is attempting to budget for the next fiscal year. Jamie has calculated that the asset value of a database server is $120,000. Based on her analysis, she believes that a data breach to this server will occur once every four years and that the risk factor is 30%. What is the ALE for a data breach within Jamie's organization?
a. $36k B. $9K c. $360k d. $90k
$ tcpdump -n -i eth0
15:01:35.1700763 IP 10.0.19.121.53497 > 11.154.12.121.ssh: P 105:157(52) ack 18060 win 16549
15:01:35.1700776 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 23988:24136(148) ack 157 win 113
15:01:35.1700894 IP 11.154.12.121.ssh > 10.0.19.121.52497: P 24136:24380(244) ack 157 win 113
a. 11.154.12.121 is under attack from a host at 10.0.19.121 b. 10.0.19.121 is a client that is accessing an SSH server over port 52497 C. 11.154.12.121 is a client that is accessing an SSH server over port 52497 d. 10.0.19.121 is under attack from a host at 11.154.12.121
Based on the output above, which of the following ports listed as open represents the most significant security vulnerability to your network?
a. 22 ssh B. 23 Telnet c. 53 d. 443
Dion Training has just suffered a website defacement of its public-facing webserver. The CEO believes the company's biggest competitor may have done this act of vandalism. The decision has been made to contact law enforcement so that evidence can be collected properly for use in a potential court case. Laura is a digital forensics investigator assigned to collect the evidence. She creates a bit-by-bit disk image of the web server's hard drive as part of her evidence collection. What technology should Laura use after creating the disk image to verify the copy's data integrity matches that of the original web server's hard disk?
a. AES b. RSA C. SHA-256 d. 3DES
What is a reverse proxy commonly used for?
a. Allowing access to a virtual private cloud. b. To obfuscate the origin of the user within a network C. Directing traffic to internal services if the contents of the traffic comply with the policy d. To prevent the unauthorized use of cloud services from a local network.
Your organization is updating its incident response communications plan. A business analyst in the working group recommends that if the company discovers they are the victims of a data breach, they should only notify the affected parties to minimize media attention and bad publicity. Which of the following recommendations do you provide in response to the business analyst's statement?
a. An externally hosted website should be prepared in advance to ensure that when an incident occurs, victims have timely access to notifications from a non-compromised resource b. The first responder should contact law enforcement upon confirmation of a security incident for a forensic team to preserve the chain of custody. c. The Human Resources department should have information security personnel who are involved in the investigation of the incident sign an NDA so the company can't be held liable. D. Guidance from laws and regulations should be considered when deciding who must be notified to avoid fines and judgements from non-compliance.
Dion Training wants to ensure that none of its computers can run a peer-to-peer file-sharing program on its office computers. Which of the following practices should be implemented to achieve this?
a. Application allow listing B. Application block listing c. MAC filtering d. Enable NAC
Which law requires government agencies and other organizations that operate systems on behalf of government agencies to comply with security standards?
a. COPPA b. SOX C. FISMA - Federal Information Security Management Act d. HIPAA
Dion Training has contracted a software development firm to create a bulk file upload utility for its website. During a requirements planning meeting, the developers asked what type of encryption is required for the project. After some discussion, Jason decides that the file upload tool should use a cipher capable of encrypting 64 bits of data at a time before transmitting the files from the web developer's workstation to the webserver. Which of the following should be selected to meet this security requirement?
a. CRC B. Block cipher c. Hashing algorithm d. Stream cipher
You are working for a government contractor who requires all users to use a PIV device when sending digitally signed and encrypted emails. Which of the following physical security measures is being implemented?
a. Cable lock b. Key fob c. Biometric reader D. Smart card
Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, how it was remediated, the effectiveness of the incident response, and any identified gaps that might require improvement?
a. Chain of custody report b. Trends analysis report c. Forensic analysis report D. Lessons learned report
You conducted a security scan and found that port 389 is being used when connecting to LDAP for user authentication instead of port 636. The security scanning software recommends that you remediate this by changing user authentication to port 636 wherever possible. What should you do?
a. Change all devices and servers that support it to port 636 since port 389 is a reserved port that requires root. b. Conduct remediation actions to update the encryption keys on each server to match port 636 C. Change all devices and servers that support it to port 636 since the encrypted services run by default on port 636 d. Mark this as false positive in your audit report since the services that typically run on ports 389 and 636 are identical.
A security analyst conducts an Nmap scan of a server and finds that port 25 is open. What risk might this server be exposed to?
a. Clear text authentication b. Web portal data leak C. Open mail relay d. Open file/print sharing
Taylor needs to sanitize hard drives from some leased workstations before returning them to a supplier at the end of the lease period. The workstations' hard drives contained sensitive corporate data. Which is the most appropriate choice to ensure that data exposure doesn't occur during this process?
a. Clear the drives B. Purge, validate and document the sanitization of the drives c. Clear, validate and document the sanitization of the drives d. The drives must be destroyed to ensure no data loss
Which type of media sanitization would you classify degaussing as?
a. Clearing b. Erasing C. Purging d. Destruction
Your company has decided to begin moving some of its data into the cloud. Currently, your company's network consists of both on-premise storage and some cloud-based storage. Which of the following types of clouds is your company currently using?
a. Community B. Hybrid c. Public d. Private
Dave's company utilizes Google's G-Suite environment for file sharing and office productivity, Slack for internal messaging, and AWS for hosting their web servers. Which of the following types of cloud deployment models is being used?
a. Community b. Public C. Multi-cloud d. Private
Dion Training's offices utilize an open concept floor plan. They are concerned that a visitor might attempt to steal an external hard drive and carry it out of the building. To mitigate this risk, the security department has recommended installing security cameras clearly visible to both employees and visitors. What type of security control do these cameras represent?
a. Compensating b. Corrective c. Administrative D. Deterrent
A cybersecurity analyst has deployed a custom DLP signature to alert on any files that contain numbers in the format of a social security number (xxx-xx-xxxx). Which of the following concepts within DLP is being utilized?
a. Document matching b. Classification C. Exact data match d. Statistical matching
(Sample Simulation - On the real exam for this type of question, you would have access to the log files to determine which server on a network might have been affected, and then choose the appropriate actions.) A cybersecurity analyst has determined that an attack has occurred against your company's network. Fortunately, your company uses a good logging system with a centralized Syslog server, so all the logs are available, collected, and stored properly. According to the cybersecurity analyst, the logs indicate that the database server was the only company server on the network that appears to have been attacked. The network is a critical production network for your organization. Therefore, you have been asked to choose the LEAST disruptive actions on the network while performing the appropriate incident response actions. Which actions do you recommend as part of the response efforts?
a. Conduct a system restore of the database server, image the hard drive, and maintain chain of custody. b. Isolate the affected server from the network immediately, format the database server, and reinstall from a known good backup c. Immediately remove the database server from the network, create an image of its hard disk, and maintain chain of custody. D. Capture network traffic using a sniffer, schedule a period of downtime to image and remediate the affected server, and maintain chain of custody.
Hilda needs a cost-effective backup solution that would allow for the restoration of data within a 24 hour RPO. The disaster recovery plan requires that backups occur during a specific timeframe each week, and then the backups should be transported to an off-site facility for storage. What strategy should Hilda choose to BEST meet these requirements?
a. Configure replication of the data to a set of servers located at a hot site b. Conduct full backups daily to tape C. Create a daily incremental backup to tape. d. Create disk-to-disk snapshots of the server every hour
You have been asked to recommend a capability to monitor all of the traffic entering and leaving the corporate network's default gateway. Additionally, the company's CIO requests to block certain content types before it leaves the network based on operational priorities. Which of the following solutions should you recommend to meet these requirements?
a. Configure IP filtering on the internal and external interfaces of the router B. Install a NIPS on the internal interface and a firewall on the external interface of the router c. Install a NIPS on both the internal and external interfaces d. Install a firewall on the router's internal interface and a NIDS on the external interface
Janet, a defense contractor for the military, performs an analysis of their enterprise network to identify what type of work the Army would be unable to perform if the network were down for more than a few days. Which of the following was Janet trying to identify?
a. Critical systems b. Single point of failure c. Backup and restoration plan D. Mission essential function
Which of the following cryptographic algorithms is classified as asymmetric?
a. DES B. ECC c. Twofish d. RC4
Your organization requires the use of TLS or IPsec for all communications with an organization's network. Which of the following is this an example of?
a. DLP b. Data at rest C. Data in transit d. Data in use
Which cloud computing concept is BEST described as focusing on the replacement of applications and programs on a customer's workstation with cloud-based resources?
a. DaaS b. PaaS c. IaaS D. SaaS
Which of the following is a senior role with the ultimate responsibility for maintaining confidentiality, integrity, and availability in a system?
a. Data custodian b. Data steward c. Privacy officer D. Data owner
Fail to Pass Systems has recently moved its corporate offices from France to Westeros, a country with no meaningful privacy regulations. The marketing department believes that this move will allow the company to resell all of its customers' data to third-party companies and shield the company from any legal responsibility. Which policy is violated by this scenario?
a. Data limitation b. Data minimization c. Data enrichment D. Data sovereignty
Dion Training is currently undergoing an audit of its information systems. The auditor wants to understand better how the PII data from a particular database is used within business operations. Which of the following employees should the auditor interview?
a. Data owner b. Data controller C. Data protection officer d. Data steward
You are working as a junior cybersecurity analyst and utilize a SIEM to support investigations into ongoing incidents. The SIEM is configured to collect data from numerous sources across the network, including network sensors, routers, switches, firewalls, hosts, and servers. Unfortunately, due to the number of data sources, you have data about a particular event being detected by different sensors and devices. Which of the following must you ensure to make sense of all the data being collected by your SIEM before analyzing it?
a. Data retention b. Data sanitization c. Data recovery D. Data correlation
Which of the following is exploited by an SQL injection to give the attacker access to a database?
a. Database server b. Operating system C. Web application d. Firewall
A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst?
a. Database vulnerability scan b. Port scan c. Network vulnerability scan D. Web application vulnerability scan
You just moved into a new house, and you are worried about a burglar breaking into the home and stealing your laptop. Unfortunately, the security alarm company cannot get to your home to install the security system you just purchased for another 3 weeks. In the meantime, they have sent you a little sign that says, "Protected by Security Inc." for you to place in front of your house. Once installed, which of the following control types is this sign?
a. Detective B. Deterrent c. Corrective d. Preventative
A new corporate policy dictates that all access to network resources will be controlled based on the user's job functions and tasks within the organization. For example, only people working in Human Resources can access employee records, and only the people working in finance can access customer payment histories. Which of the following security concepts is BEST described by this new policy?
a. Directory permissions b. Permission creep C. Least privilege d. Blocklists
Which type of threat will patches NOT effectively combat as a security control?
a. Discovered software bugs b. Malware with defined indicators of compromise C. Zero-day attacks d. Known vulnerabilities
Christina is auditing the security procedures related to the use of a cloud-based online payment service. She notices that the access permissions are set so that a single person can not add funds to the account and transfer funds out of the account. What security principle is most closely related to this scenario?
a. Dual control authentication B. Separation of duties c. Least privilege d. Security through obscurity
You have been asked to assist with an investigation into a malicious user's activities. Unfortunately, your organization did not have full packet capture available for the time period of the suspected activities. Instead, you have received netflow data that contains statistics and information about the network traffic during that time period. Which of the following best represents the type of data you can obtain from this netflow data to support the investigation?
a. Email messages b. Applications logs C. Metadata d. File contents
A company's NetFlow collection system can handle up to 2 Gbps. Due to excessive load, this has begun to approach full utilization at various times of the day. If the security team does not have additional money in their budget to purchase a more capable collector, which of the following options could they use to collect useful data?
a. Enable QoS b. Enable NetFlow compression C. Enable sampling of the data d. Enable full packet capture
Your home network is configured with a long, strong, and complex pre-shared key for its WPA2 encryption. You noticed that your wireless network has been running slow, so you checked the list of "connected clients" and see that "Bob's Laptop" is connected to it. Bob lives downstairs and is the maintenance man for your apartment building. You know that you never gave Bob your password, but somehow he has figured out how to connect to your wireless network. Which of the following actions should you take to prevent anyone from connecting to your wireless network without the proper WPA3 password?
a. Enable WEP b. Disable SSID broadcast C. Disable WPS d. Disable WPA3
Which of the following biometric authentication factors uses an infrared light shone into the eye to identify the pattern of blood vessels?
a. Facial recognition B. Retinal scan c. Pupil dilation d. Iris scan
Your intrusion detection system has produced an alert based on its review of a series of network packets. After analysis, it is determined that the network packets did not contain any malicious activity. How should you classify this alert?
a. False negative B. False positive c. True positive d. True negative
Which of the following describes the overall accuracy of a biometric authentication system?
a. False rejection rate b. False positive rate C. Crossover error rate d. False acceptance rate
Susan, a help desk technician at Dion Training, has received several trouble tickets today related to employees receiving the same email as part of a phishing campaign. She has determined that the email's malicious link is not being blocked by the company's security suite when a user clicks the link. Susan asked you what action can be performed to prevent a user from reaching the website associated with the phishing email's malicious link. What action do you recommend she utilize?
a. Forward this phishing email to all employees with a warning b. Block the IP address of the malicious domain in the firewall ACL C. Add the malicious domain name to your content filter and web proxy's block list. d. Enable TLS on our organization's mail server
Which of the following would a virtual private cloud (VPC) infrastructure be classified as?
a. Function as a Service b. Software as a Service c. Platform as a Service D. Infrastructure as a Service
Your company is setting up a system to accept credit cards in their retail and online locations. Which of the following compliance types should you be MOST concerned with dealing with credit cards?
a. GDPR b. PHI C. PCI-DSS d. PII
Which type of system would classify traffic as malicious or benign based on explicitly defined examples of malicious and benign traffic?
a. Generative adversarial network b. Artificial intelligence C. Machine learning d. Deep learning
What is the lowest layer (bottom layer) of a bare-metal virtualization environment?
a. Guest operating system b. Host operating system C. Physical hardware d. Hypervisor
Chris just downloaded a new third-party email client for his smartphone. When Chris attempts to log in to his email with his username and password, the email client generates an error message stating that "Invalid credentials" were entered. Chris assumes he must have forgotten his password, so he resets his email username and password and then reenters them into the email client. Again, Chris receives an "Invalid credentials" error. What is MOST likely causing the "Invalid credentials" error regarding Chris's email client?
a. His email account is locked out b. His smartphone has full device encryption enabled. C. His email account requires multi-factor authentication d. His email account requires a strong password to be used.
Aymen is creating a procedure for the remediation of vulnerabilities discovered within his organization. He wants to ensure that any vendor patches are tested before deploying them into the production environment. What type of environment should his organization establish?
a. Honeypot b. Development c. Honeynet D. Staging
Which of the following agreements is used between companies and employees, between companies and contractors, and between two companies to protect information assets?
a. ISA - Interconnection Security Agreement b. DSUA - Data Sharing Use Agreement c. SLA D. NDA - Non-disclosure Agreement
Nicole's organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role?
a. IaaS - Infrastructure b. PaaS - Platform C. MSSP - Managed Security Services Provider d. SaaS - Software
Tim, a help desk technician, receives a call from a frantic executive who states that their company-issued smartphone was stolen during their lunch meeting with a rival company's executive. Tim quickly checks the MDM administration tool and identifies that the user's smartphone is still communicating with the MDM, and displays its location on a map. What should Tim do next to ensure the stolen device's data remains confidential and inaccessible to the thief?
a. Identify the IP address of the smartphone b. Reset the device's password c. Remotely encrypt the device D. Perform remote wipe of the device
Following a root cause analysis of an edge router's unexpected failure, a cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the router may be a counterfeit device. Which of the following controls would have been most effective in preventing this issue?
a. Increase network vulnerability scan frequency b. Verify that all the routers are patched to the latest version C. Conduct secure supply chain management training d. Ensure all anti-virus signatures are up to date
Julie was just hired to conduct a security assessment of Dion Training's security policies. During her assessment, she noticed that many users were sharing group accounts to conduct their work roles. Julie recommended that the group accounts be eliminated and instead have an account created for each user. What improvement will this recommended action provide for the company?
a. Increase password security b. More efficient baseline management C. Increase individual accountability d. More routine auditing
Which of the following describes the security method used when users enter their username and password only once and can access multiple applications?
a. Inheritance B. SSO c. Permission propagation d. Multifactor authentication
A corporate workstation was recently infected with malware. The malware was able to access the workstation's credential store and steal all the usernames and passwords from the machine. Then, the malware began to infect other workstations on the network using the usernames and passwords it stole from the first workstation. The IT Director has directed its IT staff to develop a plan to prevent this issue from occurring again. Which of the following would BEST prevent this from reoccurring?
a. Install a host-based intrusion detection system on all of the corporate workstations B. Install an anti-virus or anti-malware solution that uses heuristic analysis c. Install a Unified Threat Management system on the network d. Monitor all workstations for failed login attempts and forward them to a central syslog server
In 2014, Apple's implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of?
a. Insufficient logging and monitoring b. Insecure object reference c. Use of insecure functions D. Improper error handling
A cybersecurity analyst conducts an incident response at a government agency when she discovers that attackers had exfiltrated PII. Which of the following types of breaches has occurred?
a. Integrity breach B. Privacy breach c. Financial breach d. Proprietary breach
Several users have contacted the help desk to report that they received an email from a well-known bank stating that their accounts have been compromised and they need to "click here" to reset their banking password. Some of these users are not even customers of this particular bank, though. Which of the following social engineering principles is being utilized as a part of this phishing campaign?
a. Intimidation B. Familiarity c. Urgency d. Consensus
You are conducting threat hunting for an online retailer. Upon analyzing their web server, you identified that a single HTML response returned as 45 MB in size, but an average response is normally only 275 KB. Which of the following categories of potential indicators of compromise would you classify this as?
a. Introduction of new accounts B. Data exfiltration c. Beaconing d. Unauthorized privilege
Which of the following is a common attack model of an APT attack?
a. Involves sophisticated DDoS attacks b. Relies on worms to spread laterally c. Quietly gathers information from compromised system D. Holds an organization's data hostage using encryption.
Dion Training is hiring a penetration testing firm to conduct an assessment of its corporate network. As part of the contract, the company has specified that it will not provide any network details to the penetration testing firm. Instead, the company wants to see how much information about the network can be found by the penetration testers using open-source research and scanning the corporate network. What type of assessment is this considered?
a. Known environment testing b. Semi-trusted environment testing c. Partially known environment testing D. Unknown environment testing
Which analysis framework provides a graphical depiction of the attacker's approach relative to a kill chain?
a. Lockheed Martin cyber kill chain b. MITRE ATT&CK framework c. OpenIOC D. Diamond Model of Intrusion Analysis
What type of malware changes its binary pattern in its code on specific dates or times to avoid detection by antimalware software?
a. Logic bomb B. Polymorphic virus c. Ransomware d. Trojan
You are attending a cybersecurity conference and just watched a security researcher demonstrating the exploitation of a web interface on a SCADA/ICS component. This caused the device to malfunction and be destroyed. You recognize that the same component is used throughout your company's manufacturing plants. Which of the following mitigation strategies would provide you with the most immediate protection against this emergent threat?
a. Logically or physically isolate the SCADA/ICS component from the enterprise network. b. Demand that the manufacturer of the component release a patch immediately. C. Evaluate whether the web interface must remain open for the system to function. If it doesn't, then block the web interface d. Replace the affected SCADA/ICS components with a more secure model
Which of the following access control models is the most flexible and allows the resource owner to control the access permissions?
a. MAC - Mandatory Access b. ABAC - Attribute-based C. DAC - Discretionary d. RBAC Role/Rule-based
Which mobile device strategy is most likely to introduce vulnerable devices to a corporate network?
a. MDM - Mobile Device Management b. COPE - Corporate Owned C. BYOD - Bring Your Own Device d. CYOD - Choose Your Own Device
Dion Training has just completed an assessment as part of its disaster recovery planning. The assessment found that the organization can only tolerate a maximum of 30 minutes of downtime for their public-facing webserver. Which of the following metrics would best represent this period of time?
a. MTBF b. RPO C. RTO d. MTTR
An independent cybersecurity researcher has contacted your company to prove a buffer overflow vulnerability exists in one of your applications. Which technique would have been most likely to identify this vulnerability in your application during development?
a. Manual Peer Review b. Pair programming c. Dynamic code analysis D. Static code analysis
You are working as part of the server team for an online retail store. Due to the upcoming holidays, your boss is worried that the current servers may not be able to handle the increased demand during a big sale. Which of the following cloud computing concepts can quickly allow services to scale upward during busy periods and scale down during slower periods based on the changing user demand?
a. Metered services B. Rapid elasticity c. On-demand d. Resource pooling
A competitor recently bought Dion Training's ITIL 4 Foundation training course, transcribed the video captions into a document, re-recorded the course exactly word for word as an audiobook, then published this newly recorded audiobook for sale on Audible. From Dion Training's perspective, how would you BEST classify this situation?
a. Mission essential function b. Identity theft C. IP theft d. Data breach
A penetration tester has issued the following command on a victimized host: nc -l -p 8080 | nc 192.168.1.76 443. What will occur based on this command?
a. Netcat will listen on the 192.168.1.76 interface for 443 seconds on port 8080 B. Netcat will listen on 8080 and output anything received to a remote connection on 192.168.1.76 port 443 c. Netcat will listen on 8080 and then output anything received to local interface 192.168.1.76 d. Netcat will listen for a connection from 192.168.1.76 on 443 and output anything received on 8080
What control provides the best protection against both SQL injection and cross-site scripting attacks?
a. Network layer firewalls B. Input validation c. Hypervisors d. CSRF
Which of the following technologies is NOT a shared authentication protocol?
a. OAuth b. OpenID Connect c. Facebook Connect D. LDAP
The digital certificate on the Dion Training web server is about to expire. Which of the following should Jason submit to the CA to renew the server's certificate?
a. OCSP - Online Certificate Status Protocol b. CRL - Certificate Revocation List c. Key escrow D. CSR - Certificate Signing Request
Which of the following categories would contain information about a French citizen's race or ethnic origin?
a. PII b. PHI c. DLP D. SPI
You want to play computer-based video games from anywhere in the world using your laptop or tablet. You heard about a new product called a Shadow PC that is a virtualized Windows 10 Home gaming PC in the cloud. Which of the following best describes this type of service?
a. PaaS b. IaaS c. SaaS D. DaaS
You want to create a website for your new technical support business. You decide to purchase an on-demand cloud-based server and install Linux, Apache, and WordPress on it to run your website. Which of the following best describes which type of service you have just purchased?
a. PaaS b. SaaS c. DaaS D. IaaS
Dion Training wants to install a new accounting system and is considering moving to a cloud-based solution to reduce cost, reduce the information technology overhead costs, improve reliability, and improve availability. Your Chief Information Officer is supportive of this move since it will be more fiscally responsible. Still, the Chief Risk Officer is concerned with housing all of the company's confidential financial data in a cloud provider's network that might be shared with other companies. Since the Chief Information Officer is determined to move to the cloud, what type of cloud-based solution would you recommend to account for the Chief Risk Officer's concerns?
a. PaaS in hybrid cloud b. PaaS in community cloud C. SaaS in a private cloud d. SaaS in public cloud
You have been asked to determine if Dion Training's web server is vulnerable to a recently discovered attack on an older version of SSH. Which technique should you use to determine the current version of SSH running on their web server?
a. Passive scan B. Protocol analysis c. Banner grabbing d. Vulnerability scan
Which of the following would NOT be included in a company's password policy?
a. Password complexity b. Password age c. Password history D. Password style
You have noticed some unusual network traffic outbound from a certain host. The host is communicating with a known malicious server over port 443 using an encrypted TLS tunnel. You ran a full system anti-virus scan of the host with an updated anti-virus signature file, but the anti-virus did not find any infection signs. Which of the following has MOST likely occurred?
a. Password spraying b. Directory traversal c. Session hijacking D. Zero-day attack
What is the utilization of insights gained from threat research and threat modeling to proactively discover evidence of an adversarial TTP within a network or system called?
a. Penetration testing B. Threat hunting c. Incident response d. Information assurance
You have just completed identifying, analyzing, and containing an incident. You have verified that the company uses older unencrypted SSDs as part of their default configuration, and the manufacturer does not provide a SE utility for the devices. The storage devices contained top-secret data that would bankrupt the company if it fell into a competitor's hands. After safely extracting the device's data and saving it to a new self-encrypting drive, you have been asked to dispose of the SSDs securely. Which of the following methods should you use?
a. Perform a cryptographic erase (CE) on storage devices B. Physically destroy the storage devices c. Use secure erase (SE) utility on storage devices d. Conduct zero-fill on the storage devices
Which of the following types of attacks occurs when an attacker calls up people over the phone and attempts to trick them into providing their credit card information?
a. Pharming b. Hoax c. Phishing D. Vishing e. Spear phishing
A macOS user is browsing the internet in Google Chrome when they see a notification that says, "Windows Enterprise Defender: Your computer is infected with a virus, please click here to remove it!" What type of threat is this user experiencing?
a. Pharming b. Phishing c. Worm D. Rogue anti-virus
Which attack method is MOST likely to be used by a malicious employee or insider trying to obtain another user's passwords?
a. Phishing b. Tailgating C. Shoulder surfing d. On-path attack
You have discovered that an employee has been conducting illegal activities using his workplace computer. You have taken possession of the employee's laptop according to your company's procedures and are waiting to give it to law enforcement authorities. What should you do when turning over the laptop to the police?
a. Quarantine the system b. Preserve the evidence c. Document the changes D. Maintain the chain of custody
You have been asked to help design a new architecture for Dion Training's website. The current architecture involves a single server that hosts the website in its entirety. The company's newest course has been creating a lot of interest on social media. The CIO is concerned that the single server will not be able to handle the increased demand that could result from this increased publicity. What technology should you implement in the new architecture to allow multiple web servers to serve up the courses and meet this expected increase in demand from new students?
a. RAID b. DLP c. VPN Concentrator D. Load balancer
(Sample Simulation - On the real exam for this type of question, you may receive a list of different RAID types and be asked to visually display which hard drives in the RAID are used for redundant data storage as either a stripe or a mirror. You will then have to identify which RAID type is most appropriate for each type of server shown.) You are configuring a RAID drive for a Media Streaming Server. Your primary concern is the speed of delivery of the data. This server has two hard disks installed. What type of RAID should you install, and what type of data will be stored on Disk 1 and Disk 2?
a. RAID 1 - Disk 1 (Mirror) and Disk 2 (Mirror) b. RAID 1 - Disk 1 (Stripe) and Disk 2 (Stripe) c. RAID 0 - Disk 1 (Mirror) and Disk 2 (Mirror) D. RAID 0 - Disk 1 (Stripe) and Disk 2 (Stripe)
A salesperson's laptop has become unresponsive after attempting to open a PDF in their email. A cybersecurity analyst reviews the IDS and anti-virus software for any alerts or unusual behavior but finds nothing suspicious. Which of the following threats would BEST classify this scenario?
a. RAT b. PII exfiltration c. Ping of death D. Zero-day malware
(Sample Simulation - On the real exam for this type of question, you would have to rearrange the ports into the proper order by dragging and dropping them into place.) L2TP - 1701 RDP - 3389 Kerberos - 88 LDAP - 389
a. RDP - 3389 b. L2TP - 1701 c. LDAP - 389 d. Kerberos - 88
Which of the following cryptographic algorithms is classified as symmetric?
a. RSA b. ECC C. Blowfish d. PGP
Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that their file server has crashed twice in the last two years. The most recent time was in August, and the time before that was 15 months before. Which of the following metrics would best represent this 15-month time period?
a. RTO b. MTTR c. RPO D. MTBF
Which of the following terms is used to describe the period of the time taken to correct a fault so that the system is restored to full operations after a failure or incident?
a. RTO b. RPO C. MTTR d. MTBF
A user has reported that their workstation is running very slowly. A technician begins to investigate the issue and notices a lot of unknown processes running in the background. The technician determines that the user has recently downloaded a new application from the internet and may have become infected with malware. Which of the following types of infections does the workstation MOST likely have?
a. Ransomware B. Trojan c. Rootkit d. Keylogger
During your review of the firewall logs, you notice that an IP address from within your company's server subnet had been transmitting between 125 and 375 megabytes of data to a foreign IP address overnight each day. You have determined this has been occurring for approximately 5 days, and the affected server has since been taken offline for forensic review. Which of the following is MOST likely to increase the impact assessment of the incident?
a. Raw financial information about the company was accessed. b. IP addresses and other network-related configuration were exfiltrated c. Forensic review of the server requires fallback to a less efficient service D. PII of company employees and customers was exfiltrated.
Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. You are conducting a vulnerability scan of the hospital's enterprise network when you detect several devices that could be vulnerable to a buffer overflow attack. Upon further investigation, you determine that these devices are PLCs used to control the hospital's elevators. Unfortunately, there is not an update available from the elevator manufacturer for these devices. Which of the following mitigations do you recommend?
a. Recommend immediate replacement of the PLCs with ones that are not vulnerable to this type of attack B. Recommend isolation of the elevator control system from the rest of the production network through a change control request c. Recommend immediate disconnection of the elevator's control system from the enterprise network. d. Conduct a penetration test of the elevator control system to prove that the possibility of this kind of attack exists.
You just received an email from Bob, your investment banker, stating that he completed the wire transfer of $10,000 to your bank account in Vietnam. The problem is, you do not have a bank account in Vietnam, so you immediately call Bob to ask what happened. Bob explains that he received an email from you requesting the transfer. You insist you never sent that email to Bob initiating this wire transfer. What aspect of PKI could be used to BEST ensure that a sender sent a particular email message and avoid this type of situation?
a. Recovery agents b. Trust model c. CRL D. Non-repudiation
Nick is participating in a security exercise as part of the network defense team for his organization. Which team is Nick playing on?
a. Red team B. Blue team c. White team d. Yellow team
An organization is conducting a cybersecurity training exercise. What team is Jason assigned to if he has been asked to monitor and manage the defenders' and attackers' technical environment during the exercise?
a. Red team b. Purple team C. White team d. Blue team
Dion Training utilizes a wired network throughout the building to provide network connectivity. Jason is concerned that a visitor might plug their laptop into a CAT 5e wall jack in the lobby and access the corporate network. What technology should be utilized to prevent users from gaining access to network resources if they can plug their laptops into the network?
a. UTM b. NAC c. DMZ D. VPN
A customer brought in a computer that has been infected with a virus. Since the infection, the computer began redirecting all three of the system's web browsers to a series of malicious websites whenever a valid website is requested. You quarantined the system, disabled the system restore, and then performed the remediation to remove the malware. You have scanned the machine with several anti-virus and anti-malware programs and determined it is now cleaned of all malware. You attempt to test the web browsers again, but a small number of valid websites are still being redirected to a malicious website. Luckily, the updated anti-virus you installed blocked any new malware from infecting the system. Which of the following actions should you perform NEXT to fix the redirection issue with the browsers?
a. Reformat the system and reinstall the OS b. Perform a System Restore to an earlier date before the infection C. Verify the hosts file has not been maliciously modified d. Install a second anti-malware solution on the system
What problem can you solve by using Wireshark?
a. Resetting the administrator password on 3 servers b. Validating the creation dates of web pages on a server C. Performing packet capture and analysis on a network. d. Tracking source code version changes.
Which protocol is paired with OAuth2 to provide authentication of users in a federated identity management solution?
a. SAML B. OpenID Connect c. Kerberos d. ADFS
Which of the following hashing algorithms results in a 128-bit fixed output?
a. SHA-1 b. SHA-2 c. RIPEMD D. MD5
Which of the following methods should a cybersecurity analyst use to locate any instances on the network where passwords are being sent in cleartext?
a. SIEM event log monitoring b. Software design documentation review C. Full packet capture d. Net flow capture
During her login session, Sally is asked by the system for a code sent to her via text (SMS) message. Which of the following concerns should she raise to her organization's AAA services manager?
a. SMS should be encrypted to be secure b. SMS is a costly method of providing a 2nd factor auth c. SMS should be paired with third factor D. SMS messages may be accessible to attackers via VoIP type systems.
Which of the following protocols could be used inside a virtual system to manage and monitor the network?
a. SMTP - Simple Mail Transfer Protocol B. SNMP - Simple Network Management Protocol c. EIGRP - Enhanced Interior Gateway Routing Protocol d. BGP - Border Gateway Protocol
What regulation protects the privacy of student educational records?
a. SOX b. HIPAA c. GLBA D. FERPA
A hacker successfully modified the sale price of items purchased through your company's website. During the investigation that followed, the security analyst verified that the web server and the Oracle database were not compromised directly. The analyst also found no attacks that could have caused this during their log verification of the Intrusion Detection System (IDS). What is the most likely method that the attacker used to change the items' sale price?
a. SQL Injection b. Buffer overflow attack c. Cross-site scripting D. Changing hidden form values
Windows file servers commonly hold sensitive files, databases, passwords, and more. What common vulnerability is usually used against a Windows file server to expose sensitive files, databases, and passwords?
a. SQL injection B. Missing patches c. Cross-site scripting XSS d. CRLF injection (Carriage Return Line Feed)
Which of the following does a User-Agent request a resource from when conducting a SAML (Security Assertion Markup Language) transaction?
a. SSO - Single Sign On b. RP - Relying Party c. IdP - Identity Provider D. SP - Service Provider
Dion Training has added a salt and cryptographic hash to their passwords to increase the security before storing them. To further increase security, they run this process many times before storing the passwords. What is this technique called?
a. Salting b. Collision resistance C. Key stretching d. Rainbow table
Which of the following is a best practice that should be followed when scheduling vulnerability scans of an organization's data center?
a. Schedule scans to begin at the same time every day B. Schedule scans to run during periods of low activity c. Schedule scans to be conducted evenly throughout the day d. Schedule scans to run during peak times to simulate performance.
A software assurance test analyst performs a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. Which technique is the analyst utilizing?
a. Sequential data sets. b. Known bad data injection c. Static code analysis D. Fuzzing
Which of the following features is supported by Kerberos but not by RADIUS?
a. Services for authentication b. Single sign-on capability C. Tickets used to identify authenticated users d. XML for cross-platform interoperability
Praveen is currently investigating activity from an attacker who compromised a host on the network. The individual appears to have used credentials belonging to a janitor. After breaching the system, the attacker entered some unrecognized commands with very long text strings and then began using the sudo command to carry out actions. What type of attack has just taken place?
a. Social engineering B. Privilege escalation c. Phishing d. Session hijacking
After analyzing and correlating activity from the firewall logs, server logs, and the intrusion detection system logs, a cybersecurity analyst has determined that a sophisticated breach of the company's network security may have occurred from a group of specialized attackers in a foreign country over the past five months. Up until now, these cyberattacks against the company network had gone unnoticed by the company's information security team. How would you best classify this threat?
a. Spear phishing B. APT - Advanced Persistent Threat c. Privilege escalation d. Insider threat
Which of the following types of attacks occurs when an attacker sends unsolicited messages over Facebook messenger?
a. Spear phishing B. Spamming c. Phishing d. Pharming e. Spimming
(Sample Simulation - On the real exam for this type of question, you might receive a list of attack vectors and targets. Based on these, you would select the type of attack that occurred.) (1) An attacker has been collecting credit card details by calling victims and using false pretexts to trick them. (2) An attacker sends out an email to 100,000 random email addresses. In the email the attacker sent, it claims that "Your Bank of America account is locked out. Please click here to reset your password." What types of attacks have occurred in (1) and (2)?
a. Spearphishing, Pharming B. Vishing, Phishing c. Hoax, Spearphishing d. Pharming, Phishing
Your organization is updating its Acceptable Use Policy (AUP) to implement a new password standard that requires a guest's wireless devices to be sponsored before receiving authentication. Which of the following should be added to the AUP to support this new requirement?
a. Sponsored guest passwords must be at least 14 alphanumeric characters containing a mix of uppercase, lowercase, and special characters b. Network authentication of all guest users should occur using the 802.1X protocol via a RADIUS server c. Open authentication standards should be implemented on all wireless infrastructures D. All guests must provide valid identification when registering their wireless devices for use on the network.
An ethical hacker has been hired to conduct a physical penetration test of a company. During the first day of the test, the ethical hacker dresses up like a plumber and waits in the building's main lobby until an employee goes through the main turnstile. As soon as the employee enters his access number and proceeds to go through the turnstile, the ethical hacker follows them through the access gate. What type of attack did the ethical hacker utilize to access the restricted area of the building?
a. Spoofing b. Social Engineering C. Tailgating d. Shoulder surfing
You are conducting a routine vulnerability scan of a server when you find a vulnerability. You locate a patch for the vulnerability on the software vendor's website. What should you do next?
a. Start the incident response process b. Establish continuous monitoring C. Submit a Request for Change using the change management process. d. Download and install patch immediately
A software assurance laboratory performs a dynamic assessment on an application by automatically generating random data sets and inputting them to cause an error or failure condition. Which of the following is the laboratory performing?
a. Stress testing b. Security regression testing C. Fuzzing d. User acceptance testing
Which of the following types of attacks are usually used as part of an on-path attack?
a. Tailgating b. DDOS C. Spoofing d. Brute force
You are conducting threat hunting on your organization's network. Every workstation on the network uses the same configuration baseline and contains a 500 GB HDD, 4 GB of RAM, and the Windows 10 Enterprise operating system. You know from previous experience that most of the workstations only use 40 GB of space on the hard drives since most users save their files on the file server instead of the local workstation. You discovered one workstation that has over 250 GB of data stored on it. Which of the following is a likely hypothesis of what is happening, and how would you verify it?
a. The host might be the victim of a remote access trojan -- reimage the machine b. The host is being used as a CCN for a bot -- disconnect the host from the network C. The host is staging for data exfiltration -- conduct volume-based analysis on host storage d. The host went offline and conducted backups -- contact the system admin
As a cybersecurity analyst conducting vulnerability scans, you have just completed your first scan of an enterprise network comprising over 10,000 workstations. As you examine your findings, you note that you have less than 1 critical finding per 100 workstations. Which of the following statement does BEST explain these results?
a. The scanner failed to connect with the majority of workstations B. An uncredentialed scan of the network was performed c. The scanner was not compatible with the devices d. The network has an exceptionally strong security posture.
An electronics store was recently the victim of a robbery where an employee was injured, and some property was stolen. The store's IT department hired an external supplier to expand its network to include a physical access control system. The system has video surveillance, intruder alarms, and remotely monitored locks using an appliance-based system. Which of the following long-term cybersecurity risks might occur based on these actions?
a. There are no new risks from the install, and the company has a stronger physical security posture b. These devices are insecure and should be isolated from the internet c. Devices should be scanned for viruses before installation D. Devices should be isolated from the rest of the network
Which of the following would NOT be useful in defending against a zero-day threat?
a. Threat intelligence b. Allow listing C. Patching d. Segmentation
Why would a company want to utilize a wildcard certificate for their servers?
a. To extend the renewal date of the certificate b. To secure the certificate's private key c. To increase the certificate's encryption key length D. To reduce the certificate management burden
Your company is adopting a new BYOD policy for tablets and smartphones. Which of the following would allow the company to secure the sensitive information on personally owned devices and retain the ability to remotely wipe corporate information without affecting the user's personal data?
a. Touch ID B. Containerization c. Long and complex passwords d. Face ID
If you cannot ping a target because you are receiving no response or a response that states the destination is unreachable, then ICMP may be disabled on the remote end. If you wanted to elicit a response from a host using TCP, what tool would you use?
a. Traceroute b. Broadcast ping c. Ptunnel D. Hping
An internet marketing company decided that they didn't want to follow the rules for GDPR because it would create too much work for them. They wanted to buy insurance, but no insurance company would write them a policy to cover any fines received. They considered how much the fines might be and decided to ignore the regulation and its requirements. Which of the following risk strategies did the company choose?
a. Transference B. Acceptance c. Mitigation d. Avoidance
Dion Training has set up a lab consisting of 12 laptops for students to use outside of normal classroom hours. The instructor is worried that a student may try to steal one of the laptops. Which of the following physical security measures should be used to ensure the laptop is not stolen or moved out of the lab environment?
a. USB lock b. Key fob C. Cable locks d. Biometric locks
You are notified by an external organization that an IP address associated with your company's email server has been sending spam emails requesting funds as part of a lottery collection scam. An investigation into the incident reveals the email account used was Connor from the sales department and that Connor's email account was only used from one workstation. You analyze Connor's workstation and discover several unknown processes running, but netflow analysis reveals no attempted lateral movement to other workstations on the network. Which containment strategy would be most effective to use in this scenario?
a. Unplug the workstation network cable B. Isolate the workstation computer by disabling the switch port and resetting user credentials c. Request disciplinary action d. Isolate the network segment Connor is on and conduct a forensic review of all workstations.
A cybersecurity analyst is working for a university that is conducting a big data medical research project. The analyst is concerned about the possibility of an inadvertent release of PHI data. Which of the following strategies should be used to prevent this?
a. Utilize formal methods of verification against the application processing the PHI B. Conduct tokenization of the PHI data before ingesting it into the application c. Use DevSecOps to build the application that processes PHI d. Utilize a SaaS model to process PHI rather than on-premise solution
A penetration tester hired by a bank began searching for the bank's IP ranges by performing lookups on the bank's DNS servers, reading news articles online about the bank, monitoring what times the bank's employees came into and left work, searching job postings (with a special focus on the bank's information technology jobs), and even searching the dumpster at the bank's corporate office. Based on this description, what portion of the penetration test is being conducted?
a. Vulnerability assessment b. Active information gathering C. Passive information gathering d. Information reporting
A company needs to implement stronger authentication by adding an authentication factor to its wireless system. The wireless system only supports WPA with pre-shared keys, but the backend authentication system supports EAP and TTLS. What should the network administrator implement?
a. WPA2 with complex shared key B. 802.1x using EAP with MSCHAPv2 c. PKI with user authentication d. MAC address filtering with IP filtering
Vulnerability scans must be conducted continuously to meet regulatory compliance requirements for the storage of PHI. During the last vulnerability scan, a cybersecurity analyst received a report of 2,592 possible vulnerabilities and was asked by the Chief Information Security Officer (CISO) for a plan to remediate all the known issues. Which of the following should the analyst do next?
a. Wait to perform any additional scanning until the current list of vulnerabilities has been remediated. b. Attempt to identify all the false positives and exceptions, then resolve any remaining items. c. Place any assets containing PHI in a sandbox, then remediate. D. Filter the scan results to include only those items listed as critical in the asset inventory and remediate those first.
A cybersecurity analyst is reviewing the logs of a proxy server and sees the following URL: http://test.diontraining.com/../../../../etc/shadow. What type of attack has likely occurred?
a. XML Injection b. Buffer overflow C. Directory traversal d. SQL Injection
While investigating a data breach, you discover that the account credentials used belonged to an employee who was fired several months ago for misusing company IT systems. The IT department never deactivated the employee's account upon their termination. Which of the following categories would this breach be classified as?
a. Zero-day B. Insider Threat c. Advanced persistent threat d. Known threat
You are reviewing the IDS logs and notice the following log entry: (where [email protected] and password=' or 7--7')
a. header manipulation B. SQL injection c. XML injection d. cross-site scripting
You have been hired to investigate a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux system? (Select the MOST efficient command)
a. journalctl _UID=1003 | grep -e 1003 | grep sudo b. journalctl _UID=003 | grep -e [Tt]erri | grep -e 1003 | grep sudo c. journalctl _UID=1003 | grep -e [Tt]erri | grep sudo D. journalctl _UID=1003 | grep sudo
You are troubleshooting an issue with a Windows desktop and need to display the machine's active TCP connections. Which of the following commands should you use?
a. ping b. ipconfig c. net use D. netstat
Consider the following snippet from a log file collected on the host with the IP address of 10.10.3.6. What type of activity occurred based on the output above?
a. port scan targeting 10.10.3.2 B. port scan targeting 10.10.3.6 c. Denial of Service on 10.10.3.6 d. Fragmentation attack on 10.10.3.6
Using the image provided, select four security features that you should use to best protect your servers in the data center. This can include physical, logical, or administrative protections.
a. strong passwords, biometrics, mantrap, cable lock b. antivirus, mantrap, cable lock, GPS track c. GPS track, biometrics, proximity badges, remote wipe D. FM-200 (fire suppress), biometrics-locks, mantrap, antivirus
What type of wireless security measure can easily be defeated by a hacker by spoofing their network interface card's hardware address?
a. Disable SSID broadcast b. MAC filtering c. WPS d. WEP
b. MAC filtering
Asymmetric Private Keys Used To
decrypt data
Asymmetric Public Key Used To
encrypt data